Trojan.Win32.FlyStudio_b0d2d14872

by malwarelabrobot on September 21st, 2017 in Malware Descriptions.

Trojan.Win32.FlyStudio.FD, TrojanFlyStudio.YR (Lavasoft MAS)
Behaviour: Trojan


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: b0d2d14872b304bd59055f502f87e35b
SHA1: 7cb06c2e348a8dd29f3bdeca051e48dcbd568394
SHA256: a36f2960d63d28ae09b5a7c58a1acf39fa3d5a4adc1e3a7a64ad8bd12f7298fd
SSDeep: 24576:UD Ab3lZNUo3apSVrvFN7pp/YPMLhw57Ca3:UblOyTVd2GhwtCS
Size: 805888 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2017-09-08 13:16:50
Analyzed on: Windows7 SP1 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

The automated verdict recorded no specific payload. The dump strings and the dropped file say otherwise: the sample drops qapt.exe, a build of the open-source XMRig 2.3.0 Monero miner (strings "XMRig 2.3.0", "Copyright (C) 2016-2017 xmrig.com", "xmrig.exe"), and embeds the miner command line "-o xmr.pool.minergate.com:45560 -uxmrwakuang@hotmail.com -p x -k -R 1". The payload is therefore cryptojacking: CPU mining to the pool xmr.pool.minergate.com on TCP port 45560 for the account xmrwakuang@hotmail.com (see Strings from Dumps).

Process activity

The Trojan creates the following process(es):
No process creation was recorded by the sandbox. Memory dumps were nevertheless collected from qapt.exe:3724 (the dropped miner) and conhost.exe:2948 (the console host spawned for it), and the sample embeds the string "cmd /c c:\ProgramData\TMP\", which is consistent with the dropped miner being launched through cmd.exe in this run (see Strings from Dumps).
The Trojan injects its code into the following process(es):

%original file name%.exe:2876 (its own process: the UPX stub unpacks the image into the RWX region at 0x00401000, which the sandbox reports as self-injection)

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:2876 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\ProgramData\TMP\qapt.exe (711 bytes)

Registry activity

The process %original file name%.exe:2876 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"%original file name%.exe" = "c:\%original file name%.exe /S"

Dropped PE files

MD5                               File path
09ca8419e23b2d919e93e57f04239a28  c:\ProgramData\TMP\qapt.exe
09ca8419e23b2d919e93e57f04239a28  c:\Users\All Users\TMP\qapt.exe

(Both rows are the same file: on Windows Vista and later C:\Users\All Users is a junction to C:\ProgramData, so the sandbox saw one write through two paths.)
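
The autorun value and the dropped file above are the two host-side artefacts worth hunting for. The following is an added example, not part of the Lavasoft report or its tooling: the indicator values (the Run-key data shape "c:\<name>.exe /S", the drop directory and the qapt.exe MD5) come from the report, while the matching rules, the constructed sample Run-key entries and every function name (suspicious_run_value, scan_run_entries, md5_matches_dropped, live_run_entries) are assumptions made here.

```python
"""Host checks for the autorun entry and the dropped file listed above.

Added example, not part of the Lavasoft report or its tooling. The indicator
values (Run-key data, drop directory, qapt.exe MD5) come from the report; the
matching rules, the constructed sample Run-key entries and the function names
are the author's own.
"""
import hashlib
import ntpath
import re
import sys

DROPPED_MD5 = "09ca8419e23b2d919e93e57f04239a28"   # qapt.exe, per the report
# Both paths in the report are the same directory: on Windows Vista and later
# C:\Users\All Users is a junction to C:\ProgramData. Compared lower-cased.
DROP_DIRS = ("c:\\programdata\\tmp\\", "c:\\users\\all users\\tmp\\")

# Report's Run-key data: "<drive root>\<name>.exe /S". The generic form, an
# executable sitting in the root of a drive and started with a lone /S
# (silent) switch, is rare for legitimate autostarts.
_ROOT_EXE_SILENT = re.compile(r'^"?([a-z]:\\[^\\"]+\.exe)"?\s+/S\s*$', re.IGNORECASE)


def suspicious_run_value(name, data):
    """Reason string if the autorun pair (name, data) matches the report's pattern, else None."""
    data = data.strip()
    m = _ROOT_EXE_SILENT.match(data)
    if m:
        exe = m.group(1)
        if name.lower() == ntpath.basename(exe).lower():
            return f"value named after its own executable, run from drive root with /S: {exe}"
        return f"executable run from drive root with /S: {exe}"
    if data.lower().lstrip('"').startswith(DROP_DIRS):
        return f"autorun points into the miner drop directory: {data}"
    return None


def scan_run_entries(entries):
    """entries: iterable of (value name, value data). Returns [(name, data, reason), ...]."""
    hits = []
    for name, data in entries:
        reason = suspicious_run_value(name, data)
        if reason:
            hits.append((name, data, reason))
    return hits


def md5_matches_dropped(path, expected=DROPPED_MD5):
    """True if the file at path has the report's qapt.exe MD5.

    MD5 is what the report publishes; prefer SHA-256 when you have it.
    """
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest() == expected


# Constructed sample Run key: a benign vendor entry, an entry shaped like the
# report's, and an entry pointing into the drop directory.
SAMPLE_RUN_ENTRIES = [
    ("SecurityHealth", r"C:\Windows\system32\SecurityHealthSystray.exe"),
    ("invoice.exe", r"c:\invoice.exe /S"),
    ("qapt", r"C:\ProgramData\TMP\qapt.exe"),
]


def live_run_entries():
    """HKLM\\...\\Run contents on Windows; the constructed sample elsewhere."""
    if sys.platform != "win32":
        return SAMPLE_RUN_ENTRIES
    import winreg   # Windows-only module
    key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                         r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run")
    entries, i = [], 0
    while True:
        try:
            name, data, _ = winreg.EnumValue(key, i)
        except OSError:      # ERROR_NO_MORE_ITEMS
            return entries
        entries.append((name, str(data)))
        i += 1


if __name__ == "__main__":
    for name, data, reason in scan_run_entries(live_run_entries()):
        print(f"[!] {name} = {data}\n    {reason}")
```

The Run-key rule is deliberately shape-based rather than name-based: the sandbox substitutes %original file name%, so the value name seen on a victim will be whatever the dropper was called, but the "drive root plus /S" shape and the drop directory survive renaming.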

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Name   Virtual Address  Virtual Size  Raw Size  Entropy  Section MD5
UPX0   4096             1286144       0         0        d41d8cd98f00b204e9800998ecf8427e
UPX1   1290240          794624        791040    5.50669  91f4368d4ec3411167583e50c1ebf169
.rsrc  2084864          16384         13824     3.27293  e9eef6bcfaefdd46a45f861464312d5e

(The UPX0/UPX1 section names and the empty UPX0 section, raw size 0 with d41d8cd98f00b204e9800998ecf8427e being the MD5 of zero bytes, show the file is UPX-packed; this agrees with the PEiD match UPolyXv05_v6, a UPX scrambler. The unpacked image is what the memory dump of the RWX region at 0x00401000 contains.)
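
How the section table above gives away the packer, written out as code. This is an added example, not part of the Lavasoft report or its tooling: the section values are copied from the report's table, while the thresholds, the packer-name list and the function names (packing_indicators, is_packed, unpack_destination) are assumptions made here.

```python
"""Packing heuristics applied to the section table above.

Added example, not part of the Lavasoft report or its tooling. The section
values are copied from the report's table; the thresholds, the packer-name
list and the function names are the author's assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Section:
    name: str
    virtual_address: int   # RVA
    virtual_size: int
    raw_size: int          # bytes present on disk
    entropy: float
    md5: str


# The report's section table (constructed from that table, values unchanged).
SAMPLE_SECTIONS = [
    Section("UPX0", 4096, 1286144, 0, 0.0, "d41d8cd98f00b204e9800998ecf8427e"),
    Section("UPX1", 1290240, 794624, 791040, 5.50669, "91f4368d4ec3411167583e50c1ebf169"),
    Section(".rsrc", 2084864, 16384, 13824, 3.27293, "e9eef6bcfaefdd46a45f861464312d5e"),
]

MD5_OF_EMPTY = "d41d8cd98f00b204e9800998ecf8427e"   # hashlib.md5(b"").hexdigest()
PACKER_NAME_PREFIXES = ("UPX", "ASPACK", ".ASPACK", "MPRESS", ".PETITE", ".NSP")  # assumption
HIGH_ENTROPY = 7.0   # assumption: >= 7 bits/byte reads as compressed or encrypted


def packing_indicators(sections):
    """Return one reason string per packing indicator found in the table.

    Heuristics (common triage rules, not something the report states):
    * the section name follows a known packer's naming scheme;
    * raw size 0 with a large virtual size marks an unpack destination:
      the packer stub inflates code into it at run time, so nothing is on disk;
    * a section MD5 equal to md5("") says the same thing;
    * entropy at or above HIGH_ENTROPY suggests compressed/encrypted content.
    """
    reasons = []
    for s in sections:
        if s.name.upper().startswith(PACKER_NAME_PREFIXES):
            reasons.append(f"{s.name}: packer section name")
        if s.raw_size == 0 and s.virtual_size > 0:
            reasons.append(f"{s.name}: raw size 0 but virtual size {s.virtual_size} (unpack destination)")
        if s.md5 == MD5_OF_EMPTY:
            reasons.append(f"{s.name}: MD5 is md5('') - empty on disk")
        if s.entropy >= HIGH_ENTROPY:
            reasons.append(f"{s.name}: entropy {s.entropy:.2f} >= {HIGH_ENTROPY}")
    return reasons


def is_packed(sections):
    return bool(packing_indicators(sections))


def unpack_destination(sections):
    """(RVA, size) of the region the packer will fill, or None if there is none.

    With the usual 0x400000 image base (assumption: the report does not list it)
    the RVA 0x1000 below is the 0x00401000 start of the RWX region whose strings
    the report dumps; that dump extends over UPX1 as well.
    """
    dests = [s for s in sections if s.raw_size == 0 and s.virtual_size > 0]
    if not dests:
        return None
    start = min(s.virtual_address for s in dests)
    end = max(s.virtual_address + s.virtual_size for s in dests)
    return start, end - start


if __name__ == "__main__":
    for reason in packing_indicators(SAMPLE_SECTIONS):
        print(reason)
    print("unpack destination (RVA, size):", unpack_destination(SAMPLE_SECTIONS))
```

Note that the entropy rule alone would have missed this file: UPX1 scores only 5.5, below any sensible "encrypted" threshold, so the name and zero-raw-size rules carry the verdict. That is why an "Entropy: Packed" field should never be read in isolation.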

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL                      IP
xmr.pool.minergate.com   136.243.94.27

(Monero mining pool; the embedded miner command line connects to it on TCP port 45560.)
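
The pool address above is only half of the network indicator; the other half is the miner's own configuration, embedded in the dropper, and the Stratum messages it exchanges with the pool. The following is an added example, not part of the Lavasoft report or its tooling: the command line and the "login"/"submit"/"keepalived" message formats are taken from the report's dump strings, while the parser, the classifier, the constructed sample messages and all function names (parse_xmrig_args, classify_stratum, mining_hits) are assumptions made here.

```python
"""Mining-pool indicators from the embedded XMRig command line and its traffic.

Added example, not part of the Lavasoft report. The command line and the
message formats ("login", "submit", "keepalived") are taken from the report's
dump strings; the parser, the classifier, the sample messages and all function
names are constructed here.
"""
import argparse
import json
import shlex

# Verbatim from the dump: the arguments the dropper passes to the miner.
EMBEDDED_CMDLINE = "-o xmr.pool.minergate.com:45560 -uxmrwakuang@hotmail.com -p x -k -R 1"


def parse_xmrig_args(cmdline):
    """Pool, port, user and password from an XMRig-style argument string.

    Options come from the help text in the dump (-o/--url, -O/--userpass,
    -p/--pass, -k/--keepalive) plus -u/--user, XMRig's wallet option
    (assumption: it is used in the command line but absent from the quoted
    help). Glued short options such as "-uxmr..." are accepted; anything
    else (e.g. "-R 1") is ignored.
    """
    p = argparse.ArgumentParser(add_help=False)
    p.add_argument("-o", "--url")
    p.add_argument("-O", "--userpass")
    p.add_argument("-u", "--user")
    p.add_argument("-p", "--pass", dest="password")
    p.add_argument("-k", "--keepalive", action="store_true")
    ns, _ignored = p.parse_known_args(shlex.split(cmdline))

    url = ns.url or ""
    if url.startswith("stratum+tcp://"):
        url = url[len("stratum+tcp://"):]
    host, _, port = url.rpartition(":")
    if not port.isdigit():          # no port given
        host, port = url, ""
    user, password = ns.user, ns.password
    if ns.userpass and ":" in ns.userpass:
        user, password = ns.userpass.split(":", 1)
    return {
        "pool": host or None,
        "port": int(port) if port else None,
        "user": user,
        "password": password,
        "keepalive": ns.keepalive,
    }


def classify_stratum(line):
    """(method, summary) if one newline-delimited JSON line is a Monero Stratum
    (JSON-RPC 2.0) miner message of the kinds seen in the dump, else None."""
    try:
        msg = json.loads(line)
    except ValueError:
        return None
    if not isinstance(msg, dict) or msg.get("jsonrpc") != "2.0":
        return None
    method, params = msg.get("method"), msg.get("params")
    if not isinstance(params, dict):
        return None
    if method == "login" and "login" in params:
        return method, f"worker login as {params['login']} agent {params.get('agent', '?')}"
    if method == "submit" and {"job_id", "nonce", "result"}.issubset(params):
        return method, f"share submitted for job {params['job_id']}"
    if method == "keepalived" and "id" in params:
        return method, "keepalive"
    return None


def mining_hits(lines):
    """Classify every line of a captured client-to-pool stream."""
    return [hit for hit in map(classify_stratum, lines) if hit]


# Constructed sample stream: three messages filled into the dump's format
# strings (the agent value follows the "%s/%s (Windows NT %lu.%lu; Win64; x64)
# libuv/%s" template in the dump), then two lines that must not match.
SAMPLE_STREAM = [
    '{"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"xmrwakuang@hotmail.com",'
    '"pass":"x","agent":"XMRig/2.3.0 (Windows NT 6.1; Win64; x64) libuv/1.14.0"}}',
    '{"id":2,"jsonrpc":"2.0","method":"keepalived","params":{"id":"1"}}',
    '{"id":3,"jsonrpc":"2.0","method":"submit","params":{"id":"1","job_id":"0",'
    '"nonce":"deadbeef","result":"0000"}}',
    '{"jsonrpc":"2.0","method":"ping","params":{}}',
    "GET / HTTP/1.1",
]


if __name__ == "__main__":
    print(parse_xmrig_args(EMBEDDED_CMDLINE))
    for method, summary in mining_hits(SAMPLE_STREAM):
        print(f"{method:10s} {summary}")
```

Two practical points follow from the parser output: the pool port (45560) is not a well-known port, so a firewall rule on 136.243.94.27 alone would miss the same miner pointed at another pool, whereas the JSON-RPC "login"/"submit" shapes are the same for every Monero pool; and the traffic is plain TCP, so the classifier can run on reassembled payloads without any TLS interception.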


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

The Trojan connects to the servers at the following location(s):

xmr.pool.minergate.com:45560 (136.243.94.27), the Monero mining pool named in the embedded miner command line.

Strings from Dumps

%original file name%.exe_2876:

`.rsrc
-U}K7
t$(SSh
|$D.tm
~%UVW
u$SShe
iu2.iu
K(.wS
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
c:\ProgramData\TMP
C:\ProgramData\TMP
C:\ProgramData
C:\ProgramData\TMP\
-o xmr.pool.minergate.com:45560 -uxmrwakuang@hotmail.com -p x -k -R 1
cmd /c c:\ProgramData\TMP\
c:\ProgramData\TMP\
.text
P`.data
.rdata
`@.pdata
0@.xdata
0@.bss
.idata
.rsrc
\\?\pipe1
8MZuRL
"%s" hash self-test failed.
[%d-d-d d:d:d]%s %s%s
[%d-d-d d:d:d]
[%s:%u] duplicate job received, ignore
{"id":%lld,"jsonrpc":"2.0","method":"keepalived","params":{"id":"%s"}}
[%s:%u] getaddrinfo error: "%s"
{"id":%llu,"jsonrpc":"2.0","method":"submit","params":{"id":"%s","job_id":"%s","nonce":"%s","result":"%s"}}
[%s:%u] error: "%s", code: %lld
[%s:%u] unsupported method: "%s"
[%s:%u] login error code: %d
[%s:%u] JSON decode failed: "%s"
[%s:%u] read error: "%s"
login
[%s:%u] connect error: "%s"
[%s:%u] DNS error: "%s"
[%s:%u] DNS error: "No IPv4 records found"
[01;36m%s:%d
[01;30m%s
use pool %s:%d %s
[01;37m%u
[31m"%s"
rejected (%lld/%lld) diff %u "%s" (%llu ms)
accepted (%lld/%lld) diff %u (%llu ms)
[01;37m%s:%d
[01;37m%d
new job from %s:%d diff %d
fee.xmrig.com
stratum tcp://
.nicehash.com
XMRig 2.3.0
%d.%d.%d
libuv/%s
libjansson/%s
unable to open %s: %s
%s:%d: %s
%s: unsupported non-option argument '%s'
No pool URL supplied. Exiting.
userpass
-o, --url=URL URL of mining server
-O, --userpass=U:P username:password pair for mining server
-p, --pass=PASSWORD password for mining server
-k, --keepalive send keepalived for prevent timeout (need pool support)
--no-huge-pages disable huge pages support
--nicehash enable nicehash support
--print-time=N print hashrate report every N seconds
[01;36mXMRig/%s
[01;37m libuv/%s%s
* VERSIONS: XMRig/%s libuv/%s%s
[01;36m%d
[01;37m, %s, av=%d, %sdonate=%d%%%s
* THREADS: %d, %s, av=%d, %sdonate=%d%%%s
gcc/%d.%d.%d
2.3.0
[01;37mHUGE PAGES: %s, %s
* HUGE PAGES: %s, %s
[01;37mCPU: %s (%d) %sx64 %sAES-NI
* CPU: %s (%d) %sx64 %sAES-NI
* POOL #%d: %s:%d
[01;37mPOOL #%d:
[01;36m%s:%d
[01;36m%s
[22;36m%s %s
[01;36m%s H/s
speed 2.5s/60s/15m %s %s %s H/s max: %s H/s
Huge pages support was successfully enabled, but reboot required to use it
%s/%s (Windows NT %lu.%lu
; Win64; x64) libuv/%s
tX4Fr.rh.46Aw-wl-6
.eK9K\9.
\uX
\uX\uX
%s near '%s'
%s near end of file
unable to decode byte 0x%x
control character 0x%x
invalid Unicode '\uX\uX'
invalid Unicode '\uX'
NUL byte in object key not supported
duplicate object key
pipe
[%c%c%c] %-8s %p
Unknown system error %d
EAFNOSUPPORT
EMSGSIZE
EPIPE
EPROTONOSUPPORT
ESPIPE
address family not supported
ai_family not supported
socket type not supported
operation canceled
illegal operation on a directory
socket operation on non-socket
operation not supported on socket
operation not permitted
broken pipe
protocol not supported
cannot send after transport endpoint shutdown
1.14.0
!loop->wq_async.async_sent
((uv_shutdown_t*) req)->handle->type == UV_NAMED_PIPE
%s: (%d) %s
(%d) %s
src/win/pipe.c
pipe->flags & UV_HANDLE_CONNECTION
pipe->u.fd == -1 || pipe->u.fd > 2
req->pipeHandle == INVALID_HANDLE_VALUE
req->pipeHandle != INVALID_HANDLE_VALUE
handle->type == UV_NAMED_PIPE
hThread == handle->pipe.conn.readfile_thread
req->write_buffer.base
!(handle->flags & UV_HANDLE_PIPESERVER)
pipe->type == UV_NAMED_PIPE
pipe->flags & UV_HANDLE_READ_PENDING
!(handle->flags & UV_HANDLE_NON_OVERLAPPED_PIPE)
\\?\pipe\uv\%p-%lu
handle->pipe.serv.accept_reqs
handle->pipe.serv.accept_reqs[0].pipeHandle != INVALID_HANDLE_VALUE
avail >= sizeof(ipc_frame.header)
bytes == sizeof(ipc_frame.header)
ipc_frame.header.flags <= (UV_IPC_TCP_SERVER | UV_IPC_RAW_DATA | UV_IPC_TCP_CONNECTION)
avail - sizeof(ipc_frame.header) >= sizeof(ipc_frame.socket_info_ex)
bytes == sizeof(ipc_frame) - sizeof(ipc_frame.header)
handle->pipe.conn.remaining_ipc_rawdata_bytes >= bytes
handle->write_queue_size >= req->u.io.queued_bytes
handle->stream.conn.write_reqs_pending > 0
pipe->pipe.conn.eof_timer == NULL
!(pipe->flags & UV_HANDLE_NON_OVERLAPPED_PIPE)
pipe->pipe.conn.ipc_pid != -1
rfds.fd_count == 1
rfds.fd_array[0] == handle->socket
wfds.fd_count == 1
wfds.fd_array[0] == handle->socket
efds.fd_count == 1
efds.fd_array[0] == handle->socket
!(options->flags & ~(UV_PROCESS_DETACHED | UV_PROCESS_SETGID | UV_PROCESS_SETUID | UV_PROCESS_WINDOWS_HIDE | UV_PROCESS_WINDOWS_VERBATIM_ARGUMENTS))
src/win/tcp.c
server->flags & UV_HANDLE_TCP_SINGLE_ACCEPT
handle->type == UV_TCP
(tcp)->activecnt >= 0
!((tcp)->flags & UV__HANDLE_CLOSING)
.Asrc/win/timer.c
handle->tty.rd.read_line_buffer.base != NULL
handle->tty.rd.read_line_buffer.len > 0
handle->u.fd == -1 || handle->u.fd > 2
!(handle->flags & UV_HANDLE_TTY_READABLE) || handle->tty.rd.read_raw_wait == NULL
src/win/udp.c
handle->type == UV_UDP
handle->send_queue_size >= req->u.io.queued_bytes
len > 0 && len < ARRAY_SIZE(key_name)
ntdll.dll
kernel32.dll
powrprof.dll
0.0.0.0
0123456789
%u.%u.%u.%u
fdopt.data.stream->type == UV_NAMED_PIPE
!(fdopt.data.stream->flags & UV_HANDLE_CONNECTION)
!(fdopt.data.stream->flags & UV_HANDLE_PIPESERVER)
mode == (PIPE_READMODE_BYTE | PIPE_WAIT)
0.4.0
operator
operator
global constructors keyed to
global destructors keyed to
operator""
_matherr(): %s in %s(%g, %g) (retval=%g)
VirtualQuery failed for %d bytes at address %p
VirtualProtect failed with code 0x%x
Unknown pseudo relocation protocol version %d.
Unknown pseudo relocation bit size %d.
.pdata
unknown option -- %s
unknown option -- %c
option requires an argument -- %s
option requires an argument -- %c
Error cleaning up spin_keys for thread
once %p is %d
T%p %d %s
T%p %d V=%0X H=%p %s
Assertion failed: (%s), file %s, line %d
RWL%p %d %s
RWL%p %d V=%0X B=%d r=%ld w=%ld L=%p %s
C%p %d %s
C%p %d V=%0X w=%ld %s
GCC: (Rev2, Built by MSYS2 project) 7.1.0
GCC: (Rev1, Built by MSYS2 project) 7.2.0
RegCloseKey
RegOpenKeyExW
ConnectNamedPipe
CreateIoCompletionPort
CreateNamedPipeA
CreateNamedPipeW
GetNamedPipeHandleStateA
PeekNamedPipe
SetNamedPipeHandleState
WaitNamedPipeW
_acmdln
_amsg_exit
MapVirtualKeyW
ADVAPI32.dll
IPHLPAPI.DLL
KERNEL32.dll
msvcrt.dll
PSAPI.DLL
USER32.dll
USERENV.dll
WS2_32.dll
<requestedExecutionLevel level="asInvoker"/>
<!--The ID below indicates application support for Windows Vista -->
<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/>
<!--The ID below indicates application support for Windows 7 -->
<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/>
<!--The ID below indicates application support for Windows 8 -->
<supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/>
<!--The ID below indicates application support for Windows 8.1 -->
<supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/>
<!--The ID below indicates application support for Windows 10 -->
<supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"/>
`@.eh_fram
%UUUU
UUUU%UUUU
libgcc_s_dw2-1.dll
) libuv/%s
_ntdll.dll
%d&&'
123456789
00003333
deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly
inflate 1.1.3 Copyright 1995-1998 Mark Adler
%*.*f
CNotSupportedException
commctrl_DragListMsg
Afx:%x:%x:%x:%x:%x
Afx:%x:%x
COMCTL32.DLL
CCmdTarget
__MSVCRT_HEAP_SELECT
Broken pipe
Inappropriate I/O control operation
Operation not permitted
user32.dll
.PAVCException@@
Shell32.dll
Mpr.dll
Advapi32.dll
User32.dll
Gdi32.dll
Kernel32.dll
(&07-034/)7 '
?? / %d]
%d / %d]
.PAVCFileException@@
: %d]
(*.*)|*.*||
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV)|*.WAV|MIDI
(*.MID)|*.MID|
(*.txt)|*.txt|
(*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG)|*.JPG|PNG
(*.PNG)|*.PNG|BMP
(*.BMP)|*.BMP|GIF
(*.GIF)|*.GIF|
(*.ICO)|*.ICO|
(*.CUR)|*.CUR|
%s:%d
windows
.PAVCNotSupportedException@@
out.prn
(*.prn)|*.prn|
%d.%d
%d/%d
1.6.9
unsupported zlib version
png_read_image: unsupported transformation
%d / %d
Bogus message code %d
libpng error: %s
libpng warning: %s
1.1.3
bad keyword
libpng does not support gamma background rgb_to_gray
Palette is NULL in indexed image
(%d-%d):
%ld%c
.PAVCObject@@
.PAVCSimpleException@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
.PAVCResourceException@@
.PAVCUserException@@
.?AVCCmdTarget@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.PAVCArchiveException@@
zcÁ
c:\%original file name%.exe
#include "l.chs\afxres.rc" // Standard components
WinExec
GetProcessHeap
GetCPInfo
RegOpenKeyExA
RegCreateKeyA
RegCreateKeyExA
GetViewportOrgEx
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
GetViewportExtEx
ShellExecuteA
GetKeyState
CreateDialogIndirectParamA
UnhookWindowsHookEx
SetWindowsHookExA
`.rdata
@.data
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity name="E.App" processorArchitecture="x86" version="5.2.0.0" type="win32"/><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="x86" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency></assembly>
KERNEL32.DLL
COMCTL32.dll
comdlg32.dll
GDI32.dll
ole32.dll
OLEAUT32.dll
SHELL32.dll
WINMM.dll
WINSPOOL.DRV
advapi32.dll
%s\%.*s
\\?\UNC\
eHARDWARE\DESCRIPTION\System\CentralProcessor\%d
File: %ws, Line %u
VVV.xmrig.com
Copyright (C) 2016-2017 xmrig.com
xmrig.exe
Cadvapi32.dll
tmsvcrt.dll
(*.*)

%original file name%.exe_2876_rwx_00401000_001FB000:

Same string set as the %original file name%.exe_2876 dump above (minus the application manifest and a few import names): the RWX region at 0x00401000 holds the unpacked XMRig image.

conhost.exe_2948 (the legitimate Windows 7 console host, version 6.1.7601.17641, spawned for the console-mode miner; its strings are not indicators of this Trojan):

.text
`.data
.rsrc
@.reloc
GDI32.dll
USER32.dll
msvcrt.dll
ntdll.dll
API-MS-Win-Core-LocalRegistry-L1-1-0.dll
KERNEL32.dll
IMM32.dll
ole32.dll
OLEAUT32.dll
PutInputInBuffer: EventsWritten != 1 (0x%x), 1 expected
Invalid message 0x%x
InitExtendedEditKeys: Unsupported version number(%d)
Console init failed with status 0x%x
CreateWindowsWindow failed with status 0x%x, gle = 0x%x
InitWindowsStuff failed with status 0x%x (gle = 0x%x)
InitSideBySide failed create an activation context. Error: %d
GetModuleFileNameW requires more than ScratchBufferSize(%d) - 1.
GetModuleFileNameW failed %d.
Invalid EventType: 0x%x
Dup handle failed for %d of %d (Status = 0x%x)
Couldn't grow input buffer, Status == 0x%x
InitializeScrollBuffer failed, Status = 0x%x
CreateWindow failed with gle = 0x%x
Opening Font file failed with error 0x%x
\ega.cpi
NtReplyWaitReceivePort failed with Status 0x%x
ConsoleOpenWaitEvent failed with Status 0x%x
NtCreatePort failed with Status 0x%x
GetCharWidth32 failed with error 0x%x
GetTextMetricsW failed with error 0x%x
GetSystemEUDCRangeW: RegOpenKeyExW(%ws) failed, error = 0x%x
RtlStringCchCopy failed with Status 0x%x
Cannot allocate 0n%d bytes
|%SWj
O.fBf;
ReCreateDbcsScreenBuffer failed. Restoring to CP=%d
Invalid Parameter: 0x%x, 0x%x, 0x%x
ConsoleKeyInfo buffer is full
Invalid screen buffer size (0x%x, 0x%x)
SetROMFontCodePage: failed to memory allocation %d bytes
FONT.NT
Failed to set font image. wc=x, sz=(%x,%x)
Failed to set font image. wc=x sz=(%x, %x).
Failed to set font image. wc=x sz=(%x,%x)
FullscreenControlSetColors failed - Status = 0x%x
FullscreenControlSetPalette failed - Status = 0x%x
WriteCharsFromInput failed 0x%x
WriteCharsFromInput failed %x
RtlStringCchCopyW failed with Status 0x%x
CreateFontCache failed with Status 0x%x
FTPh
\>.Sj
GetKeyboardLayout
MapVirtualKeyW
VkKeyScanW
GetKeyboardState
UnhookWindowsHookEx
SetWindowsHookExW
GetKeyState
ActivateKeyboardLayout
GetKeyboardLayoutNameA
GetKeyboardLayoutNameW
_amsg_exit
_acmdln
ShipAssert
NtReplyWaitReceivePort
NtCreatePort
NtEnumerateValueKey
NtQueryValueKey
NtOpenKey
NtAcceptConnectPort
NtReplyPort
SetProcessShutdownParameters
GetCPInfo
conhost.pdb
%$%a%b%V%U%c%Q%W%]%\%[%
%<%^%_%Z%T%i%f%`%P%l%g%h%d%e%Y%X%R%S%k%j%
version="5.1.0.0"
name="Microsoft.Windows.ConsoleHost"
<requestedExecutionLevel
name="Microsoft.Windows.ConsoleHost.SystemDefault"
publicKeyToken="6595b64144ccf1df"
name="Microsoft.Windows.SystemCompatible"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
< =$>:>@>
2%2X2
%SystemRoot%
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Console\TrueTypeFont
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Console\FullScreen
WindowSize
ColorTableu
ExtendedEditkeyCustom
ExtendedEditKey
Software\Microsoft\Windows\CurrentVersion
\ !:=/.<>;|&
%d/%d
cmd.exe
desktop.ini
\console.dll
%d/%d
6.1.7601.17641 (win7sp1_gdr.110623-1503)
CONHOST.EXE
Windows
Operating System
6.1.7601.17641

qapt.exe_3724 (the dropped file; its strings identify it as XMRig 2.3.0, an MSYS2 GCC 7 build):

.text
P`.data
.rdata
`@.eh_fram
0@.bss
.idata
.rsrc
%UUUU
UUUU%UUUU
pipe
libgcc_s_dw2-1.dll
"%s" hash self-test failed.
[%d-d-d d:d:d]%s %s%s
[%d-d-d d:d:d]
[%s:%u] duplicate job received, ignore
{"id":%lld,"jsonrpc":"2.0","method":"keepalived","params":{"id":"%s"}}
[%s:%u] getaddrinfo error: "%s"
[%s:%u] error: "%s", code: %lld
[%s:%u] unsupported method: "%s"
[%s:%u] login error code: %d
[%s:%u] JSON decode failed: "%s"
[%s:%u] read error: "%s"
login
[%s:%u] connect error: "%s"
[%s:%u] DNS error: "%s"
[%s:%u] DNS error: "No IPv4 records found"
{"id":%llu,"jsonrpc":"2.0","method":"submit","params":{"id":"%s","job_id":"%s","nonce":"%s","result":"%s"}}
[01;36m%s:%d
[01;30m%s
use pool %s:%d %s
[01;37m%u
[31m"%s"
rejected (%lld/%lld) diff %u "%s" (%llu ms)
accepted (%lld/%lld) diff %u (%llu ms)
[01;37m%s:%d
[01;37m%d
new job from %s:%d diff %d
fee.xmrig.com
stratum tcp://
.nicehash.com
XMRig 2.3.0
%d.%d.%d
libuv/%s
libjansson/%s
unable to open %s: %s
%s:%d: %s
%s: unsupported non-option argument '%s'
No pool URL supplied. Exiting.
userpass
-o, --url=URL URL of mining server
-O, --userpass=U:P username:password pair for mining server
-p, --pass=PASSWORD password for mining server
-k, --keepalive send keepalived for prevent timeout (need pool support)
--no-huge-pages disable huge pages support
--nicehash enable nicehash support
--print-time=N print hashrate report every N seconds
[01;36mXMRig/%s
[01;37m libuv/%s%s
* VERSIONS: XMRig/%s libuv/%s%s
[01;36m%d
[01;37m, %s, av=%d, %sdonate=%d%%%s
* THREADS: %d, %s, av=%d, %sdonate=%d%%%s
gcc/%d.%d.%d
2.3.0
[01;37mHUGE PAGES: %s, %s
* HUGE PAGES: %s, %s
[01;37mCPU: %s (%d) %sx64 %sAES-NI
* CPU: %s (%d) %sx64 %sAES-NI
* POOL #%d: %s:%d
[01;37mPOOL #%d:
[01;36m%s:%d
[01;36m%s
[22;36m%s %s
[01;36m%s H/s
speed 2.5s/60s/15m %s %s %s H/s max: %s H/s
Huge pages support was successfully enabled, but reboot required to use it
%s/%s (Windows NT %lu.%lu
) libuv/%s
tX4Fr.rh.46Aw-wl-6
.eK9K\9.
\uX
\uX\uX
%s near '%s'
%s near end of file
unable to decode byte 0x%x
control character 0x%x
invalid Unicode '\uX\uX'
invalid Unicode '\uX'
NUL byte in object key not supported
duplicate object key
[%c%c%c] %-8s %p
Unknown system error %d
EAFNOSUPPORT
EMSGSIZE
EPIPE
EPROTONOSUPPORT
ESPIPE
address family not supported
ai_family not supported
socket type not supported
operation canceled
illegal operation on a directory
socket operation on non-socket
operation not supported on socket
operation not permitted
broken pipe
protocol not supported
cannot send after transport endpoint shutdown
1.14.0
!loop->wq_async.async_sent
((uv_shutdown_t*) req)->handle->type == UV_NAMED_PIPE
%s: (%d) %s
(%d) %s
src/win/pipe.c
pipe->flags & UV_HANDLE_CONNECTION
pipe->u.fd == -1 || pipe->u.fd > 2
req->pipeHandle == INVALID_HANDLE_VALUE
req->pipeHandle != INVALID_HANDLE_VALUE
handle->type == UV_NAMED_PIPE
hThread == handle->pipe.conn.readfile_thread
req->write_buffer.base
!(handle->flags & UV_HANDLE_PIPESERVER)
pipe->type == UV_NAMED_PIPE
pipe->flags & UV_HANDLE_READ_PENDING
!(handle->flags & UV_HANDLE_NON_OVERLAPPED_PIPE)
\\?\pipe\uv\%p-%lu
handle->pipe.serv.accept_reqs
handle->pipe.serv.accept_reqs[0].pipeHandle != INVALID_HANDLE_VALUE
avail >= sizeof(ipc_frame.header)
bytes == sizeof(ipc_frame.header)
ipc_frame.header.flags <= (UV_IPC_TCP_SERVER | UV_IPC_RAW_DATA | UV_IPC_TCP_CONNECTION)
avail - sizeof(ipc_frame.header) >= sizeof(ipc_frame.socket_info_ex)
bytes == sizeof(ipc_frame) - sizeof(ipc_frame.header)
handle->pipe.conn.remaining_ipc_rawdata_bytes >= bytes
handle->write_queue_size >= req->u.io.queued_bytes
handle->stream.conn.write_reqs_pending > 0
pipe->pipe.conn.eof_timer == NULL
!(pipe->flags & UV_HANDLE_NON_OVERLAPPED_PIPE)
pipe->pipe.conn.ipc_pid != -1
rfds.fd_count == 1
rfds.fd_array[0] == handle->socket
wfds.fd_count == 1
wfds.fd_array[0] == handle->socket
efds.fd_count == 1
efds.fd_array[0] == handle->socket
!(options->flags & ~(UV_PROCESS_DETACHED | UV_PROCESS_SETGID | UV_PROCESS_SETUID | UV_PROCESS_WINDOWS_HIDE | UV_PROCESS_WINDOWS_VERBATIM_ARGUMENTS))
src/win/tcp.c
server->flags & UV_HANDLE_TCP_SINGLE_ACCEPT
handle->type == UV_TCP
(tcp)->activecnt >= 0
!((tcp)->flags & UV__HANDLE_CLOSING)
handle->tty.rd.read_line_buffer.base != NULL
handle->tty.rd.read_line_buffer.len > 0
handle->u.fd == -1 || handle->u.fd > 2
!(handle->flags & UV_HANDLE_TTY_READABLE) || handle->tty.rd.read_raw_wait == NULL
src/win/udp.c
handle->type == UV_UDP
handle->send_queue_size >= req->u.io.queued_bytes
len > 0 && len < ARRAY_SIZE(key_name)
_ntdll.dll
kernel32.dll
powrprof.dll
0.0.0.0
0123456789
%u.%u.%u.%u
fdopt.data.stream->type == UV_NAMED_PIPE
!(fdopt.data.stream->flags & UV_HANDLE_CONNECTION)
!(fdopt.data.stream->flags & UV_HANDLE_PIPESERVER)
mode == (PIPE_READMODE_BYTE | PIPE_WAIT)
0.4.0
operator
operator
global constructors keyed to
global destructors keyed to
operator""
_matherr(): %s in %s(%g, %g) (retval=%g)
VirtualQuery failed for %d bytes at address %p
VirtualProtect failed with code 0x%x
Unknown pseudo relocation protocol version %d.
Unknown pseudo relocation bit size %d.
unknown option -- %s
unknown option -- %c
option requires an argument -- %s
option requires an argument -- %c
Error cleaning up spin_keys for thread
once %p is %d
T%p %d %s
T%p %d V=%0X H=%p %s
Assertion failed: (%s), file %s, line %d
RWL%p %d %s
RWL%p %d V=%0X B=%d r=%ld w=%ld L=%p %s
C%p %d %s
C%p %d V=%0X w=%ld %s
GCC: (Rev2, Built by MSYS2 project) 7.1.0
GCC: (Rev1, Built by MSYS2 project) 7.2.0
5fe7f74c-6929-49d1-b7d8-c5280a7beafe
RegCloseKey
RegOpenKeyExW
ConnectNamedPipe
CreateIoCompletionPort
CreateNamedPipeA
CreateNamedPipeW
GetNamedPipeHandleStateA
PeekNamedPipe
SetNamedPipeHandleState
WaitNamedPipeW
_acmdln
_amsg_exit
MapVirtualKeyW
ADVAPI32.dll
IPHLPAPI.DLL
KERNEL32.dll
msvcrt.dll
PSAPI.DLL
USER32.dll
USERENV.dll
WS2_32.dll
<requestedExecutionLevel level="asInvoker"/>
<!--The ID below indicates application support for Windows Vista -->
<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/>
<!--The ID below indicates application support for Windows 7 -->
<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/>
<!--The ID below indicates application support for Windows 8 -->
<supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/>
<!--The ID below indicates application support for Windows 8.1 -->
<supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/>
<!--The ID below indicates application support for Windows 10 -->
<supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"/>
ntdll.dll
Cadvapi32.dll
%s\%.*s
\\?\UNC\
eHARDWARE\DESCRIPTION\System\CentralProcessor\%d
File: %ws, Line %u
tmsvcrt.dll
VVV.xmrig.com
Copyright (C) 2016-2017 xmrig.com
xmrig.exe


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager): the sample's own process (%original file name%.exe) and the dropped miner qapt.exe (observed as qapt.exe:3724), if running.
  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    C:\ProgramData\TMP\qapt.exe (711 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "%original file name%.exe" = "c:\%original file name%.exe /S"

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
