Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe

Overview

General Information

Sample name:SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe
Analysis ID:1543312
MD5:5360ec27f015cc0662710451f7084303
SHA1:992317242e0acae6cdfaffa812a867d858bbc13a
SHA256:d2bd84b83282597a8106aa18b38902262cbe81efce426a55e6cd50725556d0c5
Infos:

Detection

Score:80
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Adds a directory exclusion to Windows Defender
Creates an undocumented autostart registry key
Drops large PE files
Found direct / indirect Syscall (likely to bypass EDR)
Loading BitLocker PowerShell Module
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Sigma detected: Execution from Suspicious Folder
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Changes image file execution options
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion NT Autorun Keys Modification
Sigma detected: Powershell Defender Exclusion
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry

Classification

Process Tree

  • System is w10x64native
  • SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe (PID: 7504 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe" MD5: 5360EC27F015CC0662710451F7084303)
    • powershell.exe (PID: 1332 cmdline: "powershell.exe" -Command "Add-MpPreference -ExclusionPath @($env:ProgramData, 'C:\Users\Public') -ExclusionExtension '.exe' -Force" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 4524 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
      • WmiPrvSE.exe (PID: 1912 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • cmd.exe (PID: 2936 cmdline: "cmd.exe" /c "wusa /uninstall /kb:890830 /quiet /norestart" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 4996 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
      • wusa.exe (PID: 5864 cmdline: wusa /uninstall /kb:890830 /quiet /norestart MD5: E43499EE2B4CF328A81BACE9B1644C5D)
    • cmd.exe (PID: 5444 cmdline: "cmd.exe" /c "del /f /q %SystemRoot%\System32\MRT.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 2428 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 4540 cmdline: "cmd.exe" /c "reg add HKLM\SOFTWARE\Policies\Microsoft\MRT /v DontOfferThroughWUAU /t REG_DWORD /d 1 /f" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 4780 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
      • reg.exe (PID: 3296 cmdline: reg add HKLM\SOFTWARE\Policies\Microsoft\MRT /v DontOfferThroughWUAU /t REG_DWORD /d 1 /f MD5: 227F63E1D9008B36BDBCC4B397780BE4)
    • SppExtComObj.exe (PID: 4936 cmdline: "C:\ProgramData\Documents_1\Documents_2\SppExtComObj.exe" MD5: 9102BCFA11AE0DCE708EFA689B3A15CC)
    • SgrmBroker.exe (PID: 5628 cmdline: "C:\Users\Public\AppData_Temp\Videos_Temp\SgrmBroker.exe" MD5: FE61B23A827523EF5C5E77B0FCA6E5A5)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

No yara matches

Sigma Signatures

System Summary

barindex
Sigma detected: Execution from Suspicious Folder
Source: Process startedAuthor: Florian Roth (Nextron Systems), Tim Shelton: Data: Command: "C:\Users\Public\AppData_Temp\Videos_Temp\SgrmBroker.exe", CommandLine: "C:\Users\Public\AppData_Temp\Videos_Temp\SgrmBroker.exe", CommandLine|base64offset|contains: , Image: C:\Users\Public\AppData_Temp\Videos_Temp\SgrmBroker.exe, NewProcessName: C:\Users\Public\AppData_Temp\Videos_Temp\SgrmBroker.exe, OriginalFileName: C:\Users\Public\AppData_Temp\Videos_Temp\SgrmBroker.exe, ParentCommandLine: "C:\Users\user\Desktop\SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe", ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, ParentProcessId: 7504, ParentProcessName: SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, ProcessCommandLine: "C:\Users\Public\AppData_Temp\Videos_Temp\SgrmBroker.exe", ProcessId: 5628, ProcessName: SgrmBroker.exe
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "powershell.exe" -Command "Add-MpPreference -ExclusionPath @($env:ProgramData, 'C:\Users\Public') -ExclusionExtension '.exe' -Force", CommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath @($env:ProgramData, 'C:\Users\Public') -ExclusionExtension '.exe' -Force", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe", ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, ParentProcessId: 7504, ParentProcessName: SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, ProcessCommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath @($env:ProgramData, 'C:\Users\Public') -ExclusionExtension '.exe' -Force", ProcessId: 1332, ProcessName: powershell.exe
Sigma detected: CurrentVersion NT Autorun Keys Modification
Source: Registry Key setAuthor: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: 1099466887, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, ProcessId: 7504, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tcpview.exe\MinimumStackCommitInBytes
Sigma detected: Powershell Defender Exclusion
Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "powershell.exe" -Command "Add-MpPreference -ExclusionPath @($env:ProgramData, 'C:\Users\Public') -ExclusionExtension '.exe' -Force", CommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath @($env:ProgramData, 'C:\Users\Public') -ExclusionExtension '.exe' -Force", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe", ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, ParentProcessId: 7504, ParentProcessName: SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, ProcessCommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath @($env:ProgramData, 'C:\Users\Public') -ExclusionExtension '.exe' -Force", ProcessId: 1332, ProcessName: powershell.exe
Sigma detected: Non Interactive PowerShell Process Spawned
Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "powershell.exe" -Command "Add-MpPreference -ExclusionPath @($env:ProgramData, 'C:\Users\Public') -ExclusionExtension '.exe' -Force", CommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath @($env:ProgramData, 'C:\Users\Public') -ExclusionExtension '.exe' -Force", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe", ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, ParentProcessId: 7504, ParentProcessName: SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, ProcessCommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath @($env:ProgramData, 'C:\Users\Public') -ExclusionExtension '.exe' -Force", ProcessId: 1332, ProcessName: powershell.exe

Suricata Signatures

No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results
Source: SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305891511353.0000020B57CCD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG3.crt0B
Source: powershell.exe, 00000002.00000002.306176831095.0000021AE9D5F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: powershell.exe, 00000002.00000002.306176831095.0000021AE9D5F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305891511353.0000020B57CCD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG3.crl0
Source: powershell.exe, 00000002.00000002.306152783655.0000021A814F2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.306168142673.0000021A9006D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
Source: SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305891511353.0000020B57CCD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0
Source: powershell.exe, 00000002.00000002.306152783655.0000021A8022C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000002.00000002.306152783655.0000021A8022C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.pngXzw
Source: powershell.exe, 00000002.00000002.306152783655.0000021A8022C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000002.00000002.306152783655.0000021A80001000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000002.00000002.306152783655.0000021A8022C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000002.00000002.306152783655.0000021A8022C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000002.00000002.306152783655.0000021A8022C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.htmlXzw
Source: SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305892444259.0000020B57E75000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305892444259.0000020B57EB5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305946317042.0000020B58081000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305946317042.0000020B5804D000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306593142329.000001A56DD19000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306620080706.000001A56DE69000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306593142329.000001A56DCD9000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306651882230.000001A56E28D000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306653296362.000001A56E28D000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306620080706.000001A56DEA9000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306651882230.000001A56E24D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.intel.com/support/gfx_feedback
Source: powershell.exe, 00000002.00000002.306152783655.0000021A80001000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
Source: SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305938250782.0000020B57F4C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305884641149.0000020B57F27000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306647230166.000001A56E85D000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306618086324.000001A56E85C000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306589926692.000001A56E05F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/
Source: SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305884641149.0000020B58008000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305938250782.0000020B5802D000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306618086324.000001A56E93D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?
Source: SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305884641149.0000020B58008000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305938250782.0000020B5802D000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306618086324.000001A56E93D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
Source: powershell.exe, 00000002.00000002.306168142673.0000021A9006D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000002.00000002.306168142673.0000021A9006D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000002.00000002.306168142673.0000021A9006D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
Source: SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305894766096.0000020B57E41000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305894766096.0000020B57E26000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305946317042.0000020B57FFD000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306651882230.000001A56E1FE000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306593142329.000001A56DCA5000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306620080706.000001A56DE1A000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306593142329.000001A56DC8A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://gameplayapi.intel.com/api/games/downloadthumbnail/
Source: SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305894766096.0000020B57E41000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305946317042.0000020B57FFD000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306651882230.000001A56E1FE000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306593142329.000001A56DCA5000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306620080706.000001A56DE1A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://gameplayapi.intel.com/api/games/downloadthumbnail/X
Source: SgrmBroker.exe, 0000000E.00000003.306593142329.000001A56DC8A000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306653296362.000001A56E1F5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://gameplayapi.intel.com/api/games/getagsgames2/
Source: SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305894766096.0000020B57E26000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305946317042.0000020B57FFD000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306651882230.000001A56E1FE000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306620080706.000001A56DE1A000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306593142329.000001A56DC8A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://gameplayapi.intel.com/api/games/getagsgames2/CRT4.dll
Source: SgrmBroker.exe, 0000000E.00000003.306620080706.000001A56DE1A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://gameplayapi.intel.com/api/games/getagsgamesettings2/
Source: SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305894766096.0000020B57E41000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305946317042.0000020B57FFD000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306651882230.000001A56E1FE000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306593142329.000001A56DCA5000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306620080706.000001A56DE1A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://gameplayapi.intel.com/api/games/getagsgamesettings2/4
Source: SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305894766096.0000020B57E41000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305946317042.0000020B57FFD000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306651882230.000001A56E1FE000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306593142329.000001A56DCA5000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306620080706.000001A56DE1A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://gameplayapi.intel.com/api/games/getagsgamesettings2/D
Source: SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305946317042.0000020B57FF6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305894766096.0000020B57E1E000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305892444259.0000020B57E19000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306620080706.000001A56DE12000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306593142329.000001A56DC82000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306651882230.000001A56E100000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306592448609.000001A56DC7C000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306653296362.000001A56E1F5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://gameplayapi.intel.com/api/games/getagsgamesettings2/Q
Source: powershell.exe, 00000002.00000002.306152783655.0000021A8022C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000002.00000002.306152783655.0000021A8022C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/PesterXzw
Source: powershell.exe, 00000002.00000002.306152783655.0000021A814F2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.306168142673.0000021A9006D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
Source: SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305894766096.0000020B57E41000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305894766096.0000020B57E26000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305946317042.0000020B57FF6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305946317042.0000020B57FFD000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305894766096.0000020B57E1E000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305892444259.0000020B57E19000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306651882230.000001A56E1FE000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306620080706.000001A56DE12000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306593142329.000001A56DCA5000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306593142329.000001A56DC82000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306651882230.000001A56E100000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306620080706.000001A56DE1A000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306592448609.000001A56DC7C000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306593142329.000001A56DC8A000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306653296362.000001A56E1F5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://tst-gameplayapi.intel.com/api/games/downloadthumbnail/
Source: SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305894766096.0000020B57E41000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305946317042.0000020B57FFD000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306651882230.000001A56E1FE000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306593142329.000001A56DCA5000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306620080706.000001A56DE1A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://tst-gameplayapi.intel.com/api/games/downloadthumbnail/N
Source: SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305894766096.0000020B57E41000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305946317042.0000020B57FFD000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306651882230.000001A56E1FE000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306593142329.000001A56DCA5000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306620080706.000001A56DE1A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://tst-gameplayapi.intel.com/api/games/downloadthumbnail/f
Source: SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305894766096.0000020B57E41000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305946317042.0000020B57FF6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305946317042.0000020B57FFD000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305894766096.0000020B57E1E000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305892444259.0000020B57E19000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306651882230.000001A56E1FE000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306620080706.000001A56DE12000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306593142329.000001A56DCA5000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306593142329.000001A56DC82000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306651882230.000001A56E100000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306620080706.000001A56DE1A000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306592448609.000001A56DC7C000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306653296362.000001A56E1F5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://tst-gameplayapi.intel.com/api/games/getagsgames2/
Source: SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305946317042.0000020B57FF6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305894766096.0000020B57E1E000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305892444259.0000020B57E19000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306620080706.000001A56DE12000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306593142329.000001A56DC82000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306651882230.000001A56E100000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306592448609.000001A56DC7C000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306653296362.000001A56E1F5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://tst-gameplayapi.intel.com/api/games/getagsgames2/b
Source: SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305894766096.0000020B57E41000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305946317042.0000020B57FFD000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306651882230.000001A56E1FE000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306593142329.000001A56DCA5000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306620080706.000001A56DE1A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://tst-gameplayapi.intel.com/api/games/getagsgames2/p
Source: SgrmBroker.exe, 0000000E.00000003.306593142329.000001A56DC8A000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306653296362.000001A56E1F5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://tst-gameplayapi.intel.com/api/games/getagsgamesettings2/
Source: SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305894766096.0000020B57E26000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305946317042.0000020B57FFD000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306651882230.000001A56E1FE000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306620080706.000001A56DE1A000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306593142329.000001A56DC8A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://tst-gameplayapi.intel.com/api/games/getagsgamesettings2/x

