Windows Analysis Report
SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe

Overview

General Information

Sample name: SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe
Analysis ID: 1543312
MD5: 5360ec27f015cc0662710451f7084303
SHA1: 992317242e0acae6cdfaffa812a867d858bbc13a
SHA256: d2bd84b83282597a8106aa18b38902262cbe81efce426a55e6cd50725556d0c5
Infos:

Detection

Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Adds a directory exclusion to Windows Defender
Creates an undocumented autostart registry key
Drops large PE files
Found direct / indirect Syscall (likely to bypass EDR)
Loading BitLocker PowerShell Module
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Sigma detected: Execution from Suspicious Folder
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Changes image file execution options
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion NT Autorun Keys Modification
Sigma detected: Powershell Defender Exclusion
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry

Classification

Source: SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305891511353.0000020B57CCD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG3.crt0B
Source: powershell.exe, 00000002.00000002.306176831095.0000021AE9D5F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: powershell.exe, 00000002.00000002.306176831095.0000021AE9D5F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305891511353.0000020B57CCD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG3.crl0
Source: powershell.exe, 00000002.00000002.306152783655.0000021A814F2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.306168142673.0000021A9006D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305891511353.0000020B57CCD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: powershell.exe, 00000002.00000002.306152783655.0000021A8022C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000002.00000002.306152783655.0000021A8022C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.pngXzw
Source: powershell.exe, 00000002.00000002.306152783655.0000021A8022C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000002.00000002.306152783655.0000021A80001000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000002.00000002.306152783655.0000021A8022C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000002.00000002.306152783655.0000021A8022C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000002.00000002.306152783655.0000021A8022C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.htmlXzw
Source: SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305892444259.0000020B57E75000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305892444259.0000020B57EB5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305946317042.0000020B58081000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305946317042.0000020B5804D000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306593142329.000001A56DD19000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306620080706.000001A56DE69000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306593142329.000001A56DCD9000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306651882230.000001A56E28D000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306653296362.000001A56E28D000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306620080706.000001A56DEA9000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306651882230.000001A56E24D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.intel.com/support/gfx_feedback
Source: powershell.exe, 00000002.00000002.306152783655.0000021A80001000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore68
Source: SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305938250782.0000020B57F4C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305884641149.0000020B57F27000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306647230166.000001A56E85D000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306618086324.000001A56E85C000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306589926692.000001A56E05F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/
Source: SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305884641149.0000020B58008000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305938250782.0000020B5802D000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306618086324.000001A56E93D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?
Source: SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305884641149.0000020B58008000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305938250782.0000020B5802D000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306618086324.000001A56E93D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
Source: powershell.exe, 00000002.00000002.306168142673.0000021A9006D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000002.00000002.306168142673.0000021A9006D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000002.00000002.306168142673.0000021A9006D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305894766096.0000020B57E41000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305894766096.0000020B57E26000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305946317042.0000020B57FFD000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306651882230.000001A56E1FE000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306593142329.000001A56DCA5000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306620080706.000001A56DE1A000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306593142329.000001A56DC8A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://gameplayapi.intel.com/api/games/downloadthumbnail/
Source: SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305894766096.0000020B57E41000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305946317042.0000020B57FFD000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306651882230.000001A56E1FE000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306593142329.000001A56DCA5000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306620080706.000001A56DE1A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://gameplayapi.intel.com/api/games/downloadthumbnail/X
Source: SgrmBroker.exe, 0000000E.00000003.306593142329.000001A56DC8A000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306653296362.000001A56E1F5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://gameplayapi.intel.com/api/games/getagsgames2/
Source: SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305894766096.0000020B57E26000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305946317042.0000020B57FFD000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306651882230.000001A56E1FE000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306620080706.000001A56DE1A000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306593142329.000001A56DC8A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://gameplayapi.intel.com/api/games/getagsgames2/CRT4.dll
Source: SgrmBroker.exe, 0000000E.00000003.306620080706.000001A56DE1A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://gameplayapi.intel.com/api/games/getagsgamesettings2/
Source: SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305894766096.0000020B57E41000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305946317042.0000020B57FFD000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306651882230.000001A56E1FE000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306593142329.000001A56DCA5000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306620080706.000001A56DE1A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://gameplayapi.intel.com/api/games/getagsgamesettings2/4
Source: SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305894766096.0000020B57E41000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305946317042.0000020B57FFD000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306651882230.000001A56E1FE000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306593142329.000001A56DCA5000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306620080706.000001A56DE1A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://gameplayapi.intel.com/api/games/getagsgamesettings2/D
