Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
windows.ps1

Overview

General Information

Sample name:windows.ps1
Analysis ID:1612125
MD5:8d936cf5288919e1bd4fe58cb81b9d69
SHA1:5bae228225fcae1067a99c2b128e13dcac715f21
SHA256:1d49f594b4f8a9f48eb657a20a157f220a157fd995ea651726b42a3b7e07803f
Tags:ps1user-Bastian455_
Infos:

Detection

Xmrig
Score:100
Range:0 - 100
Confidence:100%

Signatures

Antivirus detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Yara detected Xmrig cryptocurrency miner
Changes security center settings (notifications, updates, antivirus, firewall)
Detected Stratum mining protocol
Found strings related to Crypto-Mining
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Powershell drops PE file
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates driver files
Detected TCP or UDP traffic on non-standard ports
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Modifies existing windows services
PE file contains sections with non-standard names
Queries disk information (often used to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Process Tree

  • System is w10x64
  • svchost.exe (PID: 5852 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • SgrmBroker.exe (PID: 7156 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: 3BA1A18A0DC30A0545E7765CB97D8E63)
  • svchost.exe (PID: 6420 cmdline: C:\Windows\system32\svchost.exe -k UnistackSvcGroup MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • svchost.exe (PID: 2412 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • svchost.exe (PID: 788 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
    • MpCmdRun.exe (PID: 7888 cmdline: "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable MD5: B3676839B2EE96983F9ED735CD044159)
      • conhost.exe (PID: 7896 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • powershell.exe (PID: 6504 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\windows.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)
    • conhost.exe (PID: 5084 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • xmrig.exe (PID: 7332 cmdline: "C:\Users\user\Desktop\xmrig\xmrig-6.22.2\xmrig.exe" -a rx/0 -o gulf.moneroocean.stream:10001 -u 45MBTQ27xo1LJmAi6sNFTyZhgTdoF45XCRsLUtmL7Lo376nNuxcaSxAa3JUkUV4xHEVSpsEA6nwL5S28g1fCa1RwPfXpwnH -p All-In-One --cpu-priority 5 -t 1 1 MD5: F6D520AE125F03056C4646C508218D16)
  • svchost.exe (PID: 3964 cmdline: C:\Windows\system32\svchost.exe -k LocalService -s W32Time MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
xmrigAccording to PCrisk, XMRIG is a completely legitimate open-source application that utilizes system CPUs to mine Monero cryptocurrency. Unfortunately, criminals generate revenue by infiltrating this app into systems without users' consent. This deceptive marketing method is called "bundling".In most cases, "bundling" is used to infiltrate several potentially unwanted programs (PUAs) at once. So, there is a high probability that XMRIG Virus came with a number of adware-type applications that deliver intrusive ads and gather sensitive information.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/win.xmrig

Malware Configuration

No configs have been found

Yara Signatures

Initial Sample

SourceRuleDescriptionAuthorStrings
windows.ps1JoeSecurity_XmrigYara detected Xmrig cryptocurrency minerJoe Security

    PCAP (Network Traffic)

    SourceRuleDescriptionAuthorStrings
    dump.pcapJoeSecurity_XmrigYara detected Xmrig cryptocurrency minerJoe Security

      Dropped Files

      SourceRuleDescriptionAuthorStrings
      C:\Users\user\Desktop\xmrig\xmrig-6.22.2\config.jsonJoeSecurity_XmrigYara detected Xmrig cryptocurrency minerJoe Security
        C:\Users\user\Desktop\xmrig\xmrig-6.22.2\xmrig.exeJoeSecurity_XmrigYara detected Xmrig cryptocurrency minerJoe Security
          C:\Users\user\Desktop\xmrig\xmrig-6.22.2\xmrig.exeMacOS_Cryptominer_Xmrig_241780a1unknownunknown
          • 0x586958:$a1: mining.set_target
          • 0x581428:$a2: XMRIG_HOSTNAME
          • 0x583500:$a3: Usage: xmrig [OPTIONS]
          • 0x581400:$a4: XMRIG_VERSION
          C:\Users\user\Desktop\xmrig\xmrig-6.22.2\xmrig.exeMAL_XMR_Miner_May19_1Detects Monero Crypto Coin MinerFlorian Roth
          • 0x58d3a8:$x1: donate.ssl.xmrig.com
          • 0x58d951:$x2: * COMMANDS 'h' hashrate, 'p' pause, 'r' resume
          C:\Users\user\Desktop\xmrig\xmrig-6.22.2\xmrig.exeMALWARE_Win_CoinMiner02Detects coinmining malwareditekSHen
          • 0x58de98:$s1: %s/%s (Windows NT %lu.%lu
          • 0x58ef00:$s3: \\.\WinRing0_
          • 0x5856f8:$s4: pool_wallet
          • 0x580c68:$s5: cryptonight
          • 0x580c78:$s5: cryptonight
          • 0x580c88:$s5: cryptonight
          • 0x580c98:$s5: cryptonight
          • 0x580cb0:$s5: cryptonight
          • 0x580cc0:$s5: cryptonight
          • 0x580cd0:$s5: cryptonight
          • 0x580ce8:$s5: cryptonight
          • 0x580cf8:$s5: cryptonight
          • 0x580d10:$s5: cryptonight
          • 0x580d28:$s5: cryptonight
          • 0x580d38:$s5: cryptonight
          • 0x580d48:$s5: cryptonight
          • 0x580d58:$s5: cryptonight
          • 0x580d70:$s5: cryptonight
          • 0x580d88:$s5: cryptonight
          • 0x580d98:$s5: cryptonight
          • 0x580da8:$s5: cryptonight

          Memory Dumps

          SourceRuleDescriptionAuthorStrings
          00000005.00000002.3744518078.000001F66537A000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_XmrigYara detected Xmrig cryptocurrency minerJoe Security
            0000000A.00000003.1396932548.000001EE5268B000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_XmrigYara detected Xmrig cryptocurrency minerJoe Security
              0000000A.00000000.1396455107.00007FF7C4750000.00000002.00000001.01000000.00000009.sdmpJoeSecurity_XmrigYara detected Xmrig cryptocurrency minerJoe Security
                00000005.00000002.3744518078.000001F66538E000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_XmrigYara detected Xmrig cryptocurrency minerJoe Security
                  00000005.00000002.3744518078.000001F66534A000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_XmrigYara detected Xmrig cryptocurrency minerJoe Security
                    Click to see the 13 entries

                    Unpacked PEs

                    SourceRuleDescriptionAuthorStrings
                    10.0.xmrig.exe.7ff7c3ea0000.0.unpackJoeSecurity_XmrigYara detected Xmrig cryptocurrency minerJoe Security
                      10.0.xmrig.exe.7ff7c3ea0000.0.unpackMacOS_Cryptominer_Xmrig_241780a1unknownunknown
                      • 0x586958:$a1: mining.set_target
                      • 0x581428:$a2: XMRIG_HOSTNAME
                      • 0x583500:$a3: Usage: xmrig [OPTIONS]
                      • 0x581400:$a4: XMRIG_VERSION
                      10.0.xmrig.exe.7ff7c3ea0000.0.unpackMAL_XMR_Miner_May19_1Detects Monero Crypto Coin MinerFlorian Roth
                      • 0x58d3a8:$x1: donate.ssl.xmrig.com
                      • 0x58d951:$x2: * COMMANDS 'h' hashrate, 'p' pause, 'r' resume
                      10.0.xmrig.exe.7ff7c3ea0000.0.unpackMALWARE_Win_CoinMiner02Detects coinmining malwareditekSHen
                      • 0x58de98:$s1: %s/%s (Windows NT %lu.%lu
                      • 0x58ef00:$s3: \\.\WinRing0_
                      • 0x5856f8:$s4: pool_wallet
                      • 0x580c68:$s5: cryptonight
                      • 0x580c78:$s5: cryptonight
                      • 0x580c88:$s5: cryptonight
                      • 0x580c98:$s5: cryptonight
                      • 0x580cb0:$s5: cryptonight
                      • 0x580cc0:$s5: cryptonight
                      • 0x580cd0:$s5: cryptonight
                      • 0x580ce8:$s5: cryptonight
                      • 0x580cf8:$s5: cryptonight
                      • 0x580d10:$s5: cryptonight
                      • 0x580d28:$s5: cryptonight
                      • 0x580d38:$s5: cryptonight
                      • 0x580d48:$s5: cryptonight
                      • 0x580d58:$s5: cryptonight
                      • 0x580d70:$s5: cryptonight
                      • 0x580d88:$s5: cryptonight
                      • 0x580d98:$s5: cryptonight
                      • 0x580da8:$s5: cryptonight

                      Sigma Signatures

                      System Summary

                      barindex
                      Sigma detected: Change PowerShell Policies to an Insecure Level
                      Source: Process startedAuthor: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\windows.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\windows.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4056, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\windows.ps1", ProcessId: 6504, ProcessName: powershell.exe
                      Sigma detected: Potential Binary Or Script Dropper Via PowerShell
                      Source: File createdAuthor: frack113, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 6504, TargetFilename: C:\Users\user\Desktop\xmrig\xmrig-6.22.2\benchmark_10M.cmd
                      Sigma detected: Non Interactive PowerShell Process Spawned
                      Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\windows.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\windows.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4056, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\windows.ps1", ProcessId: 6504, ProcessName: powershell.exe
                      Sigma detected: Windows Processes Suspicious Parent Directory
                      Source: Process startedAuthor: vburov: Data: Command: C:\Windows\System32\svchost.exe -k NetworkService -p, CommandLine: C:\Windows\System32\svchost.exe -k NetworkService -p, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 624, ProcessCommandLine: C:\Windows\System32\svchost.exe -k NetworkService -p, ProcessId: 5852, ProcessName: svchost.exe

                      Suricata Signatures

                      TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                      2025-02-11T15:14:11.207550+010028269302Crypto Currency Mining Activity Detected192.168.2.749703152.53.121.610001TCP
                      TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                      2025-02-11T15:14:21.409313+010018100002Potentially Bad Traffic192.168.2.749700140.82.121.3443TCP
                      2025-02-11T15:14:22.147979+010018100002Potentially Bad Traffic192.168.2.749701185.199.109.133443TCP

                      Joe Sandbox Signatures

                      Click to jump to signature section

                      Show All Signature Results

                      AV Detection

                      barindex
                      Antivirus detection for dropped file
                      Source: C:\Users\user\Desktop\xmrig\xmrig-6.22.2\xmrig.exeAvira: detection malicious, Label: HEUR/AGEN.1311679
                      Source: C:\Users\user\Desktop\xmrig\xmrig-6.22.2\config.jsonAvira: detection malicious, Label: PUA/CoinMiner.PF
                      Multi AV Scanner detection for dropped file
                      Source: C:\Users\user\Desktop\xmrig\xmrig-6.22.2\xmrig.exeReversingLabs: Detection: 60%
                      Joe Sandbox ML detected suspicious sample
                      Source: Submited SampleIntegrated Neural Analysis Model: Matched 99.5% probability
                      Machine Learning detection for dropped file
                      Source: C:\Users\user\Desktop\xmrig\xmrig-6.22.2\xmrig.exeJoe Sandbox ML: detected

                      Bitcoin Miner

                      barindex
                      Yara detected Xmrig cryptocurrency miner
                      Source: Yara matchFile source: windows.ps1, type: SAMPLE
                      Source: Yara matchFile source: dump.pcap, type: PCAP
                      Source: Yara matchFile source: 10.0.xmrig.exe.7ff7c3ea0000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000005.00000002.3744518078.000001F66537A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000A.00000003.1396932548.000001EE5268B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000A.00000000.1396455107.00007FF7C4750000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000002.3744518078.000001F66538E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000002.3744518078.000001F66534A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000A.00000000.1396154577.00007FF7C42C7000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000006.00000002.3742711634.00000210315EA000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000A.00000002.3742213855.000001EE52668000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000A.00000002.3742213855.000001EE52640000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000A.00000002.3742213855.000001EE5267B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000A.00000002.3742213855.000001EE5264C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000002.3744518078.000001F663449000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000002.3744518078.000001F663BBE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 6504, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: conhost.exe PID: 5084, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: xmrig.exe PID: 7332, type: MEMORYSTR
                      Source: Yara matchFile source: C:\Users\user\Desktop\xmrig\xmrig-6.22.2\config.json, type: DROPPED
                      Source: Yara matchFile source: C:\Users\user\Desktop\xmrig\xmrig-6.22.2\xmrig.exe, type: DROPPED
                      Detected Stratum mining protocol
                      Source: global trafficTCP traffic: 192.168.2.7:49703 -> 152.53.121.6:10001 payload: {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"45mbtq27xo1ljmai6snftyzhgtdof45xcrslutml7lo376nnuxcasxaa3jukuv4xhevspsea6nwl5s28g1fca1rwpfxpwnh","pass":"all-in-one","agent":"xmrig/6.22.2 (windows nt 10.0; win64; x64) libuv/1.49.2 msvc/2019","algo":["rx/0","cn/1","cn/2","cn/r","cn/fast","cn/half","cn/xao","cn/rto","cn/rwz","cn/zls","cn/double","cn/ccx","cn-lite/0","cn-lite/1","cn-heavy/0","cn-heavy/tube","cn-heavy/xhv","cn-pico","cn-pico/tlo","cn/upx2","cn/0","rx/wow","rx/arq","rx/graft","rx/sfx","rx/yada","argon2/chukwa","argon2/chukwav2","argon2/ninja","ghostrider"]}}.
                      Found strings related to Crypto-Mining
                      Source: xmrig.exe, 0000000A.00000000.1396154577.00007FF7C42C7000.00000002.00000001.01000000.00000009.sdmpString found in binary or memory: stratum+tcp://
                      Source: xmrig.exe, 0000000A.00000000.1396154577.00007FF7C42C7000.00000002.00000001.01000000.00000009.sdmpString found in binary or memory: cryptonight/0
                      Source: xmrig.exe, 0000000A.00000000.1396154577.00007FF7C42C7000.00000002.00000001.01000000.00000009.sdmpString found in binary or memory: stratum+tcp://
                      Source: xmrig.exe, 0000000A.00000000.1396154577.00007FF7C42C7000.00000002.00000001.01000000.00000009.sdmpString found in binary or memory: -o, --url=URL URL of mining server
                      Source: xmrig.exe, 0000000A.00000000.1396154577.00007FF7C42C7000.00000002.00000001.01000000.00000009.sdmpString found in binary or memory: Usage: xmrig [OPTIONS]
                      Source: powershell.exe, 00000005.00000002.3744518078.000001F663BBE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: FileDescriptionXMRig miner.
                      Source: unknownHTTPS traffic detected: 140.82.121.3:443 -> 192.168.2.7:49700 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 185.199.109.133:443 -> 192.168.2.7:49701 version: TLS 1.2
                      Source: Binary string: d:\hotproject\winring0\source\dll\sys\lib\amd64\WinRing0.pdb source: powershell.exe, 00000005.00000002.3744518078.000001F663BA8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.3744518078.000001F663B7B000.00000004.00000800.00020000.00000000.sdmp, WinRing0x64.sys.5.dr
                      Source: global trafficTCP traffic: 192.168.2.7:49703 -> 152.53.121.6:10001
                      Source: Joe Sandbox ViewIP Address: 185.199.109.133 185.199.109.133
                      Source: Joe Sandbox ViewIP Address: 185.199.109.133 185.199.109.133
                      Source: Joe Sandbox ViewIP Address: 140.82.121.3 140.82.121.3
                      Source: Joe Sandbox ViewIP Address: 140.82.121.3 140.82.121.3
                      Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
                      Source: Network trafficSuricata IDS: 2826930 - Severity 2 - ETPRO COINMINER XMR CoinMiner Usage : 192.168.2.7:49703 -> 152.53.121.6:10001
                      Source: Network trafficSuricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.7:49701 -> 185.199.109.133:443
                      Source: Network trafficSuricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.7:49700 -> 140.82.121.3:443
                      Source: global trafficHTTP traffic detected: GET /xmrig/xmrig/releases/download/v6.22.2/xmrig-6.22.2-msvc-win64.zip HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: github.comConnection: Keep-Alive
                      Source: global trafficHTTP traffic detected: GET /github-production-release-asset-2e65be/88327406/cbb07403-ee0c-4c81-9ded-5d5497635b93?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=releaseassetproduction%2F20250211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20250211T141421Z&X-Amz-Expires=300&X-Amz-Signature=fa0c7e92a2cfeaff8701b6efd7239e2acc98129ea575778783b38c7cc4933185&X-Amz-SignedHeaders=host&response-content-disposition=attachment%3B%20filename%3Dxmrig-6.22.2-msvc-win64.zip&response-content-type=application%2Foctet-stream HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: objects.githubusercontent.comConnection: Keep-Alive
                      Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                      Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                      Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                      Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                      Source: global trafficHTTP traffic detected: GET /xmrig/xmrig/releases/download/v6.22.2/xmrig-6.22.2-msvc-win64.zip HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: github.comConnection: Keep-Alive
                      Source: global trafficHTTP traffic detected: GET /github-production-release-asset-2e65be/88327406/cbb07403-ee0c-4c81-9ded-5d5497635b93?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=releaseassetproduction%2F20250211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20250211T141421Z&X-Amz-Expires=300&X-Amz-Signature=fa0c7e92a2cfeaff8701b6efd7239e2acc98129ea575778783b38c7cc4933185&X-Amz-SignedHeaders=host&response-content-disposition=attachment%3B%20filename%3Dxmrig-6.22.2-msvc-win64.zip&response-content-type=application%2Foctet-stream HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: objects.githubusercontent.comConnection: Keep-Alive
                      Source: global trafficDNS traffic detected: DNS query: time.windows.com
                      Source: global trafficDNS traffic detected: DNS query: github.com
                      Source: global trafficDNS traffic detected: DNS query: objects.githubusercontent.com
                      Source: global trafficDNS traffic detected: DNS query: gulf.moneroocean.stream
                      Source: powershell.exe, 00000005.00000002.3744518078.000001F663BA8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.3744518078.000001F663B7B000.00000004.00000800.00020000.00000000.sdmp, WinRing0x64.sys.5.drString found in binary or memory: http://crl.globalsign.net/ObjectSign.crl0
                      Source: powershell.exe, 00000005.00000002.3744518078.000001F663BA8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.3744518078.000001F663B7B000.00000004.00000800.00020000.00000000.sdmp, WinRing0x64.sys.5.drString found in binary or memory: http://crl.globalsign.net/Root.crl0
                      Source: powershell.exe, 00000005.00000002.3744518078.000001F663BA8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.3744518078.000001F663B7B000.00000004.00000800.00020000.00000000.sdmp, WinRing0x64.sys.5.drString found in binary or memory: http://crl.globalsign.net/RootSignPartners.crl0
                      Source: powershell.exe, 00000005.00000002.3744518078.000001F663BA8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.3744518078.000001F663B7B000.00000004.00000800.00020000.00000000.sdmp, WinRing0x64.sys.5.drString found in binary or memory: http://crl.globalsign.net/primobject.crl0
                      Source: powershell.exe, 00000005.00000002.3767031635.000001F673291000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
                      Source: powershell.exe, 00000005.00000002.3744518078.000001F663449000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.3772396973.000001F67B28B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
                      Source: powershell.exe, 00000005.00000002.3744518078.000001F6636E5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.3744518078.000001F663E06000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
                      Source: powershell.exe, 00000005.00000002.3744518078.000001F663221000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                      Source: powershell.exe, 00000005.00000002.3744518078.000001F6636E5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.3744518078.000001F663E06000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
                      Source: powershell.exe, 00000005.00000002.3744518078.000001F663449000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.3772396973.000001F67B28B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
                      Source: svchost.exe, 00000000.00000002.1366808738.0000021DA2213000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.bingmapsportal.com
                      Source: powershell.exe, 00000005.00000002.3744518078.000001F663221000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
                      Source: powershell.exe, 00000005.00000002.3744518078.000001F6636E5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.3774416050.000001F67B3B9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/winsvr-2022-pshelp
                      Source: powershell.exe, 00000005.00000002.3744518078.000001F664541000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/winsvr-2022-pshelpX
                      Source: svchost.exe, 00000000.00000002.1366920147.0000021DA2258000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1366365820.0000021DA2257000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
                      Source: powershell.exe, 00000005.00000002.3767031635.000001F673291000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
                      Source: powershell.exe, 00000005.00000002.3767031635.000001F673291000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
