The malware uses your PC for Bitcoin mining by running a freely available Bitcoin mining application that it carries inside its installer. The trojan checks whether your PC is running a 32-bit or 64-bit version of Windows and launches the matching 32-bit or 64-bit Bitcoin miner.
The Bitcoin miner runs under the process name "svchost.exe", borrowing the name of a legitimate Windows component, and periodically contacts a mining server (often a legitimate pool) where the malicious hacker has set up an account.
We have seen this threat contact the following mining servers:
auschwitz-2.com:7777
sdjuuytw7udw.ru:7777
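Because the miner hides under the name of a legitimate Windows process, a useful hunt is to look for any svchost.exe whose image path or parent process does not match the genuine one, and to correlate that with connections to the servers listed above. The script below is an added example and is not code from the original page; the process and connection records, their field names, and the legitimate svchost.exe locations it checks are constructed assumptions standing in for output from a live host.

```python
"""Hunt for an svchost.exe-masquerading miner (added example, not from the original page).

Process and connection records below are constructed sample data; on a real host
you would feed in output from tasklist / Get-Process and netstat -ano /
Get-NetTCPConnection. Field names are assumptions made for this example.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Mining servers named on the page.
MINING_SERVERS = {"auschwitz-2.com", "sdjuuytw7udw.ru"}
MINING_PORT = 7777

# Directories where a genuine svchost.exe image lives (64-bit and WOW64 copies).
# Assumed default install drive; adjust for hosts with a different %SystemRoot%.
LEGIT_SVCHOST_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


@dataclass(frozen=True)
class Proc:
    pid: int
    name: str
    image_path: str
    parent_name: str


@dataclass(frozen=True)
class Conn:
    pid: int
    remote_host: str   # hostname or IP; resolve IOC domains first if you only have IPs
    remote_port: int


def suspicious_svchost(p: Proc) -> list[str]:
    """Return the reasons a process named svchost.exe looks like a masquerade (empty if it looks genuine)."""
    if p.name.lower() != "svchost.exe":
        return []
    reasons = []
    image_dir = str(PureWindowsPath(p.image_path).parent).lower()
    if image_dir not in LEGIT_SVCHOST_DIRS:
        reasons.append(f"image path outside System32/SysWOW64: {p.image_path}")
    # Genuine service hosts are started by the Service Control Manager.
    if p.parent_name.lower() != "services.exe":
        reasons.append(f"parent is {p.parent_name}, not services.exe")
    return reasons


def hunt(procs: list[Proc], conns: list[Conn]) -> dict[int, list[str]]:
    """Correlate process and connection records; return findings keyed by PID."""
    by_pid = {p.pid: p for p in procs}
    findings: dict[int, list[str]] = {}
    for p in procs:
        for reason in suspicious_svchost(p):
            findings.setdefault(p.pid, []).append(reason)
    for c in conns:
        name = by_pid[c.pid].name if c.pid in by_pid else "<unknown>"
        if c.remote_host.lower() in MINING_SERVERS:
            findings.setdefault(c.pid, []).append(
                f"{name} connected to known mining server {c.remote_host}:{c.remote_port}")
        elif c.remote_port == MINING_PORT:
            # Port alone is a weak indicator; report it for manual follow-up.
            findings.setdefault(c.pid, []).append(
                f"{name} connected to {c.remote_host}:{c.remote_port} (port-only match, verify)")
    return findings


# Constructed sample data: one genuine svchost.exe and one impostor in a user profile.
SAMPLE_PROCS = [
    Proc(624, "services.exe", r"C:\Windows\System32\services.exe", "wininit.exe"),
    Proc(812, "svchost.exe", r"C:\Windows\System32\svchost.exe", "services.exe"),
    Proc(3120, "svchost.exe", r"C:\Users\bob\AppData\Roaming\svchost.exe", "explorer.exe"),
    Proc(4410, "chrome.exe", r"C:\Program Files\Google\Chrome\Application\chrome.exe", "explorer.exe"),
]
SAMPLE_CONNS = [
    Conn(812, "20.42.65.92", 443),
    Conn(3120, "sdjuuytw7udw.ru", 7777),
    Conn(4410, "142.250.74.46", 443),
]

if __name__ == "__main__":
    for pid, reasons in hunt(SAMPLE_PROCS, SAMPLE_CONNS).items():
        print(f"PID {pid}:")
        for r in reasons:
            print(f"  - {r}")
```

On the sample data only PID 3120 is reported: its image sits in a user profile, its parent is explorer.exe rather than services.exe, and it talks to one of the listed mining servers on port 7777. Treat the path and parent checks as the primary signal; the port match on its own is included only so that a miner pointed at a pool not on this list still surfaces for review.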
Stops services
This threat terminates a number of running processes on your PC. These may belong to other malware or to legitimate Windows applications, such as:
CheckServer.exe
cmd.exe
exceptionfilter.exe
ssyncer.exe
WerFault.exe
It also stops and deletes the following services if they are installed and active on your PC: