Windows Analysis Report
bypass.exe

Overview

General Information

Sample name: bypass.exe
Analysis ID: 1541816
MD5: 755b835b4741c9aa725f0680a59ecbfc
SHA1: ce808536fe1ef247e322391dd71dabf95d42f799
SHA256: 254c09dce00035867f2fe2862b53e788dad34323744101b969e5f3270c9f982e
Infos:

Detection

Xmrig
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Yara detected Xmrig cryptocurrency miner
AI detected suspicious sample
Detected Stratum mining protocol
Found strings related to Crypto-Mining
Modifies the context of a thread in another process (thread injection)
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Sigma detected: Suspect Svchost Activity
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
AV process strings found (often used to terminate AV products)
Contains functionality to call native functions
Creates a process in suspended mode (likely to inject code)
Creates driver files
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains sections with non-standard names
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Suricata IDS alerts with low severity for network traffic
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
xmrig According to PCrisk, XMRIG is a completely legitimate open-source application that utilizes system CPUs to mine Monero cryptocurrency. Unfortunately, criminals generate revenue by infiltrating this app into systems without users' consent. This deceptive marketing method is called "bundling".In most cases, "bundling" is used to infiltrate several potentially unwanted programs (PUAs) at once. So, there is a high probability that XMRIG Virus came with a number of adware-type applications that deliver intrusive ads and gather sensitive information. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.xmrig

AV Detection
barindex
Multi AV Scanner detection for domain / URL
Source: pool.hashvault.pro Virustotal: Detection: 9% Perma Link
Multi AV Scanner detection for submitted file
Source: bypass.exe ReversingLabs: Detection: 86%
Source: bypass.exe Virustotal: Detection: 58% Perma Link
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 99.8% probability

Bitcoin Miner
barindex
Yara detected Xmrig cryptocurrency miner
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 11.2.svchost.exe.140000000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000B.00000002.2950853523.0000000140001000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: svchost.exe PID: 7576, type: MEMORYSTR
Detected Stratum mining protocol
Source: global traffic TCP traffic: 192.168.2.4:49730 -> 45.76.89.70:80 payload: data raw: 7b 22 69 64 22 3a 31 2c 22 6a 73 6f 6e 72 70 63 22 3a 22 32 2e 30 22 2c 22 6d 65 74 68 6f 64 22 3a 22 6c 6f 67 69 6e 22 2c 22 70 61 72 61 6d 73 22 3a 7b 22 6c 6f 67 69 6e 22 3a 22 34 37 45 35 6e 45 67 51 4b 41 67 43 70 68 56 66 4b 31 4b 42 66 41 53 72 5a 56 6e 79 78 6b 68 73 46 45 75 57 75 45 63 61 39 4c 6e 58 56 62 46 79 48 74 71 31 63 43 75 45 6b 56 4c 55 62 34 73 76 52 7a 41 79 6a 4b 48 79 55 65 37 66 53 67 63 70 71 75 57 63 4e 53 74 48 53 47 68 31 75 32 78 22 2c 22 70 61 73 73 22 3a 22 22 2c 22 61 67 65 6e 74 22 3a 22 58 4d 52 69 67 2f 36 2e 31 39 2e 33 20 28 57 69 6e 64 6f 77 73 20 4e 54 20 31 30 2e 30 3b 20 57 69 6e 36 34 3b 20 78 36 34 29 20 6c 69 62 75 76 2f 31 2e 33 38 2e 30 20 6d 73 76 63 2f 32 30 32 32 22 2c 22 72 69 67 69 64 22 3a 22 22 2c 22 61 6c 67 6f 22 3a 5b 22 72 78 2f 30 22 2c 22 63 6e 2f 32 22 2c 22 63 6e 2f 72 22 2c 22 63 6e 2f 66 61 73 74 22 2c 22 63 6e 2f 68 61 6c 66 22 2c 22 63 6e 2f 78 61 6f 22 2c 22 63 6e 2f 72 74 6f 22 2c 22 63 6e 2f 72 77 7a 22 2c 22 63 6e 2f 7a 6c 73 22 2c 22 63 6e 2f 64 6f 75 62 6c 65 22 2c 22 63 6e 2f 63 63 78 22 2c 22 63 6e 2d 6c 69 74 65 2f 31 22 2c 22 63 6e 2d 68 65 61 76 79 2f 30 22 2c 22 63 6e 2d 68 65 61 76 79 2f 74 75 62 65 22 2c 22 63 6e 2d 68 65 61 76 79 2f 78 68 76 22 2c 22 63 6e 2d 70 69 63 6f 22 2c 22 63 6e 2d 70 69 63 6f 2f 74 6c 6f 22 2c 22 63 6e 2f 75 70 78 32 22 2c 22 63 6e 2f 67 70 75 22 2c 22 63 6e 2f 31 22 2c 22 72 78 2f 77 6f 77 22 2c 22 72 78 2f 61 72 71 22 2c 22 72 78 2f 67 72 61 66 74 22 2c 22 72 78 2f 73 66 78 22 2c 22 72 78 2f 6b 65 76 61 22 2c 22 70 61 6e 74 68 65 72 61 22 2c 22 61 72 67 6f 6e 32 2f 63 68 75 6b 77 61 22 2c 22 61 72 67 6f 6e 32 2f 63 68 75 6b 77 61 76 32 22 2c 22 61 72 67 6f 6e 32 2f 6e 69 6e 6a 61 22 2c 22 67 68 6f 73 74 72 69 64 65 72 22 5d 7d 7d 0a data ascii: {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"47e5negqkagcphvfk1kbfasrzvnyxkhsfeuwueca9lnxvbfyhtq1ccuekvlub4svrzayjkhyue7fsgcpquwcnsthsgh1u2x","pass":"","agent":"xmrig/6.19.3 (windows nt 10.0; win64; x64) libuv/1.38.0 msvc/2022","rigid":"","algo":["rx/0","cn/2","cn/r","cn/fast","cn/half","cn/xao","cn/rto","cn/rwz","cn/zls","cn/double","cn/ccx","cn-lite/1","cn-heavy/0","cn-heavy/tube","cn-heavy/xhv","cn-pico","cn-pico/tlo","cn/upx2","cn/gpu","cn/1","rx/wow","rx/arq","rx/graft","rx/sfx","rx/keva","panthera","argon2/chukwa","argon2/chukwav2","argon2/ninja","ghostrider"]}}
Found strings related to Crypto-Mining
Source: svchost.exe, 0000000B.00000002.2950853523.0000000140001000.00000040.00000001.00020000.00000000.sdmp String found in binary or memory: stratum+tcp://
Source: svchost.exe String found in binary or memory: cryptonight-monerov7
Source: svchost.exe, 0000000B.00000002.2950853523.0000000140001000.00000040.00000001.00020000.00000000.sdmp String found in binary or memory: -o, --url=URL URL of mining server
Source: svchost.exe, 0000000B.00000002.2950853523.0000000140001000.00000040.00000001.00020000.00000000.sdmp String found in binary or memory: stratum+tcp://
Source: svchost.exe, 0000000B.00000002.2950853523.0000000140001000.00000040.00000001.00020000.00000000.sdmp String found in binary or memory: Usage: xmrig [OPTIONS]
Source: svchost.exe, 0000000B.00000002.2950853523.0000000140001000.00000040.00000001.00020000.00000000.sdmp String found in binary or memory: Usage: xmrig [OPTIONS]
Source: bypass.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: d:\hotproject\winring0\source\dll\sys\lib\amd64\WinRing0.pdb source: bypass.exe, 00000000.00000003.1699005516.0000014AEA650000.00000004.00000001.00020000.00000000.sdmp, pluplcmhlbmi.sys.0.dr
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 45.76.89.70 45.76.89.70
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: AS-CHOOPAUS AS-CHOOPAUS
Suricata IDS alerts with low severity for network traffic
Source: Network traffic Suricata IDS: 2036289 - Severity 2 - ET COINMINER CoinMiner Domain in DNS Lookup (pool .hashvault .pro) : 192.168.2.4:63549 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2826930 - Severity 2 - ETPRO COINMINER XMR CoinMiner Usage : 192.168.2.4:49730 -> 45.76.89.70:80
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: pool.hashvault.pro
Source: bypass.exe, 00000000.00000003.1699005516.0000014AEA650000.00000004.00000001.00020000.00000000.sdmp, pluplcmhlbmi.sys.0.dr String found in binary or memory: http://crl.globalsign.net/ObjectSign.crl0
Source: bypass.exe, 00000000.00000003.1699005516.0000014AEA650000.00000004.00000001.00020000.00000000.sdmp, pluplcmhlbmi.sys.0.dr String found in binary or memory: http://crl.globalsign.net/Root.crl0
Source: bypass.exe, 00000000.00000003.1699005516.0000014AEA650000.00000004.00000001.00020000.00000000.sdmp, pluplcmhlbmi.sys.0.dr String found in binary or memory: http://crl.globalsign.net/RootSignPartners.crl0
Source: bypass.exe, 00000000.00000003.1699005516.0000014AEA650000.00000004.00000001.00020000.00000000.sdmp, pluplcmhlbmi.sys.0.dr String found in binary or memory: http://crl.globalsign.net/primobject.crl0
Source: svchost.exe, 0000000B.00000002.2950853523.0000000140001000.00000040.00000001.00020000.00000000.sdmp String found in binary or memory: https://172.94.1q
Source: svchost.exe, 0000000B.00000002.2950853523.0000000140001000.00000040.00000001.00020000.00000000.sdmp String found in binary or memory: https://xmrig.com/docs/algorithms

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 11.2.svchost.exe.140000000.0.unpack, type: UNPACKEDPE Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 11.2.svchost.exe.140000000.0.unpack, type: UNPACKEDPE Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 11.2.svchost.exe.140000000.0.unpack, type: UNPACKEDPE Matched rule: Detects coinmining malware Author: ditekSHen
Source: 0000000B.00000002.2950853523.0000000140001000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: Process Memory Space: svchost.exe PID: 7576, type: MEMORYSTR Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Contains functionality to call native functions
Source: C:\Users\user\Desktop\bypass.exe Code function: 0_2_00007FF68BE21394 NtWaitForKeyedEvent, 0_2_00007FF68BE21394
Creates driver files
Source: C:\Users\user\Desktop\bypass.exe File created: C:\Users\user\AppData\Local\Temp\pluplcmhlbmi.sys Jump to behavior
Detected potential crypto function
Source: C:\Users\user\Desktop\bypass.exe Code function: 0_2_00007FF68BE23460 0_2_00007FF68BE23460
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\pluplcmhlbmi.sys 11BD2C9F9E2397C9A16E0990E4ED2CF0679498FE0FD418A3DFDAC60B5C160EE5
Sample file is different than original file name gathered from version info
Source: bypass.exe, 00000000.00000003.1699005516.0000014AEA650000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: OriginalFilenameWinRing0.sys2 vs bypass.exe
Yara signature match
Source: 11.2.svchost.exe.140000000.0.unpack, type: UNPACKEDPE Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 11.2.svchost.exe.140000000.0.unpack, type: UNPACKEDPE Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Source: 11.2.svchost.exe.140000000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
Source: 0000000B.00000002.2950853523.0000000140001000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: Process Memory Space: svchost.exe PID: 7576, type: MEMORYSTR Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: pluplcmhlbmi.sys.0.dr Binary string: \Device\WinRing0_1_2_0
Source: classification engine Classification label: mal100.evad.mine.winEXE@18/1@1/1
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7344:120:WilError_03
Source: C:\Windows\System32\svchost.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\rmcuxmbqqvwccwdx
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7392:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7440:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7536:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7488:120:WilError_03
Source: C:\Users\user\Desktop\bypass.exe File created: C:\Users\user\AppData\Local\Temp\pluplcmhlbmi.sys Jump to behavior
Source: bypass.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT Name FROM Win32_Processor
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Users\user\Desktop\bypass.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: bypass.exe ReversingLabs: Detection: 86%
Source: bypass.exe Virustotal: Detection: 58%
Source: unknown Process created: C:\Users\user\Desktop\bypass.exe "C:\Users\user\Desktop\bypass.exe"
Source: C:\Users\user\Desktop\bypass.exe Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop UsoSvc
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\bypass.exe Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop WaaSMedicSvc
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\bypass.exe Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop wuauserv
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\bypass.exe Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop bits
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\bypass.exe Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop dosvc
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\bypass.exe Process created: C:\Windows\System32\svchost.exe svchost.exe
Source: C:\Users\user\Desktop\bypass.exe Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop UsoSvc Jump to behavior
Source: C:\Users\user\Desktop\bypass.exe Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop WaaSMedicSvc Jump to behavior
Source: C:\Users\user\Desktop\bypass.exe Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop wuauserv Jump to behavior
Source: C:\Users\user\Desktop\bypass.exe Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop bits Jump to behavior
Source: C:\Users\user\Desktop\bypass.exe Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop dosvc Jump to behavior
Source: C:\Users\user\Desktop\bypass.exe Process created: C:\Windows\System32\svchost.exe svchost.exe Jump to behavior
Source: C:\Users\user\Desktop\bypass.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: powrprof.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: umpdc.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: wbemcomn.dll Jump to behavior
Source: bypass.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: bypass.exe Static file information: File size 2604032 > 1048576
Source: bypass.exe Static PE information: Raw size of .data is bigger than: 0x100000 < 0x273a00
Source: bypass.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: d:\hotproject\winring0\source\dll\sys\lib\amd64\WinRing0.pdb source: bypass.exe, 00000000.00000003.1699005516.0000014AEA650000.00000004.00000001.00020000.00000000.sdmp, pluplcmhlbmi.sys.0.dr
PE file contains sections with non-standard names
Source: bypass.exe Static PE information: section name: .00cfg
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\bypass.exe Code function: 0_2_00007FF68BE21394 push qword ptr [00007FF68BE29004h]; ret 0_2_00007FF68BE21403