System Summary

barindex
Drops large PE files
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exeFile dump: SppExtComObj.exe.0.dr 706740224Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_00007FF93F5930E92_2_00007FF93F5930E9
Source: SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305894766096.0000020B57E8B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamekernel32j% vs SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe
Source: SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305946317042.0000020B58063000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamekernel32j% vs SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\reg.exe reg add HKLM\SOFTWARE\Policies\Microsoft\MRT /v DontOfferThroughWUAU /t REG_DWORD /d 1 /f
Source: classification engineClassification label: mal80.evad.winEXE@22/6@0/0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4996:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2428:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4996:304:WilStaging_02
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4524:304:WilStaging_02
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4780:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4524:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2428:304:WilStaging_02
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4780:304:WilStaging_02
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nwy0oost.mwj.ps1Jump to behavior
Source: SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Name FROM Win32_Process
Source: C:\Users\Public\AppData_Temp\Videos_Temp\SgrmBroker.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\Public\AppData_Temp\Videos_Temp\SgrmBroker.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Name FROM Win32_Process
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Source: unknownProcess created: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath @($env:ProgramData, 'C:\Users\Public') -ExclusionExtension '.exe' -Force"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exeProcess created: C:\Windows\System32\cmd.exe "cmd.exe" /c "wusa /uninstall /kb:890830 /quiet /norestart"
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exeProcess created: C:\Windows\System32\cmd.exe "cmd.exe" /c "del /f /q %SystemRoot%\System32\MRT.exe"
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exeProcess created: C:\Windows\System32\cmd.exe "cmd.exe" /c "reg add HKLM\SOFTWARE\Policies\Microsoft\MRT /v DontOfferThroughWUAU /t REG_DWORD /d 1 /f"
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\reg.exe reg add HKLM\SOFTWARE\Policies\Microsoft\MRT /v DontOfferThroughWUAU /t REG_DWORD /d 1 /f
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exeProcess created: C:\ProgramData\Documents_1\Documents_2\SppExtComObj.exe "C:\ProgramData\Documents_1\Documents_2\SppExtComObj.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exeProcess created: C:\Users\Public\AppData_Temp\Videos_Temp\SgrmBroker.exe "C:\Users\Public\AppData_Temp\Videos_Temp\SgrmBroker.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath @($env:ProgramData, 'C:\Users\Public') -ExclusionExtension '.exe' -Force"Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exeProcess created: C:\Windows\System32\cmd.exe "cmd.exe" /c "wusa /uninstall /kb:890830 /quiet /norestart"Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exeProcess created: C:\Windows\System32\cmd.exe "cmd.exe" /c "del /f /q %SystemRoot%\System32\MRT.exe"Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exeProcess created: C:\Windows\System32\cmd.exe "cmd.exe" /c "reg add HKLM\SOFTWARE\Policies\Microsoft\MRT /v DontOfferThroughWUAU /t REG_DWORD /d 1 /f"Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exeProcess created: C:\ProgramData\Documents_1\Documents_2\SppExtComObj.exe "C:\ProgramData\Documents_1\Documents_2\SppExtComObj.exe"Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exeProcess created: C:\Users\Public\AppData_Temp\Videos_Temp\SgrmBroker.exe "C:\Users\Public\AppData_Temp\Videos_Temp\SgrmBroker.exe"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestartJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\reg.exe reg add HKLM\SOFTWARE\Policies\Microsoft\MRT /v DontOfferThroughWUAU /t REG_DWORD /d 1 /fJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exeSection loaded: powrprof.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exeSection loaded: pdh.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exeSection loaded: umpdc.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exeSection loaded: edgegdi.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exeSection loaded: perfos.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exeSection loaded: wbemcomn.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exeSection loaded: amsi.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exeSection loaded: userenv.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: edgegdi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: xmllite.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: fastprox.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: ncobjapi.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: edgegdi.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mpclient.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wmitomi.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mi.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Windows\System32\wusa.exeSection loaded: dpx.dllJump to behavior
Source: C:\Windows\System32\wusa.exeSection loaded: wtsapi32.dllJump to behavior
Source: C:\Windows\System32\wusa.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\System32\wusa.exeSection loaded: edgegdi.dllJump to behavior
Source: C:\Windows\System32\wusa.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\wusa.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\ProgramData\Documents_1\Documents_2\SppExtComObj.exeSection loaded: apphelp.dllJump to behavior
Source: C:\ProgramData\Documents_1\Documents_2\SppExtComObj.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\ProgramData\Documents_1\Documents_2\SppExtComObj.exeSection loaded: netapi32.dllJump to behavior
Source: C:\ProgramData\Documents_1\Documents_2\SppExtComObj.exeSection loaded: pdh.dllJump to behavior
Source: C:\ProgramData\Documents_1\Documents_2\SppExtComObj.exeSection loaded: powrprof.dllJump to behavior
Source: C:\ProgramData\Documents_1\Documents_2\SppExtComObj.exeSection loaded: secur32.dllJump to behavior
Source: C:\ProgramData\Documents_1\Documents_2\SppExtComObj.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\ProgramData\Documents_1\Documents_2\SppExtComObj.exeSection loaded: netutils.dllJump to behavior
Source: C:\ProgramData\Documents_1\Documents_2\SppExtComObj.exeSection loaded: samcli.dllJump to behavior
Source: C:\ProgramData\Documents_1\Documents_2\SppExtComObj.exeSection loaded: sspicli.dllJump to behavior
Source: C:\ProgramData\Documents_1\Documents_2\SppExtComObj.exeSection loaded: edgegdi.dllJump to behavior
Source: C:\ProgramData\Documents_1\Documents_2\SppExtComObj.exeSection loaded: umpdc.dllJump to behavior
Source: C:\Users\Public\AppData_Temp\Videos_Temp\SgrmBroker.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Users\Public\AppData_Temp\Videos_Temp\SgrmBroker.exeSection loaded: pdh.dllJump to behavior
Source: C:\Users\Public\AppData_Temp\Videos_Temp\SgrmBroker.exeSection loaded: powrprof.dllJump to behavior
Source: C:\Users\Public\AppData_Temp\Videos_Temp\SgrmBroker.exeSection loaded: edgegdi.dllJump to behavior
Source: C:\Users\Public\AppData_Temp\Videos_Temp\SgrmBroker.exeSection loaded: umpdc.dllJump to behavior
Source: C:\Users\Public\AppData_Temp\Videos_Temp\SgrmBroker.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Users\Public\AppData_Temp\Videos_Temp\SgrmBroker.exeSection loaded: wbemcomn.dllJump to behavior
Source: C:\Users\Public\AppData_Temp\Videos_Temp\SgrmBroker.exeSection loaded: amsi.dllJump to behavior
Source: C:\Users\Public\AppData_Temp\Videos_Temp\SgrmBroker.exeSection loaded: userenv.dllJump to behavior
Source: C:\Users\Public\AppData_Temp\Videos_Temp\SgrmBroker.exeSection loaded: profapi.dllJump to behavior
Source: C:\Users\Public\AppData_Temp\Videos_Temp\SgrmBroker.exeSection loaded: perfos.dllJump to behavior
Source: C:\Users\Public\AppData_Temp\Videos_Temp\SgrmBroker.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
Source: SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exeStatic PE information: Image base 0x140000000 > 0x60000000
Source: SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exeStatic file information: File size 30691840 > 1048576
Source: SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exeStatic PE information: Raw size of .rdata is bigger than: 0x100000 < 0x1ce7000
Source: SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exeStatic PE information: section name: _RDATA
Source: SppExtComObj.exe.0.drStatic PE information: section name: .xdata
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_00007FF93F3AD2A5 pushad ; iretd 2_2_00007FF93F3AD2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_00007FF93F4C242D push E95B4B93h; ret 2_2_00007FF93F4C2539
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_00007FF93F4C37FA pushad ; iretd 2_2_00007FF93F4C3811
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exeFile created: C:\ProgramData\Documents_1\Documents_2\SppExtComObj.exeJump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exeFile created: C:\ProgramData\Documents_1\Documents_2\SppExtComObj.exeJump to dropped file

Boot Survival

barindex
Creates an undocumented autostart registry key
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exeKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tcpview.exe MinimumStackCommitInBytesJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exeKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tcpview.exe MinimumStackCommitInBytesJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exeKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tcpview64.exe MinimumStackCommitInBytesJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exeKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tcpview64.exe MinimumStackCommitInBytesJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exeKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe MinimumStackCommitInBytesJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exeKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe MinimumStackCommitInBytesJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exeKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GlassWireSetup.exe MinimumStackCommitInBytesJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exeKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GlassWireSetup.exe MinimumStackCommitInBytesJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exeKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tcpview.exe MinimumStackCommitInBytesJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exeKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tcpview64.exe MinimumStackCommitInBytesJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exeKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe MinimumStackCommitInBytesJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exeKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GlassWireSetup.exe MinimumStackCommitInBytesJump to behavior

Hooking and other Techniques for Hiding and Protection

barindex
Loading BitLocker PowerShell Module
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\Public\AppData_Temp\Videos_Temp\SgrmBroker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

