Closed Toxenskiy closed 3 years ago
The miner is written in C++ and AsyncRat is written in C#, so the code is not even close to compatible. I don't have nearly enough time to make an admin panel myself, but you can technically use the built-in XMRig HTTP API if you want an admin panel.
And, well, if I understand you correctly, then I have to say that it's not renamed: it's injected through process hollowing, and injecting the program is nearly as good as it can get. That's the reason nearly all crypters do it as well.
What complexity of encryption are you using in ConfuserEx?
I usually set my own options, but Normal or Minimum usually works.
Use the precompiled build.
Hmm, weird. The normal miner usually gets detected, since the program is public and many people use it irresponsibly, but the watchdog usually won't get detected, and I haven't been able to get it detected myself. Try running it on another computer to see whether it gets detected.
Also, try setting the 'Save Path' to Temp or something, since Windows Defender can be a bit sensitive about the UserProfile sometimes.
It got detected after the program started, that is, the drop was successful.
Well, yeah, but that could be because it got started in the UserProfile, which WD sometimes won't like. And what 'Start Delay' did you use?
15 seconds, and I changed the install path to "temp".
And if you try running it on another computer, does it get detected as well?
I don't have another computer for the test.
Have you thought about the admin panel, for example taking AsyncRat as the source? P.S. And yes, you have good stealth. To bypass it, it is not enough to rename the program itself.