Persistence and Installation Behavior
barindex
Sample is not signed and drops a device driver
Source: C:\Users\user\Desktop\bypass.exe File created: C:\Users\user\AppData\Local\Temp\pluplcmhlbmi.sys Jump to behavior
Drops PE files
Source: C:\Users\user\Desktop\bypass.exe File created: C:\Users\user\AppData\Local\Temp\pluplcmhlbmi.sys Jump to dropped file
Source: C:\Users\user\Desktop\bypass.exe Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop UsoSvc
Source: C:\Windows\System32\svchost.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\svchost.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Query firmware table information (likely to detect VMs)
Source: C:\Windows\System32\svchost.exe System information queried: FirmwareTableInformation Jump to behavior
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: svchost.exe, 0000000B.00000002.2951724426.000001960B22F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: PROCESSHACKER.EXE
Source: svchost.exe, 0000000B.00000002.2951724426.000001960B22F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: --CINIT-STEALTH-TARGETS=TASKMGR.EXE,PROCESSHACKER.EXE,PERFMON.EXE,PROCEXP.EXE,PROCEXP64.EXE
Source: svchost.exe, 0000000B.00000002.2951724426.000001960B22F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: PROCESSHACKER.EXE'
Source: svchost.exe, 0000000B.00000002.2951724426.000001960B22F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SVCHOST.EXE--ALGO=RX/0--URL=POOL.HASHVAULT.PRO:80--USER=47E5NEGQKAGCPHVFK1KBFASRZVNYXKHSFEUWUECA9LNXVBFYHTQ1CCUEKVLUB4SVRZAYJKHYUE7FSGCPQUWCNSTHSGH1U2X--PASS=--CPU-MAX-THREADS-HINT=60--CINIT-WINRING=PLUPLCMHLBMI.SYS--CINIT-STEALTH-TARGETS=TASKMGR.EXE,PROCESSHACKER.EXE,PERFMON.EXE,PROCEXP.EXE,PROCEXP64.EXE--CINIT-VERSION=3.4.0--CINIT-IDLE-WAIT=5--CINIT-IDLE-CPU=80--CINIT-ID=RMCUXMBQQVWCCWDX
Source: svchost.exe, 0000000B.00000003.1700136874.000001960B26A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: TASKMGR.EXE,PROCESSHACKER.EXE,PERFMON.EXE,PROCEXP.EXE,PROCEXP64.EXERMCUXMBQQVWCCWDX
Source: svchost.exe, 0000000B.00000002.2951800590.000001960B27D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\WINDOWS\SYSTEM32\WBEM\WBEMPROX.DLLLTASKMGR.EXE,PROCESSHACKER.EXE,PERFMON.EXE,PROCEXP.EXE,PROCEXP64.EXE@
Source: svchost.exe, 0000000B.00000002.2951724426.000001960B22F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: X/0 --URL=POOL.HASHVAULT.PRO:80 --USER="47E5NEGQKAGCPHVFK1KBFASRZVNYXKHSFEUWUECA9LNXVBFYHTQ1CCUEKVLUB4SVRZAYJKHYUE7FSGCPQUWCNSTHSGH1U2X" --PASS="" --CPU-MAX-THREADS-HINT=60 --CINIT-WINRING="PLUPLCMHLBMI.SYS" --CINIT-STEALTH-TARGETS="TASKMGR.EXE,PROCESSHACKER.EXE,PERFMON.EXE,PROCEXP.EXE,PROCEXP64.EXE" --CINIT-VERSION="3.4.0" --CINIT-IDLE-WAIT=5 --CINIT-IDLE-CPU=80 --CINIT-ID="RMCUXMBQQVWCCWDX"
Source: svchost.exe, 0000000B.00000002.2951724426.000001960B22F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: TX/0 --URL=POOL.HASHVAULT.PRO:80 --USER="47E5NEGQKAGCPHVFK1KBFASRZVNYXKHSFEUWUECA9LNXVBFYHTQ1CCUEKVLUB4SVRZAYJKHYUE7FSGCPQUWCNSTHSGH1U2X" --PASS="" --CPU-MAX-THREADS-HINT=60 --CINIT-WINRING="PLUPLCMHLBMI.SYS" --CINIT-STEALTH-TARGETS="TASKMGR.EXE,PROCESSHACKER.EXE,PERFMON.EXE,PROCEXP.EXE,PROCEXP64.EXE" --CINIT-VERSION="3.4.0" --CINIT-IDLE-WAIT=5 --CINIT-IDLE-CPU=80 --CINIT-ID="RMCUXMBQQVWCCWDX"+
Source: svchost.exe, 0000000B.00000003.1700136874.000001960B26A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2951800590.000001960B27D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2951724426.000001960B22F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: TASKMGR.EXE,PROCESSHACKER.EXE,PERFMON.EXE,PROCEXP.EXE,PROCEXP64.EXE
Source: svchost.exe, 0000000B.00000002.2951724426.000001960B22F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: PROCESSHACKER.EXEV
Found dropped PE file which has not been started or loaded
Source: C:\Users\user\Desktop\bypass.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\pluplcmhlbmi.sys Jump to dropped file
Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\bypass.exe API coverage: 5.0 %
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT Name FROM Win32_Processor
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: svchost.exe, 0000000B.00000002.2951782091.000001960B26A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWMSAFD RfComm [Bluetooth]RSVP UDPv6 Service Provider
Source: svchost.exe, 0000000B.00000002.2951724426.000001960B25F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: svchost.exe, 0000000B.00000002.2951688631.000001960B213000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW@
Source: C:\Windows\System32\svchost.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\user\Desktop\bypass.exe Code function: 0_2_00007FF68BE21160 Sleep,Sleep,_amsg_exit,_initterm,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_cexit, 0_2_00007FF68BE21160

HIPS / PFW / Operating System Protection Evasion
barindex
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\Desktop\bypass.exe Thread register set: target process: 7576 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\bypass.exe Process created: C:\Windows\System32\svchost.exe svchost.exe Jump to behavior
AV process strings found (often used to terminate AV products)
Source: svchost.exe, 0000000B.00000002.2951820912.000001960B299000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: procexp.exe
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1541816 Sample: bypass.exe Startdate: 25/10/2024 Architecture: WINDOWS Score: 100 34 pool.hashvault.pro 2->34 38 Multi AV Scanner detection for domain / URL 2->38 40 Malicious sample detected (through community Yara rule) 2->40 42 Multi AV Scanner detection for submitted file 2->42 44 5 other signatures 2->44 8 bypass.exe 1 2->8         started        signatures3 process4 file5 32 C:\Users\user\AppData\...\pluplcmhlbmi.sys, PE32+ 8->32 dropped 46 Modifies the context of a thread in another process (thread injection) 8->46 48 Sample is not signed and drops a device driver 8->48 12 svchost.exe 8->12         started        16 sc.exe 1 8->16         started        18 sc.exe 1 8->18         started        20 3 other processes 8->20 signatures6 process7 dnsIp8 36 45.76.89.70, 49730, 80 AS-CHOOPAUS United States 12->36 50 Query firmware table information (likely to detect VMs) 12->50 52 Found strings related to Crypto-Mining 12->52 54 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 12->54 22 conhost.exe 16->22         started        24 conhost.exe 18->24         started        26 conhost.exe 20->26         started        28 conhost.exe 20->28         started        30 conhost.exe 20->30         started        signatures9 process10
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
45.76.89.70
 unknown United States
20473 AS-CHOOPAUS true

Contacted Domains

Name IP Active
pool.hashvault.pro 95.179.241.203 true