                      Source: powershell.exe, 00000005.00000002.3767031635.000001F673291000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
                      Source: svchost.exe, 00000000.00000002.1366920147.0000021DA2258000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1366365820.0000021DA2257000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.ditu.live.com/REST/V1/MapControlConfiguration/native/
                      Source: svchost.exe, 00000000.00000003.1365967171.0000021DA226E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1366991961.0000021DA2270000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1366956160.0000021DA2263000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1366146491.0000021DA225F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1366077791.0000021DA2262000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1366302632.0000021DA225A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
                      Source: svchost.exe, 00000000.00000003.1365967171.0000021DA226E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1366991961.0000021DA2270000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/
                      Source: svchost.exe, 00000000.00000002.1366920147.0000021DA2258000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1366365820.0000021DA2257000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
                      Source: svchost.exe, 00000000.00000002.1366975453.0000021DA2268000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1366057155.0000021DA2267000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
                      Source: svchost.exe, 00000000.00000002.1367012757.0000021DA2277000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1365873486.0000021DA2275000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.ditu.live.com/REST/v1/Transit/Stops/
                      Source: svchost.exe, 00000000.00000002.1366920147.0000021DA2258000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1366365820.0000021DA2257000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
                      Source: svchost.exe, 00000000.00000002.1366956160.0000021DA2263000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1366077791.0000021DA2262000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1366302632.0000021DA225A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Imagery/Copyright/
                      Source: svchost.exe, 00000000.00000002.1366920147.0000021DA2258000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1366365820.0000021DA2257000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
                      Source: svchost.exe, 00000000.00000002.1366975453.0000021DA2268000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1366057155.0000021DA2267000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1366833766.0000021DA222B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
                      Source: svchost.exe, 00000000.00000002.1366920147.0000021DA2258000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1366365820.0000021DA2257000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
                      Source: svchost.exe, 00000000.00000002.1366920147.0000021DA2258000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1366365820.0000021DA2257000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
                      Source: svchost.exe, 00000000.00000002.1366920147.0000021DA2258000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1366365820.0000021DA2257000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
                      Source: svchost.exe, 00000000.00000002.1366833766.0000021DA222B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1366956160.0000021DA2263000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1366077791.0000021DA2262000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Traffic/Incidents/
                      Source: svchost.exe, 00000000.00000002.1366872323.0000021DA2242000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
                      Source: svchost.exe, 00000000.00000002.1366920147.0000021DA2258000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1366365820.0000021DA2257000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
                      Source: svchost.exe, 00000000.00000002.1366956160.0000021DA2263000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1366342816.0000021DA2241000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1366872323.0000021DA2242000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1366077791.0000021DA2262000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
                      Source: svchost.exe, 00000000.00000003.1366383063.0000021DA2232000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dynamic.api.tiles.dit
                      Source: svchost.exe, 00000000.00000003.1366383063.0000021DA2232000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1366956160.0000021DA2263000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1366077791.0000021DA2262000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
                      Source: svchost.exe, 00000000.00000002.1366872323.0000021DA2242000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
                      Source: svchost.exe, 00000000.00000002.1366956160.0000021DA2263000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1366077791.0000021DA2262000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
                      Source: svchost.exe, 00000000.00000003.1366342816.0000021DA2241000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1366872323.0000021DA2242000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1366146491.0000021DA225F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gri?pv=1&r=
                      Source: svchost.exe, 00000000.00000003.1366077791.0000021DA2262000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dynamic.t
                      Source: svchost.exe, 00000000.00000002.1366920147.0000021DA2258000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1366365820.0000021DA2257000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
                      Source: svchost.exe, 00000000.00000003.1366342816.0000021DA2241000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ecn.dev.virtualearth.net/REST/V1/MapControlConfiguration/native/
                      Source: svchost.exe, 00000000.00000002.1366975453.0000021DA2268000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1366057155.0000021DA2267000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1366833766.0000021DA222B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
                      Source: powershell.exe, 00000005.00000002.3744518078.000001F663449000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com
                      Source: powershell.exe, 00000005.00000002.3744518078.000001F663449000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.3772396973.000001F67B28B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
                      Source: powershell.exe, 00000005.00000002.3744518078.000001F663449000.00000004.00000800.00020000.00000000.sdmp, windows.ps1String found in binary or memory: https://github.com/xmrig/xmrig/releases/download/v6.22.2/xmrig-6.22.2-msvc-win64.zip
                      Source: powershell.exe, 00000005.00000002.3744518078.000001F6653C2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.3744518078.000001F66538E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.3744518078.000001F6653D6000.00000004.00000800.00020000.00000000.sdmp, pool_mine_example.cmd.5.drString found in binary or memory: https://miningpoolstats.stream/monero
                      Source: powershell.exe, 00000005.00000002.3744518078.000001F663AB2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.3744518078.000001F663A9C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.3744518078.000001F663925000.00000004.00000800.00020000.00000000.sdmp, rtm_ghostrider_example.cmd.5.drString found in binary or memory: https://miningpoolstats.stream/raptoreum
                      Source: powershell.exe, 00000005.00000002.3767031635.000001F673291000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
                      Source: powershell.exe, 00000005.00000002.3744518078.000001F66367A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://objects.githubusercontent.com
                      Source: powershell.exe, 00000005.00000002.3744518078.000001F663669000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://objects.githubusercontent.com/github-production-release-asset-2e65be/88327406/cbb07403-ee0c-
                      Source: svchost.exe, 00000000.00000003.1366342816.0000021DA2241000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1366872323.0000021DA2242000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtu
                      Source: svchost.exe, 00000000.00000003.1366342816.0000021DA2241000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
                      Source: svchost.exe, 00000000.00000002.1366872323.0000021DA2242000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
                      Source: svchost.exe, 00000000.00000002.1366872323.0000021DA2242000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
                      Source: svchost.exe, 00000000.00000003.1365852797.0000021DA2236000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
                      Source: svchost.exe, 00000000.00000002.1366833766.0000021DA222B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
                      Source: svchost.exe, 00000000.00000002.1366920147.0000021DA2258000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1366365820.0000021DA2257000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
                      Source: svchost.exe, 00000000.00000002.1366920147.0000021DA2258000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1366365820.0000021DA2257000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://tiles.virtualearth.net/tiles/cmd/StreetSideBubbleMetaData?north=
                      Source: xmrig.exe, 0000000A.00000000.1396154577.00007FF7C42C7000.00000002.00000001.01000000.00000009.sdmp, xmrig.exe.5.drString found in binary or memory: https://xmrig.com/benchmark/%s
                      Source: xmrig.exe, 0000000A.00000000.1396154577.00007FF7C42C7000.00000002.00000001.01000000.00000009.sdmp, xmrig.exe.5.drString found in binary or memory: https://xmrig.com/docs/algorithms
                      Source: xmrig.exe, 0000000A.00000000.1396154577.00007FF7C42C7000.00000002.00000001.01000000.00000009.sdmp, xmrig.exe.5.drString found in binary or memory: https://xmrig.com/wizard
                      Source: xmrig.exe, 0000000A.00000000.1396154577.00007FF7C42C7000.00000002.00000001.01000000.00000009.sdmp, xmrig.exe.5.drString found in binary or memory: https://xmrig.com/wizard%s
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49700
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49700 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49701 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49701
                      Source: unknownHTTPS traffic detected: 140.82.121.3:443 -> 192.168.2.7:49700 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 185.199.109.133:443 -> 192.168.2.7:49701 version: TLS 1.2

                      System Summary

                      barindex
                      Malicious sample detected (through community Yara rule)
                      Source: 10.0.xmrig.exe.7ff7c3ea0000.0.unpack, type: UNPACKEDPEMatched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
                      Source: 10.0.xmrig.exe.7ff7c3ea0000.0.unpack, type: UNPACKEDPEMatched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
                      Source: 10.0.xmrig.exe.7ff7c3ea0000.0.unpack, type: UNPACKEDPEMatched rule: Detects coinmining malware Author: ditekSHen
                      Source: 0000000A.00000000.1396154577.00007FF7C42C7000.00000002.00000001.01000000.00000009.sdmp, type: MEMORYMatched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
                      Source: Process Memory Space: xmrig.exe PID: 7332, type: MEMORYSTRMatched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
                      Source: C:\Users\user\Desktop\xmrig\xmrig-6.22.2\xmrig.exe, type: DROPPEDMatched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
                      Source: C:\Users\user\Desktop\xmrig\xmrig-6.22.2\xmrig.exe, type: DROPPEDMatched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
                      Source: C:\Users\user\Desktop\xmrig\xmrig-6.22.2\xmrig.exe, type: DROPPEDMatched rule: Detects coinmining malware Author: ditekSHen
                      Powershell drops PE file
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\Desktop\xmrig\xmrig-6.22.2\WinRing0x64.sysJump to dropped file
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\Desktop\xmrig\xmrig-6.22.2\xmrig.exeJump to dropped file
                      Source: C:\Users\user\Desktop\xmrig\xmrig-6.22.2\xmrig.exeProcess Stats: CPU usage > 49%
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\Desktop\xmrig\xmrig-6.22.2\WinRing0x64.sysJump to behavior
                      Source: Joe Sandbox ViewDropped File: C:\Users\user\Desktop\xmrig\xmrig-6.22.2\WinRing0x64.sys 11BD2C9F9E2397C9A16E0990E4ED2CF0679498FE0FD418A3DFDAC60B5C160EE5
                      Source: 10.0.xmrig.exe.7ff7c3ea0000.0.unpack, type: UNPACKEDPEMatched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
                      Source: 10.0.xmrig.exe.7ff7c3ea0000.0.unpack, type: UNPACKEDPEMatched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
                      Source: 10.0.xmrig.exe.7ff7c3ea0000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
                      Source: 0000000A.00000000.1396154577.00007FF7C42C7000.00000002.00000001.01000000.00000009.sdmp, type: MEMORYMatched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
                      Source: Process Memory Space: xmrig.exe PID: 7332, type: MEMORYSTRMatched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
                      Source: C:\Users\user\Desktop\xmrig\xmrig-6.22.2\xmrig.exe, type: DROPPEDMatched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
                      Source: C:\Users\user\Desktop\xmrig\xmrig-6.22.2\xmrig.exe, type: DROPPEDMatched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
                      Source: C:\Users\user\Desktop\xmrig\xmrig-6.22.2\xmrig.exe, type: DROPPEDMatched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
                      Source: WinRing0x64.sys.5.drBinary string: \Device\WinRing0_1_2_0
                      Source: classification engineClassification label: mal100.evad.mine.winPS1@13/22@4/4
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\Desktop\xmrig.zipJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5084:120:WilError_03
                      Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:7896:120:WilError_03
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0150swer.ly3.ps1Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile read: C:\Users\desktop.iniJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CAJump to behavior
                      Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
                      Source: unknownProcess created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
                      Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k UnistackSvcGroup
                      Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
                      Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc
                      Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\windows.ps1"
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k LocalService -s W32Time
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Users\user\Desktop\xmrig\xmrig-6.22.2\xmrig.exe "C:\Users\user\Desktop\xmrig\xmrig-6.22.2\xmrig.exe" -a rx/0 -o gulf.moneroocean.stream:10001 -u 45MBTQ27xo1LJmAi6sNFTyZhgTdoF45XCRsLUtmL7Lo376nNuxcaSxAa3JUkUV4xHEVSpsEA6nwL5S28g1fCa1RwPfXpwnH -p All-In-One --cpu-priority 5 -t 1 1
                      Source: C:\Windows\System32\svchost.exeProcess created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
                      Source: C:\Program Files\Windows Defender\MpCmdRun.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Windows\System32\svchost.exeProcess created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenableJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Users\user\Desktop\xmrig\xmrig-6.22.2\xmrig.exe "C:\Users\user\Desktop\xmrig\xmrig-6.22.2\xmrig.exe" -a rx/0 -o gulf.moneroocean.stream:10001 -u 45MBTQ27xo1LJmAi6sNFTyZhgTdoF45XCRsLUtmL7Lo376nNuxcaSxAa3JUkUV4xHEVSpsEA6nwL5S28g1fCa1RwPfXpwnH -p All-In-One --cpu-priority 5 -t 1 1Jump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: moshost.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: mapsbtsvc.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: mosstorage.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: ztrace_maps.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: ztrace_maps.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: bcp47langs.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: mapconfiguration.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: aphostservice.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: networkhelper.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: userdataplatformhelperutil.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: mccspal.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: syncutil.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: umpdc.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: syncutil.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: vaultcli.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: dmcfgutils.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: wintypes.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: dmcmnutils.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: dmxmlhelputils.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: cryptsp.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: xmllite.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: inproclogger.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: flightsettings.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: windows.networking.connectivity.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: npmproxy.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: iertutil.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: msv1_0.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: ntlmshared.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: cryptdll.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: synccontroller.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: pimstore.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: aphostclient.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: accountaccessor.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: dsclient.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: powrprof.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: powrprof.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: systemeventsbrokerclient.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: userdatalanguageutil.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: mccsengineshared.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: ntmarta.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: cemapi.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: userdatatypehelperutil.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: phoneutil.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: execmodelproxy.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: rmclient.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: storsvc.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: devobj.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: fltlib.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: ntmarta.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: bcd.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: wer.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: cabinet.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: appxdeploymentclient.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: storageusage.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: userenv.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: propsys.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appresolver.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcp47langs.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: slc.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sppc.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: linkinfo.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntshrui.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cscapi.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: policymanager.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msvcp110_win.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: taskflowdataengine.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wintypes.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cdp.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: umpdc.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dsreg.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kdscli.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: apphelp.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: w32time.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: logoncli.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: powrprof.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: umpdc.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: mswsock.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: userenv.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: gpapi.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: dsrole.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: iphlpapi.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: vmictimeprovider.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: dnsapi.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: rasadhlp.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: fwpuclnt.dllJump to behavior
                      Source: C:\Users\user\Desktop\xmrig\xmrig-6.22.2\xmrig.exeSection loaded: apphelp.dllJump to behavior
                      Source: C:\Users\user\Desktop\xmrig\xmrig-6.22.2\xmrig.exeSection loaded: iphlpapi.dllJump to behavior
                      Source: C:\Users\user\Desktop\xmrig\xmrig-6.22.2\xmrig.exeSection loaded: userenv.dllJump to behavior
                      Source: C:\Users\user\Desktop\xmrig\xmrig-6.22.2\xmrig.exeSection loaded: cryptbase.dllJump to behavior
                      Source: C:\Users\user\Desktop\xmrig\xmrig-6.22.2\xmrig.exeSection loaded: powrprof.dllJump to behavior
                      Source: C:\Users\user\Desktop\xmrig\xmrig-6.22.2\xmrig.exeSection loaded: umpdc.dllJump to behavior
                      Source: C:\Users\user\Desktop\xmrig\xmrig-6.22.2\xmrig.exeSection loaded: uxtheme.dllJump to behavior
                      Source: C:\Users\user\Desktop\xmrig\xmrig-6.22.2\xmrig.exeSection loaded: mswsock.dllJump to behavior
                      Source: C:\Users\user\Desktop\xmrig\xmrig-6.22.2\xmrig.exeSection loaded: dhcpcsvc6.dllJump to behavior
                      Source: C:\Users\user\Desktop\xmrig\xmrig-6.22.2\xmrig.exeSection loaded: dhcpcsvc.dllJump to behavior
                      Source: C:\Users\user\Desktop\xmrig\xmrig-6.22.2\xmrig.exeSection loaded: dnsapi.dllJump to behavior
                      Source: C:\Users\user\Desktop\xmrig\xmrig-6.22.2\xmrig.exeSection loaded: napinsp.dllJump to behavior
                      Source: C:\Users\user\Desktop\xmrig\xmrig-6.22.2\xmrig.exeSection loaded: pnrpnsp.dllJump to behavior
                      Source: C:\Users\user\Desktop\xmrig\xmrig-6.22.2\xmrig.exeSection loaded: wshbth.dllJump to behavior
                      Source: C:\Users\user\Desktop\xmrig\xmrig-6.22.2\xmrig.exeSection loaded: nlaapi.dllJump to behavior
                      Source: C:\Users\user\Desktop\xmrig\xmrig-6.22.2\xmrig.exeSection loaded: winrnr.dllJump to behavior
                      Source: C:\Users\user\Desktop\xmrig\xmrig-6.22.2\xmrig.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Users\user\Desktop\xmrig\xmrig-6.22.2\xmrig.exeSection loaded: explorerframe.dllJump to behavior
                      Source: C:\Users\user\Desktop\xmrig\xmrig-6.22.2\xmrig.exeSection loaded: rasadhlp.dllJump to behavior
                      Source: C:\Users\user\Desktop\xmrig\xmrig-6.22.2\xmrig.exeSection loaded: fwpuclnt.dllJump to behavior
                      Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: mpclient.dllJump to behavior
                      Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: secur32.dllJump to behavior
                      Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: version.dllJump to behavior
                      Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: msasn1.dllJump to behavior
                      Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: userenv.dllJump to behavior
                      Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: gpapi.dllJump to behavior
                      Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: wbemcomn.dllJump to behavior
                      Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: profapi.dllJump to behavior
                      Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: wscapi.dllJump to behavior
                      Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: urlmon.dllJump to behavior
                      Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: iertutil.dllJump to behavior
                      Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: srvcli.dllJump to behavior
                      Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: netutils.dllJump to behavior
                      Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: slc.dllJump to behavior
                      Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: sppc.dllJump to behavior
                      Source: C:\Users\user\Desktop\xmrig\xmrig-6.22.2\xmrig.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{56FDF344-FD6D-11d0-958A-006097C9A090}\InProcServer32Jump to behavior
                      Source: Window RecorderWindow detected: More than 3 window changes detected
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
                      Source: Binary string: d:\hotproject\winring0\source\dll\sys\lib\amd64\WinRing0.pdb source: powershell.exe, 00000005.00000002.3744518078.000001F663BA8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.3744518078.000001F663B7B000.00000004.00000800.00020000.00000000.sdmp, WinRing0x64.sys.5.dr
                      Source: xmrig.exe.5.drStatic PE information: section name: _RANDOMX
                      Source: xmrig.exe.5.drStatic PE information: section name: _TEXT_CN
                      Source: xmrig.exe.5.drStatic PE information: section name: _TEXT_CN
                      Source: xmrig.exe.5.drStatic PE information: section name: _RDATA
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_00007FFAAC85354F push ebp; iretd 5_2_00007FFAAC853552
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_00007FFAAC8500BD pushad ; iretd 5_2_00007FFAAC8500C1
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_00007FFAAC858123 push ebx; ret 5_2_00007FFAAC85816A
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_00007FFAAC85FABE push esp; retf 5_2_00007FFAAC85FABF
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_00007FFAAC85B41C push ds; retf 5_2_00007FFAAC85B43F

                      Persistence and Installation Behavior

                      barindex
                      Sample is not signed and drops a device driver
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\Desktop\xmrig\xmrig-6.22.2\WinRing0x64.sysJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\Desktop\xmrig\xmrig-6.22.2\WinRing0x64.sysJump to dropped file
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\Desktop\xmrig\xmrig-6.22.2\xmrig.exeJump to dropped file
                      Source: C:\Windows\System32\svchost.exeRegistry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\W32Time\ConfigJump to behavior

                      Hooking and other Techniques for Hiding and Protection

                      barindex
                      Loading BitLocker PowerShell Module
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\xmrig\xmrig-6.22.2\xmrig.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Program Files\Windows Defender\MpCmdRun.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Program Files\Windows Defender\MpCmdRun.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Program Files\Windows Defender\MpCmdRun.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Program Files\Windows Defender\MpCmdRun.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Program Files\Windows Defender\MpCmdRun.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Program Files\Windows Defender\MpCmdRun.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                      Malware Analysis System Evasion

                      barindex
                      Query firmware table information (likely to detect VMs)
                      Source: C:\Users\user\Desktop\xmrig\xmrig-6.22.2\xmrig.exeSystem information queried: FirmwareTableInformationJump to behavior
                      Source: C:\Windows\System32\svchost.exeFile opened / queried: SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4868Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4987Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeDropped PE file which has not been started: C:\Users\user\Desktop\xmrig\xmrig-6.22.2\WinRing0x64.sysJump to dropped file
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6216Thread sleep time: -2767011611056431s >= -30000sJump to behavior
                      Source: C:\Windows\System32\svchost.exeFile opened: PhysicalDrive0Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                      Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                      Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                      Source: C:\Windows\System32\svchost.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                      Source: C:\Windows\System32\svchost.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                      Source: C:\Windows\System32\svchost.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                      Source: C:\Windows\System32\svchost.exeFile Volume queried: C:\Windows\System32 FullSizeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: svchost.exe, 00000003.00000002.3742405843.000002C87484B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: #disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
                      Source: svchost.exe, 00000003.00000002.3742405843.000002C87484B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: b2f05e9306}\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:
                      Source: svchost.exe, 00000003.00000002.3742189551.000002C87482B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
                      Source: xmrig.exe, 0000000A.00000002.3742213855.000001EE5267B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                      Source: svchost.exe, 00000003.00000002.3741946190.000002C874802000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcUmRdpServiceDsSvcfhsvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionsvsvcStorSvcWwanSvcvmicvssDevQueryBrokerNgcSvcsysmainNetmanTabletInputServicePcaSvcDisplayEnhancementServiceIPxlatCfgSvcDeviceAssociationServiceNcbServiceEmbeddedModeSensorServicewlansvcCscServiceWPDBusEnumMixedRealityOpenXRSvc
                      Source: powershell.exe, 00000005.00000002.3774887638.000001F67B5A9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllg
                      Source: svchost.exe, 00000003.00000002.3742553284.000002C874864000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: (@SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000e1}
                      Source: svchost.exe, 00000003.00000002.3742798802.000002C874902000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
                      Source: xmrig.exe, 0000000A.00000002.3742213855.000001EE5267B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW0bhR
                      Source: svchost.exe, 00000003.00000002.3742405843.000002C87484B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: #Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
                      Source: svchost.exe, 00000003.00000002.3742405843.000002C87484B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}\\?\Volume{1a4b1382-eeb5-4d59-b0fa-b93f83a518e1}\
                      Source: svchost.exe, 00000008.00000002.3740847558.0000018904032000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                      Source: xmrig.exe, 0000000A.00000002.3742213855.000001EE5267B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWC
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Users\user\Desktop\xmrig\xmrig-6.22.2\xmrig.exe "C:\Users\user\Desktop\xmrig\xmrig-6.22.2\xmrig.exe" -a rx/0 -o gulf.moneroocean.stream:10001 -u 45MBTQ27xo1LJmAi6sNFTyZhgTdoF45XCRsLUtmL7Lo376nNuxcaSxAa3JUkUV4xHEVSpsEA6nwL5S28g1fCa1RwPfXpwnH -p All-In-One --cpu-priority 5 -t 1 1Jump to behavior
                      Source: conhost.exe, 00000006.00000002.3742643475.0000021030121000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Shell_TrayWnd
                      Source: conhost.exe, 00000006.00000002.3742643475.0000021030121000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Progman
                      Source: conhost.exe, 00000006.00000002.3742643475.0000021030121000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: ?Program Manager
                      Source: conhost.exe, 00000006.00000002.3742643475.0000021030121000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Progmanlock
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C: VolumeInformationJump to behavior
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C: VolumeInformationJump to behavior
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C: VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure.CimCmdlets\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.CimCmdlets.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression.FileSystem\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.FileSystem.dll VolumeInformationJump to behavior

