File name:	20389c7d417ec512e18bb246a693ce37e041390b6cf1cdd5dca0728b709f910d.exe
Full analysis:	https://app.any.run/tasks/a7f7d18d-3a9a-44f1-8147-e2bd91461069
Verdict:	Malicious activity
Threats:	Crypto mining malware is a resource-intensive threat that infiltrates computers with the purpose of mining cryptocurrencies. This type of threat can be deployed either on an infected machine or a compromised website. In both cases the miner will utilize the computing power of the device and its network bandwidth. Malware Trends Tracker >>>
Analysis date:	July 08, 2025, 08:21:02
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	auto-reg auto-startup miner vmprotect
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive, 5 sections
MD5:	32F21AB8CF9B96E8BA86395A0EDC2E4F
SHA1:	2A5B3C07E32B3B2B0C1EF33A10685027703440EC
SHA256:	20389C7D417EC512E18BB246A693CE37E041390B6CF1CDD5DCA0728B709F910D
SSDEEP:	98304:8cef4lNcsqzlrrVUU2FIgW/Ctt/1VIymxMEDefdZlfpizKYtubio+6MlfsGHIZhe:PXuO05

.exe	\|	NSIS - Nullsoft Scriptable Install System (94.8)
.exe	\|	Win32 Executable MS Visual C++ (generic) (3.4)
.dll	\|	Win32 Dynamic Link Library (generic) (0.7)
.exe	\|	Win32 Executable (generic) (0.5)
.exe	\|	Generic Win/DOS Executable (0.2)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2009:12:05 22:50:52+00:00
ImageFileCharacteristics:	No relocs, Executable, No line numbers, No symbols, 32-bit
PEType:	PE32
LinkerVersion:	6
CodeSize:	24064
InitializedDataSize:	164864
UninitializedDataSize:	1024
EntryPoint:	0x30fa
OSVersion:	4
ImageVersion:	6
SubsystemVersion:	4
Subsystem:	Windows GUI
FileVersionNumber:	2.0.0.4
ProductVersionNumber:	2.0.0.4
FileFlagsMask:	0x0000
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	Neutral
CharacterSet:	Windows, Latin1
Comments:	FOLDER
CompanyName:
FileDescription:	Folder
FileVersion:	0.4
LegalCopyright:	Copyright © 2014
LegalTrademarks:
ProductName:	Images folder (x86-x64)
ProductVersion:	0.2


(PID) Process:	(2972) 20389c7d417ec512e18bb246a693ce37e041390b6cf1cdd5dca0728b709f910d.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(2972) 20389c7d417ec512e18bb246a693ce37e041390b6cf1cdd5dca0728b709f910d.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(2972) 20389c7d417ec512e18bb246a693ce37e041390b6cf1cdd5dca0728b709f910d.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:
(PID) Process:	(2368) image.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(2368) image.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(2368) image.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:
(PID) Process:	(2368) image.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:	write	Name:	Coin
Value: C:\Users\admin\AppData\Roaming\Images\image.exe
(PID) Process:	(1328) load.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(1328) load.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(1328) load.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:

PID	Process	Filename		Type
2368	image.exe	C:\Users\admin\AppData\Roaming\Images\NsCpuCNMiner64.exe		executable
		MD5:EEDB9D86AE8ABC65FA7AC7C6323D4E8F	SHA256:D0326F0DDCE4C00F93682E3A6F55A3125F6387E959E9ED6C5E5584E78E737078
2972	20389c7d417ec512e18bb246a693ce37e041390b6cf1cdd5dca0728b709f910d.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\test5[1].htm		html
		MD5:4F8E702CC244EC5D4DE32740C0ECBD97	SHA256:9E17CB15DD75BBBD5DBB984EDA674863C3B10AB72613CF8A39A00C3E11A8492A
1328	load.exe	C:\Users\admin\AppData\Local\Temp\nss2E4F.tmp\inetc.dll		executable
		MD5:D7A3FA6A6C738B4A3C40D5602AF20B08	SHA256:67EFF17C53A78C8EC9A28F392B9BB93DF3E74F96F6ECD87A333A482C36546B3E
2368	image.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\test7[1].htm		html
		MD5:4F8E702CC244EC5D4DE32740C0ECBD97	SHA256:9E17CB15DD75BBBD5DBB984EDA674863C3B10AB72613CF8A39A00C3E11A8492A
2368	image.exe	C:\Users\admin\AppData\Roaming\Images\NsGpuCNMiner.exe		executable
		MD5:35D2C42B6EE0ACBCE9DFE8CC418FE5D8	SHA256:7A2A860BB344526E8546ACD172522B4D276A4647F43DD4720281D40E390B283E
2368	image.exe	C:\Users\admin\AppData\Roaming\Images\tmp.ini		ini
		MD5:ACAF5EFC532BC6402BBFC03AD1C5F40C	SHA256:85AC75D560D635313A88FD2CAFDBBEE84EC9A4263D40B138E1F0C52E3DBDCA36
2368	image.exe	C:\Users\admin\AppData\Roaming\Images\Data.bin		binary
		MD5:54EF305626A0EA8B3EB8B28B331E73E2	SHA256:932055827D87637BA7E11565F22DDA3F09CC9457769788D94413E96CF346A6E4
2368	image.exe	C:\Users\admin\AppData\Roaming\Images\NsCpuCNMiner32.exe		executable
		MD5:3AFEB8E9AF02A33FF71BF2F6751CAE3A	SHA256:A0EBA3FDA0D7B22A5D694105EC700DF7C7012DDC4AE611C3071EF858E2C69F08
1328	load.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\test6[1].htm		html
		MD5:4F8E702CC244EC5D4DE32740C0ECBD97	SHA256:9E17CB15DD75BBBD5DBB984EDA674863C3B10AB72613CF8A39A00C3E11A8492A
2368	image.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\image.lnk		lnk
		MD5:9221E56BBECD29F07EFDD5EEAB0386A7	SHA256:B12FAC9DB6F2740FA28FED307D77412330B2D1DADDA3FEAD6F39BBAD9CDB5355

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
2972	20389c7d417ec512e18bb246a693ce37e041390b6cf1cdd5dca0728b709f910d.exe	GET	301	81.28.12.12:80	http://testswork.ru/test5.txt	unknown	—	—	unknown
—	—	POST	200	20.190.160.64:443	https://login.live.com/RST2.srf	unknown	xml	1.24 Kb	whitelisted
—	—	POST	400	20.190.160.66:443	https://login.live.com/ppsecure/deviceaddcredential.srf	unknown	text	203 b	whitelisted
5944	MoUsoCoreWorker.exe	GET	200	23.216.77.21:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
5944	MoUsoCoreWorker.exe	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	GET	404	81.28.12.12:443	https://testswork.ru/test5.txt	unknown	html	196 b	—
2368	image.exe	GET	301	81.28.12.12:80	http://testswork.ru/test5.txt	unknown	—	—	unknown
5560	RUXIMICS.exe	GET	200	23.216.77.21:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
—	—	POST	400	20.190.160.66:443	https://login.live.com/ppsecure/deviceaddcredential.srf	unknown	text	203 b	whitelisted
—	—	POST	400	20.190.160.2:443	https://login.live.com/ppsecure/deviceaddcredential.srf	unknown	text	203 b	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
5560	RUXIMICS.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
5944	MoUsoCoreWorker.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
2972	20389c7d417ec512e18bb246a693ce37e041390b6cf1cdd5dca0728b709f910d.exe	81.28.12.12:80	testswork.ru	G-Core Labs S.A.	LU	unknown
1268	svchost.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
2972	20389c7d417ec512e18bb246a693ce37e041390b6cf1cdd5dca0728b709f910d.exe	81.28.12.12:443	testswork.ru	G-Core Labs S.A.	LU	unknown
4156	svchost.exe	40.126.32.68:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
5944	MoUsoCoreWorker.exe	23.216.77.21:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	51.104.136.2 4.231.128.59	whitelisted
google.com	172.217.18.110	whitelisted
testswork.ru	81.28.12.12	unknown
login.live.com	40.126.32.68 20.190.160.128 20.190.160.4 40.126.32.74 20.190.160.132 40.126.32.133 20.190.160.5 20.190.160.66	whitelisted
crl.microsoft.com	23.216.77.21 23.216.77.11 23.216.77.23 23.216.77.36 23.216.77.25 23.216.77.15 23.216.77.16 23.216.77.24 23.216.77.40 23.216.77.33 23.216.77.18 23.216.77.17 23.216.77.29	whitelisted
www.microsoft.com	23.35.229.160	whitelisted
nexusrules.officeapps.live.com	52.111.229.19	whitelisted
slscr.update.microsoft.com	20.12.23.50	whitelisted
fe3cr.delivery.mp.microsoft.com	20.242.39.171	whitelisted
activation-v2.sls.microsoft.com	13.77.207.86 40.91.76.224	whitelisted

PID	Process	Class	Message
2972	20389c7d417ec512e18bb246a693ce37e041390b6cf1cdd5dca0728b709f910d.exe	Potentially Bad Traffic	ET USER_AGENTS Observed Suspicious UA (NSIS_Inetc (Mozilla))
—	—	Potentially Bad Traffic	ET USER_AGENTS Observed Suspicious UA (NSIS_Inetc (Mozilla))
2368	image.exe	Potentially Bad Traffic	ET USER_AGENTS Observed Suspicious UA (NSIS_Inetc (Mozilla))
—	—	Unknown Traffic	ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)
2368	image.exe	Potentially Bad Traffic	ET USER_AGENTS Observed Suspicious UA (NSIS_Inetc (Mozilla))
—	—	Potentially Bad Traffic	ET USER_AGENTS Observed Suspicious UA (NSIS_Inetc (Mozilla))
1328	load.exe	Potentially Bad Traffic	ET USER_AGENTS Observed Suspicious UA (NSIS_Inetc (Mozilla))
1328	load.exe	Potentially Bad Traffic	ET USER_AGENTS Observed Suspicious UA (NSIS_Inetc (Mozilla))
—	—	Potentially Bad Traffic	ET USER_AGENTS Observed Suspicious UA (NSIS_Inetc (Mozilla))
2368	image.exe	Potentially Bad Traffic	ET USER_AGENTS Observed Suspicious UA (NSIS_Inetc (Mozilla))

General Info

20389c7d417ec512e18bb246a693ce37e041390b6cf1cdd5dca0728b709f910d.exe

32F21AB8CF9B96E8BA86395A0EDC2E4F

2A5B3C07E32B3B2B0C1EF33A10685027703440EC

20389C7D417EC512E18BB246A693CE37E041390B6CF1CDD5DCA0728B709F910D

98304:8cef4lNcsqzlrrVUU2FIgW/Ctt/1VIymxMEDefdZlfpizKYtubio+6MlfsGHIZhe:PXuO05

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Create files in the Startup directory

Looks like the application has launched a miner

Changes the autorun value in the registry

SUSPICIOUS

Reads security settings of Internet Explorer

Executable content was dropped or overwritten

Starts itself from another location

There is functionality for taking screenshot (YARA)

Malware-specific behavior (creating "System.dll" in Temp)

The process creates files with name similar to system file names

Creates file in the systems drive root

Connects to unusual port

INFO

Checks supported languages

Create files in a temporary directory

The sample compiled with english language support

Reads the computer name

Checks proxy server information

Creates files or folders in the user directory

Reads the software policy settings

Reads the machine GUID from the registry

Process checks computer location settings

Launching a file from the Startup directory

Launching a file from a Registry key

Manual execution by a user

VMProtect protector has been detected

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings