XMRig and OPSEC Fail
An attacker logged into the honeypot, dropped XMRig and mimikatz, and then ran XMRig. XMRig installed Netshta to maintain persistence and then started mining Monero. When the attacker dropped mimikatz, they accidentally dropped a list of usernames and passwords. See below for info on XMRig, the intrusion summary, an OPSEC fail, and the IOCs.