                      Lowering of HIPS / PFW / Operating System Security Settings

                      barindex
                      Changes security center settings (notifications, updates, antivirus, firewall)
                      Source: C:\Windows\System32\svchost.exeKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Provider\Av\{D68DDC3A-831F-4fae-9E44-DA132C1ACF46} STATEJump to behavior
                      Source: svchost.exe, 00000004.00000002.3742071445.000002407E502000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: gramFiles%\Windows Defender\MsMpeng.exe
                      Source: svchost.exe, 00000004.00000002.3742071445.000002407E502000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                      Source: C:\Windows\System32\svchost.exeWMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
                      Source: C:\Program Files\Windows Defender\MpCmdRun.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
                      Source: C:\Program Files\Windows Defender\MpCmdRun.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct

                      Mitre Att&ck Matrix

                      ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                      Gather Victim Identity InformationAcquire InfrastructureValid Accounts21
                      Windows Management Instrumentation                      		2
                      Windows Service                      		2
                      Windows Service                      		1
                      Masquerading                      		OS Credential Dumping251
                      Security Software Discovery                      		Remote ServicesData from Local System1
                      Encrypted Channel                      		Exfiltration Over Other Network MediumAbuse Accessibility Features
                      CredentialsDomainsDefault Accounts1
                      PowerShell                      		1
                      DLL Side-Loading                      		12
                      Process Injection                      		1
                      Disable or Modify Tools                      		LSASS Memory2
                      Process Discovery                      		Remote Desktop ProtocolData from Removable Media1
                      Non-Standard Port                      		Exfiltration Over BluetoothNetwork Denial of Service
                      Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)1
                      DLL Side-Loading                      		151
                      Virtualization/Sandbox Evasion                      		Security Account Manager151
                      Virtualization/Sandbox Evasion                      		SMB/Windows Admin SharesData from Network Shared Drive1
                      Ingress Tool Transfer                      		Automated ExfiltrationData Encrypted for Impact
                      Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook12
                      Process Injection                      		NTDS1
                      Application Window Discovery                      		Distributed Component Object ModelInput Capture2
                      Non-Application Layer Protocol                      		Traffic DuplicationData Destruction
                      Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
                      Obfuscated Files or Information                      		LSA Secrets1
                      File and Directory Discovery                      		SSHKeylogging13
                      Application Layer Protocol                      		Scheduled TransferData Encrypted for Impact
                      Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
                      DLL Side-Loading                      		Cached Domain Credentials23
                      System Information Discovery                      		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop

                      Behavior Graph

                      Hide Legend

                      Legend:

                      • Process
                      • Signature
                      • Created File
                      • DNS/IP Info
                      • Is Dropped
                      • Is Windows Process
                      • Number of created Registry Values
                      • Number of created Files
                      • Visual Basic
                      • Delphi
                      • Java
                      • .Net C# or VB.NET
                      • C, C++ or other language
                      • Is malicious
                      • Internet
                      behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1612125 Sample: windows.ps1 Startdate: 11/02/2025 Architecture: WINDOWS Score: 100 35 twc.trafficmanager.net 2->35 37 time.windows.com 2->37 39 4 other IPs or domains 2->39 49 Malicious sample detected (through community Yara rule) 2->49 51 Antivirus detection for dropped file 2->51 53 Yara detected Xmrig cryptocurrency miner 2->53 55 2 other signatures 2->55 8 powershell.exe 14 45 2->8         started        13 svchost.exe 2->13         started        15 svchost.exe 2->15         started        17 4 other processes 2->17 signatures3 process4 dnsIp5 43 github.com 140.82.121.3, 443, 49700 GITHUBUS United States 8->43 45 objects.githubusercontent.com 185.199.109.133, 443, 49701 FASTLYUS Netherlands 8->45 29 C:\Users\user\Desktop\xmrig\...\xmrig.exe, PE32+ 8->29 dropped 31 C:\Users\user\Desktop\...\WinRing0x64.sys, PE32+ 8->31 dropped 33 C:\Users\user\Desktop\xmrig\...\config.json, JSON 8->33 dropped 67 Found strings related to Crypto-Mining 8->67 69 Sample is not signed and drops a device driver 8->69 71 Loading BitLocker PowerShell Module 8->71 73 Powershell drops PE file 8->73 19 xmrig.exe 1 8->19         started        23 conhost.exe 8->23         started        75 Changes security center settings (notifications, updates, antivirus, firewall) 13->75 25 MpCmdRun.exe 2 13->25         started        47 twc.trafficmanager.net 104.40.149.189, 123 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 15->47 file6 signatures7 process8 dnsIp9 41 monerooceans.stream 152.53.121.6, 10001, 49703 NCRENUS United States 19->41 57 Antivirus detection for dropped file 19->57 59 Multi AV Scanner detection for dropped file 19->59 61 Query firmware table information (likely to detect VMs) 19->61 65 2 other signatures 19->65 27 conhost.exe 25->27         started        signatures10 63 Detected Stratum mining protocol 41->63 process11

                      Screenshots

                      Thumbnails

                      This section contains all screenshots as thumbnails, including those not shown in the slideshow.