Malware Analysis System Evasion

barindex
Queries memory information (via WMI often done to detect virtual machines)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_PortConnector
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM CIM_PhysicalConnector
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM CIM_Slot
Source: C:\Users\Public\AppData_Temp\Videos_Temp\SgrmBroker.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_PortConnector
Source: C:\Users\Public\AppData_Temp\Videos_Temp\SgrmBroker.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM CIM_PhysicalConnector
Source: C:\Users\Public\AppData_Temp\Videos_Temp\SgrmBroker.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM CIM_Slot
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_PhysicalMemory
Source: C:\Users\Public\AppData_Temp\Videos_Temp\SgrmBroker.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_PhysicalMemory
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 9797Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1908Thread sleep count: 9797 > 30Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\Public\AppData_Temp\Videos_Temp\SgrmBroker.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: SgrmBroker.exe, 0000000E.00000003.306568332512.000001A56BE1C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Interrupt Notifications/sec4874Hypervisor Branch Predictor Flushes/sec4876Hypervisor L1 Data Cache Flushes/sec4878Hypervisor Immediate L1 Data Cache Flushes/sec4880Hypervisor Microarchitectural Buffer Flushes/sec4882Counter Refresh Sequence Number4884Counter Refresh Reference Time4886Idle Accumulation Snapshot4888Active Tsc Count Snapshot4890HWP Request MSR Context Switches/sec4892Guest Run Time4894Idle Time4896% Total Run Time4898% Hypervisor Run Time4900% Guest Run Time4902% Idle Time4904Total Interrupts/sec4788Hyper-V Hypervisor4790Logical Processors4792Partitions4794Total Pages4796Virtual Processors4798Monitored Notifications4800Modern Standby Entries4802Platform Idle Transitions4804HypervisorStartupCost4906Hyper-V Hypervisor Root Partition4908Virtual Processors4910Virtual TLB Pages4912Address Spaces4914Deposited Pages4916GPA Pages4918GPA Space Modifications/sec4920Virtual TLB Flush Entires/sec4922Recommended Virtual TLB Size49244K GPA pages49262M GPA pages49281G GPA pages4930512G GPA pages49324K device pages49342M device pages49361G device pages4938512G device pages4940Attached Devices4942Device Interrupt Mappings4944I/O TLB Flushes/sec4946I/O TLB Flush Cost4948Device Interrupt Errors4950Device DMA Errors4952Device Interrupt Throttle Events4954Skipped Timer Ticks4956Partition Id4958Nested TLB Size4960Recommended Nested TLB Size4962Nested TLB Free List Size4964Nested TLB Trimmed Pages/sec4966Pages Shattered/sec4968Pages Recombined/sec4970I/O TLB Flushes Base4972Hype
Source: SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305907391418.0000020B57E2A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V Hypervisor Root Partition0
Source: SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305907391418.0000020B57E2A000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305907391418.0000020B57EA7000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306609514960.000001A56DCC0000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306634038214.000001A56DE50000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306663088731.000001A56DE50000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V Dynamic Memory Integration Service
Source: SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305867242122.0000020B55CE9000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305868692231.0000020B55CE9000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306578136932.000001A56D84A000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306578310501.000001A56D88F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: kflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Interrupt Notifications/sec4874Hypervisor Branch Predictor Flushes/sec4876Hypervisor L1 Data Cache Flushes/sec4878Hypervisor Immediate L1 Data Cache Flushes/sec4880Hypervisor Microarchitectural Buffer Flushes/sec4882Counter Refresh Sequence Number4884Counter Refresh Reference Tim
Source: SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305907391418.0000020B57EA7000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306664152503.000001A56DE1D000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306634038214.000001A56DE1D000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306609514960.000001A56DC8D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: DHyper-V Virtual Machine Bus Pipes
Source: SgrmBroker.exe, 0000000E.00000003.306663088731.000001A56DE5C000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306634038214.000001A56DE5C000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306609514960.000001A56DCCC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V Dynamic Memory Integration Servicee Z
Source: SgrmBroker.exe, 0000000E.00000003.306664152503.000001A56DE1D000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306634038214.000001A56DE1D000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306609514960.000001A56DC8D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: DHyper-V Hypervisor Root PartitioncoR
Source: SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305907391418.0000020B57E2A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V VM Vid Partition
Source: SgrmBroker.exe, 0000000E.00000003.306663088731.000001A56DE5C000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306634038214.000001A56DE5C000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306609514960.000001A56DCCC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V Hypervisor Root Partition
Source: SgrmBroker.exe, 0000000E.00000003.306663088731.000001A56DE5C000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306634038214.000001A56DE5C000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306609514960.000001A56DCCC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V Virtual Machine Bus PipesC:\Program Filesx [
Source: SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305907391418.0000020B57EA7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VHyper-V Dynamic Memory Integration Service
Source: SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305866096591.0000020B576E3000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305866914754.0000020B576E3000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305867364112.0000020B576E3000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305866440634.0000020B576E3000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305865795783.0000020B576E3000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305866355243.0000020B576E3000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305866010520.0000020B576E3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: kflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec
Source: SgrmBroker.exe, 0000000E.00000003.306609514960.000001A56DCC0000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306634038214.000001A56DE50000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306663088731.000001A56DE50000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V VM Vid Partitiony8
Source: SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305907391418.0000020B57E2A000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306663088731.000001A56DE5C000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306634038214.000001A56DE5C000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306609514960.000001A56DCCC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V Virtual Machine Bus Pipes
Source: SgrmBroker.exe, 0000000E.00000003.306566218581.000001A56BE1F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: kflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time48
Source: SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305907391418.0000020B57EA7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: JHyper-V Hypervisor Logical Processor
Source: SgrmBroker.exe, 0000000E.00000003.306663088731.000001A56DE5C000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306634038214.000001A56DE5C000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306609514960.000001A56DCCC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V Hypervisor^
Source: SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305907391418.0000020B57E2A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V Hypervisor Root Virtual Processoru
Source: SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305907391418.0000020B57EA7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V Hypervisor Logical Processorx
Source: SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305907391418.0000020B57EA7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: THyper-V Hypervisor Root Virtual Processor{
Source: SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305907391418.0000020B57EA7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V Virtual Machine Bus Pipeslk
Source: SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305907391418.0000020B57EA7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: THyper-V Hypervisor Root Virtual Processorwm
Source: SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305877912239.0000020B576E9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 6242WorkflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Interrupt Notifications/sec4874Hypervisor Branch Predictor Flushes/sec4876Hypervisor L1 Data Cache Flushes/sec4878Hypervisor Immediate L1 Data Cache Flushes/sec4880Hypervisor Microarchitectural Buffer Flushes/sec4882Counter Refresh Sequence Number4884Counter Refresh Reference Time4886Idle Accumulation Snapshot4888Active Tsc Count Snapshot4890HWP Request MSR Context Switches/sec4892Guest Run Time4894Idle Time4896% Total Run Time4898% Hypervisor Run Time4900% Guest Run Time4902% Idle Time4904Total Interrupts/sec4788Hyper-V Hypervisor4790Logical Processors4792Partitions4794Total Pages4796Virtual Processors4798Monitored Notifications4800Modern Standby Entries4802Platform Idle Transitions4804HypervisorStartupCost4906Hyper-V Hypervisor Root Partition4908Virtual Processors4910Virtual TLB Pages4912Address Spaces4914Deposited Pages4916GPA Pages4918GPA Space Modifications/sec4920Virtual TLB Flush Entires/sec4922Recommended Virtual TLB Size49244K GPA pages49262M GPA pages49281G GPA pages4930512G GPA pages49324K device pages49342M device pages49361G device pages4938512G device pages4940Attached Devices4942Device Interrupt Mappings4944I/O TLB Flushes/sec4946I/O TLB Flush Cost4948Device Interrupt Errors4950Device DMA Errors4952Device Interrupt Throttle Events4954Skipped Timer Ticks4956Partition Id4958Nested TLB Size4960Recommended Nested TLB Size4962Nested TLB Free List Size4964Nested TLB Trimmed Pages/sec4966Pages Shattered/sec4968Pages Recombined/sec4970I/O T
Source: SgrmBroker.exe, 0000000E.00000003.306663088731.000001A56DE5C000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306634038214.000001A56DE5C000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306609514960.000001A56DCCC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V Virtual Machine Bus
Source: SgrmBroker.exe, 0000000E.00000003.306664152503.000001A56DE1D000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306634038214.000001A56DE1D000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306609514960.000001A56DC8D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V VM Vid Partitionll
Source: SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305907391418.0000020B57EA7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V Virtual Machine Bus{
Source: SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305907391418.0000020B57EA7000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306609514960.000001A56DCC0000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306634038214.000001A56DE50000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306663088731.000001A56DE50000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V Hypervisor Root Virtual Processor
Source: SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305867242122.0000020B55CD9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Interrupt Notifications/sec4874Hypervisor Branch Predictor Flushes/sec4876Hypervisor L1 Data Cache Flushes/sec4878Hypervisor Immediate L1 Data Cache Flushes/sec4880Hypervisor Microarchitectural Buffer Flushes/sec4882Counter Refresh Sequence Number4884Counter Refresh Reference Time4886Idle Accumulation Snapshot4888Active Tsc Count Snapshot4890HWP Request MSR Context Switches/sec4892Guest Run Time4894Idle Time4896% Total Run Time4898% Hypervisor Run Time4900% Guest Run Time4902% Idle Time4904Total Interrupts/sec4788Hyper-V Hypervisor4790Logical Processors4792Partitions4794Total Pages4796Virtual Processors4798Monitored Notifications4800Modern Standby Entries4802Platform Idle Transitions4804HypervisorStartupCost4906Hyper-V Hypervisor Root Partition4908Virtual Processors4910Virtual TLB Pages4912Address Spaces4914Deposited Pages4916GPA Pages4918GPA Space Modifications/sec4920Virtual TLB Flush Entires/sec4922Recommended Virtual TLB Size49244K GPA pages49262M GPA pages49281G GPA pages4930512G GPA pages49324K device pages49342M device pages49361G device pages4938512G device pages4940Attached Devices4942Device Interrupt Mappings4944I/O TLB Flushes/sec4946I/O TLB Flush Cost4948Device Interrupt Errors4950Device DMA Errors4952Device Interrupt Throttle Events4954Skipped Timer Ticks4956Partition Id4958Nested TLB Size4960Recommended Nested TLB Size4962Nested TLB Free List Size4964Nested TLB Trimmed Pages/sec4966Pages Shattered/sec4968Pages Recombined/sec4970I/O TLB Flushes Base4972Hyper-V Hypervisor Root Virtual P
Source: SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305870765408.0000020B576DD000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305870488983.0000020B576DD000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305870708726.0000020B576DD000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305870930560.0000020B576C0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: kflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Interrupt Notifications/sec4874Hypervisor Branch Predictor Flushes/sec4876Hypervisor L1 Data Cache Flushes/sec4878Hypervisor Immediate L1 Data Cache Flushes/sec4880Hypervisor Microarchitectural Buffer Flushes/sec4882Counter Refresh Sequence Number4884Counter Refresh Reference Time4886Idle Accumulation Snapshot4888Active Tsc Count Snapshot|
Source: SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305907391418.0000020B57EA7000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306664152503.000001A56DE1D000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306634038214.000001A56DE1D000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306609514960.000001A56DC8D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: JHyper-V Hypervisor Logical Processor
Source: SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305907391418.0000020B57EA7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: sWDHyper-V Hypervisor Root Partition
Source: SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305907391418.0000020B57EA7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: DHyper-V Hypervisor Root Partition
Source: SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305907391418.0000020B57EA7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: &Hyper-V Hypervisor
Source: SgrmBroker.exe, 0000000E.00000003.306566176706.000001A56D859000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306569214033.000001A56D860000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306564832420.000001A56D860000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306563826086.000001A56D84E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: kflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Tim
Source: SgrmBroker.exe, 0000000E.00000003.306663088731.000001A56DE5C000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306634038214.000001A56DE5C000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306609514960.000001A56DCCC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: &Hyper-V HypervisorQ
Source: SgrmBroker.exe, 0000000E.00000003.306609514960.000001A56DD4A000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306644289443.000001A56BE09000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306636288128.000001A56DEDA000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306613321274.000001A56BE09000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 6242WorkflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Interrupt Notifications/sec4874Hypervisor Branch Predictor Flushes/sec4876Hypervisor L1 Data Cache Flushes/sec4878Hypervisor Immediate L1 Data Cache Flushes/sec4880Hypervisor Microarchitectural Buffer Flushes/sec4882Counter Refresh Sequence Number4884Counter Refresh Reference Time4886Idle Accumulation Snapshot4888Active Tsc Count Snapshot9/^
Source: SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305907391418.0000020B57E2A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V Hypervisord
Source: SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305907391418.0000020B57EA7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: &Hyper-V Hypervisor
Source: SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305907391418.0000020B57EA7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: X2Hyper-V VM Vid PartitionQ
Source: SgrmBroker.exe, 0000000E.00000003.306577819213.000001A56D935000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: kflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Interrupt Notifications/sec4874Hypervisor Branch Predictor Flushes/sec4876Hypervisor L1 Data Cache Flushes/sec4878Hypervisor Immediate L1 Data Cache Flushes/sec4880Hypervisor Microarchitectural Buffer Flushes/sec4882Counter Refresh Sequence Number4884Counter Refresh Reference Time4886Idle Accumulation Snapshot4888Active Tsc Count Snapshot4890HWP Request MSR Context Switches/sec4892Guest Run Time4894Idle Time4896% Total Run Time4898% Hypervisor Run Time4900% Guest Run Time4902% Idle Time4904Total Interrupts/sec4788Hyper-V Hypervisor4790Logical Processors4792Partitions4794Total Pages4796Virtual Processors4798Monitored Notifications4800Modern Standby Entries4802Platform Idle Transitions4804HypervisorStartupCost4906Hyper-V Hypervisor Root Partition4908Virtual Processors4910Virtual TLB Pages4912Address Spaces4914Deposited Pages4916GPA Pages4918GPA Space Modifications/sec4920Virtual TLB Flush Entires/sec4922Recommended Virtual TLB Size49244K GPA pages49262M GPA pages49281G GPA pages4930512G GPA pages49324K device pages49342M device pages49361G device pages4938512G device pages4940Attached Devices4942Device Interrupt Mappings4944I/O TLB Flushes/sec4946I/O TLB Flush Cost4948Device Interrupt Errors4950Device DMA Errors4952Device Interrupt Throttle Events4954Skipped Timer Ticks4956Partition Id4958Nested TLB Size4960Recommended Nested TLB Size4962Nested TLB Free List Size4964Nested TLB Trimmed Pages/sec4966Pages Shattered/sec4968Pages Recombined/sec4970I/O TLB Flus
Source: SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305869689037.0000020B55CEA000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305867143409.0000020B55CEA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: e4886Idle Accumulation Snapshot4888Active Tsc Count Snapshot4890HWP Request MSR Context Switches/sec4892Guest Run Time4894Idle Time4896% Total Run Time4898% Hypervisor Run Time4900% Guest Run Time4902% Idle Time4904Total Interrupts/sec4788Hyper-V Hypervisor4790Logical Processors4792Partitions4794Total Pages4796Virtual Processors4798Monitored Notifications4800Modern Standby Entries4802Platform Idle Transitions4804HypervisorStartupCost4906Hyper-V Hypervisor Root Partition4908Virtual Processors4910Virtual TLB Pages4912Address Spaces4914Deposited Pages4916GPA Pages4918GPA Space Modifications/sec4920Virtual TLB Flush Entires/sec4922Recommended Virtual TLB Size49244K GPA pages49262M GPA pages49281G GPA pages4930512G GPA pages49324K device pages49342M device pages49361G device pages4938512G device pages4940Attached Devices4942Device Interrupt Mappings4944I/O TLB Flushes/sec4946I/O TLB Flush Cost4948Device Interrupt Errors4950Device DMA Errors4952Device Interrupt Throttle Events4954Skipped Timer Ticks4956Partition Id4958Nested TLB Size4960Recommended Nested TLB Size4962Nested TLB Free List Size4964Nested TLB Trimmed Pages/sec4966Pages Shattered/sec4968Pages Recombined/sec4970I/O TLB Flushes Base4972Hyper-V Hypervisor Root Virtual Processor4974Total Run Time4976Hypervisor Run Time4978Remote Node Run Time4980Normalized Run Time4982Ideal Cpu4984Hypercalls/sec4986Hypercalls Cost4988Page Invalidations/sec4990Page Invalidations Cost4992Control Register Accesses/sec4994Control Register Accesses Cost4996IO Instructions/sec4998IO Instructions Cost5000HLT Instructions/sec5002HLT Instructions Cost5004MWAIT Instructions/sec5006MWAIT Instructions Cost5008CPUID Instructions/sec5010CPUID Instructions Cost5012MSR Accesses/sec5014MSR Accesses Cost5016Other Intercepts/sec5018Other Intercepts Cost5020External Interrupts/sec5022External Interrupts Cost5024Pending Interrupts/sec5026Pending Interrupts Cost5028Emulated Instructions/sec5030Emulated Instructions Cost5032Debug Register Accesses/sec5034Debug Register Accesses Cost5036Page Fault Intercepts/sec5038Page Fault Intercepts Cost5040NMI Interrupts/sec5042NMI Interrupts Cost5044Guest Page Table Maps/sec5046Large Page TLB Fills/sec5048Small Page TLB Fills/sec5050Reflected Guest Page Faults/sec5052APIC MMIO Accesses/sec5054IO Intercept Messages/sec5056Memory Intercept Messages/sec5058APIC EOI Accesses/sec5060Other Messages/sec5062Page Table Allocations/sec5064Logical Processor Migrations/sec5066Address Space Evictions/sec5068Address Space Switches/sec5070Address Domain Flushes/sec5072Address Space Flushes/sec5074Global GVA Range Flushes/sec5076Local Flushed GVA Ranges/sec5078Page Table Evictions/sec5080Page Table Reclamations/sec5082Page Table Resets/sec5084Page Table Validations/sec5086APIC TPR Accesses/sec5088Page Table Write Intercepts/sec5090Synthetic Interrupts/sec5092Virtual Interrupts/sec5094APIC IPIs Sent/sec5096APIC Self IPIs Sent/sec5098GPA Space Hypercalls/sec5100Logical Processor Hypercalls/sec5102Long Spin Wait
Source: SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305871195703.0000020B5776C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: mpted discoveries9600Local Cache: Cache complete file segments9602Local Cache: Cache partial file segments9604Hosted Cache: Client file segment offers made9606Retrieval: Average branch rate9608Discovery: Successful discoveries9610Hosted Cache: Segment offers queue size9612Publication Cache: Published contents9614Local Cache: Average access time3432WSMan Quota Statistics3434Total Requests/Second3436User Quota Violations/Second3438System Quota Violations/Second3440Active Shells3442Active Operations3444Active Users3446Process ID1914Hyper-V VM Vid Partition1916Physical Pages Allocated1918Preferred NUMA Node Index1920Remote Physical Pages1922ClientHandles1924CompressPackTimeInUs1926CompressUnpackTimeInUs1928CompressPackInputSizeInBytes1930CompressUnpackInputSizeInBytes1932CompressPackOutputSizeInBytes1934CompressUnpackOutputSizeInBytes1936CompressUnpackUncompressedInputSizeInBytes1938CompressPackDiscardedSizeInBytes1940CompressWorkspaceSizeInBytes1942CompressScratchPoolSizeInBytes1944CryptPackTimeInUs1946CryptUnpackTimeInUs1948CryptPackInputSizeInBytes1950CryptUnpackInputSizeInBytes1952CryptPackOutputSizeInBytes1954CryptUnpackOutputSizeInBytes1956CryptScratchPoolSizeInBytes?
Source: SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305884641149.0000020B58008000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305938250782.0000020B5802D000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306618086324.000001A56E93D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
Source: SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305878018631.0000020B576D0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 2Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Interrupt Notifications/sec4874Hypervisor Branch Predictor Flushes/sec4876Hypervisor L1 Data Cache Flushes/sec4878Hypervisor Immediate L1 Data Cache Flushes/sec4880Hypervisor Microarchitectural Buffer Flushes/sec4882Counter Refresh Sequence Number4884Counter Refresh Reference Time4886Idle Accumulation Snapshot4888Active Tsc Count Snapshot||
Source: SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305867143409.0000020B55CEA000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305868692231.0000020B55CED000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: kflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Interrupt Notifications/sec4874Hypervisor Branch Predictor Flushes/sec4876Hypervisor L1 Data Cache Flushes/sec4878Hypervisor Immediate L1 Data Cache Flushes/sec4880Hypervisor Microarchitectural Buffer Flushes/sec4882Counter Refresh Sequence Number4884Counter Refresh Reference Time4886Idle Accumulation Snapshot4888Active Tsc Count Snapshot Err00
Source: SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305907391418.0000020B57EA7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V Hypervisor Root PartitionlRk
Source: SgrmBroker.exe, 0000000E.00000003.306578626050.000001A56D936000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: erage Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Interrupt Notifications/sec4874Hypervisor Branch Predictor Flushes/sec4876Hypervisor L1 Data Cache Flushes/sec4878Hypervisor Immediate L1 Data Cache Flushes/sec4880Hypervisor Microarchitectural Buffer Flushes/sec4882Counter Refresh Sequence Number4884Counter Refresh Reference Time4886Idle Accumulation Snapshot4888Active Tsc Count Snapshot4890HWP Request MSR Context Switches/sec4892Guest Run Time4894Idle Time4896% Total Run Time4898% Hypervisor Run Time4900% Guest Run Time4902% Idle Time4904Total Interrupts/sec4788Hyper-V Hypervisor4790Logical Processors4792Partitions4794Total Pages4796Virtual Processors4798Monitored Notifications4800Modern Standby Entries4802Platform Idle Transitions4804HypervisorStartupCost4906Hyper-V Hypervisor Root Partition4908Virtual Processors4910Virtual TLB Pages4912Address Spaces4914Deposited Pages4916GPA Pages4918GPA Space Modifications/sec4920Virtual TLB Flush Entires/sec4922Recommended Virtual TLB Size49244K GPA pages49262M GPA pages49281G GPA pages4930512G GPA pages49324K device pages49342M device pages49361G device pages4938512G device pages4940Attached Devices4942Device Interrupt Mappings4944I/O TLB Flushes/sec4946I/O TLB Flush Cost4948Device Interrupt Errors4950Device DMA Errors4952Device Interrupt Throttle Events4954Skipped Timer Ticks4956Partition Id4958Nested TLB Size4960Recommended Nested TLB Size4962Nested TLB Free List Size4964Nested TLB Trimmed Pages/sec4966Pages Shattered/sec4968Pages Recombined/sec4970I/O TLB Flushes Base4972Hyper-V Hypervisor Root Virtual Processor4974Total Run Time4976Hypervisor Run Time4978Remote Node Run Time4980Normalized Run Time4982Ideal Cpu4984Hypercalls/sec4986Hypercalls Cost4988Page Invalidations/sec4990Page Invalidations Cost4992Control Register Accesses/sec4994Control Register Accesses Cost4996IO Instructions/sec4998IO Instructions Cost5000HLT Instructions/sec5002HLT Instructions Cost5004MWAIT Instructions/sec5006MWAIT Instructions Cost5008CPUID Instructions/sec5010CPUID Instructions Cost5012MSR Accesses/sec5014MSR Accesses Cost5016Other Intercepts/sec5018Other Intercepts Cost5020Exter
Source: SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305907391418.0000020B57EA7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: AlDHyper-V Virtual Machine Bus Pipes
Source: SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305907391418.0000020B57E2A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V VM Vid Partitionsk_
Source: SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305907391418.0000020B57E2A000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306609514960.000001A56DCC0000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306634038214.000001A56DE50000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306663088731.000001A56DE50000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V Hypervisor Logical Processor.mui
Source: SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305907391418.0000020B57EA7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V Virtual Machine Bus Pipesw
Source: SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305907391418.0000020B57EA7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V Hypervisorfn
Source: SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305907391418.0000020B57EA7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VHyper-V Dynamic Memory Integration ServiceN
Source: SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305907391418.0000020B57EA7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 2Hyper-V VM Vid Partition.dll
Source: SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305877787106.0000020B57738000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: kflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec
Source: SgrmBroker.exe, 0000000E.00000003.306664152503.000001A56DEDA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: kflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Interrupt Notifications/sec4874Hypervisor Branch Predictor Flushes/sec4876Hypervisor L1 Data Cache Flushes/sec4878Hypervisor Immediate L1 Data Cache Flushes/sec4880Hypervisor Microarchitectural Buffer Flushes/sec4882Counter Refresh Sequence Number4884Counter Refresh Reference Time4886Idle Accumulation Snapshot4888Active Tsc Count Snapshot9/^
Source: SgrmBroker.exe, 0000000E.00000003.306663088731.000001A56DE5C000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306634038214.000001A56DE5C000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306609514960.000001A56DCCC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V Virtual Machine Bus Pipesb [
Source: SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305868203224.0000020B57716000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305870385586.0000020B5772F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305870343476.0000020B5772F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: kflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Interrupt Notifications/sec4874Hypervisor Branch Predictor Flushes/sec4876Hypervisor L1
Source: SgrmBroker.exe, 0000000E.00000003.306663088731.000001A56DE5C000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306634038214.000001A56DE5C000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306609514960.000001A56DCCC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V Hypervisor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exeProcess information queried: ProcessInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exeMemory allocated: page read and write | page guardJump to behavior

HIPS / PFW / Operating System Protection Evasion

barindex
Adds a directory exclusion to Windows Defender
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath @($env:ProgramData, 'C:\Users\Public') -ExclusionExtension '.exe' -Force"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath @($env:ProgramData, 'C:\Users\Public') -ExclusionExtension '.exe' -Force"Jump to behavior
Found direct / indirect Syscall (likely to bypass EDR)
Source: C:\Users\Public\AppData_Temp\Videos_Temp\SgrmBroker.exeNtQueryInformationProcess: Indirect: 0x7FF79E55B7AFJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exeNtQueryInformationProcess: Indirect: 0x7FF6E1B0E88EJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exeNtQueryInformationProcess: Indirect: 0x7FF6E1B0FAFCJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exeNtQueryInformationProcess: Indirect: 0x7FF6E1B0FB95Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exeNtQueryInformationProcess: Indirect: 0x7FF6E1B0E9EFJump to behavior
Source: C:\Users\Public\AppData_Temp\Videos_Temp\SgrmBroker.exeNtQueryInformationProcess: Indirect: 0x7FF79E55B64FJump to behavior
Source: C:\Users\Public\AppData_Temp\Videos_Temp\SgrmBroker.exeNtQuerySystemInformation: Indirect: 0x7FF79E561615Jump to behavior
Source: C:\Users\Public\AppData_Temp\Videos_Temp\SgrmBroker.exeNtQueryInformationProcess: Indirect: 0x7FF79E55C9A1Jump to behavior
Source: C:\Users\Public\AppData_Temp\Videos_Temp\SgrmBroker.exeNtQueryInformationProcess: Indirect: 0x7FF79E55C91CJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath @($env:ProgramData, 'C:\Users\Public') -ExclusionExtension '.exe' -Force"Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exeProcess created: C:\Windows\System32\cmd.exe "cmd.exe" /c "wusa /uninstall /kb:890830 /quiet /norestart"Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exeProcess created: C:\Windows\System32\cmd.exe "cmd.exe" /c "del /f /q %SystemRoot%\System32\MRT.exe"Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exeProcess created: C:\Windows\System32\cmd.exe "cmd.exe" /c "reg add HKLM\SOFTWARE\Policies\Microsoft\MRT /v DontOfferThroughWUAU /t REG_DWORD /d 1 /f"Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exeProcess created: C:\ProgramData\Documents_1\Documents_2\SppExtComObj.exe "C:\ProgramData\Documents_1\Documents_2\SppExtComObj.exe"Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exeProcess created: C:\Users\Public\AppData_Temp\Videos_Temp\SgrmBroker.exe "C:\Users\Public\AppData_Temp\Videos_Temp\SgrmBroker.exe"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestartJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\reg.exe reg add HKLM\SOFTWARE\Policies\Microsoft\MRT /v DontOfferThroughWUAU /t REG_DWORD /d 1 /fJump to behavior
Source: SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305899234435.0000020B57D27000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305899234435.0000020B57DA6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Shell_TrayWnd
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exeQueries volume information: C:\ProgramData\Documents_1\Documents_2\SppExtComObj.exe VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exeQueries volume information: C:\Users\Public\AppData_Temp\Videos_Temp\SgrmBroker.exe VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT displayName FROM AntiVirusProduct
Source: C:\Users\Public\AppData_Temp\Videos_Temp\SgrmBroker.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT displayName FROM AntiVirusProduct

Mitre Att&ck Matrix

ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire InfrastructureValid Accounts321
Windows Management Instrumentation		1
Registry Run Keys / Startup Folder		12
Process Injection		1
Modify Registry		OS Credential Dumping321
Security Software Discovery		Remote Services1
Archive Collected Data		1
Encrypted Channel		Exfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault AccountsScheduled Task/Job1
DLL Side-Loading		1
Abuse Elevation Control Mechanism		12
Virtualization/Sandbox Evasion		LSASS Memory12
Virtualization/Sandbox Evasion		Remote Desktop ProtocolData from Removable MediaJunk DataExfiltration Over BluetoothNetwork Denial of Service
Email AddressesDNS ServerDomain AccountsAt1
Image File Execution Options Injection		1
Registry Run Keys / Startup Folder		11
Disable or Modify Tools		Security Account Manager2
Process Discovery		SMB/Windows Admin SharesData from Network Shared DriveSteganographyAutomated ExfiltrationData Encrypted for Impact
Employee NamesVirtual Private ServerLocal AccountsCronLogin Hook1
DLL Side-Loading		12
Process Injection		NTDS1
Application Window Discovery		Distributed Component Object ModelInput CaptureProtocol ImpersonationTraffic DuplicationData Destruction
Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon Script1
Image File Execution Options Injection		1
Abuse Elevation Control Mechanism		LSA Secrets12
System Information Discovery		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
Obfuscated Files or Information		Cached Domain CredentialsWi-Fi DiscoveryVNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items1
DLL Side-Loading		DCSyncRemote System DiscoveryWindows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1543312 Sample: SecuriteInfo.com.Win64.Troj... Startdate: 27/10/2024 Architecture: WINDOWS Score: 80 36 Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet 2->36 38 Sigma detected: Execution from Suspicious Folder 2->38 7 SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe 5 6 2->7         started        process3 file4 34 C:\ProgramData\...\SppExtComObj.exe, PE32+ 7->34 dropped 40 Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines) 7->40 42 Creates an undocumented autostart registry key 7->42 44 Drops large PE files 7->44 46 3 other signatures 7->46 11 SgrmBroker.exe 7->11         started        14 powershell.exe 23 7->14         started        16 cmd.exe 1 7->16         started        18 3 other processes 7->18 signatures5 process6 signatures7 48 Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines) 11->48 50 Queries memory information (via WMI often done to detect virtual machines) 11->50 52 Found direct / indirect Syscall (likely to bypass EDR) 11->52 54 Loading BitLocker PowerShell Module 14->54 20 WmiPrvSE.exe 14->20         started        22 conhost.exe 14->22         started        24 conhost.exe 16->24         started        26 reg.exe 1 1 16->26         started        28 conhost.exe 18->28         started        30 conhost.exe 18->30         started        32 wusa.exe 18->32         started        process8

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

SourceDetectionScannerLabelLink
SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe5%ReversingLabs

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

NameSourceMaliciousAntivirus DetectionReputation
https://api.msn.com/v1/news/Feed/Windows?SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305884641149.0000020B58008000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305938250782.0000020B5802D000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306618086324.000001A56E93D000.00000004.00000020.00020000.00000000.sdmpfalse
    		unknown
    https://gameplayapi.intel.com/api/games/downloadthumbnail/XSecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305894766096.0000020B57E41000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305946317042.0000020B57FFD000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306651882230.000001A56E1FE000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306593142329.000001A56DCA5000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306620080706.000001A56DE1A000.00000004.00000020.00020000.00000000.sdmpfalse
      		unknown
      http://nuget.org/NuGet.exepowershell.exe, 00000002.00000002.306152783655.0000021A814F2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.306168142673.0000021A9006D000.00000004.00000800.00020000.00000000.sdmpfalse
        		unknown
        https://gameplayapi.intel.com/api/games/getagsgames2/CRT4.dllSecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305894766096.0000020B57E26000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305946317042.0000020B57FFD000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306651882230.000001A56E1FE000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306620080706.000001A56DE1A000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306593142329.000001A56DC8A000.00000004.00000020.00020000.00000000.sdmpfalse
          		unknown
          http://pesterbdd.com/images/Pester.pngpowershell.exe, 00000002.00000002.306152783655.0000021A8022C000.00000004.00000800.00020000.00000000.sdmpfalse
            		unknown
            http://schemas.xmlsoap.org/soap/encoding/powershell.exe, 00000002.00000002.306152783655.0000021A8022C000.00000004.00000800.00020000.00000000.sdmpfalse
              		unknown
              http://www.apache.org/licenses/LICENSE-2.0.htmlpowershell.exe, 00000002.00000002.306152783655.0000021A8022C000.00000004.00000800.00020000.00000000.sdmpfalse
                		unknown
                https://tst-gameplayapi.intel.com/api/games/getagsgamesettings2/xSecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305894766096.0000020B57E26000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305946317042.0000020B57FFD000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306651882230.000001A56E1FE000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306620080706.000001A56DE1A000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306593142329.000001A56DC8A000.00000004.00000020.00020000.00000000.sdmpfalse
                  		unknown
                  https://gameplayapi.intel.com/api/games/getagsgamesettings2/DSecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305894766096.0000020B57E41000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305946317042.0000020B57FFD000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306651882230.000001A56E1FE000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306593142329.000001A56DCA5000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306620080706.000001A56DE1A000.00000004.00000020.00020000.00000000.sdmpfalse
                    		unknown
                    https://api.msn.com:443/v1/news/Feed/Windows?SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305884641149.0000020B58008000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305938250782.0000020B5802D000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306618086324.000001A56E93D000.00000004.00000020.00020000.00000000.sdmpfalse
                      		unknown
                      https://tst-gameplayapi.intel.com/api/games/getagsgames2/bSecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305946317042.0000020B57FF6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305894766096.0000020B57E1E000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305892444259.0000020B57E19000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306620080706.000001A56DE12000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306593142329.000001A56DC82000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306651882230.000001A56E100000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306592448609.000001A56DC7C000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306653296362.000001A56E1F5000.00000004.00000020.00020000.00000000.sdmpfalse
                        		unknown
                        https://contoso.com/Licensepowershell.exe, 00000002.00000002.306168142673.0000021A9006D000.00000004.00000800.00020000.00000000.sdmpfalse
                          		unknown
                          https://contoso.com/Iconpowershell.exe, 00000002.00000002.306168142673.0000021A9006D000.00000004.00000800.00020000.00000000.sdmpfalse
                            		unknown
                            https://gameplayapi.intel.com/api/games/getagsgamesettings2/QSecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305946317042.0000020B57FF6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305894766096.0000020B57E1E000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305892444259.0000020B57E19000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306620080706.000001A56DE12000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306593142329.000001A56DC82000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306651882230.000001A56E100000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306592448609.000001A56DC7C000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306653296362.000001A56E1F5000.00000004.00000020.00020000.00000000.sdmpfalse
                              		unknown
                              https://gameplayapi.intel.com/api/games/getagsgamesettings2/SgrmBroker.exe, 0000000E.00000003.306620080706.000001A56DE1A000.00000004.00000020.00020000.00000000.sdmpfalse
                                		unknown
                                https://tst-gameplayapi.intel.com/api/games/downloadthumbnail/fSecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305894766096.0000020B57E41000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305946317042.0000020B57FFD000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306651882230.000001A56E1FE000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306593142329.000001A56DCA5000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306620080706.000001A56DE1A000.00000004.00000020.00020000.00000000.sdmpfalse
                                  		unknown
                                  https://github.com/Pester/Pesterpowershell.exe, 00000002.00000002.306152783655.0000021A8022C000.00000004.00000800.00020000.00000000.sdmpfalse
                                    		unknown
                                    https://tst-gameplayapi.intel.com/api/games/getagsgames2/pSecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305894766096.0000020B57E41000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305946317042.0000020B57FFD000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306651882230.000001A56E1FE000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306593142329.000001A56DCA5000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306620080706.000001A56DE1A000.00000004.00000020.00020000.00000000.sdmpfalse
                                      		unknown
                                      http://pesterbdd.com/images/Pester.pngXzwpowershell.exe, 00000002.00000002.306152783655.0000021A8022C000.00000004.00000800.00020000.00000000.sdmpfalse
                                        		unknown
                                        http://www.apache.org/licenses/LICENSE-2.0.htmlXzwpowershell.exe, 00000002.00000002.306152783655.0000021A8022C000.00000004.00000800.00020000.00000000.sdmpfalse
                                          		unknown
                                          https://github.com/Pester/PesterXzwpowershell.exe, 00000002.00000002.306152783655.0000021A8022C000.00000004.00000800.00020000.00000000.sdmpfalse
                                            		unknown
                                            http://schemas.xmlsoap.org/wsdl/powershell.exe, 00000002.00000002.306152783655.0000021A8022C000.00000004.00000800.00020000.00000000.sdmpfalse
                                              		unknown
                                              https://contoso.com/powershell.exe, 00000002.00000002.306168142673.0000021A9006D000.00000004.00000800.00020000.00000000.sdmpfalse
                                                		unknown
                                                https://nuget.org/nuget.exepowershell.exe, 00000002.00000002.306152783655.0000021A814F2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.306168142673.0000021A9006D000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  		unknown
                                                  https://gameplayapi.intel.com/api/games/downloadthumbnail/SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305894766096.0000020B57E41000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305894766096.0000020B57E26000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305946317042.0000020B57FFD000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306651882230.000001A56E1FE000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306593142329.000001A56DCA5000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306620080706.000001A56DE1A000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306593142329.000001A56DC8A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                    		unknown
                                                    https://tst-gameplayapi.intel.com/api/games/getagsgames2/SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305894766096.0000020B57E41000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305946317042.0000020B57FF6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305946317042.0000020B57FFD000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305894766096.0000020B57E1E000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305892444259.0000020B57E19000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306651882230.000001A56E1FE000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306620080706.000001A56DE12000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306593142329.000001A56DCA5000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306593142329.000001A56DC82000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306651882230.000001A56E100000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306620080706.000001A56DE1A000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306592448609.000001A56DC7C000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306653296362.000001A56E1F5000.00000004.00000020.00020000.00000000.sdmpfalse
                                                      		unknown
                                                      https://api.msn.com/SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305938250782.0000020B57F4C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305884641149.0000020B57F27000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306647230166.000001A56E85D000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306618086324.000001A56E85C000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306589926692.000001A56E05F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                        		unknown
                                                        https://aka.ms/pscore68powershell.exe, 00000002.00000002.306152783655.0000021A80001000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          		unknown
                                                          http://www.intel.com/support/gfx_feedbackSecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305892444259.0000020B57E75000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305892444259.0000020B57EB5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305946317042.0000020B58081000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305946317042.0000020B5804D000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306593142329.000001A56DD19000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306620080706.000001A56DE69000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306593142329.000001A56DCD9000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306651882230.000001A56E28D000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306653296362.000001A56E28D000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306620080706.000001A56DEA9000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306651882230.000001A56E24D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                            		unknown
                                                            http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 00000002.00000002.306152783655.0000021A80001000.00000004.00000800.00020000.00000000.sdmpfalse
                                                              		unknown
                                                              https://gameplayapi.intel.com/api/games/getagsgamesettings2/4SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305894766096.0000020B57E41000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305946317042.0000020B57FFD000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306651882230.000001A56E1FE000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306593142329.000001A56DCA5000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306620080706.000001A56DE1A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                		unknown
                                                                https://tst-gameplayapi.intel.com/api/games/downloadthumbnail/NSecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305894766096.0000020B57E41000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305946317042.0000020B57FFD000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306651882230.000001A56E1FE000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306593142329.000001A56DCA5000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306620080706.000001A56DE1A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                  		unknown
                                                                  https://tst-gameplayapi.intel.com/api/games/getagsgamesettings2/SgrmBroker.exe, 0000000E.00000003.306593142329.000001A56DC8A000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306653296362.000001A56E1F5000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                    		unknown
                                                                    https://gameplayapi.intel.com/api/games/getagsgames2/SgrmBroker.exe, 0000000E.00000003.306593142329.000001A56DC8A000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306653296362.000001A56E1F5000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                      		unknown
                                                                      https://tst-gameplayapi.intel.com/api/games/downloadthumbnail/SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305894766096.0000020B57E41000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305894766096.0000020B57E26000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305946317042.0000020B57FF6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305946317042.0000020B57FFD000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305894766096.0000020B57E1E000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe, 00000000.00000003.305892444259.0000020B57E19000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306651882230.000001A56E1FE000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306620080706.000001A56DE12000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306593142329.000001A56DCA5000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306593142329.000001A56DC82000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306651882230.000001A56E100000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306620080706.000001A56DE1A000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306592448609.000001A56DC7C000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306593142329.000001A56DC8A000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000000E.00000003.306653296362.000001A56E1F5000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                        		unknown

                                                                        World Map of Contacted IPs

                                                                        No contacted IP infos

                                                                        General Information

                                                                        Joe Sandbox version:41.0.0 Charoite
                                                                        Analysis ID:1543312
                                                                        Start date and time:2024-10-27 17:01:19 +01:00
                                                                        Joe Sandbox product:CloudBasic
                                                                        Overall analysis duration:0h 9m 25s
                                                                        Hypervisor based Inspection enabled:false
                                                                        Report type:full
                                                                        Cookbook file name:default.jbs
                                                                        Analysis system description:Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2021, Chrome 128, Firefox 91, Adobe Reader DC 21, Java 8 Update 301
                                                                        Run name:Suspected VM Detection
                                                                        Number of analysed new started processes analysed:15
                                                                        Number of new started drivers analysed:0
                                                                        Number of existing processes analysed:0
                                                                        Number of existing drivers analysed:0
                                                                        Number of injected processes analysed:0
                                                                        Technologies:
                                                                        • HCA enabled
                                                                        • EGA enabled
                                                                        • AMSI enabled
                                                                        Analysis Mode:default
                                                                        Analysis stop reason:Timeout
                                                                        Sample name:SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe
                                                                        Detection:MAL
                                                                        Classification:mal80.evad.winEXE@22/6@0/0
                                                                        EGA Information:Failed
                                                                        HCA Information:
                                                                        • Successful, ratio: 57%
                                                                        • Number of executed functions: 10
                                                                        • Number of non-executed functions: 3
                                                                        Cookbook Comments:
                                                                        • Found application associated with file extension: .exe

                                                                        Warnings

                                                                        • Exclude process from analysis (whitelisted): dllhost.exe
                                                                        • Excluded domains from analysis (whitelisted): ctldl.windowsupdate.com, nexusrules.officeapps.live.com
                                                                        • Execution Graph export aborted for target SppExtComObj.exe, PID 4936 because there are no executed function
                                                                        • Execution Graph export aborted for target powershell.exe, PID 1332 because it is empty
                                                                        • Not all processes where analyzed, report is missing behavior information
                                                                        • Report size exceeded maximum capacity and may have missing behavior information.
                                                                        • Report size getting too big, too many NtCreateKey calls found.
                                                                        • Report size getting too big, too many NtEnumerateKey calls found.
                                                                        • Report size getting too big, too many NtOpenKey calls found.
                                                                        • Report size getting too big, too many NtQueryValueKey calls found.
                                                                        • Report size getting too big, too many NtReadVirtualMemory calls found.
                                                                        • VT rate limit hit for: SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe

                                                                        Simulations

                                                                        Behavior and APIs

                                                                        TimeTypeDescription
                                                                        12:04:25API Interceptor12x Sleep call for process: powershell.exe modified

                                                                        Joe Sandbox View / Context

                                                                        IPs

                                                                        No context

                                                                        Domains

                                                                        No context

                                                                        ASNs

                                                                        No context

                                                                        JA3 Fingerprints

                                                                        No context

                                                                        Dropped Files

                                                                        No context

                                                                        Created / dropped Files

                                                                        C:\ProgramData\Documents_1\Documents_2\SppExtComObj.exe

                                                                        Download File
                                                                        Process:C:\Users\user\Desktop\SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe
                                                                        File Type:PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
                                                                        Category:modified
                                                                        Size (bytes):706740224
                                                                        Entropy (8bit):0.5545932108481512
                                                                        Encrypted:false
                                                                        SSDEEP:
                                                                        MD5:9102BCFA11AE0DCE708EFA689B3A15CC
                                                                        SHA1:206FA0934755AE3DF4975C4AFEC0E8701B9C6899
                                                                        SHA-256:C563BAC8CB09FEDFE8DE8FA3C021850D2F1565C8B1D045E01742835D1572061D
                                                                        SHA-512:C784C725A71BE65D337BDD861E5BD00203C32665C09AD40DBF8CE5310EC543247DF0C62E68AD7E6CE5613049F377FB0EDA41EF8D2DEB69E174CE6482CC1CB8E4
                                                                        Malicious:false
                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......f...............*.&%....................@....................................}.....`... ................................................l%...............q........... ...b..............................(...................@...............................text...h$%......&%.................`..`.data... ....@%......*%.............@....rdata..`0...P%..2....%.............@..@.pdata...q.......r...`..............@..@.xdata.............................@..@.bss....`................................idata..l%......&...x..............@....CRT....h...........................@....tls................................@....reloc...b... ...d..................@..B................................................................................................................................................................................................................

                                                                        C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                        Download File
                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        File Type:data
                                                                        Category:modified
                                                                        Size (bytes):64
                                                                        Entropy (8bit):1.1510207563435464
                                                                        Encrypted:false
                                                                        SSDEEP:3:NlllulgkLZ:NllU
                                                                        MD5:C1AA1D28144A13E317F3F4D85AC26B7D
                                                                        SHA1:2ADF74F16F1031DA80E1E096946EB8872F716876
                                                                        SHA-256:EB50A98ECA168B1B64C7DB0C33AE77B83B84F492032BD1BCB26AFE571DBE2839
                                                                        SHA-512:B92300874DD39C4304C852D59177D0E33A3A39D6ABB8DE5C86E9A2EC46268BC9E4AFD2BF3F1441D37F97E217EA296556EF2F9F62B346D0DDBF2EA9DB978B4CBE
                                                                        Malicious:false
                                                                        Preview:@...e.................................,..............@..........

                                                                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kfyydpdn.sbp.psm1

                                                                        Download File
                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        File Type:ASCII text, with no line terminators
                                                                        Category:dropped
                                                                        Size (bytes):60
                                                                        Entropy (8bit):4.038920595031593
                                                                        Encrypted:false
                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                        Malicious:false
                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nwy0oost.mwj.ps1

                                                                        Download File
                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        File Type:ASCII text, with no line terminators
                                                                        Category:dropped
                                                                        Size (bytes):60
                                                                        Entropy (8bit):4.038920595031593
                                                                        Encrypted:false
                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                        Malicious:false
                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_w3wrlkw2.pjz.ps1

                                                                        Download File
                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        File Type:ASCII text, with no line terminators
                                                                        Category:dropped
                                                                        Size (bytes):60
                                                                        Entropy (8bit):4.038920595031593
                                                                        Encrypted:false
                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                        Malicious:false
                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wnearrf2.ms1.psm1

                                                                        Download File
                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        File Type:ASCII text, with no line terminators
                                                                        Category:dropped
                                                                        Size (bytes):60
                                                                        Entropy (8bit):4.038920595031593
                                                                        Encrypted:false
                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                        Malicious:false
                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                        Static File Info

                                                                        General

                                                                        File type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                        Entropy (8bit):7.998741148323218
                                                                        TrID:
                                                                        • Win64 Executable GUI (202006/5) 92.65%
                                                                        • Win64 Executable (generic) (12005/4) 5.51%
                                                                        • Generic Win/DOS Executable (2004/3) 0.92%
                                                                        • DOS Executable Generic (2002/1) 0.92%
                                                                        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                        File name:SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe
                                                                        File size:30'691'840 bytes
                                                                        MD5:5360ec27f015cc0662710451f7084303
                                                                        SHA1:992317242e0acae6cdfaffa812a867d858bbc13a
                                                                        SHA256:d2bd84b83282597a8106aa18b38902262cbe81efce426a55e6cd50725556d0c5
                                                                        SHA512:9009ab873ae1599c10d7b974448e12069be3fd465a29e2cd2d3b547dc82cd7fe484a3786001a068825b48c24f7a254a1e50585e59f85ab8408a0c8663ac3f948
                                                                        SSDEEP:786432:bwA5amFQr6XMeODI6xwq2XSBpsJOGLrDbLNOnPXjv:8A5hq+Mlxv2XZFD0Pj
                                                                        TLSH:5F67336AE5371465D07DC57019E5A632EBEABC969B383EE70394CE713E19BD00238F09
                                                                        File Content Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...zq.f.........."............................@..........................................`........................................

                                                                        File Icon

                                                                        Icon Hash:90cececece8e8eb0

                                                                        Static PE Info

                                                                        General

                                                                        Entrypoint:0x14004a4b0
                                                                        Entrypoint Section:.text
                                                                        Digitally signed:false
                                                                        Imagebase:0x140000000
                                                                        Subsystem:windows gui
                                                                        Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                                                        DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                                                        Time Stamp:0x66C7717A [Thu Aug 22 17:12:26 2024 UTC]
                                                                        TLS Callbacks:0x40032d10, 0x1
                                                                        CLR (.Net) Version:
                                                                        OS Version Major:6
                                                                        OS Version Minor:0
                                                                        File Version Major:6
                                                                        File Version Minor:0
                                                                        Subsystem Version Major:6
                                                                        Subsystem Version Minor:0
                                                                        Import Hash:93849df8f2c477394e648db26fa23fe0

                                                                        Entrypoint Preview

                                                                        Instruction
                                                                        dec eax
                                                                        sub esp, 28h
                                                                        call 00007FD9848F1DA0h
                                                                        dec eax
                                                                        add esp, 28h
                                                                        jmp 00007FD9848F19C7h
                                                                        int3
                                                                        int3
                                                                        dec eax
                                                                        sub esp, 28h
                                                                        call 00007FD9848F1B64h
                                                                        dec eax
                                                                        neg eax
                                                                        sbb eax, eax
                                                                        neg eax
                                                                        dec eax
                                                                        dec eax
                                                                        add esp, 28h
                                                                        ret
                                                                        int3
                                                                        inc eax
                                                                        push ebx
                                                                        dec eax
                                                                        sub esp, 20h
                                                                        dec eax
                                                                        cmp dword ptr [01CF9556h], FFFFFFFFh
                                                                        dec eax
                                                                        mov ebx, ecx
                                                                        jne 00007FD9848F1B59h
                                                                        call 00007FD9848F2FD5h
                                                                        jmp 00007FD9848F1B61h
                                                                        dec eax
                                                                        mov edx, ebx
                                                                        dec eax
                                                                        lea ecx, dword ptr [01CF9540h]
                                                                        call 00007FD9848F2F40h
                                                                        xor edx, edx
                                                                        test eax, eax
                                                                        dec eax
                                                                        cmove edx, ebx
                                                                        dec eax
                                                                        mov eax, edx
                                                                        dec eax
                                                                        add esp, 20h
                                                                        pop ebx
                                                                        ret
                                                                        int3
                                                                        int3
                                                                        dec eax
                                                                        sub esp, 18h
                                                                        dec esp
                                                                        mov eax, ecx
                                                                        mov eax, 00005A4Dh
                                                                        cmp word ptr [FFFB5AD5h], ax
                                                                        jne 00007FD9848F1BCAh
                                                                        dec eax
                                                                        arpl word ptr [FFFB5B08h], cx
                                                                        dec eax
                                                                        lea edx, dword ptr [FFFB5AC5h]
                                                                        dec eax
                                                                        add ecx, edx
                                                                        cmp dword ptr [ecx], 00004550h
                                                                        jne 00007FD9848F1BB1h
                                                                        mov eax, 0000020Bh
                                                                        cmp word ptr [ecx+18h], ax
                                                                        jne 00007FD9848F1BA6h
                                                                        dec esp
                                                                        sub eax, edx
                                                                        movzx edx, word ptr [ecx+14h]
                                                                        dec eax
                                                                        add edx, 18h
                                                                        dec eax
                                                                        add edx, ecx
                                                                        movzx eax, word ptr [ecx+06h]
                                                                        dec eax
                                                                        lea ecx, dword ptr [eax+eax*4]
                                                                        dec esp
                                                                        lea ecx, dword ptr [edx+ecx*8]
                                                                        dec eax
                                                                        mov dword ptr [esp], edx
                                                                        dec ecx
                                                                        cmp edx, ecx
                                                                        je 00007FD9848F1B6Ah
                                                                        mov ecx, dword ptr [edx+0Ch]

                                                                        Data Directories

                                                                        NameVirtual AddressVirtual Size Is in Section
                                                                        IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                                                        IMAGE_DIRECTORY_ENTRY_IMPORT0x1d3fca80x104.rdata
                                                                        IMAGE_DIRECTORY_ENTRY_RESOURCE0x00x0
                                                                        IMAGE_DIRECTORY_ENTRY_EXCEPTION0x1d450000x1c38.pdata
                                                                        IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                                                        IMAGE_DIRECTORY_ENTRY_BASERELOC0x1d4a0000x728.reloc
                                                                        IMAGE_DIRECTORY_ENTRY_DEBUG0x1d3fb800x1c.rdata
                                                                        IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                                                        IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                                                        IMAGE_DIRECTORY_ENTRY_TLS0x1d3d3f00x28.rdata
                                                                        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x1d385b00x140.rdata
                                                                        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                                                        IMAGE_DIRECTORY_ENTRY_IAT0x1d403180x568.rdata
                                                                        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                                                        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
                                                                        IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                                                        Sections

                                                                        NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                                        .text0x10000x5a6360x5a800f8d710b8c9f2e0ddf11b63a0515c9cc1False0.5067010531767956data6.448421919299211IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                                        .rdata0x5c0000x1ce6e5c0x1ce70008209e8ed657a63d6e6d02eff0e4527d5unknownunknownunknownunknownIMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                        .data0x1d430000x1bc00xa00e99773e627dff38ab5546693c29e2e75False0.14453125, Bytes/sector 320, FATs 117, root entries 152, sectors 65280 (volumes <=32 MB), Media descriptor 0xff, sectors/FAT 65535, sectors/track 1, dos < 4.0 BootSector (0), FAT (12 bit by descriptor)1.8825109457030427IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                        .pdata0x1d450000x1c380x1e004427e0fcb2f221b765b9ccbd95ed98a6False0.4842447916666667data5.632961948272826IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                        .gfids0x1d470000x800x20015cc680d760ca2978bd9a69c74bf4339False0.21484375data1.4621721394702356IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                        .tls0x1d480000xa10x20040c549400c0a6c7cf1a3b38a839502fbFalse0.037109375data0.020393135236084953IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                        _RDATA0x1d490000x1f40x200ab29795298bb29b8a4f92258a2d3634fFalse0.509765625data4.161058205400472IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                        .reloc0x1d4a0000x7280x800816efd5fd8bedc7ec66539b14276cdddFalse0.56005859375data5.237173017380551IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                                        Imports

                                                                        DLLImport
                                                                        KERNEL32.dllAddVectoredExceptionHandler, CheckRemoteDebuggerPresent, CloseHandle, CompareStringOrdinal, CompareStringW, CreateDirectoryW, CreateFileW, CreateNamedPipeW, CreateProcessW, CreateThread, CreateWaitableTimerExW, DeleteCriticalSection, DeleteProcThreadAttributeList, DuplicateHandle, EnterCriticalSection, ExitProcess, FindClose, FindFirstFileExA, FindFirstFileW, FindNextFileA, FlushFileBuffers, FreeEnvironmentStringsW, FreeLibrary, GetACP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetComputerNameExW, GetConsoleCP, GetConsoleMode, GetCurrentProcess, GetCurrentProcessId, GetCurrentThread, GetCurrentThreadId, GetEnvironmentStringsW, GetEnvironmentVariableW, GetExitCodeProcess, GetFileAttributesW, GetFileInformationByHandle, GetFileInformationByHandleEx, GetFileType, GetFullPathNameW, GetLastError, GetModuleFileNameA, GetModuleFileNameW, GetModuleHandleA, GetModuleHandleExW, GetModuleHandleW, GetOEMCP, GetProcAddress, GetProcessHeap, GetProcessIoCounters, GetProcessTimes, GetStartupInfoW, GetStdHandle, GetStringTypeW, GetSystemDirectoryW, GetSystemInfo, GetSystemTimeAsFileTime, GetSystemTimePreciseAsFileTime, GetSystemTimes, GetTickCount64, GetWindowsDirectoryW, GlobalMemoryStatusEx, HeapAlloc, HeapFree, HeapReAlloc, HeapSize, InitializeCriticalSectionAndSpinCount, InitializeProcThreadAttributeList, InitializeSListHead, IsDebuggerPresent, IsProcessorFeaturePresent, IsValidCodePage, K32GetPerformanceInfo, LCMapStringW, LeaveCriticalSection, LoadLibraryExA, LoadLibraryExW, LocalFree, MultiByteToWideChar, OpenProcess, QueryPerformanceCounter, QueryPerformanceFrequency, RaiseException, ReadFileEx, ReadProcessMemory, RtlCaptureContext, RtlLookupFunctionEntry, RtlUnwindEx, RtlVirtualUnwind, SetEnvironmentVariableA, SetFileInformationByHandle, SetFilePointerEx, SetLastError, SetStdHandle, SetThreadExecutionState, SetThreadStackGuarantee, SetUnhandledExceptionFilter, SetWaitableTimer, Sleep, SleepEx, SwitchToThread, TerminateProcess, TlsAlloc, TlsFree, TlsGetValue, TlsSetValue, UnhandledExceptionFilter, UpdateProcThreadAttribute, VirtualQueryEx, WaitForSingleObject, WideCharToMultiByte, WriteConsoleW, WriteFile, WriteFileEx
                                                                        bcryptprimitives.dllProcessPrng
                                                                        api-ms-win-core-synch-l1-2-0.dllWaitOnAddress, WakeByAddressAll, WakeByAddressSingle
                                                                        ntdll.dllNtQueryInformationProcess, NtQuerySystemInformation, NtWriteFile, RtlGetVersion, RtlNtStatusToDosError
                                                                        ADVAPI32.dllCopySid, GetLengthSid, GetTokenInformation, IsValidSid, OpenProcessToken, RegCloseKey, RegCreateKeyExW, RegOpenKeyExW, RegQueryValueExW, RegSetValueExW, SystemFunction036
                                                                        bcrypt.dllBCryptGenRandom
                                                                        powrprof.dllCallNtPowerInformation
                                                                        ole32.dllCoCreateInstance, CoInitializeEx, CoInitializeSecurity, CoSetProxyBlanket
                                                                        shell32.dllCommandLineToArgvW, ShellExecuteExW
                                                                        oleaut32.dllGetErrorInfo, SafeArrayAccessData, SafeArrayDestroy, SafeArrayGetLBound, SafeArrayGetUBound, SafeArrayUnaccessData, SysAllocStringLen, SysFreeString, SysStringLen, VariantClear
                                                                        psapi.dllGetModuleFileNameExW
                                                                        pdh.dllPdhAddEnglishCounterW, PdhCloseQuery, PdhCollectQueryData, PdhGetFormattedCounterValue, PdhOpenQueryA, PdhRemoveCounter

                                                                        Network Behavior

                                                                        No network behavior found

                                                                        Statistics

                                                                        CPU Usage

                                                                        Click to jump to process

                                                                        Memory Usage

                                                                        Click to jump to process

                                                                        High Level Behavior Distribution

                                                                        Click to dive into process behavior distribution

                                                                        Behavior

                                                                        Click to jump to process

                                                                        System Behavior

                                                                        General

                                                                        Target ID:0
                                                                        Start time:12:03:22
                                                                        Start date:27/10/2024
                                                                        Path:C:\Users\user\Desktop\SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:"C:\Users\user\Desktop\SecuriteInfo.com.Win64.Trojan.Coinminer.XGAC6C.9310.7687.exe"
                                                                        Imagebase:0x7ff6e1ad0000
                                                                        File size:30'691'840 bytes
                                                                        MD5 hash:5360EC27F015CC0662710451F7084303
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:low
                                                                        Has exited:true

                                                                        General

                                                                        Target ID:2
                                                                        Start time:12:04:25
                                                                        Start date:27/10/2024
                                                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:"powershell.exe" -Command "Add-MpPreference -ExclusionPath @($env:ProgramData, 'C:\Users\Public') -ExclusionExtension '.exe' -Force"
                                                                        Imagebase:0x7ff6dfd30000
                                                                        File size:452'608 bytes
                                                                        MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high
                                                                        Has exited:true

                                                                        General

                                                                        Target ID:3
                                                                        Start time:12:04:25
                                                                        Start date:27/10/2024
                                                                        Path:C:\Windows\System32\conhost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                        Imagebase:0x7ff6b1490000
                                                                        File size:875'008 bytes
                                                                        MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high
                                                                        Has exited:true

                                                                        General

                                                                        Target ID:4
                                                                        Start time:12:04:26
                                                                        Start date:27/10/2024
                                                                        Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                                                        Imagebase:0x7ff79dff0000
                                                                        File size:496'640 bytes
                                                                        MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:false
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high
                                                                        Has exited:false

                                                                        General

                                                                        Target ID:5
                                                                        Start time:12:04:30
                                                                        Start date:27/10/2024
                                                                        Path:C:\Windows\System32\cmd.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:"cmd.exe" /c "wusa /uninstall /kb:890830 /quiet /norestart"
                                                                        Imagebase:0x7ff6eb5e0000
                                                                        File size:289'792 bytes
                                                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high
                                                                        Has exited:true

                                                                        General

                                                                        Target ID:6
                                                                        Start time:12:04:30
                                                                        Start date:27/10/2024
                                                                        Path:C:\Windows\System32\conhost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                        Imagebase:0x7ff6b1490000
                                                                        File size:875'008 bytes
                                                                        MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high
                                                                        Has exited:true

                                                                        General

                                                                        Target ID:7
                                                                        Start time:12:04:30
                                                                        Start date:27/10/2024
                                                                        Path:C:\Windows\System32\wusa.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:wusa /uninstall /kb:890830 /quiet /norestart
                                                                        Imagebase:0x7ff7aea20000
                                                                        File size:316'416 bytes
                                                                        MD5 hash:E43499EE2B4CF328A81BACE9B1644C5D
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:moderate
                                                                        Has exited:true

                                                                        General

                                                                        Target ID:8
                                                                        Start time:12:04:31
                                                                        Start date:27/10/2024
                                                                        Path:C:\Windows\System32\cmd.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:"cmd.exe" /c "del /f /q %SystemRoot%\System32\MRT.exe"
                                                                        Imagebase:0x7ff6eb5e0000
                                                                        File size:289'792 bytes
                                                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high
                                                                        Has exited:true

                                                                        General

                                                                        Target ID:9
                                                                        Start time:12:04:31
                                                                        Start date:27/10/2024
                                                                        Path:C:\Windows\System32\conhost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                        Imagebase:0x7ff6b1490000
                                                                        File size:875'008 bytes
                                                                        MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high
                                                                        Has exited:true

                                                                        General

                                                                        Target ID:10
                                                                        Start time:12:04:31
                                                                        Start date:27/10/2024
                                                                        Path:C:\Windows\System32\cmd.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:"cmd.exe" /c "reg add HKLM\SOFTWARE\Policies\Microsoft\MRT /v DontOfferThroughWUAU /t REG_DWORD /d 1 /f"
                                                                        Imagebase:0x7ff6eb5e0000
                                                                        File size:289'792 bytes
                                                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high
                                                                        Has exited:true

                                                                        General

                                                                        Target ID:11
                                                                        Start time:12:04:31
                                                                        Start date:27/10/2024
                                                                        Path:C:\Windows\System32\conhost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                        Imagebase:0x7ff6b1490000
                                                                        File size:875'008 bytes
                                                                        MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high
                                                                        Has exited:true

                                                                        General

                                                                        Target ID:12
                                                                        Start time:12:04:31
                                                                        Start date:27/10/2024
                                                                        Path:C:\Windows\System32\reg.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:reg add HKLM\SOFTWARE\Policies\Microsoft\MRT /v DontOfferThroughWUAU /t REG_DWORD /d 1 /f
                                                                        Imagebase:0x7ff63bba0000
                                                                        File size:77'312 bytes
                                                                        MD5 hash:227F63E1D9008B36BDBCC4B397780BE4
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:true

                                                                        General

                                                                        Target ID:13
                                                                        Start time:12:05:01
                                                                        Start date:27/10/2024
                                                                        Path:C:\ProgramData\Documents_1\Documents_2\SppExtComObj.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:"C:\ProgramData\Documents_1\Documents_2\SppExtComObj.exe"
                                                                        Imagebase:0x7ff684cd0000
                                                                        File size:706'740'224 bytes
                                                                        MD5 hash:9102BCFA11AE0DCE708EFA689B3A15CC
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:false

                                                                        General

                                                                        Target ID:14
                                                                        Start time:12:05:06
                                                                        Start date:27/10/2024
                                                                        Path:C:\Users\Public\AppData_Temp\Videos_Temp\SgrmBroker.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:"C:\Users\Public\AppData_Temp\Videos_Temp\SgrmBroker.exe"
                                                                        Imagebase:0x7ff79e470000
                                                                        File size:706'740'224 bytes
                                                                        MD5 hash:FE61B23A827523EF5C5E77B0FCA6E5A5
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:true

                                                                        Disassembly

                                                                        Reset < >

                                                                          Executed Functions

                                                                          Function 00007FF93F596605 Relevance: 6.6, Strings: 5, Instructions: 400COMMON
                                                                          Download Yara Rule
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.306182259733.00007FF93F590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF93F590000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_7ff93f590000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: (B}?$(B}?$(B}?$(B}?$(B}?
                                                                          • API String ID: 0-1639894310
                                                                          • Opcode ID: 2b9540601ab151702e5bae1e026988d6f1d6737fdf1f8f1f824955a33a8fc9c7
                                                                          • Instruction ID: b2d1986bb220b1f0aae062d6bacacd207afa721e123f70b4e605ad617f8d671d
                                                                          • Opcode Fuzzy Hash: 2b9540601ab151702e5bae1e026988d6f1d6737fdf1f8f1f824955a33a8fc9c7
                                                                          • Instruction Fuzzy Hash: A9C1F72291EA8A0FE7A9DB2858556767FE9EF05318B0901BED44CCB093D95ABC09C351
                                                                          Function 00007FF93F5964D3 Relevance: 5.3, Strings: 4, Instructions: 334COMMON
                                                                          Download Yara Rule
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.306182259733.00007FF93F590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF93F590000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_7ff93f590000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: (B}?$(B}?$(B}?$(B}?
                                                                          • API String ID: 0-20246457
                                                                          • Opcode ID: 33952cbe6b3628569d9dccbc80b41de566eda07de385ebefbd691b63ccf074b3
                                                                          • Instruction ID: 3a5bf9c0b6e0c4b2167c9eb4cb529037000c6751d505285224584628893391cd
                                                                          • Opcode Fuzzy Hash: 33952cbe6b3628569d9dccbc80b41de566eda07de385ebefbd691b63ccf074b3
                                                                          • Instruction Fuzzy Hash: 10A15932D0EA890FEB9DEB28585567A7BD9FF05318B0901BED04CC7083DA5ABC09C351
                                                                          Function 00007FF93F4C9F63 Relevance: .3, Instructions: 343COMMON
                                                                          Download Yara Rule
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.306181683970.00007FF93F4C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF93F4C0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_7ff93f4c0000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 8c086802297851bd4d63c7848a264a7ebb513efda3c62800e845ec980dc3ef7b
                                                                          • Instruction ID: 6cb124c3d6223d9843c05c11d057ae1929377b4c6c3d87474528631874e29cb3
                                                                          • Opcode Fuzzy Hash: 8c086802297851bd4d63c7848a264a7ebb513efda3c62800e845ec980dc3ef7b
                                                                          • Instruction Fuzzy Hash: 0AA10C67D1D6921BE755EF1CB8EE2E53B94EF92728B0A00B3D0C8CA0A3FC4978459355
                                                                          Function 00007FF93F4C9828 Relevance: .1, Instructions: 144COMMON
                                                                          Download Yara Rule
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.306181683970.00007FF93F4C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF93F4C0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_7ff93f4c0000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 040c890b4d274af75b5c0f5115e909ac8cb7b2e46a5f4526c524ab7f13fea519
                                                                          • Instruction ID: 560f704b350d8da3cf145e399a04c9b45fa1cb97f67ed2bc781b01f767def6e0
                                                                          • Opcode Fuzzy Hash: 040c890b4d274af75b5c0f5115e909ac8cb7b2e46a5f4526c524ab7f13fea519
                                                                          • Instruction Fuzzy Hash: D941F472D1CA885FDB1CDB5CA84A7A87FE0FB94314F04416FE049C3292DA60A855CBD2
                                                                          Function 00007FF93F3AEB80 Relevance: .1, Instructions: 126COMMON
                                                                          Download Yara Rule
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.306181090490.00007FF93F3AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF93F3AD000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_7ff93f3ad000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 84786d21dec0597e2fac532a54845db5537baf93370ebf86a8910339c84d73ad
                                                                          • Instruction ID: d161ec9b295da4bff2c600d3579a55ae9113236dddb1aacef5c38b7706ea5a7a
                                                                          • Opcode Fuzzy Hash: 84786d21dec0597e2fac532a54845db5537baf93370ebf86a8910339c84d73ad
                                                                          • Instruction Fuzzy Hash: 5041393080EBC44FD75ACB2A9845A523FF0EF46264B1505EFD489CF1A3D66AB846C793
                                                                          Function 00007FF93F4CA57C Relevance: .1, Instructions: 102COMMON
                                                                          Download Yara Rule
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.306181683970.00007FF93F4C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF93F4C0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_7ff93f4c0000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 4d99af3d5f4b356a69ab92bccdf164308b3cbc160a74352f2e70e26a66e1d83b
                                                                          • Instruction ID: 4726d326fe7930ed63a8db58f3153c559205b7b09bbfdb79a056d2354c35c028
                                                                          • Opcode Fuzzy Hash: 4d99af3d5f4b356a69ab92bccdf164308b3cbc160a74352f2e70e26a66e1d83b
                                                                          • Instruction Fuzzy Hash: 30314B3090CB4C4FEB59DF6C984A7E97FF0EB96321F04416BD048C7152DA74A416CB91
                                                                          Function 00007FF93F4C33A5 Relevance: .0, Instructions: 49COMMON
                                                                          Download Yara Rule
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.306181683970.00007FF93F4C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF93F4C0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_7ff93f4c0000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: eefe6ab09e8845b4c05240772d5b2ce4003d70f8a84eab389c23fc30afd342b3
                                                                          • Instruction ID: ba6e704be752fbeb6a00174a1330fb4b652f0f9fffcf1155ceaa4adb912c23b3
                                                                          • Opcode Fuzzy Hash: eefe6ab09e8845b4c05240772d5b2ce4003d70f8a84eab389c23fc30afd342b3
                                                                          • Instruction Fuzzy Hash: 4D01677111CB0C4FD758EF0CE495AB5B7E0FB95324F10056EE58AC3661DA36E881CB45
                                                                          Function 00007FF93F59414D Relevance: .0, Instructions: 37COMMON
                                                                          Download Yara Rule
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.306182259733.00007FF93F590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF93F590000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_7ff93f590000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 2b6eda725d713832c7a8696ba9ce215f02df703673a3224ec15b239df18a00c4
                                                                          • Instruction ID: af33a4146a5684976f08c2f40d69969f72f3a147e783fa5fd16b9814bd075a8a
                                                                          • Opcode Fuzzy Hash: 2b6eda725d713832c7a8696ba9ce215f02df703673a3224ec15b239df18a00c4
                                                                          • Instruction Fuzzy Hash: 7EF0BE32A0C5088FD76CEB0CE441AA973E9FF5432171140BBE15DC7163CA2AFC428780
                                                                          Function 00007FF93F594400 Relevance: .0, Instructions: 35COMMON
                                                                          Download Yara Rule
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.306182259733.00007FF93F590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF93F590000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_7ff93f590000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 01136917a9a4bea4046fc2e8aa5dd461a1bb06ab33e012a35bee7a05fc3fab32
                                                                          • Instruction ID: 3d911d7e1a049a046a86768bc2817022964523540a53de5d462698894b296e3d
                                                                          • Opcode Fuzzy Hash: 01136917a9a4bea4046fc2e8aa5dd461a1bb06ab33e012a35bee7a05fc3fab32
                                                                          • Instruction Fuzzy Hash: 70F05832A0C9488FDB68EB1CE481AA877E4FF45325B5640B6E14DCB463DA66BC518790
                                                                          Function 00007FF93F5941D1 Relevance: .0, Instructions: 29COMMON
                                                                          Download Yara Rule
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.306182259733.00007FF93F590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF93F590000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_7ff93f590000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                                                          • Instruction ID: 650f70d1f6d428e960d0874cd59ea4b5d32c46c6ae6a6365667a1e70036efa2f
                                                                          • Opcode Fuzzy Hash: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                                                          • Instruction Fuzzy Hash: 23E0123170C4048FD66CDA0CE040DB973E6EB9832571141B7D14EC7561C626FC529B80

                                                                          Non-executed Functions

                                                                          Function 00007FF93F5930E9 Relevance: .7, Instructions: 657COMMON
                                                                          Download Yara Rule
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.306182259733.00007FF93F590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF93F590000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_7ff93f590000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 7e27837886893c6f90d2ac8e87f7124b97fb0f423184d21ec33e4f4a7ebca0ad
                                                                          • Instruction ID: fa720d93668415eaac336565f83cdc88521c07557b972ba85f68f22071534f5a
                                                                          • Opcode Fuzzy Hash: 7e27837886893c6f90d2ac8e87f7124b97fb0f423184d21ec33e4f4a7ebca0ad
                                                                          • Instruction Fuzzy Hash: B8122622A0DB854FE7AADB2C58552B13FDAEF66224B0901FBC04DC71A3DD4ABC46D351
                                                                          Function 00007FF93F4C844D Relevance: 11.7, Strings: 9, Instructions: 414COMMON
                                                                          Download Yara Rule
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.306181683970.00007FF93F4C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF93F4C0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_7ff93f4c0000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: T_^$T_^$T_^$T_^$T_^$T_^$T_^$T_^$T_^
                                                                          • API String ID: 0-2437181015
                                                                          • Opcode ID: db6d3e346511dd75c74d23409c1af576accc88283530bf8d8067085b77cb8af5
                                                                          • Instruction ID: cee2088f57f6cb484f6429fcbaef8c2bd283d961e5afd2d1667903e7e48afeb7
                                                                          • Opcode Fuzzy Hash: db6d3e346511dd75c74d23409c1af576accc88283530bf8d8067085b77cb8af5
                                                                          • Instruction Fuzzy Hash: 2AD18B67E0D6C32FF75A8A2D6D5D2E53F94EF9321870F11B6C0C8CB093E95938069255
                                                                          Function 00007FF93F4C8B62 Relevance: 5.1, Strings: 4, Instructions: 82COMMON
                                                                          Download Yara Rule
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.306181683970.00007FF93F4C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF93F4C0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_7ff93f4c0000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: T_^'$T_^($T_^7$T_^8
                                                                          • API String ID: 0-2165326250
                                                                          • Opcode ID: 1f690a63f4d2e1eddb0f2281e98dd95595a846d3d4d2b850b2e4fb05139f78b9
                                                                          • Instruction ID: d11ad562d5410c087ede7fc07099dfa721b457a784bd8411538c81570d793263
                                                                          • Opcode Fuzzy Hash: 1f690a63f4d2e1eddb0f2281e98dd95595a846d3d4d2b850b2e4fb05139f78b9
                                                                          • Instruction Fuzzy Hash: B821C8A3A152255AD654BB3CB4CA3E53788DF9A730751017AD0DCCF063AD5938CB86E8