Trojan:Linux/CoinMiner!MSR - Windows Defender Threat Analysis

=== THREAT ANALYSIS REPORT ===
Threat Name: Trojan:Linux/CoinMiner!MSR
Classification:
  Type: Trojan
  Platform: Linux
  Family: CoinMiner
  Detection Type: Concrete (known malware family with identified signatures)
  Suffix: !MSR (high-priority threat flagged by Microsoft Security Response)
  Confidence: Very High
  False-Positive Risk: Low

Concrete signature match: a Trojan (software that appears legitimate but performs malicious actions) for the Linux platform, family CoinMiner.

Summary:

This is a concrete detection for a cryptocurrency miner, likely XMRig, built to run on Windows systems despite the `Linux` classification in the threat name. It abuses system processes to mine various cryptocurrencies, connects to multiple mining pools, communicates with command-and-control servers, and may interact with Bitcoin wallet files.

Severity: Critical
VDM Static Detection:
Relevant strings associated with this threat:
Known malware associated with this threat:
  Filename: init
  Hash: 8ae786bad6b2a17a392520ad1d0a1fcdafa899802c866c38f9228f3205b80de9
  Date: 27/01/2026
Remediation Steps:
Isolate the infected system immediately. Perform a full system scan with updated antivirus software to remove all detected malicious components. Monitor system performance for unusual resource consumption and consider changing credentials for any cryptocurrency accounts or services accessed from the compromised machine.
=== END REPORT ===