Source: SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305946317042.0000020B57FF6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305894766096.0000020B57E1E000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305892444259.0000020B57E19000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306620080706.000001A56DE12000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306593142329.000001A56DC82000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306651882230.000001A56E100000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306592448609.000001A56DC7C000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306653296362.000001A56E1F5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://gameplayapi.intel.com/api/games/getagsgamesettings2/Q
Source: powershell.exe, 00000002.00000002.306152783655.0000021A8022C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000002.00000002.306152783655.0000021A8022C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/PesterXzw
Source: powershell.exe, 00000002.00000002.306152783655.0000021A814F2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.306168142673.0000021A9006D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305894766096.0000020B57E41000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305894766096.0000020B57E26000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305946317042.0000020B57FF6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305946317042.0000020B57FFD000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305894766096.0000020B57E1E000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305892444259.0000020B57E19000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306651882230.000001A56E1FE000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306620080706.000001A56DE12000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306593142329.000001A56DCA5000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306593142329.000001A56DC82000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306651882230.000001A56E100000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306620080706.000001A56DE1A000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306592448609.000001A56DC7C000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306593142329.000001A56DC8A000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306653296362.000001A56E1F5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://tst-gameplayapi.intel.com/api/games/downloadthumbnail/
Source: SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305894766096.0000020B57E41000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305946317042.0000020B57FFD000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306651882230.000001A56E1FE000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306593142329.000001A56DCA5000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306620080706.000001A56DE1A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://tst-gameplayapi.intel.com/api/games/downloadthumbnail/N
Source: SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305894766096.0000020B57E41000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305946317042.0000020B57FFD000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306651882230.000001A56E1FE000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306593142329.000001A56DCA5000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306620080706.000001A56DE1A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://tst-gameplayapi.intel.com/api/games/downloadthumbnail/f
Source: SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305894766096.0000020B57E41000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305946317042.0000020B57FF6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305946317042.0000020B57FFD000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305894766096.0000020B57E1E000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305892444259.0000020B57E19000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306651882230.000001A56E1FE000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306620080706.000001A56DE12000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306593142329.000001A56DCA5000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306593142329.000001A56DC82000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306651882230.000001A56E100000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306620080706.000001A56DE1A000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306592448609.000001A56DC7C000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306653296362.000001A56E1F5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://tst-gameplayapi.intel.com/api/games/getagsgames2/
Source: SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305946317042.0000020B57FF6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305894766096.0000020B57E1E000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305892444259.0000020B57E19000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306620080706.000001A56DE12000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306593142329.000001A56DC82000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306651882230.000001A56E100000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306592448609.000001A56DC7C000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306653296362.000001A56E1F5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://tst-gameplayapi.intel.com/api/games/getagsgames2/b
Source: SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305894766096.0000020B57E41000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305946317042.0000020B57FFD000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306651882230.000001A56E1FE000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306593142329.000001A56DCA5000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306620080706.000001A56DE1A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://tst-gameplayapi.intel.com/api/games/getagsgames2/p
Source: SgrmBroker.exe, 0000000E.00000003.306593142329.000001A56DC8A000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306653296362.000001A56E1F5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://tst-gameplayapi.intel.com/api/games/getagsgamesettings2/
Source: SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305894766096.0000020B57E26000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305946317042.0000020B57FFD000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306651882230.000001A56E1FE000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306620080706.000001A56DE1A000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306593142329.000001A56DC8A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://tst-gameplayapi.intel.com/api/games/getagsgamesettings2/x

System Summary
barindex
Drops large PE files
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe File dump: SppExtComObj.exe.0.dr 706740224 Jump to dropped file
Detected potential crypto function
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FF93F5930E9 2_2_00007FF93F5930E9
Sample file is different than original file name gathered from version info
Source: SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305894766096.0000020B57E8B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamekernel32j% vs SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe
Source: SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305946317042.0000020B58063000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamekernel32j% vs SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe
Uses reg.exe to modify the Windows registry
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg add HKLM\SOFTWARE\Policies\Microsoft\MRT /v DontOfferThroughWUAU /t REG_DWORD /d 1 /f
Source: classification engine Classification label: mal80.evad.winEXE@22/6@0/0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4996:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2428:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4996:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4524:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4780:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4524:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2428:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4780:304:WilStaging_02
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nwy0oost.mwj.ps1 Jump to behavior
Source: SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Name FROM Win32_Process
Source: C:\Users\Public\AppData_Temp\Videos_Temp\SgrmBroker.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\Public\AppData_Temp\Videos_Temp\SgrmBroker.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Name FROM Win32_Process
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath @($env:ProgramData, 'C:\Users\Public') -ExclusionExtension '.exe' -Force"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c "wusa /uninstall /kb:890830 /quiet /norestart"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c "del /f /q %SystemRoot%\System32\MRT.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c "reg add HKLM\SOFTWARE\Policies\Microsoft\MRT /v DontOfferThroughWUAU /t REG_DWORD /d 1 /f"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg add HKLM\SOFTWARE\Policies\Microsoft\MRT /v DontOfferThroughWUAU /t REG_DWORD /d 1 /f
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe Process created: C:\ProgramData\Documents_1\Documents_2\SppExtComObj.exe "C:\ProgramData\Documents_1\Documents_2\SppExtComObj.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe Process created: C:\Users\Public\AppData_Temp\Videos_Temp\SgrmBroker.exe "C:\Users\Public\AppData_Temp\Videos_Temp\SgrmBroker.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath @($env:ProgramData, 'C:\Users\Public') -ExclusionExtension '.exe' -Force" Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c "wusa /uninstall /kb:890830 /quiet /norestart" Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c "del /f /q %SystemRoot%\System32\MRT.exe" Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c "reg add HKLM\SOFTWARE\Policies\Microsoft\MRT /v DontOfferThroughWUAU /t REG_DWORD /d 1 /f" Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe Process created: C:\ProgramData\Documents_1\Documents_2\SppExtComObj.exe "C:\ProgramData\Documents_1\Documents_2\SppExtComObj.exe" Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe Process created: C:\Users\Public\AppData_Temp\Videos_Temp\SgrmBroker.exe "C:\Users\Public\AppData_Temp\Videos_Temp\SgrmBroker.exe" Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg add HKLM\SOFTWARE\Policies\Microsoft\MRT /v DontOfferThroughWUAU /t REG_DWORD /d 1 /f Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe Section loaded: powrprof.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe Section loaded: pdh.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe Section loaded: umpdc.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe Section loaded: edgegdi.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe Section loaded: perfos.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: edgegdi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: xmllite.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: fastprox.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: ncobjapi.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: edgegdi.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mpclient.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wmitomi.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mi.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\System32\wusa.exe Section loaded: dpx.dll Jump to behavior
Source: C:\Windows\System32\wusa.exe Section loaded: wtsapi32.dll Jump to behavior
Source: C:\Windows\System32\wusa.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\wusa.exe Section loaded: edgegdi.dll Jump to behavior
Source: C:\Windows\System32\wusa.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\wusa.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\ProgramData\Documents_1\Documents_2\SppExtComObj.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\ProgramData\Documents_1\Documents_2\SppExtComObj.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\ProgramData\Documents_1\Documents_2\SppExtComObj.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\ProgramData\Documents_1\Documents_2\SppExtComObj.exe Section loaded: pdh.dll Jump to behavior
Source: C:\ProgramData\Documents_1\Documents_2\SppExtComObj.exe Section loaded: powrprof.dll Jump to behavior
Source: C:\ProgramData\Documents_1\Documents_2\SppExtComObj.exe Section loaded: secur32.dll Jump to behavior
Source: C:\ProgramData\Documents_1\Documents_2\SppExtComObj.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\ProgramData\Documents_1\Documents_2\SppExtComObj.exe Section loaded: netutils.dll Jump to behavior
Source: C:\ProgramData\Documents_1\Documents_2\SppExtComObj.exe Section loaded: samcli.dll Jump to behavior
Source: C:\ProgramData\Documents_1\Documents_2\SppExtComObj.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\ProgramData\Documents_1\Documents_2\SppExtComObj.exe Section loaded: edgegdi.dll Jump to behavior
Source: C:\ProgramData\Documents_1\Documents_2\SppExtComObj.exe Section loaded: umpdc.dll Jump to behavior
Source: C:\Users\Public\AppData_Temp\Videos_Temp\SgrmBroker.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\Public\AppData_Temp\Videos_Temp\SgrmBroker.exe Section loaded: pdh.dll Jump to behavior
Source: C:\Users\Public\AppData_Temp\Videos_Temp\SgrmBroker.exe Section loaded: powrprof.dll Jump to behavior
Source: C:\Users\Public\AppData_Temp\Videos_Temp\SgrmBroker.exe Section loaded: edgegdi.dll Jump to behavior
Source: C:\Users\Public\AppData_Temp\Videos_Temp\SgrmBroker.exe Section loaded: umpdc.dll Jump to behavior
Source: C:\Users\Public\AppData_Temp\Videos_Temp\SgrmBroker.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\Public\AppData_Temp\Videos_Temp\SgrmBroker.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\Public\AppData_Temp\Videos_Temp\SgrmBroker.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\Public\AppData_Temp\Videos_Temp\SgrmBroker.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\Public\AppData_Temp\Videos_Temp\SgrmBroker.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\Public\AppData_Temp\Videos_Temp\SgrmBroker.exe Section loaded: perfos.dll Jump to behavior
Source: C:\Users\Public\AppData_Temp\Videos_Temp\SgrmBroker.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll Jump to behavior
Source: SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe Static file information: File size 30691840 > 1048576
Source: SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x1ce7000
Source: SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
PE file contains sections with non-standard names
Source: SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe Static PE information: section name: _RDATA
Source: SppExtComObj.exe.0.dr Static PE information: section name: .xdata
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FF93F3AD2A5 pushad ; iretd 2_2_00007FF93F3AD2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FF93F4C242D push E95B4B93h; ret 2_2_00007FF93F4C2539
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FF93F4C37FA pushad ; iretd 2_2_00007FF93F4C3811
Drops PE files
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe File created: C:\ProgramData\Documents_1\Documents_2\SppExtComObj.exe Jump to dropped file
Drops PE files to the application program directory (C:\ProgramData)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe File created: C:\ProgramData\Documents_1\Documents_2\SppExtComObj.exe Jump to dropped file

Boot Survival
barindex
Creates an undocumented autostart registry key
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tcpview.exe MinimumStackCommitInBytes Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tcpview.exe MinimumStackCommitInBytes Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tcpview64.exe MinimumStackCommitInBytes Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tcpview64.exe MinimumStackCommitInBytes Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe MinimumStackCommitInBytes Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe MinimumStackCommitInBytes Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GlassWireSetup.exe MinimumStackCommitInBytes Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GlassWireSetup.exe MinimumStackCommitInBytes Jump to behavior
Changes image file execution options
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tcpview.exe MinimumStackCommitInBytes Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tcpview64.exe MinimumStackCommitInBytes Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe MinimumStackCommitInBytes Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GlassWireSetup.exe MinimumStackCommitInBytes Jump to behavior

Hooking and other Techniques for Hiding and Protection
barindex
Loading BitLocker PowerShell Module
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\AppData_Temp\Videos_Temp\SgrmBroker.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Queries memory information (via WMI often done to detect virtual machines)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_PortConnector
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM CIM_PhysicalConnector
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM CIM_Slot
Source: C:\Users\Public\AppData_Temp\Videos_Temp\SgrmBroker.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_PortConnector
Source: C:\Users\Public\AppData_Temp\Videos_Temp\SgrmBroker.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM CIM_PhysicalConnector
Source: C:\Users\Public\AppData_Temp\Videos_Temp\SgrmBroker.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM CIM_Slot
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_PhysicalMemory
Source: C:\Users\Public\AppData_Temp\Videos_Temp\SgrmBroker.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_PhysicalMemory
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 9797 Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1908 Thread sleep count: 9797 > 30 Jump to behavior
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\Public\AppData_Temp\Videos_Temp\SgrmBroker.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: SgrmBroker.exe, 0000000E.00000003.306568332512.000001A56BE1C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Interrupt Notifications/sec4874Hypervisor Branch Predictor Flushes/sec4876Hypervisor L1 Data Cache Flushes/sec4878Hypervisor Immediate L1 Data Cache Flushes/sec4880Hypervisor Microarchitectural Buffer Flushes/sec4882Counter Refresh Sequence Number4884Counter Refresh Reference Time4886Idle Accumulation Snapshot4888Active Tsc Count Snapshot4890HWP Request MSR Context Switches/sec4892Guest Run Time4894Idle Time4896% Total Run Time4898% Hypervisor Run Time4900% Guest Run Time4902% Idle Time4904Total Interrupts/sec4788Hyper-V Hypervisor4790Logical Processors4792Partitions4794Total Pages4796Virtual Processors4798Monitored Notifications4800Modern Standby Entries4802Platform Idle Transitions4804HypervisorStartupCost4906Hyper-V Hypervisor Root Partition4908Virtual Processors4910Virtual TLB Pages4912Address Spaces4914Deposited Pages4916GPA Pages4918GPA Space Modifications/sec4920Virtual TLB Flush Entires/sec4922Recommended Virtual TLB Size49244K GPA pages49262M GPA pages49281G GPA pages4930512G GPA pages49324K device pages49342M device pages49361G device pages4938512G device pages4940Attached Devices4942Device Interrupt Mappings4944I/O TLB Flushes/sec4946I/O TLB Flush Cost4948Device Interrupt Errors4950Device DMA Errors4952Device Interrupt Throttle Events4954Skipped Timer Ticks4956Partition Id4958Nested TLB Size4960Recommended Nested TLB Size4962Nested TLB Free List Size4964Nested TLB Trimmed Pages/sec4966Pages Shattered/sec4968Pages Recombined/sec4970I/O TLB Flushes Base4972Hype
Source: SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305907391418.0000020B57E2A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Hypervisor Root Partition0
Source: SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305907391418.0000020B57E2A000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305907391418.0000020B57EA7000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306609514960.000001A56DCC0000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306634038214.000001A56DE50000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306663088731.000001A56DE50000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Dynamic Memory Integration Service
Source: SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305867242122.0000020B55CE9000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305868692231.0000020B55CE9000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306578136932.000001A56D84A000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306578310501.000001A56D88F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: kflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Interrupt Notifications/sec4874Hypervisor Branch Predictor Flushes/sec4876Hypervisor L1 Data Cache Flushes/sec4878Hypervisor Immediate L1 Data Cache Flushes/sec4880Hypervisor Microarchitectural Buffer Flushes/sec4882Counter Refresh Sequence Number4884Counter Refresh Reference Tim
Source: SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305907391418.0000020B57EA7000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306664152503.000001A56DE1D000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306634038214.000001A56DE1D000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306609514960.000001A56DC8D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: DHyper-V Virtual Machine Bus Pipes
Source: SgrmBroker.exe, 0000000E.00000003.306663088731.000001A56DE5C000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306634038214.000001A56DE5C000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306609514960.000001A56DCCC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Dynamic Memory Integration Servicee Z
Source: SgrmBroker.exe, 0000000E.00000003.306664152503.000001A56DE1D000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306634038214.000001A56DE1D000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306609514960.000001A56DC8D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: DHyper-V Hypervisor Root PartitioncoR
Source: SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305907391418.0000020B57E2A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V VM Vid Partition
Source: SgrmBroker.exe, 0000000E.00000003.306663088731.000001A56DE5C000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306634038214.000001A56DE5C000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306609514960.000001A56DCCC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Hypervisor Root Partition
Source: SgrmBroker.exe, 0000000E.00000003.306663088731.000001A56DE5C000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306634038214.000001A56DE5C000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306609514960.000001A56DCCC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Virtual Machine Bus PipesC:\Program Filesx [
Source: SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305907391418.0000020B57EA7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VHyper-V Dynamic Memory Integration Service
Source: SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305866096591.0000020B576E3000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305866914754.0000020B576E3000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305867364112.0000020B576E3000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305866440634.0000020B576E3000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305865795783.0000020B576E3000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305866355243.0000020B576E3000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305866010520.0000020B576E3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: kflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec
Source: SgrmBroker.exe, 0000000E.00000003.306609514960.000001A56DCC0000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306634038214.000001A56DE50000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306663088731.000001A56DE50000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V VM Vid Partitiony8
Source: SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305907391418.0000020B57E2A000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306663088731.000001A56DE5C000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306634038214.000001A56DE5C000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306609514960.000001A56DCCC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Virtual Machine Bus Pipes
Source: SgrmBroker.exe, 0000000E.00000003.306566218581.000001A56BE1F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: kflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time48
Source: SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305907391418.0000020B57EA7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: JHyper-V Hypervisor Logical Processor
Source: SgrmBroker.exe, 0000000E.00000003.306663088731.000001A56DE5C000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306634038214.000001A56DE5C000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306609514960.000001A56DCCC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Hypervisor^
Source: SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305907391418.0000020B57E2A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Hypervisor Root Virtual Processoru
Source: SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305907391418.0000020B57EA7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Hypervisor Logical Processorx
Source: SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305907391418.0000020B57EA7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: THyper-V Hypervisor Root Virtual Processor{
Source: SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305907391418.0000020B57EA7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Virtual Machine Bus Pipeslk
Source: SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305907391418.0000020B57EA7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: THyper-V Hypervisor Root Virtual Processorwm
Source: SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305877912239.0000020B576E9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 6242WorkflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Interrupt Notifications/sec4874Hypervisor Branch Predictor Flushes/sec4876Hypervisor L1 Data Cache Flushes/sec4878Hypervisor Immediate L1 Data Cache Flushes/sec4880Hypervisor Microarchitectural Buffer Flushes/sec4882Counter Refresh Sequence Number4884Counter Refresh Reference Time4886Idle Accumulation Snapshot4888Active Tsc Count Snapshot4890HWP Request MSR Context Switches/sec4892Guest Run Time4894Idle Time4896% Total Run Time4898% Hypervisor Run Time4900% Guest Run Time4902% Idle Time4904Total Interrupts/sec4788Hyper-V Hypervisor4790Logical Processors4792Partitions4794Total Pages4796Virtual Processors4798Monitored Notifications4800Modern Standby Entries4802Platform Idle Transitions4804HypervisorStartupCost4906Hyper-V Hypervisor Root Partition4908Virtual Processors4910Virtual TLB Pages4912Address Spaces4914Deposited Pages4916GPA Pages4918GPA Space Modifications/sec4920Virtual TLB Flush Entires/sec4922Recommended Virtual TLB Size49244K GPA pages49262M GPA pages49281G GPA pages4930512G GPA pages49324K device pages49342M device pages49361G device pages4938512G device pages4940Attached Devices4942Device Interrupt Mappings4944I/O TLB Flushes/sec4946I/O TLB Flush Cost4948Device Interrupt Errors4950Device DMA Errors4952Device Interrupt Throttle Events4954Skipped Timer Ticks4956Partition Id4958Nested TLB Size4960Recommended Nested TLB Size4962Nested TLB Free List Size4964Nested TLB Trimmed Pages/sec4966Pages Shattered/sec4968Pages Recombined/sec4970I/O T
Source: SgrmBroker.exe, 0000000E.00000003.306663088731.000001A56DE5C000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306634038214.000001A56DE5C000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306609514960.000001A56DCCC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Virtual Machine Bus
Source: SgrmBroker.exe, 0000000E.00000003.306664152503.000001A56DE1D000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306634038214.000001A56DE1D000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306609514960.000001A56DC8D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V VM Vid Partitionll
Source: SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305907391418.0000020B57EA7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Virtual Machine Bus{
Source: SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305907391418.0000020B57EA7000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306609514960.000001A56DCC0000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306634038214.000001A56DE50000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306663088731.000001A56DE50000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Hypervisor Root Virtual Processor
Source: SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305867242122.0000020B55CD9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Interrupt Notifications/sec4874Hypervisor Branch Predictor Flushes/sec4876Hypervisor L1 Data Cache Flushes/sec4878Hypervisor Immediate L1 Data Cache Flushes/sec4880Hypervisor Microarchitectural Buffer Flushes/sec4882Counter Refresh Sequence Number4884Counter Refresh Reference Time4886Idle Accumulation Snapshot4888Active Tsc Count Snapshot4890HWP Request MSR Context Switches/sec4892Guest Run Time4894Idle Time4896% Total Run Time4898% Hypervisor Run Time4900% Guest Run Time4902% Idle Time4904Total Interrupts/sec4788Hyper-V Hypervisor4790Logical Processors4792Partitions4794Total Pages4796Virtual Processors4798Monitored Notifications4800Modern Standby Entries4802Platform Idle Transitions4804HypervisorStartupCost4906Hyper-V Hypervisor Root Partition4908Virtual Processors4910Virtual TLB Pages4912Address Spaces4914Deposited Pages4916GPA Pages4918GPA Space Modifications/sec4920Virtual TLB Flush Entires/sec4922Recommended Virtual TLB Size49244K GPA pages49262M GPA pages49281G GPA pages4930512G GPA pages49324K device pages49342M device pages49361G device pages4938512G device pages4940Attached Devices4942Device Interrupt Mappings4944I/O TLB Flushes/sec4946I/O TLB Flush Cost4948Device Interrupt Errors4950Device DMA Errors4952Device Interrupt Throttle Events4954Skipped Timer Ticks4956Partition Id4958Nested TLB Size4960Recommended Nested TLB Size4962Nested TLB Free List Size4964Nested TLB Trimmed Pages/sec4966Pages Shattered/sec4968Pages Recombined/sec4970I/O TLB Flushes Base4972Hyper-V Hypervisor Root Virtual P
Source: SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305870765408.0000020B576DD000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305870488983.0000020B576DD000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305870708726.0000020B576DD000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305870930560.0000020B576C0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: kflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Interrupt Notifications/sec4874Hypervisor Branch Predictor Flushes/sec4876Hypervisor L1 Data Cache Flushes/sec4878Hypervisor Immediate L1 Data Cache Flushes/sec4880Hypervisor Microarchitectural Buffer Flushes/sec4882Counter Refresh Sequence Number4884Counter Refresh Reference Time4886Idle Accumulation Snapshot4888Active Tsc Count Snapshot|
Source: SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305907391418.0000020B57EA7000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306664152503.000001A56DE1D000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306634038214.000001A56DE1D000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306609514960.000001A56DC8D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: JHyper-V Hypervisor Logical Processor
Source: SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305907391418.0000020B57EA7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: sWDHyper-V Hypervisor Root Partition
Source: SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305907391418.0000020B57EA7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: DHyper-V Hypervisor Root Partition
Source: SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305907391418.0000020B57EA7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: &Hyper-V Hypervisor
Source: SgrmBroker.exe, 0000000E.00000003.306566176706.000001A56D859000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306569214033.000001A56D860000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306564832420.000001A56D860000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306563826086.000001A56D84E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: kflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Tim
Source: SgrmBroker.exe, 0000000E.00000003.306663088731.000001A56DE5C000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306634038214.000001A56DE5C000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306609514960.000001A56DCCC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: &Hyper-V HypervisorQ
Source: SgrmBroker.exe, 0000000E.00000003.306609514960.000001A56DD4A000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306644289443.000001A56BE09000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306636288128.000001A56DEDA000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306613321274.000001A56BE09000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 6242WorkflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Interrupt Notifications/sec4874Hypervisor Branch Predictor Flushes/sec4876Hypervisor L1 Data Cache Flushes/sec4878Hypervisor Immediate L1 Data Cache Flushes/sec4880Hypervisor Microarchitectural Buffer Flushes/sec4882Counter Refresh Sequence Number4884Counter Refresh Reference Time4886Idle Accumulation Snapshot4888Active Tsc Count Snapshot9/^
Source: SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305907391418.0000020B57E2A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Hypervisord
Source: SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305907391418.0000020B57EA7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: &Hyper-V Hypervisor
Source: SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305907391418.0000020B57EA7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: X2Hyper-V VM Vid PartitionQ
Source: SgrmBroker.exe, 0000000E.00000003.306577819213.000001A56D935000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: kflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Interrupt Notifications/sec4874Hypervisor Branch Predictor Flushes/sec4876Hypervisor L1 Data Cache Flushes/sec4878Hypervisor Immediate L1 Data Cache Flushes/sec4880Hypervisor Microarchitectural Buffer Flushes/sec4882Counter Refresh Sequence Number4884Counter Refresh Reference Time4886Idle Accumulation Snapshot4888Active Tsc Count Snapshot4890HWP Request MSR Context Switches/sec4892Guest Run Time4894Idle Time4896% Total Run Time4898% Hypervisor Run Time4900% Guest Run Time4902% Idle Time4904Total Interrupts/sec4788Hyper-V Hypervisor4790Logical Processors4792Partitions4794Total Pages4796Virtual Processors4798Monitored Notifications4800Modern Standby Entries4802Platform Idle Transitions4804HypervisorStartupCost4906Hyper-V Hypervisor Root Partition4908Virtual Processors4910Virtual TLB Pages4912Address Spaces4914Deposited Pages4916GPA Pages4918GPA Space Modifications/sec4920Virtual TLB Flush Entires/sec4922Recommended Virtual TLB Size49244K GPA pages49262M GPA pages49281G GPA pages4930512G GPA pages49324K device pages49342M device pages49361G device pages4938512G device pages4940Attached Devices4942Device Interrupt Mappings4944I/O TLB Flushes/sec4946I/O TLB Flush Cost4948Device Interrupt Errors4950Device DMA Errors4952Device Interrupt Throttle Events4954Skipped Timer Ticks4956Partition Id4958Nested TLB Size4960Recommended Nested TLB Size4962Nested TLB Free List Size4964Nested TLB Trimmed Pages/sec4966Pages Shattered/sec4968Pages Recombined/sec4970I/O TLB Flus
Source: SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305869689037.0000020B55CEA000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305867143409.0000020B55CEA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: e4886Idle Accumulation Snapshot4888Active Tsc Count Snapshot4890HWP Request MSR Context Switches/sec4892Guest Run Time4894Idle Time4896% Total Run Time4898% Hypervisor Run Time4900% Guest Run Time4902% Idle Time4904Total Interrupts/sec4788Hyper-V Hypervisor4790Logical Processors4792Partitions4794Total Pages4796Virtual Processors4798Monitored Notifications4800Modern Standby Entries4802Platform Idle Transitions4804HypervisorStartupCost4906Hyper-V Hypervisor Root Partition4908Virtual Processors4910Virtual TLB Pages4912Address Spaces4914Deposited Pages4916GPA Pages4918GPA Space Modifications/sec4920Virtual TLB Flush Entires/sec4922Recommended Virtual TLB Size49244K GPA pages49262M GPA pages49281G GPA pages4930512G GPA pages49324K device pages49342M device pages49361G device pages4938512G device pages4940Attached Devices4942Device Interrupt Mappings4944I/O TLB Flushes/sec4946I/O TLB Flush Cost4948Device Interrupt Errors4950Device DMA Errors4952Device Interrupt Throttle Events4954Skipped Timer Ticks4956Partition Id4958Nested TLB Size4960Recommended Nested TLB Size4962Nested TLB Free List Size4964Nested TLB Trimmed Pages/sec4966Pages Shattered/sec4968Pages Recombined/sec4970I/O TLB Flushes Base4972Hyper-V Hypervisor Root Virtual Processor4974Total Run Time4976Hypervisor Run Time4978Remote Node Run Time4980Normalized Run Time4982Ideal Cpu4984Hypercalls/sec4986Hypercalls Cost4988Page Invalidations/sec4990Page Invalidations Cost4992Control Register Accesses/sec4994Control Register Accesses Cost4996IO Instructions/sec4998IO Instructions Cost5000HLT Instructions/sec5002HLT Instructions Cost5004MWAIT Instructions/sec5006MWAIT Instructions Cost5008CPUID Instructions/sec5010CPUID Instructions Cost5012MSR Accesses/sec5014MSR Accesses Cost5016Other Intercepts/sec5018Other Intercepts Cost5020External Interrupts/sec5022External Interrupts Cost5024Pending Interrupts/sec5026Pending Interrupts Cost5028Emulated Instructions/sec5030Emulated Instructions Cost5032Debug Register Accesses/sec5034Debug Register Accesses Cost5036Page Fault Intercepts/sec5038Page Fault Intercepts Cost5040NMI Interrupts/sec5042NMI Interrupts Cost5044Guest Page Table Maps/sec5046Large Page TLB Fills/sec5048Small Page TLB Fills/sec5050Reflected Guest Page Faults/sec5052APIC MMIO Accesses/sec5054IO Intercept Messages/sec5056Memory Intercept Messages/sec5058APIC EOI Accesses/sec5060Other Messages/sec5062Page Table Allocations/sec5064Logical Processor Migrations/sec5066Address Space Evictions/sec5068Address Space Switches/sec5070Address Domain Flushes/sec5072Address Space Flushes/sec5074Global GVA Range Flushes/sec5076Local Flushed GVA Ranges/sec5078Page Table Evictions/sec5080Page Table Reclamations/sec5082Page Table Resets/sec5084Page Table Validations/sec5086APIC TPR Accesses/sec5088Page Table Write Intercepts/sec5090Synthetic Interrupts/sec5092Virtual Interrupts/sec5094APIC IPIs Sent/sec5096APIC Self IPIs Sent/sec5098GPA Space Hypercalls/sec5100Logical Processor Hypercalls/sec5102Long Spin Wait
Source: SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305871195703.0000020B5776C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: mpted discoveries9600Local Cache: Cache complete file segments9602Local Cache: Cache partial file segments9604Hosted Cache: Client file segment offers made9606Retrieval: Average branch rate9608Discovery: Successful discoveries9610Hosted Cache: Segment offers queue size9612Publication Cache: Published contents9614Local Cache: Average access time3432WSMan Quota Statistics3434Total Requests/Second3436User Quota Violations/Second3438System Quota Violations/Second3440Active Shells3442Active Operations3444Active Users3446Process ID1914Hyper-V VM Vid Partition1916Physical Pages Allocated1918Preferred NUMA Node Index1920Remote Physical Pages1922ClientHandles1924CompressPackTimeInUs1926CompressUnpackTimeInUs1928CompressPackInputSizeInBytes1930CompressUnpackInputSizeInBytes1932CompressPackOutputSizeInBytes1934CompressUnpackOutputSizeInBytes1936CompressUnpackUncompressedInputSizeInBytes1938CompressPackDiscardedSizeInBytes1940CompressWorkspaceSizeInBytes1942CompressScratchPoolSizeInBytes1944CryptPackTimeInUs1946CryptUnpackTimeInUs1948CryptPackInputSizeInBytes1950CryptUnpackInputSizeInBytes1952CryptPackOutputSizeInBytes1954CryptUnpackOutputSizeInBytes1956CryptScratchPoolSizeInBytes?
Source: SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305884641149.0000020B58008000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305938250782.0000020B5802D000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306618086324.000001A56E93D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305878018631.0000020B576D0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 2Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Interrupt Notifications/sec4874Hypervisor Branch Predictor Flushes/sec4876Hypervisor L1 Data Cache Flushes/sec4878Hypervisor Immediate L1 Data Cache Flushes/sec4880Hypervisor Microarchitectural Buffer Flushes/sec4882Counter Refresh Sequence Number4884Counter Refresh Reference Time4886Idle Accumulation Snapshot4888Active Tsc Count Snapshot||
Source: SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305867143409.0000020B55CEA000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305868692231.0000020B55CED000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: kflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Interrupt Notifications/sec4874Hypervisor Branch Predictor Flushes/sec4876Hypervisor L1 Data Cache Flushes/sec4878Hypervisor Immediate L1 Data Cache Flushes/sec4880Hypervisor Microarchitectural Buffer Flushes/sec4882Counter Refresh Sequence Number4884Counter Refresh Reference Time4886Idle Accumulation Snapshot4888Active Tsc Count Snapshot Err00
Source: SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305907391418.0000020B57EA7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Hypervisor Root PartitionlRk
Source: SgrmBroker.exe, 0000000E.00000003.306578626050.000001A56D936000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: erage Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Interrupt Notifications/sec4874Hypervisor Branch Predictor Flushes/sec4876Hypervisor L1 Data Cache Flushes/sec4878Hypervisor Immediate L1 Data Cache Flushes/sec4880Hypervisor Microarchitectural Buffer Flushes/sec4882Counter Refresh Sequence Number4884Counter Refresh Reference Time4886Idle Accumulation Snapshot4888Active Tsc Count Snapshot4890HWP Request MSR Context Switches/sec4892Guest Run Time4894Idle Time4896% Total Run Time4898% Hypervisor Run Time4900% Guest Run Time4902% Idle Time4904Total Interrupts/sec4788Hyper-V Hypervisor4790Logical Processors4792Partitions4794Total Pages4796Virtual Processors4798Monitored Notifications4800Modern Standby Entries4802Platform Idle Transitions4804HypervisorStartupCost4906Hyper-V Hypervisor Root Partition4908Virtual Processors4910Virtual TLB Pages4912Address Spaces4914Deposited Pages4916GPA Pages4918GPA Space Modifications/sec4920Virtual TLB Flush Entires/sec4922Recommended Virtual TLB Size49244K GPA pages49262M GPA pages49281G GPA pages4930512G GPA pages49324K device pages49342M device pages49361G device pages4938512G device pages4940Attached Devices4942Device Interrupt Mappings4944I/O TLB Flushes/sec4946I/O TLB Flush Cost4948Device Interrupt Errors4950Device DMA Errors4952Device Interrupt Throttle Events4954Skipped Timer Ticks4956Partition Id4958Nested TLB Size4960Recommended Nested TLB Size4962Nested TLB Free List Size4964Nested TLB Trimmed Pages/sec4966Pages Shattered/sec4968Pages Recombined/sec4970I/O TLB Flushes Base4972Hyper-V Hypervisor Root Virtual Processor4974Total Run Time4976Hypervisor Run Time4978Remote Node Run Time4980Normalized Run Time4982Ideal Cpu4984Hypercalls/sec4986Hypercalls Cost4988Page Invalidations/sec4990Page Invalidations Cost4992Control Register Accesses/sec4994Control Register Accesses Cost4996IO Instructions/sec4998IO Instructions Cost5000HLT Instructions/sec5002HLT Instructions Cost5004MWAIT Instructions/sec5006MWAIT Instructions Cost5008CPUID Instructions/sec5010CPUID Instructions Cost5012MSR Accesses/sec5014MSR Accesses Cost5016Other Intercepts/sec5018Other Intercepts Cost5020Exter
Source: SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305907391418.0000020B57EA7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: AlDHyper-V Virtual Machine Bus Pipes
Source: SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305907391418.0000020B57E2A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V VM Vid Partitionsk_
Source: SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305907391418.0000020B57E2A000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306609514960.000001A56DCC0000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306634038214.000001A56DE50000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306663088731.000001A56DE50000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Hypervisor Logical Processor.mui
Source: SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305907391418.0000020B57EA7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Virtual Machine Bus Pipesw
Source: SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305907391418.0000020B57EA7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Hypervisorfn
Source: SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305907391418.0000020B57EA7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VHyper-V Dynamic Memory Integration ServiceN
Source: SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305907391418.0000020B57EA7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 2Hyper-V VM Vid Partition.dll
Source: SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305877787106.0000020B57738000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: kflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec
Source: SgrmBroker.exe, 0000000E.00000003.306664152503.000001A56DEDA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: kflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Interrupt Notifications/sec4874Hypervisor Branch Predictor Flushes/sec4876Hypervisor L1 Data Cache Flushes/sec4878Hypervisor Immediate L1 Data Cache Flushes/sec4880Hypervisor Microarchitectural Buffer Flushes/sec4882Counter Refresh Sequence Number4884Counter Refresh Reference Time4886Idle Accumulation Snapshot4888Active Tsc Count Snapshot9/^
Source: SgrmBroker.exe, 0000000E.00000003.306663088731.000001A56DE5C000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306634038214.000001A56DE5C000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306609514960.000001A56DCCC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Virtual Machine Bus Pipesb [
Source: SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305868203224.0000020B57716000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305870385586.0000020B5772F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305870343476.0000020B5772F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: kflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Interrupt Notifications/sec4874Hypervisor Branch Predictor Flushes/sec4876Hypervisor L1
Source: SgrmBroker.exe, 0000000E.00000003.306663088731.000001A56DE5C000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306634038214.000001A56DE5C000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306609514960.000001A56DCCC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Hypervisor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe Process information queried: ProcessInformation Jump to behavior
Enables debug privileges
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Adds a directory exclusion to Windows Defender
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath @($env:ProgramData, 'C:\Users\Public') -ExclusionExtension '.exe' -Force"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath @($env:ProgramData, 'C:\Users\Public') -ExclusionExtension '.exe' -Force" Jump to behavior
Found direct / indirect Syscall (likely to bypass EDR)
Source: C:\Users\Public\AppData_Temp\Videos_Temp\SgrmBroker.exe NtQueryInformationProcess: Indirect: 0x7FF79E55B7AF Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe NtQueryInformationProcess: Indirect: 0x7FF6E1B0E88E Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe NtQueryInformationProcess: Indirect: 0x7FF6E1B0FAFC Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe NtQueryInformationProcess: Indirect: 0x7FF6E1B0FB95 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe NtQueryInformationProcess: Indirect: 0x7FF6E1B0E9EF Jump to behavior
Source: C:\Users\Public\AppData_Temp\Videos_Temp\SgrmBroker.exe NtQueryInformationProcess: Indirect: 0x7FF79E55B64F Jump to behavior
Source: C:\Users\Public\AppData_Temp\Videos_Temp\SgrmBroker.exe NtQuerySystemInformation: Indirect: 0x7FF79E561615 Jump to behavior
Source: C:\Users\Public\AppData_Temp\Videos_Temp\SgrmBroker.exe NtQueryInformationProcess: Indirect: 0x7FF79E55C9A1 Jump to behavior
Source: C:\Users\Public\AppData_Temp\Videos_Temp\SgrmBroker.exe NtQueryInformationProcess: Indirect: 0x7FF79E55C91C Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath @($env:ProgramData, 'C:\Users\Public') -ExclusionExtension '.exe' -Force" Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c "wusa /uninstall /kb:890830 /quiet /norestart" Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c "del /f /q %SystemRoot%\System32\MRT.exe" Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c "reg add HKLM\SOFTWARE\Policies\Microsoft\MRT /v DontOfferThroughWUAU /t REG_DWORD /d 1 /f" Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe Process created: C:\ProgramData\Documents_1\Documents_2\SppExtComObj.exe "C:\ProgramData\Documents_1\Documents_2\SppExtComObj.exe" Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe Process created: C:\Users\Public\AppData_Temp\Videos_Temp\SgrmBroker.exe "C:\Users\Public\AppData_Temp\Videos_Temp\SgrmBroker.exe" Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg add HKLM\SOFTWARE\Policies\Microsoft\MRT /v DontOfferThroughWUAU /t REG_DWORD /d 1 /f Jump to behavior
Source: SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305899234435.0000020B57D27000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305899234435.0000020B57DA6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe Queries volume information: C:\ProgramData\Documents_1\Documents_2\SppExtComObj.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe Queries volume information: C:\Users\Public\AppData_Temp\Videos_Temp\SgrmBroker.exe VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation Jump to behavior
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT displayName FROM AntiVirusProduct
Source: C:\Users\Public\AppData_Temp\Videos_Temp\SgrmBroker.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT displayName FROM AntiVirusProduct
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1543312 Sample: SecuriteInfo.com.Win64.Troj... Startdate: 27/10/2024 Architecture: WINDOWS Score: 80 36 Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet 2->36 38 Sigma detected: Execution from Suspicious Folder 2->38 7 SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe 5 6 2->7         started        process3 file4 34 C:\ProgramData\...\SppExtComObj.exe, PE32+ 7->34 dropped 40 Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines) 7->40 42 Creates an undocumented autostart registry key 7->42 44 Drops large PE files 7->44 46 3 other signatures 7->46 11 SgrmBroker.exe 7->11         started        14 powershell.exe 23 7->14         started        16 cmd.exe 1 7->16         started        18 3 other processes 7->18 signatures5 process6 signatures7 48 Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines) 11->48 50 Queries memory information (via WMI often done to detect virtual machines) 11->50 52 Found direct / indirect Syscall (likely to bypass EDR) 11->52 54 Loading BitLocker PowerShell Module 14->54 20 WmiPrvSE.exe 14->20         started        22 conhost.exe 14->22         started        24 conhost.exe 16->24         started        26 reg.exe 1 1 16->26         started        28 conhost.exe 18->28         started        30 conhost.exe 18->30         started        32 wusa.exe 18->32         started        process8
No contacted IP infos