Technical Information
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'app' = '%APPDATA%\MoneroMining\mupdate.exe'
- '' (downloaded from the Internet)
- %APPDATA%\moneromining\mupdate.exe
- %TEMP%\client.exe
- %APPDATA%\moneromining\mupdate.exe
- 'cl####.subwayseo.com':5879
- 're##tiv.art':80
- http://www.re##tiv.art/client.exe
- 'cl####.subwayseo.com':5879
- DNS ASK cl####.subwayseo.com
- DNS ASK re##tiv.art
- '%APPDATA%\moneromining\mupdate.exe'
- '%TEMP%\client.exe'
- '%TEMP%\client.exe' (with hidden window)