Technical Information
- [<HKLM>\SYSTEM\ControlSet001\Services\System] 'Start' = '00000002'
- [<HKLM>\SYSTEM\ControlSet001\Services\System] 'ImagePath' = '%WINDIR%\temp\svchost.exe'
- %WINDIR%\Temp\runminer.bat
- %WINDIR%\Temp\svchost.exe
- %WINDIR%\Temp\System.exe
- %WINDIR%\Temp\run.bat
- 'po##.##ki.hashvault.pro':5555
- DNS ASK po##.##ki.hashvault.pro
- ClassName: 'EDIT' WindowName: ''
- '%WINDIR%\Temp\svchost.exe' install "System" "%WINDIR%\temp\runminer.bat"
- '%WINDIR%\Temp\svchost.exe' start System
- '%WINDIR%\Temp\svchost.exe'
- '%WINDIR%\Temp\System.exe' -a cryptonight-heavy -B --donate-level 1 -o pool.loki.hashvault.pro:5555 -u LDAvrVKCFDMR3VKL31TrfSAAq4tMdTKeU32TSnEyQt6F5weU7L3gL5ZepA6G4jZshpUguqNrk3GAxYEuTtg7UK547ma11Vx -p GETMONEYTEAM -k
- '<SYSTEM32>\cmd.exe' /c ""%WINDIR%\temp\run.bat" "
- '<SYSTEM32>\cmd.exe' /c ""%WINDIR%\temp\runminer.bat" "
- '<SYSTEM32>\sc.exe' delete Systemss
- '<SYSTEM32>\sc.exe' delete Service
- '<SYSTEM32>\sc.exe' delete TeamServers