Trojan.Bitcoinminer

By GoldSparrow in Trojans

Threat Scorecard

Popularity Rank:	95
Threat Level:	80 % (High)
Infected Computers:	1,594,207

First Seen:	May 18, 2012
Last Seen:	February 8, 2026
OS(es) Affected:	Windows

Trojan.Bitcoinminer is one of the detection names that have been associated with an executable file named 'indexer.exe' that is used to mine BitCoins and FeatherCoins. Trojan.Bitcoinminer will be installed in a hidden directory in the AppData directory on the infected computer. Trojan.Bitcoinminer will mine Bitcoins using the infected computer's resources. Cryptocurrency mining can be extremely demanding on a computer's resources, making it overheat, perform poorly and consume more power. While BitCoin mining is a legitimate activity, Trojan.Bitcoinminer is used by on artists to take advantage of a victim's computer to mine BitCoins or another cryptocurrency, then keeping the profits generated at the expense of the victim's computer. While mining BitCoins with a single computer is rarely profitable, the people that distribute Trojan.Bitcoinminer and similar Trojans will take advantage of the combined resources of numerous infected computers by mining BitCoins and keeping the proceeds. Many Trojan.Bitcoinminer infections have been spotted in Russia, Ukraine and Indonesia currently.

How Trojan.Bitcoinminer may be Delivered

The most common way in which Trojan.Bitcoinminer may enter a computer is through fake software downloads and updates. Con artists may hide threats like Trojan.Bitcoinminer inside software and media files distributed online. Victims will download them from shady websites and the install Trojan.Bitcoinminer on their computers without being aware of it. The fact is that Trojan.Bitcoinminer will not alert the victims that their computers are infected such as a notification or interfere in any way. However, Trojan.Bitcoinminer will use up more than three-quarters of the infected computer's processing power for mining cryptocurrency. Victims of the Trojan.Bitcoinminer attack will, therefore, realize that their computers run extremely slowly and become unresponsive or unstable frequently. Additionally, it is not uncommon for threats like Trojan.Bitcoinminer to conflict with the victim's computer, causing various performance issues and preventing other software from functioning properly.

The Trojan.Bitcoinminer Infection and Its Related Symptoms

There are several symptoms that may indicate that your computer has been infected with Trojan.Bitcoinminer. Computer users have reported that most software, including email clients, will become unresponsive, freeze or crash frequently. Some software, especially Internet browsers, will fail to open completely and many files will fail to load. When victims attempt to use the infected computer to view a video or listen to music, this will have stuttering or altered playback, stopping and not resulting in a functional experience frequently. One typical problem associated with Trojan.Bitcoinminer will happen when typing. Computer users may notice that their keyboard inputs have a delay, especially on word processing programs. This indicates that a large portion of the infected computer's resources is being used. These symptoms may occur if victims are attempting to use a program that requires lots of resources (for example, for rendering a high-quality video). In this case, however, it's Trojan.Bitcoinminer that is using up the system's resources to mine cryptocurrency.

General Recommendations Related to Trojan.Bitcoinminer

Victims of Trojan.Bitcoinminer may notice 'indexer.exe' listed in the Task Manager. This is almost always an indicator of a Trojan.Bitcoinminer infection and requires action from the computer user. However, 'indexer.exe' is not the only name used by this BitCoin miner. PC security researchers advise computer users to remain vigilant, since other variants of Trojan.Bitcoinminer with different file names may appear. Malware investigators recommend that computer users use a security program to remove Trojan.Bitcoinminer and other threats. If your computer continues to show symptoms, it is important to use a different anti-virus program to ensure that the Trojan.Bitcoinminer infection or any related threat has been found (in some cases, other components may prevent its removal). The following are other names by which Trojan.Bitcoinminer may be detected:

PUP.Optional.Bitminer
RDN/Generic.dx!cxt
Riskware.Win32.BtcMine.cnywcu
Tool.BtcMine.157
Trojan ( 0048fd0e1 )
Trojan.Win32.Generic!BT
Trojan.Win32.S.BitMiner.932352
W32/Trojan.PBJZ-2853
Win32/BitCoinMiner.AS
Win32/Trojan.Multi.daf

SpyHunter Detects & Remove Trojan.Bitcoinminer

File System Details

Trojan.Bitcoinminer may create the following file(s):

Expand All | Collapse All

#	File Name	MD5	Detections Detections: The number of confirmed and suspected cases of a particular threat detected on infected computers as reported by SpyHunter.
1.	winrmsrv.exe	462ee20e8abbbb559bd1c4f8be87b123	28,327
Name: winrmsrv.exe MD5: 462ee20e8abbbb559bd1c4f8be87b123 Size: 731.13 KB (731136 bytes) Detections: 28,327 Type: Executable File Path: %WINDIR%\system32\winrmsrv.exe Group: Malware file Last Updated: February 3, 2026
2.	optimization.exe	cb77f063286ca531454f87c4acd6c990	1,014
Name: optimization.exe MD5: cb77f063286ca531454f87c4acd6c990 Size: 10.28 MB (10283008 bytes) Detections: 1,014 Type: Executable File Path: %SYSTEMDRIVE%\Users\<username>\appdata\roaming\microsoft\defragmentation Group: Malware file Last Updated: October 24, 2025
3.	ServiceHub.CLR.x64.exe	4a8982935d9fd546297141fc7d81bf63	647
Name: ServiceHub.CLR.x64.exe MD5: 4a8982935d9fd546297141fc7d81bf63 Size: 6.73 MB (6732800 bytes) Detections: 647 Type: Executable File Path: %ALLUSERSPROFILE%\Mega Tools\ServiceHub.CLR.x64.exe Group: Malware file Last Updated: November 2, 2025
4.	m.fjk	0479efe544f5242dea4a36beb4c7aac6	546
Name: m.fjk MD5: 0479efe544f5242dea4a36beb4c7aac6 Size: 11.81 MB (11814319 bytes) Detections: 546 Path: C:\Users\<username>\AppData\Roaming Group: Malware file Last Updated: December 1, 2025
5.	trz127E.tmp	baa1555b4d7878ca84962519947ad0c3	272
Name: trz127E.tmp MD5: baa1555b4d7878ca84962519947ad0c3 Size: 2.45 MB (2451968 bytes) Detections: 272 Type: Temporary File Path: C:\Users\<username>\AppData\Roaming\trz127E.tmp Group: Malware file Last Updated: October 24, 2025
6.	services64.exe	63703ea195bf16c8ad4f37177171de12	215
Name: services64.exe MD5: 63703ea195bf16c8ad4f37177171de12 Size: 5.59 MB (5593088 bytes) Detections: 215 Type: Executable File Path: C:\Users\<username>\AppData\Local\Temp\services64.exe Group: Malware file Last Updated: January 6, 2022
7.	desktop_media_service.exe	92f630bfb87c32b205316958034b8f29	180
Name: desktop_media_service.exe MD5: 92f630bfb87c32b205316958034b8f29 Size: 3.26 MB (3260416 bytes) Detections: 180 Type: Executable File Path: %ALLUSERSPROFILE%\2114947171962198487\desktop_media_service.exe Group: Malware file Last Updated: June 26, 2020
8.	1.exe	551e8c3cd0958e64c5cdf0176c606129	148
Name: 1.exe MD5: 551e8c3cd0958e64c5cdf0176c606129 Size: 4.81 MB (4814476 bytes) Detections: 148 Type: Executable File Path: %WINDIR%\web\1.exe Group: Malware file Last Updated: July 29, 2021
9.	Roaming/GameService2/service.exe	025ef509839a563c88b5409c7e17226e	148
Name: Roaming/GameService2/service.exe MD5: 025ef509839a563c88b5409c7e17226e Size: 5.63 MB (5635072 bytes) Detections: 148 Type: Executable File Path: C:\Users\<username>\AppData\Roaming/GameService2/service.exe Group: Malware file Last Updated: February 24, 2022
10.	TiWorker.exe	5b9608dce1723c3f321863e4fe1d070b	89
Name: TiWorker.exe MD5: 5b9608dce1723c3f321863e4fe1d070b Size: 4.44 MB (4449744 bytes) Detections: 89 Type: Executable File Path: C:\WINDOWS\SysWOW64\TiWorker.exe Group: Malware file Last Updated: March 4, 2022
11.	3f70a0a3669cf11f8e4bff5d61c758bdce53baf22d9244dc0db0fe66262d7a34	b5e6b2c92cced7cbe825b5ddfd577291	76
Name: 3f70a0a3669cf11f8e4bff5d61c758bdce53baf22d9244dc0db0fe66262d7a34 MD5: b5e6b2c92cced7cbe825b5ddfd577291 Size: 18.94 KB (18944 bytes) Detections: 76 Path: %SYSTEMDRIVE%\Users\<username>\Desktop\4622292107165696\3f70a0a3669cf11f8e4bff5d61c758bdce53baf22d9244dc0db0fe66262d7a34 Group: Malware file Last Updated: December 7, 2025
12.	bridlebuddlesservice.exe	caddcd79b283edfa5169e3cb1eb86d06	60
Name: bridlebuddlesservice.exe MD5: caddcd79b283edfa5169e3cb1eb86d06 Size: 10.1 MB (10103296 bytes) Detections: 60 Type: Executable File Path: %PROGRAMFILES(x86)%\bridlebuddles Group: Malware file Last Updated: December 8, 2019
13.	vcservice.exe	468f91ff2774a8484faa49ae63bbbbec	46
Name: vcservice.exe MD5: 468f91ff2774a8484faa49ae63bbbbec Size: 439.8 KB (439808 bytes) Detections: 46 Type: Executable File Path: C:\Users\<username>\AppData\Roaming\GameService2\vcservice.exe Group: Malware file Last Updated: February 24, 2022
14.	overidlebuddiesservice.exe	c7ae8932538274154653bcfbaf2210d0	36
Name: overidlebuddiesservice.exe MD5: c7ae8932538274154653bcfbaf2210d0 Size: 10.75 MB (10753024 bytes) Detections: 36 Type: Executable File Path: c:\program files (x86)\overidlebuddies Group: Malware file Last Updated: August 16, 2019
15.	29cf036480b6.dll	77ba4a18ef8719c2f218e87dfdcba58f	31
Name: 29cf036480b6.dll MD5: 77ba4a18ef8719c2f218e87dfdcba58f Size: 109.56 KB (109568 bytes) Detections: 31 Type: Dynamic link library Path: %WINDIR%\System32\29cf036480b6.dll Group: Malware file Last Updated: December 12, 2025
16.	sppsvc.exe	8491a3f6c096bd19310d1e899fad94f5	19
Name: sppsvc.exe MD5: 8491a3f6c096bd19310d1e899fad94f5 Size: 1.43 MB (1438208 bytes) Detections: 19 Type: Executable File Path: C:\WINDOWS\Fonts\sppsvc.exe Group: Malware file Last Updated: October 24, 2025
17.	helper.exe	c414dfba78d5fce6a9b7df644ce75003	18
Name: helper.exe MD5: c414dfba78d5fce6a9b7df644ce75003 Size: 7.58 MB (7586304 bytes) Detections: 18 Type: Executable File Path: %SYSTEMDRIVE%\Users\<username>\appdata\roaming\microsoft\windows Group: Malware file Last Updated: September 15, 2021
18.	zcoin-qt.exe	20f333c444ebe1d7ecdb744296b4d2ea	18
Name: zcoin-qt.exe MD5: 20f333c444ebe1d7ecdb744296b4d2ea Size: 42.52 MB (42525712 bytes) Detections: 18 Type: Executable File Path: d:\zcoin Group: Malware file Last Updated: January 18, 2020
19.	guiminer-20110501.exe	5c40990dbae70347e37ccdd4ca10081f	14
Name: guiminer-20110501.exe MD5: 5c40990dbae70347e37ccdd4ca10081f Size: 7.27 MB (7276915 bytes) Detections: 14 Type: Executable File Path: %SYSTEMDRIVE%\Documents and Settings\Owner\Desktop\ONE PLACE\BItcoin Miner Guide\bitcoin miner+guide\install+setup\guiminer-20110501.exe Group: Malware file Last Updated: November 25, 2022
20.	Kingmaker Rise to the Throne - Collector's. Edition.exe	4dcc9bf45072c5bbb88dc5f4d55dc7f7	14
Name: Kingmaker Rise to the Throne - Collector's. Edition.exe MD5: 4dcc9bf45072c5bbb88dc5f4d55dc7f7 Size: 987.66 KB (987663 bytes) Detections: 14 Type: Executable File Path: C:\Users\<username>\AppData\Roaming\Kingmaker Rise to the Throne - Collector's. Edition.exe Group: Malware file Last Updated: October 24, 2025
21.	Services.exe	d9059794e2cfe43a6db03faee5860bc6	13
Name: Services.exe MD5: d9059794e2cfe43a6db03faee5860bc6 Size: 3.51 MB (3512360 bytes) Detections: 13 Type: Executable File Path: C:\Users\<username>\AppData\Local\Temp\RarSFX8 Group: Malware file Last Updated: June 22, 2020
22.	sysconfig.exe	4152bf9e1aaa428fbbcf91d133f25794	12
Name: sysconfig.exe MD5: 4152bf9e1aaa428fbbcf91d133f25794 Size: 8.7 KB (8704 bytes) Detections: 12 Type: Executable File Path: C:\kernel Group: Malware file Last Updated: September 11, 2019
23.	osdmnus.exe	4caf60213aebb70e4ea983a3141ef5bc	10
Name: osdmnus.exe MD5: 4caf60213aebb70e4ea983a3141ef5bc Size: 7.16 KB (7168 bytes) Detections: 10 Type: Executable File Path: %SYSTEMDRIVE%\Users\<username>\AppData\Roaming\osdmnuu_dir\osdmnus.exe Group: Malware file Last Updated: June 27, 2020
24.	XMR Silent Miner by Tigerzplace.exe	4c624ced3b2e239cf9c6b6488c37d97e	8
Name: XMR Silent Miner by Tigerzplace.exe MD5: 4c624ced3b2e239cf9c6b6488c37d97e Size: 14.21 MB (14211608 bytes) Detections: 8 Type: Executable File Path: C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup Group: Malware file Last Updated: April 12, 2020
25.	Desktop-64.exe	2c9550a1516bcc5590379fb0e968118b	6
Name: Desktop-64.exe MD5: 2c9550a1516bcc5590379fb0e968118b Size: 4.57 MB (4578304 bytes) Detections: 6 Type: Executable File Path: C:\Wlndows\system32 Group: Malware file Last Updated: February 11, 2020
26.	ja.exe	a06f3792c7e517bca2f7b7e519630f07	6
Name: ja.exe MD5: a06f3792c7e517bca2f7b7e519630f07 Size: 271.97 MB (271972975 bytes) Detections: 6 Type: Executable File Path: C:\ist Group: Malware file Last Updated: February 8, 2020
27.	skinsunlocked.exe	f1a545f5d7a0443cc0bded7704c1022e	4
Name: skinsunlocked.exe MD5: f1a545f5d7a0443cc0bded7704c1022e Size: 7.05 MB (7050752 bytes) Detections: 4 Type: Executable File Path: C:\ProgramData\kydudqtYtV\skinsunlocked.exe Group: Malware file Last Updated: April 8, 2022
28.	Update.exe	f1dcd42899ff80dd03925b3e5c4ea81e	3
Name: Update.exe MD5: f1dcd42899ff80dd03925b3e5c4ea81e Size: 901.2 KB (901204 bytes) Detections: 3 Type: Executable File Path: C:\ProgramData\Wargaming.net\GameCenter\Update.exe Group: Malware file Last Updated: September 10, 2023
29.	service.exe	f7a86d16bc207b5c867bdd4e39b726f7	2
Name: service.exe MD5: f7a86d16bc207b5c867bdd4e39b726f7 Size: 5.67 MB (5676544 bytes) Detections: 2 Type: Executable File Path: c:\Users\<username>\appdata\roaming\gameservice2 Group: Malware file Last Updated: October 15, 2021
30.	bitfc2e.tmp	69a51616979d7896d8378fe517e571f8	1
Name: bitfc2e.tmp MD5: 69a51616979d7896d8378fe517e571f8 Size: 10.74 MB (10749696 bytes) Detections: 1 Type: Temporary File Path: c:\Users\<username>\appdata\local\temp Group: Malware file Last Updated: May 11, 2019

More files

Registry Details

Trojan.Bitcoinminer may create the following registry entry or registry entries:

File name without path

32xmrig.exe

64xmrig.exe

cpuminer-gw64.exe

cpuminer-sse2.exe

DOC001.exe

IdlingBuddy.lnk

IMG001.exe

img002.exe

nbminer.exe

nheqminer.exe

nheqminer32.exe

NsCpuCNMiner32.exe

NsCpuCNMiner64.exe

NsGpuCNMiner.exe

xmrig-amd.exe

xmrig-notls.exe

xmrig-nvidia.exe

Regexp file mask

%ALLUSERSPROFILE%\Application Data\NVIDIA_cure.exe

%ALLUSERSPROFILE%\DriversI\intel.exe

%ALLUSERSPROFILE%\esif.exe

%ALLUSERSPROFILE%\flash\msacuil.exe

%ALLUSERSPROFILE%\Framework\System.exe

%ALLUSERSPROFILE%\GS_Svc.exe

%ALLUSERSPROFILE%\Intel(R) Management\intel[RANDOM CHARACTERS].exe

%ALLUSERSPROFILE%\Intel(R) Management\run.exe

%ALLUSERSPROFILE%\Komar.exe

%ALLUSERSPROFILE%\Mbvhost.exe

%ALLUSERSPROFILE%\Microsoft\Defender\jusched_srv.exe

%ALLUSERSPROFILE%\Microsoft\Security Windows\svshost.exe

%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup\DOC001.exe

%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup\winhost.exe

%ALLUSERSPROFILE%\MicrosoftCare.exe

%ALLUSERSPROFILE%\NVIDIA_cure.exe

%ALLUSERSPROFILE%\olly.exe

%ALLUSERSPROFILE%\onedrive.exe

%ALLUSERSPROFILE%\Roamer.exe

%ALLUSERSPROFILE%\run[NUMBERS].exe

%ALLUSERSPROFILE%\Skype\chrome.exe

%ALLUSERSPROFILE%\Skype\msacuil.exe

%ALLUSERSPROFILE%\SQLEXPRESS_X64_86.exe

%ALLUSERSPROFILE%\System32\Logs\ShellExperienceHost.exe

%ALLUSERSPROFILE%\VsTelemetry\vshub.exe

%ALLUSERSPROFILE%\windowsservices\helper.vbs

%ALLUSERSPROFILE%\zun.exe

%APPDATA%\1.cmd

%APPDATA%\2.cmd

%APPDATA%\32.exe

%APPDATA%\Adobe\Flash Player\MediaCache\IEMonitor.exe

%APPDATA%\Adobe\Share\AMDshare.exe

%APPDATA%\Adobe\Share\Launcher.exe

%APPDATA%\Adobe\Share\NVIDIAshare.exe

%APPDATA%\Adobe\Share\Share[NUMBERS].exe

%APPDATA%\Adobe\syssl.exe

%APPDATA%\Adobe\Updater6\AdobeService.exe

%APPDATA%\Alxi\Alxi.vbs

%appdata%\appcontainer\storage\microsoft.microsoftedge_8wekyb3d8bbwe\children\001\internet settings\guard.exe

%appdata%\appcontainer\storage\microsoft.microsoftedge_8wekyb3d8bbwe\children\001\internet settings\sysclc.exe

%APPDATA%\appmgr\appmgr.exe

%APPDATA%\Architecture\member\Systemcore.exe

%APPDATA%\coinutil.dll

%APPDATA%\crmsvc.exe

%APPDATA%\DirectX\DirectX.vbs

%APPDATA%\documents\imonitor.exe

%APPDATA%\driver\driver.exe

%APPDATA%\etctool\etc.vbs

%APPDATA%\Filosof\Filosof.vbs

%APPDATA%\FireFox\launcher\Systemcore.exe

%appdata%\google\chrome\user data\spool.exe

%APPDATA%\GoogleUpdater.exe

%APPDATA%\Idle\Idle.exe

%APPDATA%\Images\image.exe

%APPDATA%\Images\images.exe

%APPDATA%\isaa.exe

%APPDATA%\Java\x86-64bits Windows\Config-DefaultMain\SysUtils SDK v2.49\svhcost.exe

%APPDATA%\Launcher_01.exe

%APPDATA%\Launcher_08.exe

%APPDATA%\libraries\MicrosoftRuntimeUpdate.vbe

%APPDATA%\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\SyncCheck.exe

%APPDATA%\Mama\mama.vbs

%APPDATA%\mcrserver.exe

%APPDATA%\MicroMon\curl.exe

%APPDATA%\Microsoft\msconfig.exe

%APPDATA%\Microsoft\office\dllchost.exe

%APPDATA%\Microsoft\Windows Protect\winprotect.exe

%APPDATA%\Microsoft\Windows\CPU\taskhost.exe

%APPDATA%\Microsoft\Windows\Helper.exe

%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\AudioDriver.url

%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\Browge.vbs

%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\Check for updates.bat

%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\fBCjxCDztG.url

%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\GoogleCrashHandlerws.vbs

%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\IeServise.lnk

%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\key.exe

%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\miner.exe.url

%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\OneMisc.vbs

%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\rara.vbs

%APPDATA%\Microsoft\Windows\winhost.exe

%APPDATA%\MicrosoftViewer.exe

%APPDATA%\miner-x64.exe

%APPDATA%\miner.dll

%APPDATA%\rarog.exe

%APPDATA%\Roamer.exe

%APPDATA%\RunSpeed\RunSpeed.vbs

%APPDATA%\Sasha\Sasha.vbs

%APPDATA%\SearchProtocolHosts.exe

%APPDATA%\server\minergate.exe

%APPDATA%\server\runhosts.exe

%APPDATA%\svc\svc.exe

%APPDATA%\System\etp.exe

%APPDATA%\systemcare-ppi-ul5.dll

%APPDATA%\systemcare.exe

%APPDATA%\SystemProcess\SystemProcess.exe

%APPDATA%\taskmg.exe

%APPDATA%\TeleMetric\TeleMetric.exe

%APPDATA%\Temp\DOC001.exe

%APPDATA%\Updater\localversion.txt

%APPDATA%\Updater\Update.cmd

%APPDATA%\Valit\jukov.vbs

%APPDATA%\Valit\lera.vbs

%APPDATA%\Valit\Valit.vbs

%APPDATA%\vfc\ffmpeg\task.exe

%APPDATA%\windows-ppi-ul5.dll

%APPDATA%\WindowsApps\CPU1\intel1.exe

%APPDATA%\WindowsApps\CPU\intel.exe

%APPDATA%\WindowsApps\taskwint.exe

%APPDATA%\WindowsApps\winitex.exe

%APPDATA%\winhost.exe

%APPDATA%\winlog.exe

%APPDATA%\winlog.vbs

%APPDATA%\WinRAR\Precomp\precomp.exe

%APPDATA%\xmrig[NUMBERS].exe

%APPDATA%\Zara\zara.vbs

%COMMONPROGRAMFILES%\System\svchost.exe

%COMMONPROGRAMFILES(x86)%\new.bat

%HOMEDRIVE%\Applications\cmdsrvs.exe

%HOMEDRIVE%\Applications\Service.exe

%HOMEDRIVE%\Applications\websock.exe

%HOMEDRIVE%\ASD\cpuminer-sse2.exe

%HOMEDRIVE%\ASD\nh.exe

%HOMEDRIVE%\backupsys\pow32.bat

%HOMEDRIVE%\backupsys\system.bat

%HOMEDRIVE%\backupsys\taskmgr32.exe

%HOMEDRIVE%\backupsys\window[NUMBERS].vbs

%HOMEDRIVE%\browse\browse.exe

%HOMEDRIVE%\Browse\cmdsrvs.exe

%HOMEDRIVE%\Disk\cmdsvr.exe

%HOMEDRIVE%\Disk\securedisk.exe

%HOMEDRIVE%\Disk\WebService.exe

%HOMEDRIVE%\DOC001.exe

%HOMEDRIVE%\images.scr

%HOMEDRIVE%\intel\setup.vbs

%HOMEDRIVE%\MSOCache\svchost.exe

%HOMEDRIVE%\WindowsData\hostdl.exe

%LOCALAPPDATA%\amd\amd_accelerator.exe

%LOCALAPPDATA%\Explorer Data\msiexec64.exe

%LOCALAPPDATA%\Intel\iaa23.exe

%LOCALAPPDATA%\Intel\iap23.dll

%localappdata%\intel\iii.pl

%localappdata%\intel\iii.zip

%LOCALAPPDATA%\Intel\imgre.exe

%LOCALAPPDATA%\Intel\intelmngr.exe

%LOCALAPPDATA%\Intel\management.db

%localappdata%\intel\red.dll

%LOCALAPPDATA%\isaa.exe

%LOCALAPPDATA%\Optimizer\Optimizer.exe

%LOCALAPPDATA%\Roamer.exe

%LOCALAPPDATA%\smartstats\smassvc.exe

%LOCALAPPDATA%\SQLite\SQLManager.exe

%LOCALAPPDATA%\SQLite\wincpu.exe

%PROGRAMFILES%\SQLite\SQLManager.exe

%PROGRAMFILES(x86)%\SQLite\SQLManager.exe

%PROGRAMFILES(x86)%\SQLite\wincpu.exe

%PUBLIC%\documents\documentsindex.dll

%PUBLIC%\Libraries\wsappx.exe

%TEMP%\DrToolKrl.sys

%TEMP%\hiddengate.exe

%TEMP%\isaa.exe

%TEMP%\Kilence.exe

%TEMP%\Roamer.exe

%TEMP%\wup\wup.exe

%TEMP%\xmrig.exe

%TEMP%\ytmp\t[NUMBERS].[RANDOM CHARACTERS]

%USERPROFILE%\Documents\xmrig.exe

%USERPROFILE%\NVDisplay.exe

%WINDIR%\deftesrg.exe

%WINDIR%\fonts\conhost.exe

%WINDIR%\Fonts\MsEssentialSecurity.exe

%WINDIR%\Fonts\svchost.exe

%WINDIR%\HS_Svc.exe

%WINDIR%\IIS\crss.exe

%WINDIR%\ime\rescv.exe

%WINDIR%\inf\msief.exe

%WINDIR%\installer\patchcach\systemnt.exe

%WINDIR%\jb-JP\spools.exe

%WINDIR%\LiveKernel\SRPolicySvc.exe

%WINDIR%\mcfg\mcfg.exe

%WINDIR%\microsoft.net\framework64\v4.0.30319\gpsrv.exe

%WINDIR%\mscsuscr.exe

%WINDIR%\nv\NvProfileUpdater64.exe

%WINDIR%\nvidia\NvUpdater64.exe

%WINDIR%\scsktsvc.exe

%WINDIR%\servime.exe

%WINDIR%\Sys64\starter.exe

%WINDIR%\Sys\taskmgr.exe

%WINDIR%\System32\config\systemprofile\AppData\Roaming\Microsoft\cred.ps1

%WINDIR%\system32\dllhostex.exe

%WINDIR%\System32\drivers\etc\svchost.exe

%WINDIR%\system32\MaintenancesServices.dll

%WINDIR%\System32\mcicda32.dll

%WINDIR%\system32\mcicda64.dll

%WINDIR%\system32\SecUpdateHost.exe

%WINDIR%\system32\Tasks\CPUSpeed

%WINDIR%\system32\Tasks\GPUSpeed

%WINDIR%\System32\Tasks\RestoreRevTask

%WINDIR%\System32\Tasks\UpdaterChromeApp[RANDOM CHARACTERS]

%WINDIR%\system32\TasksHostServices.exe

%WINDIR%\system32\vmichapagentsrv.dll

%WINDIR%\system32\werlfault.exe

%WINDIR%\System32\windfn.exe

%WINDIR%\system32\wmassrv.dll

%WINDIR%\system32\WUDHostServices.exe

%WINDIR%\SysWOW64\HS\Client.exe

%WINDIR%\SysWOW64\HS\HS_Svc.exe

%WINDIR%\TEMP\32x64.exe

%WINDIR%\TEMP\amdxx64.exe

%WINDIR%\TEMP\antspywares.exe

%WINDIR%\TEMP\av64n.exe

%WINDIR%\TEMP\nvi864.exe

%Windir%\temp\y1.bat

%WINDIR%\wdf\wdf.exe

%WINDIR%\window.exe

%WINDIR%\wmi\WmiPrvSE.exe

%WINDIR%\WmiPrvSE.exe

%WINDIR%\wmu2\wininit.exe

%WINDIR%\wolf\minerw{0,1}.exe

%WINDIR%\xmrig[NUMBERS].exe

HKEY..\..\..\..{RegistryKeys}

Software\Ashampoo\Ashampoo Gadge It\PQwick

SOFTWARE\IdleBuddy

SOFTWARE\idledbuddy

Software\idlenessbuddy

SOFTWARE\idlingbuddy

SOFTWARE\Jetmedia

SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\CPUSpeed

SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\GPUSpeed

SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\RestoreRevTask

Software\Microsoft\Windows\CurrentVersion\Run\AVAADA

Software\Microsoft\Windows\CurrentVersion\Run\PQwick

SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ShellExperienceHost

SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vnlgp

SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zminer

SOFTWARE\Native System Provider

SOFTWARE\SystemaRev

Software\VideoDrivers

SOFTWARE\Wow6432Node\IdleBuddy

SOFTWARE\Wow6432Node\idledbuddy

SOFTWARE\Wow6432Node\idlenessbuddy

SOFTWARE\Wow6432Node\idlingbuddy

SOFTWARE\Wow6432Node\Jetmedia

SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vnlgp

SOFTWARE\Wow6432Node\Native System Provider

SYSTEM\ControlSet001\Services\AdobeFlashPlayerHash

SYSTEM\ControlSet001\Services\DirectX11b

SYSTEM\ControlSet001\Services\MinerGate

SYSTEM\ControlSet001\services\NativeDesktopMediaService

SYSTEM\ControlSet002\Services\AdobeFlashPlayerHash

SYSTEM\ControlSet002\Services\DirectX11b

SYSTEM\ControlSet002\Services\MinerGate

SYSTEM\ControlSet002\services\NativeDesktopMediaService

SYSTEM\CurrentControlSet\Services\AdobeFlashPlayerHash

SYSTEM\CurrentControlSet\Services\DirectX11b

SYSTEM\CurrentControlSet\Services\MinerGate

System\CurrentControlSet\Services\NativeDesktopMediaService

HKEY_LOCAL_MACHINE\Software\[APPLICATION]\Microsoft\Windows\CurrentVersion\Uninstall..{Uninstaller}

Altruistic

bridlebuddles

Id_Buddy

IdBuddy

idle--buddy

IdleBuddy

idledbuddy

idlenessbuddy

IdlingBuddy

overidlebuddies

PQwick

{0854AE3A-3A63-4BC6-BE20-F4185D343B5A}_is1

{4A91D8B3-712F-4815-B29B-E610008C4704}

{4CF9B388-78FA-46C3-B409-196FE2CF5F20}

{BEA0F17A-FD14-4646-8138-30994D87948A}_is1

{C2AA50F8-B1B8-4A40-BC18-E6CAB19DC0ED}_is1

{EC27A18E-53F3-4434-B08D-26C3E751C50F}

{FC44DE72-60F9-4BC1-B098-D2F6B5A06187}

Directories

Trojan.Bitcoinminer may create the following directory or directories:

%ALLUSERSPROFILE%\Application Data\clr_optimization_v4.0.30318_64

%ALLUSERSPROFILE%\Application Data\clr_optimization_v4.0.52760_64

%ALLUSERSPROFILE%\Application Data\wrdjdgyrmg

%ALLUSERSPROFILE%\AudioDriver

%ALLUSERSPROFILE%\DirectX11b

%ALLUSERSPROFILE%\Flashas

%ALLUSERSPROFILE%\Flashe

%ALLUSERSPROFILE%\FrameworkHostPro

%ALLUSERSPROFILE%\Guard Tool

%ALLUSERSPROFILE%\Guardm

%ALLUSERSPROFILE%\Haalety

%ALLUSERSPROFILE%\Intel(R)Usb3.0

%ALLUSERSPROFILE%\IntelD

%ALLUSERSPROFILE%\JetMedia

%ALLUSERSPROFILE%\Logiteh

%ALLUSERSPROFILE%\Micro Foundation 7

%ALLUSERSPROFILE%\MicrosoftCorporation

%ALLUSERSPROFILE%\ModuleGS

%ALLUSERSPROFILE%\PhysicalDeviceAdapter

%ALLUSERSPROFILE%\SRAPO64srrstr

%ALLUSERSPROFILE%\ServiceProfiles

%ALLUSERSPROFILE%\Systema Natives

%ALLUSERSPROFILE%\SystemaRev

%ALLUSERSPROFILE%\Systemfiles

%ALLUSERSPROFILE%\Task.Manager.Helper

%ALLUSERSPROFILE%\UHASecurity

%ALLUSERSPROFILE%\Windows64

%ALLUSERSPROFILE%\WindowsAppCertification

%ALLUSERSPROFILE%\clr_optimization_v4.0.30318_64

%ALLUSERSPROFILE%\eizzbvEmWK

%ALLUSERSPROFILE%\flashes

%ALLUSERSPROFILE%\flashi

%ALLUSERSPROFILE%\hkrfjnygtg

%ALLUSERSPROFILE%\lpmti

%ALLUSERSPROFILE%\mg32

%ALLUSERSPROFILE%\playersclub

%ALLUSERSPROFILE%\securityhealth

%ALLUSERSPROFILE%\sqlncli11imageres

%ALLUSERSPROFILE%\task

%ALLUSERSPROFILE%\wincss

%ALLUSERSPROFILE%\wintcpautoproxysvc

%ALLUSERSPROFILE%\wrdjdgyrmg

%ALLUSERSPROFILE%\zvmimcgqez

%ALLUSERSPROFILE%\{4FCEED6C-B7D9-405B-A844-C3DBF418BF87}

%ALLUSERSPROFILE%\{CB28D9D3-6B5D-4AFA-BA37-B4AFAABF70B8}

%APPDATA%\8mFuF

%APPDATA%\AMDProcess

%APPDATA%\Adobe32

%APPDATA%\Adobe32x64

%APPDATA%\Alix

%APPDATA%\Aplfone

%APPDATA%\AsCDPro

%APPDATA%\AudioHDriver

%APPDATA%\Auto1Feed

%APPDATA%\DPTopologyApp

%APPDATA%\Defender

%APPDATA%\Dibifu_9

%APPDATA%\Faqelo

%APPDATA%\Fujelo

%APPDATA%\Google\GoogleUpdates

%APPDATA%\IdleProcess

%APPDATA%\Ie1Servise

%APPDATA%\IeMiss2

%APPDATA%\IeServise

%APPDATA%\Logiteh

%APPDATA%\Maik

%APPDATA%\Microsoft Help\hs_module

%APPDATA%\Microsoft\Windows\Start Menu\Programs\IdleBuddy

%APPDATA%\Microsoft\Windows\Start Menu\Programs\id_buddy

%APPDATA%\Microsoft\Windows\Start Menu\Programs\idle--buddy

%APPDATA%\Miicrosoft

%APPDATA%\MingC

%APPDATA%\Nanera

%APPDATA%\Olesya

%APPDATA%\OneMisc

%APPDATA%\RarZip

%APPDATA%\Sorsur

%APPDATA%\Svcms

%APPDATA%\Sysfiles

%APPDATA%\System Process

%APPDATA%\Systema Natives

%APPDATA%\SystemaRev

%APPDATA%\TelemetricSys

%APPDATA%\Vatico

%APPDATA%\Versions Watcher

%APPDATA%\Vive

%APPDATA%\WinZIP_32

%APPDATA%\WindowsFirewall

%APPDATA%\WindowsHelp

%APPDATA%\Windows_x64_nheqminer-5c

%APPDATA%\ZSystemDll

%APPDATA%\adobe\nvv8

%APPDATA%\adobe\x64e

%APPDATA%\adobe\x64r

%APPDATA%\adobe\x64rx

%APPDATA%\brhost

%APPDATA%\bvhost

%APPDATA%\com.flash.WidgetBrowser

%APPDATA%\com_shell

%APPDATA%\jetmedia

%APPDATA%\jsonminify

%APPDATA%\jswUpdate

%APPDATA%\mercya

%APPDATA%\microsoft\teamviewer

%APPDATA%\myinstall

%APPDATA%\rundll32.exe

%APPDATA%\shell\0\0\0\0\0\googlerec

%APPDATA%\sppui

%APPDATA%\svhost

%APPDATA%\systemdata\searcher

%APPDATA%\uconhosts

%APPDATA%\vbhost

%APPDATA%\vghost

%APPDATA%\winrar_tools

%APPDATA%\x11

%APPDATA%\xBooster

%APPDATA%\xmlframwork

%APPDATA%\xszman

%AppData%\AsToolCD

%AppData%\ClearMe

%AppData%\Microsoft\Protect\Upd64

%AppData%\MineCor

%Appdata%\Avira Antivir

%COMMONPROGRAMFILES%\myinstall

%COMMONPROGRAMFILES(x86)%\myinstall

%HOMEDRIVE%\Chrome\XMR

%HOMEDRIVE%\Users\Default\AppData\Roaming\System

%HOMEDRIVE%\XMR

%HOMEDRIVE%\dapp

%HOMEDRIVE%\ness\miner

%LOCALAPPDATA%\ESET-NOD32

%LOCALAPPDATA%\Logiteh

%LOCALAPPDATA%\Roaming\Cache

%LOCALAPPDATA%\cypjMERAky

%LOCALAPPDATA%\minergate-cli

%PROGRAMFILES%\BRTSvc

%PROGRAMFILES%\IdBuddy

%PROGRAMFILES%\Idle-Buddy

%PROGRAMFILES%\IdleBuddy

%PROGRAMFILES%\Jetmedia

%PROGRAMFILES%\LaCie Private Public

%PROGRAMFILES%\PQwick1.1

%PROGRAMFILES%\System Native\Main Services

%PROGRAMFILES%\SystemNanoPacks

%PROGRAMFILES%\Systema Natives\MServices X

%PROGRAMFILES%\SystemaRev

%PROGRAMFILES%\SystemaRev\RevServicesX

%PROGRAMFILES%\bridlebuddles

%PROGRAMFILES%\ibuddy

%PROGRAMFILES%\id_buddy

%PROGRAMFILES%\idle--buddy

%PROGRAMFILES%\idledbuddy

%PROGRAMFILES%\idlenessbuddy

%PROGRAMFILES%\idlingbuddy

%PROGRAMFILES%\inteldriverpack

%PROGRAMFILES%\jsstmedia

%PROGRAMFILES%\overidlebuddies

%PROGRAMFILES(x86)%\BRTSvc

%PROGRAMFILES(x86)%\Hardware Driver Management

%PROGRAMFILES(x86)%\IdBuddy

%PROGRAMFILES(x86)%\Idle-Buddy

%PROGRAMFILES(x86)%\IdleBuddy

%PROGRAMFILES(x86)%\Jetmedia

%PROGRAMFILES(x86)%\LaCie Private Public

%PROGRAMFILES(x86)%\PQwick1.1

%PROGRAMFILES(x86)%\System Native\Main Services

%PROGRAMFILES(x86)%\SystemaRev

%PROGRAMFILES(x86)%\bridlebuddles

%PROGRAMFILES(x86)%\ibuddy

%PROGRAMFILES(x86)%\id_buddy

%PROGRAMFILES(x86)%\idle--buddy

%PROGRAMFILES(x86)%\idledbuddy

%PROGRAMFILES(x86)%\idlenessbuddy

%PROGRAMFILES(x86)%\jsstmedia

%PROGRAMFILES(x86)%\overidlebuddies

%Public%\Avast! -Antivirus

%TEMP%\WindowsData1

%TEMP%\WindowsTask

%USERPROFILE%\Documents\TransactionServices Inc

%USERPROFILE%\OneDrive\Documents\SystemServices Inc

%USERPROFILE%\OneDrive\Documents\TransactionServices Inc

%WINDIR%\HashStrem

%WINDIR%\SysWOW64\HS\hs_module

%WINDIR%\SysWOW64\xmr64

%WINDIR%\System32\Tasks\Microsoft\Windows\sysem\ssrec\a

%WINDIR%\fonts\cao

%WINDIR%\hs_module

%WINDIR%\speechstracing

%WINDIR%\system32\HS\hs_module

%WINDIR%\system32\SecureBootThemes

%WINDIR%\system32\SysprepThemes

%WINDIR%\system32\config\systemprofile\Documents\TransactionServices Inc

%WINDIR%\system32\config\systemprofile\appdata\local\bjihiwsdsu

%WINDIR%\syswow64\config\systemprofile\appdata\local\bjihiwsdsu

%WINDIR%\wdms

%WINDIR%\{DE03ECBA-2A77-438C-8243-0AF592BDBB20}

%allusersprofile%\altruistic

%appdata%\VideoDrivers

%appdata%\appcontainer\storage\microsoft.microsoftedge_8wekyb3d8bbwe\children\001\internet settings\cpu

%appdata%\silent

%appdata%\wow64_microsoft-windows-vssproxystub

%appdata%\zgs

%homedrive%\0_miner_mondero

%localappdata%\TMeter

%programfiles%\Altrst

%programfiles%\Altst

%programfiles%\altruist

%programfiles%\altruistic

%programfiles%\altruistics

%windir%\pcdata

Analysis Report

General information

Family Name:	Trojan.Bitcoinminer
Signature status:	No Signature

Known Samples

MD5: 8708b8f909c61666670b0d53b2d05dd1

SHA1: 5231b08b55069d030ad0d20166b6d8dac0ea2f4e

File Size: 4.65 MB, 4651008 bytes

MD5: 0a4fa29495453876817754c208ac314c

SHA1: 1c67d8cd9cc7db8cff3f688f3d9f3c1287ecfd91

File Size: 4.15 MB, 4148508 bytes

MD5: d809e7a7a700a71a6fc9624d831b1282

SHA1: cd9d79c69cc6e2666f851a0e19eefc75951e6710

File Size: 6.42 MB, 6423552 bytes

MD5: efd484df13e457609b29609cecfd1ca7

SHA1: c4a39a8b477b313443703b88aec23f9ebed60096

File Size: 407.55 KB, 407552 bytes

MD5: 3e3ea44ccacf089e3b5e53af8fdb6e85

SHA1: 029fdc232488d9e778da6d96f581cce532a33bfe

SHA256: 926175E0C5EA589A1BF5FCA5A10BD65369A95C544B0482C2C5588FA72971DCB6

File Size: 8.82 MB, 8819712 bytes

MD5: 93b10cec0c314eaf5bdcb5b7b6c0df76

SHA1: a61593f1e458edb9abc84dbfa3b0fccc34f8470e

SHA256: B24ECE9FA44937E02375A64566D0BC0B5085F3EB26508BFCD9523C09E3803440

File Size: 486.93 KB, 486931 bytes

MD5: 7af8612feefaf956cfd88717003ccc3b

SHA1: cfe5b4a4c91fb546b3badf6ec0d969a4735af31f

SHA256: 64CE0DD2EA45B8097FD03C9BC215AEABD777CEC4DE7BEBC46D373810A3633980

File Size: 2.20 MB, 2196992 bytes

MD5: b0748036b87a43f671181bef7bd4ed36

SHA1: 94296d6f7e6ab120c5326cbbd61195f3c0629440

SHA256: 3FA648050F5C7809A1A34BC86558526141C317C94E2165266987EF821912D084

File Size: 23.04 KB, 23040 bytes

MD5: aca54459a38acf282034205c590b8690

SHA1: 688ed8bf1d85843e1c1edd30d0a9fc003384ff9e

SHA256: 5AB213723CA3C0758750502F606E78C0185E09570F1F1F826572228D72F0D180

File Size: 7.68 KB, 7680 bytes

MD5: 0753b827a389a1527600f7f1a878fb8f

SHA1: c3d25abb82698cd1fe5b60571cd3b9562fce56bc

SHA256: D203683821431583BB881FB715679C4C3D2E6A4E92C1EEA6755C8BA909E966F8

File Size: 3.88 MB, 3884032 bytes

MD5: c0bdcc6d3c12ec80893019aef72ec670

SHA1: a3d02b11f8abccad0d449bede513cd4950bd2a90

SHA256: C701F045F039EEE10260046D0377F6DFEB3307B1A4DA067F17EA04ADFFCEEA5F

File Size: 182.78 KB, 182784 bytes

MD5: b6fe01c002120404f1f94e678fbd2dca

SHA1: f396851e7374c07c9a7cc0ffa3284a1de73e7c23

SHA256: 24306BCC02E7DC4D96BC7F91815521E78A78208F86924EC37FF350AA5409AB57

File Size: 182.78 KB, 182784 bytes

MD5: 883bd06fac626d1a1692c6ee999b5631

SHA1: 8d45c449b81ef6571db4d827ae6138a72716ad79

SHA256: 8D8F8FC1BE5818A2F6A0DD3BA7A9B37D805561B5718C3FC279873FC66632A365

File Size: 3.88 MB, 3884032 bytes

MD5: fc5d7717d7b788aedea37e3b77ab8e22

SHA1: b434ada4098f40edeed7fefd508140adbc00b22c

SHA256: 4D2D5342B7C2FA33D0E45F29E745BBA810316F7BC5C40CD1C833A6D93C6FD9F6

File Size: 182.78 KB, 182784 bytes

MD5: eb96c6f88395dfed2ee011a1f433ef65

SHA1: 2bee30dc7a2cd28cc0137a80eecbe8e9fc77745e

SHA256: 5ECF6D306F085736E7C676B953801D66FD5224142340A302DDACC07E9B200658

File Size: 42.02 KB, 42016 bytes

MD5: f7ab9d17b9e5d1d885504e7bc8e4f714

SHA1: 63891d50e069607eb06bf81a82f12bb28889429c

SHA256: 6C4A8D359BE938BFD74D3FD7516239DECD0110737E5612FF4C0D29AA6A54D8A9

File Size: 3.20 MB, 3196416 bytes

MD5: d490722b3e9038d3ac0ecc6edb6d232f

SHA1: 18f27e4714fd9f7fdcdb40fa1845407d095f80f8

SHA256: D55C6A4B026F7B2C61E8DAD4C301E5D757916A7DBA4B1BF39940D569AC7370AB

File Size: 6.91 MB, 6910513 bytes

MD5: 611b6d04825d3b43459d84362ac3bb7e

SHA1: a0222125e8c8cb9bb7dcfd47080dd91ecdc457e0

SHA256: A9A130E0D61760F4007043C0916442BA9CACE758207200C66C04498EB2CC85A9

File Size: 182.78 KB, 182784 bytes

MD5: d5b6f95a0bfc91eadd991d22607f72c9

SHA1: 481b92be05300e7319333644f64f14ab1d0bf24c

SHA256: 95D3C97BDA22A98CCA1F4B98BAED756A1C3CD911373EF313B05DD2CE9A58C20E

File Size: 6.58 MB, 6583266 bytes

MD5: ed134b91c80354fddfb7333a6a2e5f53

SHA1: 4e69027ffbd9dd67d1938befffe35bf7a52f4173

SHA256: 0A0A880B6B20F2B9F16A2AA18FB26F5F01EF20E533A81CF4EE68FA400E1032D4

File Size: 7.00 MB, 6997103 bytes

MD5: d3b36ad769f7c4e5831a8bf69542d79d

SHA1: 59f14afa84eb9ac4c9593c6765f91a6469aa8893

SHA256: 99A181687483AC0E31CBCC75BEE319488DB631B8DCCEDD9EE5FACAE9EB78CEDB

File Size: 1.07 MB, 1068032 bytes

MD5: 561cddf4f1b5aa519a0ec303d956f423

SHA1: 600276347abed96a481884d2b16907fe429efc61

SHA256: 28106CC51AE4A66D0C0164566DC7473111AFDD589BA0202A235CDAD0ED339750

File Size: 45.84 KB, 45841 bytes

MD5: beb4046e13087acd62168996ec917613

SHA1: 54868ec0a94fc7894aeb41e0189999edfcb4838e

SHA256: FDA2ED927328C2735D0A9EA41E5F6004B15DD900864037EB0E288B68A9A77D9A

File Size: 467.46 KB, 467456 bytes

MD5: 27a18ac4684d2905499a751335a67241

SHA1: 55c35a3bf57b23bc777c7f058698599a56906c97

SHA256: 83CB55A977C92B16E4833E0EF3A22D49C75EDE9C52350EAABF6DCB890E9709EA

File Size: 182.78 KB, 182784 bytes

MD5: 1e1f8c773da189bacaf740370dc7a8be

SHA1: 7f41722cb74b3722183d772d286d5dd0c4b81d08

SHA256: FAA22852F076DC111F778816D2F9FA99414BB1032C8A87A3D78C0AF438D77BF4

File Size: 7.00 MB, 6996894 bytes

MD5: 09236c05b2bf5377f7c8350e301a92be

SHA1: eac001ec14ce7155a9e7e03d9e4180237abd1f18

SHA256: FF8A6B15D8E880DE6C9D24178DD9D2AA6B6E39D3D8E35776626863CD2A302C26

File Size: 3.22 MB, 3220563 bytes

MD5: f14f8f4d98d10ab8f14e4229a3bb945a

SHA1: d9cf2baea2a56cd1ed179820713000c0db810179

SHA256: 5D02F179B0F1BBABD7DF55049FE7FCA45CE2428188BB5B397DD5801D29C0526B

File Size: 303.62 KB, 303616 bytes

MD5: 65f9923e7eae36dd35c48bb9a1f2cfa9

SHA1: a531b2e41a67b7e86fa97a058c7b84ad6d3861fb

SHA256: 4894489E3490203C1F31596D2E58347004FFA29ADDE1273C9BEE0B3D07C5803B

File Size: 9.96 MB, 9959226 bytes

MD5: 75f00ffab3d1865442b3af99e3bd4a30

SHA1: 5a96ca2e9f335df8b6e9379bc9073fd47c3f0631

SHA256: 883F799674AA73B6F6078E572DB902503F5E0B02648530070354D4B0885D8C40

File Size: 30.21 KB, 30208 bytes

MD5: 5c5482a1ea80eb425a89d92e6b03a933

SHA1: c12761bde561181027747b01ba2b3e6f9e331314

SHA256: E9BF967EA476848695A81FAC2EF375C9296E1411E035E2B98BEA2AC16458153C

File Size: 9.74 MB, 9741824 bytes

MD5: cafb4d986ace879fb2429b18ddc8ee7f

SHA1: e6c49ad89c5d0476d967ce8ff3ebe1005bd10d1b

SHA256: C05CB9823B3C5320CC01B230636D57CE017873229A67A013C2B07352FB1E00D8

File Size: 41.86 KB, 41863 bytes

MD5: 8194b5740918a9db4f1e01dd10543f23

SHA1: 472cfc191339d1864444e2679298121bd963e314

SHA256: CB85361B9706540CE3DAC07D5B18C618E619EF1FB7A5F07F63175EA1F4F99CE0

File Size: 4.81 MB, 4811776 bytes

MD5: 70d501e3a7e5ce1d3daba4e629a23125

SHA1: 63ff2ccf13744e14033b0caa0bf7341957cd91bd

SHA256: FB258543F08DDA0B28471FAE508FB5AB349E7E14C290325243DD84873C13A84B

File Size: 182.78 KB, 182784 bytes

MD5: 7ff9cfa46854bf2287db3764fa555873

SHA1: a1831f250059b40a00c3f2b5f1fdf8de55b715d0

SHA256: 65078F057ED2B2FE5FE7D93F270E3C23DCA32696148262D4A0749530949FC8D6

File Size: 233.47 KB, 233472 bytes

MD5: 16b80efd72c80b529bf6082fdf160133

SHA1: 4f6db8f5127533a3b26692ed41215ac68dc8da99

SHA256: F4C435E665E6341C25822304E9748AB54E30688FC28A1935451942F109E5C57D

File Size: 41.50 KB, 41502 bytes

MD5: 3da021830e8d036fde875163905461d6

SHA1: a73f976ff0dcffa12753a4b46292bf3c5b40f4f8

SHA256: EFB61F6EA4E89E200CFC9B687DC7068DF1EB75B00D83BB36B01AD5D5D50EBF9B

File Size: 338.94 KB, 338944 bytes

MD5: 822fc1264a8d274cd02b2300e7630955

SHA1: f4e1698474aaf2848319904dcb4aaf6a9587ad58

SHA256: 4A139D8D8163D43BDD056DBDBDF9A77EBFF68C8377E58865B39573BC91295657

File Size: 38.09 KB, 38090 bytes

MD5: fa5bf1f97d6e53918cc690a847dd576f

SHA1: 408a7388cecfbe61fa3fa55beb5444968f8ec248

SHA256: F3189EA9883718D719015E2C892B073E9E43805194FD5939295406552A96134C

File Size: 338.94 KB, 338944 bytes

MD5: 4693395c4d4192c674a951c852dd7ced

SHA1: 305a145479e155a6bd0af79dfca514672621d2b2

SHA256: FC0639F28F7A0345FB289A16B7BC5AC795FBA9747623EDAAB715DCD62DE0CEAE

File Size: 3.22 MB, 3220563 bytes

MD5: ab084b9bbc37f2b7e6b920c8e8fb7b78

SHA1: f3e2756acf83994d9439216c834331d5a4940da8

SHA256: 8E755F1F8AB727018E7974640B93D5F31AE7D86FB19DA152CBAE100C3BF5F548

File Size: 182.78 KB, 182784 bytes

MD5: 5f5145d9788b71c70a1a3ab3e4ea33ed

SHA1: 45b4b5dc2acf6417491eedf2fcae3ebbedb5a6b3

SHA256: 8B3FB1273D429EBD5F207ECB5C2176E7911DFBCA3CE6327EDFC875C2018568EF

File Size: 146.94 KB, 146944 bytes

MD5: f7ae86e3c15db21d66caaf7fa2639329

SHA1: f43edcaf657d9c51f407513264d5aaecbe9e66ac

SHA256: 7D600DA00910AAF6E4CE32891BF2DE717AE0D21D70E569082CA789E13F3D6393

File Size: 2.40 MB, 2403840 bytes

MD5: b44fa46b78d92e82ba2bf13d23faaa43

SHA1: 7106f19fb86654805e1d1012b6c3ee4e3a086e74

SHA256: DF6548CCB40A57A5D34A6F3D2EB70C7EF6C36943BD8649F21AE0BD69ABA2A1B2

File Size: 6.44 MB, 6437263 bytes

MD5: 0dfc22a787a7628e2c25d978d1b8786b

SHA1: 50d69de7cc76c172c9bd8f13198a29f7fe42e0ab

SHA256: CE7C1134068F3C61D234B608F9A760E5967218291C74441B910E6837619842B2

File Size: 6.40 MB, 6401536 bytes

MD5: fbafe8764cb60112ccb1987c24e04684

SHA1: 70bbc9e9c5c7b605bf63dfcb11adddd707c88974

SHA256: 38A8AE613683D5D3B0E7DC1C5943A9FD59FA0AE47968B235270CA3815A4308B6

File Size: 447.49 KB, 447488 bytes

MD5: bf9dc07083e331d9645d926fa411427a

SHA1: 29d67e13e948d215264a3664a1ac77f27f5068b3

SHA256: 9BDDAE1F50FBEEBA8541FF1C724BA64A249F4AFB71400CD31CCFFA8540086348

File Size: 5.24 MB, 5236736 bytes

MD5: 93601652bc6be91c2ab609083bc846a7

SHA1: b148e3b44ef9d1239622ce4041f467dacf2aec9c

SHA256: E513ADBB62A1D96C0DE63E3E3D48E28547450650F756204697AE4EF0FDDE2C96

File Size: 3.53 MB, 3532648 bytes

MD5: b5b4bfb732f054fa14d1301bbe269fff

SHA1: d0b009a536ac31b5819c94fb26d796302deb9aac

SHA256: CFC84B8EC694D555556A08AFD9F1C673F25E03BF20E1FDE5115BE19579B11808

File Size: 4.99 MB, 4994560 bytes

MD5: ccb8d582fb41cafd7912c07de5b0a8a3

SHA1: e5b998703b0fa552e119136c4f4d1ad68c521302

SHA256: 97EA1998D6853C77D928F56E7FC39427EAB3885ABD6881003BC7D3E27407DFDE

File Size: 330.75 KB, 330752 bytes

MD5: 1d16c85ca1861dfb9c5ce4b06a758af5

SHA1: 2d16a6f3313f485cd280e14fafac75517764d257

SHA256: AF8C7AE9C80D15C87F7345DB4F6C984FDF458D2040C9CF52DA1D63795D888289

File Size: 37.38 KB, 37376 bytes

MD5: dc4b5f7e3e5964a9ff1f7d6e2c366cad

SHA1: 3250c9a0c9132062a28d7951b0fb521932c91f98

SHA256: 67B31153AB8AF38B77941FE0F4BA08D449C3049F3F0D087489161A9DAC2D52D4

File Size: 3.20 MB, 3202224 bytes

MD5: d93a1d8839de6ffe52fda9f8e090b4a7

SHA1: 99f26215690b650c5cfb3cf1655c40b3a1b4586a

SHA256: 6CC2631AAB1778BD817E30DDC51642812867C3ECEB422A3D44BFF27489B85558

File Size: 5.45 MB, 5449728 bytes

MD5: 5f05e3da8b9ab8a6f2165baabbd37784

SHA1: 4518da62360432e0e5a966c50d9963502a868ed8

SHA256: A76A269F73BE68CBDE81E94E3583225FDA3BB25ED1055D1FD927829D076E266C

File Size: 9.96 MB, 9960960 bytes

MD5: aec6ad34be5258d5b108c3ef4c22ce29

SHA1: 284e317e7e37525c7b8b701df4607514ef1683ac

SHA256: 29B59E83736413B1FC74A69D36B5110DA2E4447447A4869E6ECD04DA657180D1

File Size: 3.18 MB, 3182080 bytes

MD5: 718b931359ccb1c1d9239a6005bfb0a7

SHA1: 552e2bb6fd59889f28aba695963ac9a2ce146507

SHA256: C6D16C0752266FADBE95A94EB9B9CA98525CA9E30B67D71FEE9CB7B678B2F4ED

File Size: 8.36 MB, 8356352 bytes

MD5: 630ff1c494304d261a6b950144cbff1c

SHA1: 5597c10b0b2d85c5f193a989fa677823773a4eb0

SHA256: 62B9FA195CE5037AB7535FA8F9D2A0D62790BA1B0A0D78532CA5FCD9850F1FCB

File Size: 4.14 MB, 4143472 bytes

MD5: d1c2814cf2e261a112e67f7927eacdfb

SHA1: 5b03f261746e2d03b295054a22829f6308cb5391

SHA256: 0AA0831A790F60C6FC54883EC590CE7447B193D48855CADB0A7E9F20CACBF2EA

File Size: 304.11 KB, 304112 bytes

MD5: 4aa5c6df628ff3b7f91c919c8a57b9d8

SHA1: 9fe38e53a43aa4651972ac4507551245247b5272

SHA256: 782F1AFE2E06094A261BA849A7810B4E075F0D13C2F95B48CF6C4137ABA09E6E

File Size: 3.22 MB, 3220563 bytes

MD5: 4161d550d851f6aa828b0bbe08fa19e0

SHA1: 04f49b62291df27003be9756d79530844c0cc8c3

SHA256: 2F05FB515D3362592571E70CB02F9DE31054DD6F30A64688AF68D67660DE21F1

File Size: 44.22 KB, 44223 bytes

MD5: 124ba8321e41ae30cd0b05f9ea388173

SHA1: 1fdee658736ab3b0e251202fc4d820a661302f33

SHA256: A1AF0CDC24237A8A1BADDE7AEE24E149BFD5CB6CFB491C484BB10FBB96FAB092

File Size: 445.95 KB, 445952 bytes

MD5: 7187e421b0647fc60aea472764757b84

SHA1: 2863e3cecea37397e28cc1ddff59f6d741cb9039

SHA256: 2E596F61AA262CD47E2368C5B3012DE06A6962559F5CC1B4D32747DD87804F1C

File Size: 8.70 MB, 8700416 bytes

Windows Portable Executable Attributes

File doesn't have "Rich" header
File doesn't have debug information
File doesn't have exports table
File doesn't have relocations information
File doesn't have resources
File doesn't have security information
File has been packed
File has exports table
File has TLS information
File is .NET application

File is 32-bit executable
File is 64-bit executable
File is console application (IMAGE_SUBSYSTEM_WINDOWS_CUI)
File is either console or GUI application
File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
File is Native application (NOT .NET application)
File is not packed
IMAGE_FILE_DLL is not set inside PE header (Executable)
IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

File Icons

Windows PE Version Information

Name	Value
Assembly Version	1.0.0.0 0.8.1.0 0.0.0.0
Comments	Adds Upgrades to be bought via the Terminal Flavor=Retail This installation was built with Inno Setup. This is a shim that points to a particular file. It was generated by ShimGen (Shim Generator). The use of shimgen must comply with its proprietary license.
Company Name	Common Softwares Computta.com Cowan Innovations Inc. EnhancedEnterprises Gunther-Gerben Boxhammer Microsoft Corporation RealDimensions Software, LLC sharkbot The Monero Developer Community www.microsoft.com Show More www.truemining.online www.xmrig.com
File Description	.NET Runtime Optimization Service Altruistics Uninstaller Antimalware Core Service Computta CPVisual EnhancedEnterprises Gunther-Gerben Boxhammer Launcher Host Process for Windows Services icl Microsoft Windows Networking Sevrices Show More Setup/Uninstall sharkbot ShimGen generated shim - shim svchost.exe winrar-x64-591 Installer XMRig ZeroFee by True Mining
File Version	51.1052.0.0 10.0.26100.5074 (WinBuild.160101.0800) 6.31.6.0 6.22.2-zerofee 6.22.2 6.21.1 4.18.25100.9008 (b0af8b174efae63a7a64d96131727074dad31379) 4.8.9065.0 built by: NET481REL1LAST_C 2.5.2 2.1.0 Show More 2, 0, 0, 0 1.30 1.6.0.1 1.0.0.0 0.89 0.8.1.0 0.0.0.0
Internal Name	Altruistics Uninstaller Computta CPVisual.exe EnhancedEnterprises.dll ethminer.exe Game Launcher HdcksMen.exe icl.exe MpDefenderCoreService.exe mscorsvc.exe Show More okay.exe Pegasus icarus Hvnc.exe sharkbot.dll svchost.exe updater-checker.exe winrar-x64-591 XENO EMULATOR BYPASS.exe
Legal Copyright	Computta.com Copyright (C) 2016-2024 Copyright (C) 2016-2024 xmrig.com Copyright (C) 2016-2024 xmrig.com \| Copyright (C) 2021-2025 True Mining Copyright (C) 2016-2025 Networking Sevrices Copyright (C) 2018- Gunther-Gerben Boxhammer Copyright (C) 2021 Common Softwares Copyright © 2013 - 2017 RealDimensions Software, LLC Copyright © 2022 Cowan Innovations Inc. © 2022 Show More © Microsoft Corporation. All rights reserved. © Microsoft Corporation. All rights reserved.
Original File Name	winrar-x64-591.exe
Original Filename	Altruistics Uninstaller CPVisual.exe EnhancedEnterprises.dll ethminer.exe GGBH.exe HdcksMen.exe icl.exe MpDefenderCoreService.exe mscorsvc.exe msedgeview3.exe Show More okay.exe Pegasus icarus Hvnc.exe sharkbot.dll svchost.exe uninstall.exe updater-checker.exe Windows Networking Sevrices.exe wmsearch.exe XENO EMULATOR BYPASS.exe xmrig.exe
Private Build	DDBLD356B
Product Name	Altruistics Computta Деинсталлятор CPVisual EnhancedEnterprises GGBH Launcher icl Microsoft® .NET Framework Microsoft® Windows® Operating System Monero GUI Wallet sharkbot Show More ShimGen generated shim svchost.exe Windows Networking Sevrices winrar-x64-591 wmsearch XMRig Zerofee
Product Version	10.0.26100.5074 6.31.6.0 6.22.2-zerofee 6.22.2 6.21.1 4.18.25100.9008 4.8.9065.0 2.5.2 2.1.0 2, 0, 0, 0 Show More 1.30 1.6.0.1 1.0.0.0 1.0.0+8d0131e98690c8e8725040a073b49b40f14c4711 1.0.0 0.89 0.18.4.5 0.18.4.4 0.18.4.3 0.18.4.2 0.8.1 0.0.0.0

Digital Signatures

Signer	Root	Status
16QP LIMITED	COMODO RSA Code Signing CA	Self Signed
Contagious Computing Complex	Contagious Computing Complex	Self Signed
www.freesharesoft.com	www.freesharesoft.com	Self Signed

File Traits

.NET
2+ executable sections
big overlay
dll
fptable
GetConsoleWindow
HighEntropy
Inno
InnoSetup Installer
Installer Manifest

Installer Version
NewLateBinding
No Version Info
ntdll
packed
RAR (In Overlay)
RijndaelManaged
Run
VirtualQueryEx
WRARSFX
WriteProcessMemory
x64
x86

Block Information

Total Blocks:	20
Potentially Malicious Blocks:	7
Whitelisted Blocks:	12
Unknown Blocks:	1

Visual Map

0 0 0 0 0 0 0 0 0 0 0 0 ? x x x x x x x

0 - Probable Safe Block
? - Unknown Block
x - Potentially Malicious Block

Similar Families

Agent.FDD
Agent.GOG
Agent.LPAA
BadIIS.GA
Bitcoinminer.CBA

Bitcoinminer.E
Bitcoinminer.H
Bitcoinminer.KC
Bitcoinminer.L
Bitcoinminer.LC
BypassUAC.HA
ClipBanker.IF
Coinminer.AHC
Coinminer.GCJ
Coinminer.RB
Downloader.GDG
Downloader.GDH
Dropper.Agent.GD
Gamehack.EBF
Gamehack.GSI
Injector.AK
Injector.DRC
Injector.DRD
Keylogger.GDC
Keylogger.RA
Kryptik.XXBA
Kryptik.XXBF
Lumma.GFD
MSIL.Agent.KAB
MSIL.Cerbu.C
MSIL.Dropper.XF
MSIL.Heracles.IO
MSIL.Inject.AB
MSIL.Inject.YT
MSIL.Injector.XT
MSIL.Krypt.GEBU
MSIL.Krypt.SEA
MSIL.Krypt.U
MSIL.Kryptik.XC
MSIL.Spy.Agent.XF
MSIL.Spy.Agent.XG
Rugmi.IA
ShellcodeRunner.YD
Sheloader.A
Sheloader.C
Stealer.KF
SteamStealer.C
Trickbot.AJ
Trojan.Agent.Gen.BL
Trojan.Agent.Gen.FN
Trojan.Agent.Gen.NA
Wdfload.A

Files Modified

File	Attributes
\device\namedpipe	Generic Read,Write Attributes
\device\namedpipe	Generic Write,Read Attributes
\device\namedpipe\dav rpc service	Generic Read,Write Data,Write Attributes,Write extended,Append data
\device\namedpipe\pshost.133976748101365294.6008.defaultappdomain.powershell	Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288
\device\namedpipe\pshost.134125939623293346.7060.defaultappdomain.powershell	Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288
\device\namedpipe\toserveradvinst_estimate_c:\users\user\downloads\5597c10b0b2d85c5f193a989fa677823773a4eb0_0004143472	Generic Read,Write Data,Write Attributes,Write extended,Append data
\device\namedpipe\toserveradvinst_extract_c:\users\user\downloads\5597c10b0b2d85c5f193a989fa677823773a4eb0_0004143472	Generic Read,Write Data,Write Attributes,Write extended,Append data
\device\namedpipe\toserveradvinst_extract_c:\users\user\downloads\b148e3b44ef9d1239622ce4041f467dacf2aec9c_0003532648	Generic Read,Write Data,Write Attributes,Write extended,Append data
\device\namedpipe\wkssvc	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\__psscriptpolicytest_cs0icwc3.bdn.psm1	Generic Write,Read Attributes

c:\users\user\appdata\local\temp\__psscriptpolicytest_kise41dq.atn.psm1	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\__psscriptpolicytest_kiwtn0sh.3nf.ps1	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\__psscriptpolicytest_n3lf2rfk.g0m.ps1	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\aieadaf.tmp	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\aieadaf.tmp	Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\users\user\appdata\local\temp\aieadaf.tmp	Synchronize,Write Attributes
c:\users\user\appdata\local\temp\build.exe	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\exeb93a.bat	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\exeb93a.bat	Synchronize,Write Data
c:\users\user\appdata\local\temp\jusched.exe	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\temp_script.bat	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\~df01a2810d2fc46141.tmp	Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete
c:\users\user\appdata\locallow\microsoft\cryptneturlcache\content\5080dc7a65db6a5960ecd874088f3328_bc00434159dae8351451cce9c748f5d7	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\locallow\microsoft\cryptneturlcache\content\cc42971b7939a9ca55c44cfc893d7c1d	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\locallow\microsoft\cryptneturlcache\content\d2b5168cdd0ebf4c0c8ea1c3a1fae07f_2f10f6ac1b30a30cd4f31e26cb4e9b13	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\locallow\microsoft\cryptneturlcache\metadata\5080dc7a65db6a5960ecd874088f3328_bc00434159dae8351451cce9c748f5d7	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\locallow\microsoft\cryptneturlcache\metadata\cc42971b7939a9ca55c44cfc893d7c1d	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\locallow\microsoft\cryptneturlcache\metadata\d2b5168cdd0ebf4c0c8ea1c3a1fae07f_2f10f6ac1b30a30cd4f31e26cb4e9b13	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\roaming\common softwares\1.30\1033.dll	Generic Write,Read Attributes
c:\users\user\appdata\roaming\common softwares\1.30\decoder.dll	Generic Write,Read Attributes
c:\users\user\appdata\roaming\common softwares\1.30\dfd0a61\winrar-x64-591.msi	Generic Write,Read Attributes
c:\users\user\appdata\roaming\hackers.exe	Generic Write,Read Attributes
c:\users\user\appdata\roaming\systema natives\mservices x 2.1.0\install\6e7ac47\mservice x.msi	Generic Write,Read Attributes
c:\users\user\appdata\roaming\systema natives\mservices x 2.1.0\install\decoder.dll	Generic Write,Read Attributes
c:\users\user\appdata\roaming\systema natives\mservices x 2.1.0\install\holder0.aiph	Generic Write,Read Attributes
c:\users\user\downloads\c:\programdata	Synchronize,Write Attributes
c:\windows\__tmp_rar_sfx_access_check_1284734	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\windows\appcompat\programs\amcache.hve	Read Data,Read Control,Write Data
c:\windows\appcompat\programs\amcache.hve	Write Attributes
c:\windows\kmspico_setup.exe	Generic Write,Read Attributes
c:\windows\kmspico_setup.exe	Synchronize,Write Attributes
c:\windows\system32.vbs	Generic Write,Read Attributes
c:\windows\system32.vbs	Synchronize,Write Attributes
c:\windows\window.exe	Generic Write,Read Attributes
c:\windows\window.exe	Synchronize,Write Attributes
c:\windows\windows.bat	Generic Write,Read Attributes
c:\windows\windows.bat	Synchronize,Write Attributes
c:\windows\windows.vbs	Generic Write,Read Attributes
c:\windows\windows.vbs	Synchronize,Write Attributes

Registry Modifications

Key::Value	Data	API Name
HKLM\system\controlset001\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list::c:\users\user\downloads\2bee30dc7a2cd28cc0137a80eecbe8e9fc77745e_0000042016	c:\users\user\downloads\2bee30dc7a2cd28cc0137a80eecbe8e9fc77745e_0000042016:*:Enabled:ipsec	RegNtPreCreateKey
HKCU\software\acoirphv::w1_0	윣렴	RegNtPreCreateKey
HKCU\software\acoirphv::w2_0	♄	RegNtPreCreateKey
HKCU\software\acoirphv::w3_0	ꢀĒ	RegNtPreCreateKey
HKCU\software\acoirphv::w4_0	d	RegNtPreCreateKey
HKCU\software\acoirphv::w1_1	鑴ᢈ	RegNtPreCreateKey
HKCU\software\acoirphv::w2_1	䀓潫	RegNtPreCreateKey
HKCU\software\acoirphv::w3_1	컗湹	RegNtPreCreateKey
HKCU\software\acoirphv::w4_1	昳潫	RegNtPreCreateKey
HKCU\software\acoirphv::w1_2	鎌ᘵ	RegNtPreCreateKey

HKCU\software\acoirphv::w2_2		RegNtPreCreateKey
HKCU\software\acoirphv::w3_2		RegNtPreCreateKey
HKCU\software\acoirphv::w4_2		RegNtPreCreateKey
HKCU\software\acoirphv::w1_3	搧ੌ	RegNtPreCreateKey
HKCU\software\acoirphv::w2_3	ᕁ乂	RegNtPreCreateKey
HKCU\software\acoirphv::w3_3	鮅佐	RegNtPreCreateKey
HKCU\software\acoirphv::w4_3	㍡乂	RegNtPreCreateKey
HKCU\software\acoirphv::w1_4		RegNtPreCreateKey
HKCU\software\acoirphv::w2_4	膋붭	RegNtPreCreateKey
HKCU\software\acoirphv::w3_4	㇜벿	RegNtPreCreateKey
HKCU\software\acoirphv::w4_4	餸붭	RegNtPreCreateKey
HKCU\software\acoirphv::w1_5	䐓㦱	RegNtPreCreateKey
HKCU\software\acoirphv::w2_5		RegNtPreCreateKey
HKCU\software\acoirphv::w3_5	圳Ⰺ	RegNtPreCreateKey
HKCU\software\acoirphv::w4_5	ￗⴘ	RegNtPreCreateKey
HKCU\software\acoirphv::w1_6	ꍢ湍	RegNtPreCreateKey
HKCU\software\acoirphv::w2_6	䁎鲄	RegNtPreCreateKey
HKCU\software\acoirphv::w3_6	캊鶖	RegNtPreCreateKey
HKCU\software\acoirphv::w4_6	普鲄	RegNtPreCreateKey
HKCU\software\acoirphv::w1_7	峟觾	RegNtPreCreateKey
HKCU\software\acoirphv::w2_7	퀚௯	RegNtPreCreateKey
HKCU\software\acoirphv::w3_7	擡૽	RegNtPreCreateKey
HKCU\software\acoirphv::w4_7	찅௯	RegNtPreCreateKey
HKCU\software\acoirphv::w1_8	鶹醪	RegNtPreCreateKey
HKCU\software\acoirphv::w2_8	Ɱ筛	RegNtPreCreateKey
HKCU\software\acoirphv::w3_8	騸穉	RegNtPreCreateKey
HKCU\software\acoirphv::w4_8	㋜筛	RegNtPreCreateKey
HKCU\software\winrar sfx::c:\programdata	%ProgramData%	RegNtPreCreateKey
HKCU\software\axtkjpwe::a1_0	윣렴	RegNtPreCreateKey
HKCU\software\axtkjpwe::a2_0	♄	RegNtPreCreateKey
HKCU\software\axtkjpwe::a3_0	ꢀĒ	RegNtPreCreateKey
HKCU\software\axtkjpwe::a4_0	d	RegNtPreCreateKey
HKCU\software\axtkjpwe::a1_1	遢ྂ	RegNtPreCreateKey
HKCU\software\axtkjpwe::a2_1	䐅硡	RegNtPreCreateKey
HKLM\system\controlset001\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list::c:\users\user\downloads\600276347abed96a481884d2b16907fe429efc61_0000045841	c:\users\user\downloads\600276347abed96a481884d2b16907fe429efc61_0000045841:*:Enabled:ipsec	RegNtPreCreateKey
HKCU\software\axtkjpwe::a3_1	쫁祳	RegNtPreCreateKey
HKCU\software\axtkjpwe::a4_1	戥硡	RegNtPreCreateKey
HKCU\software\axtkjpwe::a1_2	鮠㠡	RegNtPreCreateKey
HKCU\software\axtkjpwe::a2_2		RegNtPreCreateKey
HKCU\software\axtkjpwe::a3_2	氂	RegNtPreCreateKey
HKCU\software\axtkjpwe::a4_2	쓦	RegNtPreCreateKey
HKCU\software\axtkjpwe::a1_3	燡⴪	RegNtPreCreateKey
HKCU\software\axtkjpwe::a2_3	椤	RegNtPreCreateKey
HKCU\software\axtkjpwe::a3_3	蹃栶	RegNtPreCreateKey
HKCU\software\axtkjpwe::a4_3	⚧椤	RegNtPreCreateKey
HKCU\software\axtkjpwe::a1_4	ﵾ꿂	RegNtPreCreateKey
HKCU\software\axtkjpwe::a2_4	釓	RegNtPreCreateKey
HKCU\software\axtkjpwe::a3_4	ↄ	RegNtPreCreateKey
HKCU\software\axtkjpwe::a4_4	襠	RegNtPreCreateKey
HKCU\software\axtkjpwe::a1_5	僥䵏	RegNtPreCreateKey
HKCU\software\axtkjpwe::a2_5	쾊姦	RegNtPreCreateKey
HKCU\software\axtkjpwe::a3_5	䏅壴	RegNtPreCreateKey
HKCU\software\axtkjpwe::a4_5	姦	RegNtPreCreateKey
HKCU\software\axtkjpwe::a1_6	裮₁	RegNtPreCreateKey
HKCU\software\axtkjpwe::a2_6	毂퉈	RegNtPreCreateKey
HKCU\software\axtkjpwe::a3_6	퍚	RegNtPreCreateKey
HKCU\software\axtkjpwe::a4_6	䷢퉈	RegNtPreCreateKey
HKCU\software\axtkjpwe::a1_7	㽹좸	RegNtPreCreateKey
HKCU\software\axtkjpwe::a2_7	뎼䪩	RegNtPreCreateKey
HKCU\software\axtkjpwe::a3_7	݇䮻	RegNtPreCreateKey
HKCU\software\axtkjpwe::a4_7	꾣䪩	RegNtPreCreateKey
HKCU\software\axtkjpwe::a1_8	봉⧺	RegNtPreCreateKey
HKCU\software\axtkjpwe::a2_8	ೞ쌋	RegNtPreCreateKey
HKCU\software\axtkjpwe::a3_8	몈숙	RegNtPreCreateKey
HKCU\software\axtkjpwe::a4_8	ቬ쌋	RegNtPreCreateKey
HKCU\software\awyjmkjc::b1_0	윣렴	RegNtPreCreateKey
HKCU\software\awyjmkjc::b2_0	♄	RegNtPreCreateKey
HKCU\software\awyjmkjc::b3_0	ꢀĒ	RegNtPreCreateKey
HKCU\software\awyjmkjc::b4_0	d	RegNtPreCreateKey
HKCU\software\awyjmkjc::b1_1	衡႓	RegNtPreCreateKey
HKCU\software\awyjmkjc::b2_1	将杰	RegNtPreCreateKey
HKCU\software\awyjmkjc::b3_1	틂晢	RegNtPreCreateKey
HKCU\software\awyjmkjc::b4_1	稦杰	RegNtPreCreateKey
HKCU\software\awyjmkjc::b1_2	ꮦ؃	RegNtPreCreateKey
HKLM\system\controlset001\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list::c:\users\user\downloads\e6c49ad89c5d0476d967ce8ff3ebe1005bd10d1b_0000041863	c:\users\user\downloads\e6c49ad89c5d0476d967ce8ff3ebe1005bd10d1b_0000041863:*:Enabled:ipsec	RegNtPreCreateKey
HKCU\software\awyjmkjc::b2_2	틀컠	RegNtPreCreateKey
HKCU\software\awyjmkjc::b3_2	射쿲	RegNtPreCreateKey
HKCU\software\awyjmkjc::b4_2	컠	RegNtPreCreateKey
HKCU\software\awyjmkjc::b1_3	㧤牟	RegNtPreCreateKey
HKCU\software\awyjmkjc::b2_3	䢂㙑	RegNtPreCreateKey
HKCU\software\awyjmkjc::b3_3	왆㝃	RegNtPreCreateKey
HKCU\software\awyjmkjc::b4_3	溢㙑	RegNtPreCreateKey
HKCU\software\awyjmkjc::b1_4	鵲펆	RegNtPreCreateKey
HKCU\software\awyjmkjc::b2_4	鷁	RegNtPreCreateKey
HKCU\software\awyjmkjc::b3_4	䆈鳓	RegNtPreCreateKey
HKCU\software\awyjmkjc::b4_4	鷁	RegNtPreCreateKey
HKCU\software\awyjmkjc::b1_5		RegNtPreCreateKey
HKCU\software\awyjmkjc::b2_5	䞅Բ	RegNtPreCreateKey
HKCU\software\awyjmkjc::b3_5	쯊Р	RegNtPreCreateKey
HKCU\software\awyjmkjc::b4_5	挮Բ	RegNtPreCreateKey
HKCU\software\awyjmkjc::b1_6	ᣤ鹫	RegNtPreCreateKey
HKCU\software\awyjmkjc::b2_6	﯈沢	RegNtPreCreateKey
HKCU\software\awyjmkjc::b3_6	甌涰	RegNtPreCreateKey
HKCU\software\awyjmkjc::b4_6		RegNtPreCreateKey
HKCU\software\awyjmkjc::b1_7	읰嘂	RegNtPreCreateKey
HKCU\software\awyjmkjc::b2_7	䮵퐓	RegNtPreCreateKey
HKCU\software\awyjmkjc::b3_7	ｎ픁	RegNtPreCreateKey
HKCU\software\awyjmkjc::b4_7	垪퐓	RegNtPreCreateKey
HKCU\software\awyjmkjc::b1_8	紑텲	RegNtPreCreateKey
HKCU\software\awyjmkjc::b2_8	쳆㮃	RegNtPreCreateKey
HKCU\software\awyjmkjc::b3_8	窐㪑	RegNtPreCreateKey
HKCU\software\awyjmkjc::b4_8	퉴㮃	RegNtPreCreateKey
HKCU\software\alsrpuhq::f1_0	윣렴	RegNtPreCreateKey
HKCU\software\alsrpuhq::f2_0	♄	RegNtPreCreateKey
HKCU\software\alsrpuhq::f3_0	ꢀĒ	RegNtPreCreateKey
HKCU\software\alsrpuhq::f4_0	d	RegNtPreCreateKey
HKCU\software\alsrpuhq::f1_1	鵥֎	RegNtPreCreateKey
HKCU\software\alsrpuhq::f2_1	䤂牭	RegNtPreCreateKey
HKCU\software\alsrpuhq::f3_1	쟆獿	RegNtPreCreateKey
HKCU\software\alsrpuhq::f4_1	漢牭	RegNtPreCreateKey
HKCU\software\alsrpuhq::f1_2	膮ⰹ	RegNtPreCreateKey
HKCU\software\alsrpuhq::f2_2		RegNtPreCreateKey
HKCU\software\alsrpuhq::f3_2	瘌	RegNtPreCreateKey
HKCU\software\alsrpuhq::f4_2		RegNtPreCreateKey
HKCU\software\alsrpuhq::f1_3	᫰ፆ	RegNtPreCreateKey
HKCU\software\alsrpuhq::f2_3	殖坈	RegNtPreCreateKey
HKLM\system\controlset001\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list::c:\users\user\downloads\f4e1698474aaf2848319904dcb4aaf6a9587ad58_0000038090	c:\users\user\downloads\f4e1698474aaf2848319904dcb4aaf6a9587ad58_0000038090:*:Enabled:ipsec	RegNtPreCreateKey
HKCU\software\alsrpuhq::f3_3	噚	RegNtPreCreateKey
HKCU\software\alsrpuhq::f4_3	䶶坈	RegNtPreCreateKey
HKCU\software\alsrpuhq::f1_4	쥢蟲	RegNtPreCreateKey
HKCU\software\alsrpuhq::f2_4	ꗏ즵	RegNtPreCreateKey
HKCU\software\alsrpuhq::f3_4	ᖘ좧	RegNtPreCreateKey
HKCU\software\alsrpuhq::f4_4	뵼즵	RegNtPreCreateKey
HKCU\software\alsrpuhq::f1_5	韾⢊	RegNtPreCreateKey
HKCU\software\alsrpuhq::f2_5	࢑㰣	RegNtPreCreateKey
HKCU\software\alsrpuhq::f3_5	蓞㴱	RegNtPreCreateKey
HKCU\software\alsrpuhq::f4_5	ⰺ㰣	RegNtPreCreateKey
HKCU\software\alsrpuhq::f1_6	廌屙	RegNtPreCreateKey
HKCU\software\alsrpuhq::f2_6	뷠꺐	RegNtPreCreateKey
HKCU\software\alsrpuhq::f3_6	㌤꾂	RegNtPreCreateKey
HKCU\software\alsrpuhq::f4_6	鯀꺐	RegNtPreCreateKey
HKCU\software\alsrpuhq::f1_7	驔ꋯ	RegNtPreCreateKey
HKCU\software\alsrpuhq::f2_7	ᚑ⃾	RegNtPreCreateKey
HKCU\software\alsrpuhq::f3_7	ꉪ⇬	RegNtPreCreateKey
HKCU\software\alsrpuhq::f4_7	઎⃾	RegNtPreCreateKey
HKCU\software\alsrpuhq::f1_8	픱禚	RegNtPreCreateKey
HKCU\software\alsrpuhq::f2_8	擦鍫	RegNtPreCreateKey
HKCU\software\alsrpuhq::f3_8	튰鉹	RegNtPreCreateKey
HKCU\software\alsrpuhq::f4_8	穔鍫	RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::proxybypass		RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::intranetname		RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::uncasintranet		RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::autodetect		RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe		RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe		RegNtPreCreateKey
HKLM\software\microsoft\systemcertificates\authroot\certificates\afe5d244a8d1194230ff479fe2f897bbcd7a8cb4::blob	ㄛ熰㙀ᓌ鄶쒭﴾ᣬ0ᙶ蛍倇㶌དྷﺾ睨㔷珼潴ꥂ拽메爻Ӱ鑹꿥杗쇒妖隄 T到ࠆثԁ܅ȃࠆثԁ܅̃ਆثЁ舁਷Ѓࠆثԁ܅Ѓࠆثԁ܅؃ࠆثԁ܅܃ࠆثԁ܅ăࠆثԁ܅ࠃSC䄰∰ఆثЁ눁ıĂąሰူਆثЁ舁㰷āȃ쀀ᬰԆ腧Č〃〒ؐ⬊ĆĄ㞂	RegNtPreCreateKey
HKLM\software\microsoft\systemcertificates\authroot\certificates\afe5d244a8d1194230ff479fe2f897bbcd7a8cb4::blob	\ကↂﮏ玑搾欓燥垟ꇃ䓒톨䈙Ｐ齇뮗竍뒌㧋퓃Ⱗ揟乷렝씐麨꾻ɾ悔萼궎㣮㋙퐲b 쓡軥⧆ᬩㅠݿ煆嶸꡾嬍✇挴䭓됲㐂:Sectigo (formerly Comodo CA)S	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe	酨訵ǜ	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe	嗉訵ǜ	RegNtPreCreateKey
HKCU\software\ej-technologies\exe4j\pids::c:\users\user\downlo~1\5b03f2~1	ᢔ	RegNtPreCreateKey
HKLM\system\controlset001\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list::c:\users\user\downloads\04f49b62291df27003be9756d79530844c0cc8c3_0000044223	c:\users\user\downloads\04f49b62291df27003be9756d79530844c0cc8c3_0000044223:*:Enabled:ipsec	RegNtPreCreateKey
HKCU\software\ahstyuhy::l1_0	윣렴	RegNtPreCreateKey
HKCU\software\ahstyuhy::l2_0	♄	RegNtPreCreateKey
HKCU\software\ahstyuhy::l3_0	ꢀĒ	RegNtPreCreateKey
HKCU\software\ahstyuhy::l4_0	d	RegNtPreCreateKey
HKCU\software\ahstyuhy::l1_1	饯ᖎ	RegNtPreCreateKey
HKCU\software\ahstyuhy::l2_1	䴈扭	RegNtPreCreateKey
HKCU\software\ahstyuhy::l3_1	쏌捿	RegNtPreCreateKey
HKCU\software\ahstyuhy::l4_1	欨扭	RegNtPreCreateKey
HKCU\software\ahstyuhy::l1_2	覺హ	RegNtPreCreateKey
HKCU\software\ahstyuhy::l2_2	쓚	RegNtPreCreateKey
HKCU\software\ahstyuhy::l3_2	縘었	RegNtPreCreateKey
HKCU\software\ahstyuhy::l4_2	훼쓚	RegNtPreCreateKey
HKCU\software\ahstyuhy::l1_3	ᛆ捆	RegNtPreCreateKey
HKCU\software\ahstyuhy::l2_3	枠❈	RegNtPreCreateKey
HKCU\software\ahstyuhy::l3_3	♚	RegNtPreCreateKey
HKCU\software\ahstyuhy::l4_3	䆀❈	RegNtPreCreateKey
HKCU\software\ahstyuhy::l1_4		RegNtPreCreateKey
HKCU\software\ahstyuhy::l2_4	뗧覵	RegNtPreCreateKey
HKCU\software\ahstyuhy::l3_4	ְ袧	RegNtPreCreateKey
HKCU\software\ahstyuhy::l4_4	굔覵	RegNtPreCreateKey
HKCU\software\ahstyuhy::l1_5	ꏜ	RegNtPreCreateKey
HKCU\software\ahstyuhy::l2_5	㲳	RegNtPreCreateKey
HKCU\software\ahstyuhy::l3_5	냼	RegNtPreCreateKey
HKCU\software\ahstyuhy::l4_5	᠘	RegNtPreCreateKey
HKCU\software\ahstyuhy::l1_6	䚠뱙	RegNtPreCreateKey
HKCU\software\ahstyuhy::l2_6	ꖌ亐	RegNtPreCreateKey
HKCU\software\ahstyuhy::l3_6	⭈侂	RegNtPreCreateKey
HKCU\software\ahstyuhy::l4_6	莬亐	RegNtPreCreateKey
HKCU\software\ahstyuhy::l1_7	羪㋬	RegNtPreCreateKey
HKCU\software\ahstyuhy::l2_7	냽	RegNtPreCreateKey
HKCU\software\ahstyuhy::l3_7	䞔뇯	RegNtPreCreateKey
HKCU\software\ahstyuhy::l4_7	냽	RegNtPreCreateKey
HKCU\software\ahstyuhy::l1_8	連	RegNtPreCreateKey
HKCU\software\ahstyuhy::l2_8	䒶፫	RegNtPreCreateKey
HKCU\software\ahstyuhy::l3_8	ቹ	RegNtPreCreateKey
HKCU\software\ahstyuhy::l4_8	娄፫	RegNtPreCreateKey

Windows API Usage

Category	API
Anti Debug	IsDebuggerPresent NtQuerySystemInformation OutputDebugString
User Data Access	GetComputerName GetComputerNameEx GetUserDefaultLocaleName GetUserName GetUserNameEx GetUserObjectInformation OpenClipboard
Syscall Use	ntdll.dll!NtAccessCheck ntdll.dll!NtAddAtomEx ntdll.dll!NtAdjustPrivilegesToken ntdll.dll!NtAlertThreadByThreadId ntdll.dll!NtAllocateLocallyUniqueId ntdll.dll!NtAlpcConnectPort ntdll.dll!NtAlpcConnectPortEx ntdll.dll!NtAlpcCreateResourceReserve ntdll.dll!NtAlpcCreateSecurityContext ntdll.dll!NtAlpcDeleteSecurityContext Show More ntdll.dll!NtAlpcQueryInformation ntdll.dll!NtAlpcQueryInformationMessage ntdll.dll!NtAlpcSendWaitReceivePort ntdll.dll!NtAlpcSetInformation ntdll.dll!NtApphelpCacheControl ntdll.dll!NtAssociateWaitCompletionPacket ntdll.dll!NtCancelTimer2 ntdll.dll!NtCancelWaitCompletionPacket ntdll.dll!NtClearEvent ntdll.dll!NtClose ntdll.dll!NtCompareSigningLevels ntdll.dll!NtConnectPort ntdll.dll!NtCreateEvent ntdll.dll!NtCreateFile ntdll.dll!NtCreateIoCompletion ntdll.dll!NtCreateKey ntdll.dll!NtCreateMailslotFile ntdll.dll!NtCreateMutant ntdll.dll!NtCreatePrivateNamespace ntdll.dll!NtCreateSection ntdll.dll!NtCreateSemaphore ntdll.dll!NtCreateThreadEx ntdll.dll!NtCreateTimer ntdll.dll!NtCreateTimer2 ntdll.dll!NtCreateWaitCompletionPacket ntdll.dll!NtCreateWorkerFactory ntdll.dll!NtDelayExecution ntdll.dll!NtDeleteValueKey ntdll.dll!NtDeviceIoControlFile ntdll.dll!NtDuplicateObject ntdll.dll!NtDuplicateToken ntdll.dll!NtEnumerateKey ntdll.dll!NtEnumerateValueKey ntdll.dll!NtFlushProcessWriteBuffers ntdll.dll!NtFreeVirtualMemory ntdll.dll!NtFsControlFile ntdll.dll!NtGetCachedSigningLevel ntdll.dll!NtGetNlsSectionPtr ntdll.dll!NtLoadKeyEx ntdll.dll!NtLockFile ntdll.dll!NtMapViewOfSection ntdll.dll!NtNotifyChangeKey ntdll.dll!NtOpenDirectoryObject ntdll.dll!NtOpenEvent ntdll.dll!NtOpenFile ntdll.dll!NtOpenKey ntdll.dll!NtOpenKeyEx ntdll.dll!NtOpenMutant ntdll.dll!NtOpenProcess ntdll.dll!NtOpenProcessToken ntdll.dll!NtOpenProcessTokenEx ntdll.dll!NtOpenSection ntdll.dll!NtOpenSemaphore ntdll.dll!NtOpenSymbolicLinkObject ntdll.dll!NtOpenThread ntdll.dll!NtOpenThreadToken ntdll.dll!NtOpenThreadTokenEx ntdll.dll!NtPowerInformation ntdll.dll!NtProtectVirtualMemory ntdll.dll!NtQueryAttributesFile ntdll.dll!NtQueryDebugFilterState ntdll.dll!NtQueryDefaultLocale ntdll.dll!NtQueryDirectoryFileEx ntdll.dll!NtQueryFullAttributesFile ntdll.dll!NtQueryInformationFile ntdll.dll!NtQueryInformationJobObject ntdll.dll!NtQueryInformationProcess ntdll.dll!NtQueryInformationThread ntdll.dll!NtQueryInformationToken ntdll.dll!NtQueryKey ntdll.dll!NtQueryLicenseValue ntdll.dll!NtQueryObject ntdll.dll!NtQueryPerformanceCounter ntdll.dll!NtQuerySecurityAttributesToken ntdll.dll!NtQuerySecurityObject ntdll.dll!NtQuerySymbolicLinkObject ntdll.dll!NtQuerySystemInformation ntdll.dll!NtQuerySystemInformationEx ntdll.dll!NtQueryValueKey ntdll.dll!NtQueryVirtualMemory ntdll.dll!NtQueryVolumeInformationFile ntdll.dll!NtQueryWnfStateData ntdll.dll!NtQueueApcThreadEx2 ntdll.dll!NtReadFile ntdll.dll!NtReadRequestData ntdll.dll!NtReadVirtualMemory ntdll.dll!NtReleaseMutant ntdll.dll!NtReleaseSemaphore ntdll.dll!NtReleaseWorkerFactoryWorker ntdll.dll!NtRemoveIoCompletionEx 165 additional items are not displayed above.
Process Shell Execute	CreateProcess
Encryption Used	BCryptOpenAlgorithmProvider
Other Suspicious	AdjustTokenPrivileges
Network Winsock2	WSAStartup
Network Winsock	closesocket gethostname socket
Network Info Queried	GetAdaptersAddresses
Service Control	OpenSCManager OpenService StartServiceCtrlDispatcher
Network Wininet	InternetOpen InternetOpenUrl InternetReadFile
Keyboard Access	GetKeyState
Process Manipulation Evasion	NtUnmapViewOfSection ReadProcessMemory
Network Urlomon	URLDownloadToFile
Cert Store Read	CertEnumCertificatesInStore CertOpenStore
Cert Store Write	CertAddEncodedCertificateToStore
Process Terminate	TerminateProcess

Shell Command Execution


							powershell -Command "Add-MpPreference -ExclusionProcess 'powershell.exe'"


							c:\users\user\downloads\Altruistics.exe "c:\users\user\downloads\Altruistics.exe" "-u" "-g" ":\sandbox_live\SandboxTool.exe"


							C:\Windows\Microsoft.NET\Framework64\v2.0.50727\\dw20.exe dw20.exe -x -s 708


							D:\Windows Files 381.529\xmrig.exe (NULL)


							D:\Windows Files 381.529\Windows Files Manager User mode.exe (NULL)


									schtasks.exe /create /f /RL HIGHEST /sc onlogon /tn "MicrosoftEdgeUpdateTaskMachineCoreUE" /tr "rundll32.exe C:\Windows\System32\vcruntime143_threads.dll,Update"


									schtasks.exe /create /f /RL HIGHEST /sc hourly /mo 1 /tn "MicrosoftEdgeUpdateTaskMachineCoreUI" /tr "rundll32.exe C:\Windows\System32\vcruntime143_threads.dll,Update"


									schtasks /delete /f /tn "MicrosoftEdgeUpdateTaskMachineCoreUO"


									C:\Users\Lueocmoq\AppData\Local\Temp\temp_script.bat


									C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe powershell  -Command "Add-MpPreference -ExclusionProcess 'C:\\*'"


									C:\WINDOWS\system32\cmd.exe /C for %I in ("c:\Users\user\downloads\5b03f261746e2d03b295054a22829f6308cb5391_0000304112") do @echo %~sI

Trojan.Bitcoinminer

Threat Scorecard

EnigmaSoft Threat Scorecard

How Trojan.Bitcoinminer may be Delivered

The Trojan.Bitcoinminer Infection and Its Related Symptoms

General Recommendations Related to Trojan.Bitcoinminer

SpyHunter Detects & Remove Trojan.Bitcoinminer

File System Details

Registry Details

Directories

Analysis Report

General information

Known Samples

Known Samples

Windows Portable Executable Attributes

Windows Portable Executable Attributes

File Icons

File Icons

Windows PE Version Information

Windows PE Version Information

Digital Signatures

Digital Signatures

File Traits

Block Information

Block Information

Visual Map

Similar Families

Similar Families

Files Modified

Files Modified

Registry Modifications

Registry Modifications

Windows API Usage

Windows API Usage

Shell Command Execution

Shell Command Execution

Submit Comment

Related Posts

Trending

Most Viewed