Техническая информация
Для обеспечения автозапуска и распространения
Устанавливает следующие настройки сервисов
- [HKLM\System\CurrentControlSet\Services\StateftpService] 'Start' = '00000002'
- [HKLM\System\CurrentControlSet\Services\StateftpService] 'ImagePath' = '"%HOMEPATH%\HelpPane.exe"'
Создает следующие сервисы
- 'StateftpService' "%HOMEPATH%\HelpPane.exe"
- 'StateftpService' %HOMEPATH%\HelpPane.exe
Вредоносные функции
Запускает на исполнение
- '%WINDIR%\syswow64\taskkill.exe' /pid 1032 /f
- '%WINDIR%\syswow64\netsh.exe' firewall add allowedprogram %HOMEPATH%\HelpPane.exe "MyApp" ENABLE
Завершает или пытается завершить
следующие системные процессы:
- <SYSTEM32>\spoolsv.exe
Изменения в файловой системе
Создает следующие файлы
- %TEMP%\_mei29042\crypto.cipher._aes.pyd
- %TEMP%\_mei26882\xmrig.exe
- %TEMP%\_mei26882\httplib2\cacerts.txt
- %TEMP%\_mei26882\config.json
- %TEMP%\_mei26882\certifi\cacert.pem
- %TEMP%\_mei26882\back.jpg
- %TEMP%\_mei26882\include\pyconfig.h
- %TEMP%\_mei26882\win32service.pyd
- %TEMP%\_mei26882\win32evtlog.pyd
- %TEMP%\_mei26882\win32event.pyd
- %TEMP%\_mei26882\win32api.pyd
- %TEMP%\_mei26882\unicodedata.pyd
- %TEMP%\_mei26882\servicemanager.pyd
- %TEMP%\_mei26882\select.pyd
- %WINDIR%\temp\_mei17282\crypto.cipher._aes.pyd
- %TEMP%\_mei26882\pywintypes27.dll
- %TEMP%\_mei26882\pyexpat.pyd
- %TEMP%\_mei26882\psutil._psutil_windows.pyd
- %TEMP%\_mei26882\perfmon.pyd
- %TEMP%\_mei26882\netifaces.pyd
- %TEMP%\_mei26882\msvcr90.dll
- %TEMP%\_mei26882\msvcp90.dll
- %TEMP%\_mei26882\msvcm90.dll
- %TEMP%\_mei26882\ftpcrack.exe.manifest
- %TEMP%\_mei26882\bz2.pyd
- %TEMP%\_mei26882\_win32sysloader.pyd
- %TEMP%\_mei26882\_ssl.pyd
- %TEMP%\_mei26882\_socket.pyd
- %TEMP%\_mei26882\_hashlib.pyd
- %TEMP%\_mei26882\python27.dll
- %WINDIR%\temp\_mei17282\microsoft.vc90.crt.manifest
- %WINDIR%\temp\_mei17282\_ctypes.pyd
- %WINDIR%\temp\_mei17282\_hashlib.pyd
- %WINDIR%\temp\config.json
- %WINDIR%\temp\xmrig.exe
- %WINDIR%\temp\_mei17282\xmrig.exe
- %WINDIR%\temp\_mei17282\httplib2\cacerts.txt
- %WINDIR%\temp\_mei17282\config.json
- %WINDIR%\temp\_mei17282\certifi\cacert.pem
- %WINDIR%\temp\_mei17282\back.jpg
- %WINDIR%\temp\_mei17282\include\pyconfig.h
- %WINDIR%\temp\_mei17282\win32service.pyd
- %WINDIR%\temp\_mei17282\win32evtlog.pyd
- %WINDIR%\temp\_mei17282\win32event.pyd
- %WINDIR%\temp\_mei17282\win32api.pyd
- %WINDIR%\temp\_mei17282\unicodedata.pyd
- %WINDIR%\temp\_mei17282\servicemanager.pyd
- %WINDIR%\temp\_mei17282\select.pyd
- %WINDIR%\temp\_mei17282\pywintypes27.dll
- %WINDIR%\temp\_mei17282\python27.dll
- %WINDIR%\temp\_mei17282\pyexpat.pyd
- %WINDIR%\temp\_mei17282\psutil._psutil_windows.pyd
- %WINDIR%\temp\_mei17282\perfmon.pyd
- %WINDIR%\temp\_mei17282\netifaces.pyd
- %WINDIR%\temp\_mei17282\msvcr90.dll
- %WINDIR%\temp\_mei17282\msvcp90.dll
- %WINDIR%\temp\_mei17282\msvcm90.dll
- %WINDIR%\temp\_mei17282\ftpcrack.exe.manifest
- %WINDIR%\temp\_mei17282\bz2.pyd
- %WINDIR%\temp\_mei17282\_win32sysloader.pyd
- %WINDIR%\temp\_mei17282\_ssl.pyd
- %WINDIR%\temp\_mei17282\_socket.pyd
- %TEMP%\_mei26882\_ctypes.pyd
- %WINDIR%\temp\link.txt
- %TEMP%\_mei26882\microsoft.vc90.crt.manifest
- %TEMP%\_mei12962\xmrig.exe
- %TEMP%\_mei29042\config.json
- %TEMP%\_mei29042\certifi\cacert.pem
- %TEMP%\_mei29042\back.jpg
- %TEMP%\_mei29042\include\pyconfig.h
- %TEMP%\_mei29042\win32service.pyd
- %TEMP%\_mei29042\win32evtlog.pyd
- %TEMP%\_mei29042\win32event.pyd
- %TEMP%\_mei29042\win32api.pyd
- %TEMP%\_mei29042\unicodedata.pyd
- %TEMP%\_mei29042\servicemanager.pyd
- %TEMP%\_mei29042\select.pyd
- %TEMP%\_mei29042\pywintypes27.dll
- %TEMP%\_mei29042\python27.dll
- %TEMP%\_mei29042\httplib2\cacerts.txt
- %TEMP%\_mei29042\pyexpat.pyd
- %TEMP%\_mei29042\perfmon.pyd
- %TEMP%\_mei29042\netifaces.pyd
- %TEMP%\_mei29042\msvcr90.dll
- %TEMP%\_mei29042\msvcp90.dll
- %TEMP%\_mei29042\msvcm90.dll
- %TEMP%\_mei29042\ftpcrack.exe.manifest
- %TEMP%\_mei29042\bz2.pyd
- %TEMP%\_mei29042\_win32sysloader.pyd
- %TEMP%\_mei29042\_ssl.pyd
- %TEMP%\_mei29042\_socket.pyd
- %TEMP%\_mei29042\_hashlib.pyd
- %TEMP%\_mei29042\_ctypes.pyd
- %TEMP%\_mei29042\microsoft.vc90.crt.manifest
- %TEMP%\_mei29042\psutil._psutil_windows.pyd
- %TEMP%\_mei29042\xmrig.exe
- %HOMEPATH%\helppane.exe
- %TEMP%\_mei12962\crypto.cipher._aes.pyd
- %TEMP%\_mei12962\httplib2\cacerts.txt
- %TEMP%\_mei12962\config.json
- %TEMP%\_mei12962\certifi\cacert.pem
- %TEMP%\_mei12962\back.jpg
- %TEMP%\_mei12962\include\pyconfig.h
- %TEMP%\_mei12962\win32service.pyd
- %TEMP%\_mei12962\win32evtlog.pyd
- %TEMP%\_mei12962\win32event.pyd
- %TEMP%\_mei12962\win32api.pyd
- %TEMP%\_mei12962\unicodedata.pyd
- %TEMP%\_mei12962\servicemanager.pyd
- %TEMP%\_mei12962\select.pyd
- %TEMP%\_mei12962\pywintypes27.dll
- %TEMP%\_mei12962\python27.dll
- %TEMP%\_mei12962\pyexpat.pyd
- %TEMP%\_mei12962\psutil._psutil_windows.pyd
- %TEMP%\_mei12962\perfmon.pyd
- %TEMP%\_mei12962\netifaces.pyd
- %TEMP%\_mei12962\msvcr90.dll
- %TEMP%\_mei12962\msvcp90.dll
- %TEMP%\_mei12962\msvcm90.dll
- %TEMP%\_mei12962\ftpcrack.exe.manifest
- %TEMP%\_mei12962\bz2.pyd
- %TEMP%\_mei12962\_win32sysloader.pyd
- %TEMP%\_mei12962\_ssl.pyd
- %TEMP%\_mei12962\_socket.pyd
- %TEMP%\_mei12962\_hashlib.pyd
- %TEMP%\_mei12962\_ctypes.pyd
- %TEMP%\_mei12962\microsoft.vc90.crt.manifest
- %TEMP%\_mei26882\crypto.cipher._aes.pyd
- %WINDIR%\temp\config
Удаляет следующие файлы
- %TEMP%\_mei12962\back.jpg
- %TEMP%\_mei29042\crypto.cipher._aes.pyd
- %TEMP%\_mei29042\config.json
- %TEMP%\_mei29042\certifi\cacert.pem
- %TEMP%\_mei29042\bz2.pyd
- %TEMP%\_mei29042\back.jpg
- %TEMP%\_mei26882\_win32sysloader.pyd
- %TEMP%\_mei26882\_ssl.pyd
- %TEMP%\_mei26882\_socket.pyd
- %TEMP%\_mei26882\_hashlib.pyd
- %TEMP%\_mei26882\_ctypes.pyd
- %TEMP%\_mei26882\xmrig.exe
- %TEMP%\_mei26882\win32service.pyd
- %TEMP%\_mei26882\win32evtlog.pyd
- %TEMP%\_mei26882\win32event.pyd
- %TEMP%\_mei26882\win32api.pyd
- %TEMP%\_mei26882\unicodedata.pyd
- %TEMP%\_mei26882\servicemanager.pyd
- %TEMP%\_mei26882\select.pyd
- %TEMP%\_mei26882\pywintypes27.dll
- %TEMP%\_mei29042\ftpcrack.exe.manifest
- %TEMP%\_mei29042\httplib2\cacerts.txt
- %TEMP%\_mei29042\include\pyconfig.h
- %TEMP%\_mei29042\microsoft.vc90.crt.manifest
- %TEMP%\_mei29042\_socket.pyd
- %TEMP%\_mei29042\_hashlib.pyd
- %TEMP%\_mei29042\_ctypes.pyd
- %TEMP%\_mei29042\xmrig.exe
- %TEMP%\_mei29042\win32service.pyd
- %TEMP%\_mei29042\win32evtlog.pyd
- %TEMP%\_mei29042\win32event.pyd
- %TEMP%\_mei29042\win32api.pyd
- %TEMP%\_mei29042\unicodedata.pyd
- %TEMP%\_mei29042\select.pyd
- %TEMP%\_mei29042\servicemanager.pyd
- %TEMP%\_mei29042\pywintypes27.dll
- %TEMP%\_mei29042\python27.dll
- %TEMP%\_mei29042\pyexpat.pyd
- %TEMP%\_mei29042\psutil._psutil_windows.pyd
- %TEMP%\_mei29042\perfmon.pyd
- %TEMP%\_mei29042\netifaces.pyd
- %TEMP%\_mei29042\msvcr90.dll
- %TEMP%\_mei29042\msvcp90.dll
- %TEMP%\_mei29042\msvcm90.dll
- %TEMP%\_mei29042\_ssl.pyd
- %TEMP%\_mei26882\python27.dll
- %TEMP%\_mei26882\pyexpat.pyd
- %TEMP%\_mei26882\psutil._psutil_windows.pyd
- %TEMP%\_mei12962\servicemanager.pyd
- %TEMP%\_mei12962\select.pyd
- %TEMP%\_mei12962\pywintypes27.dll
- %TEMP%\_mei12962\python27.dll
- %TEMP%\_mei12962\pyexpat.pyd
- %TEMP%\_mei12962\psutil._psutil_windows.pyd
- %TEMP%\_mei12962\perfmon.pyd
- %TEMP%\_mei12962\netifaces.pyd
- %TEMP%\_mei12962\msvcr90.dll
- %TEMP%\_mei12962\msvcp90.dll
- %TEMP%\_mei12962\msvcm90.dll
- %TEMP%\_mei12962\microsoft.vc90.crt.manifest
- %TEMP%\_mei12962\include\pyconfig.h
- %TEMP%\_mei12962\httplib2\cacerts.txt
- %TEMP%\_mei12962\ftpcrack.exe.manifest
- %TEMP%\_mei12962\crypto.cipher._aes.pyd
- %TEMP%\_mei12962\config.json
- %TEMP%\_mei12962\certifi\cacert.pem
- %TEMP%\_mei12962\bz2.pyd
- %TEMP%\_mei12962\unicodedata.pyd
- %TEMP%\_mei12962\win32api.pyd
- %TEMP%\_mei12962\win32event.pyd
- %TEMP%\_mei12962\win32evtlog.pyd
- %TEMP%\_mei26882\netifaces.pyd
- %TEMP%\_mei26882\msvcr90.dll
- %TEMP%\_mei26882\msvcp90.dll
- %TEMP%\_mei26882\msvcm90.dll
- %TEMP%\_mei26882\microsoft.vc90.crt.manifest
- %TEMP%\_mei26882\include\pyconfig.h
- %TEMP%\_mei26882\httplib2\cacerts.txt
- %TEMP%\_mei26882\ftpcrack.exe.manifest
- %TEMP%\_mei26882\crypto.cipher._aes.pyd
- %TEMP%\_mei26882\certifi\cacert.pem
- %TEMP%\_mei26882\config.json
- %TEMP%\_mei26882\bz2.pyd
- %TEMP%\_mei26882\back.jpg
- %TEMP%\_mei12962\_win32sysloader.pyd
- %TEMP%\_mei12962\_ssl.pyd
- %TEMP%\_mei12962\_socket.pyd
- %TEMP%\_mei12962\_hashlib.pyd
- %TEMP%\_mei12962\_ctypes.pyd
- %TEMP%\_mei12962\xmrig.exe
- %TEMP%\_mei12962\win32service.pyd
- %TEMP%\_mei26882\perfmon.pyd
- %TEMP%\_mei29042\_win32sysloader.pyd
Сетевая активность
Подключается к
- '21#.#19.255.187':21
- '15#.#24.105.196':21
- '15#.#24.105.196':2121
- '18#.#28.137.173':21
- '18#.#28.137.173':2121
- '12#.#7.88.144':21
- '12#.#7.88.144':2121
- '23.##0.189.246':21
- '23.##0.189.246':2121
- '97.#0.15.20':2121
- '97.#0.15.20':21
- '42.##6.191.66':21
- '34.##2.55.43':21
- '42.##6.191.66':2121
- '34.##2.55.43':2121
- '73.#2.98.73':21
- '73.#2.98.73':2121
- '19#.#1.166.174':21
- '73.##.210.249':2121
- '17#.#34.48.226':2121
- '73.##.210.249':21
- '10#.#45.99.60':21
- '71.##.240.21':2121
- '73.##5.231.99':21
- '73.##5.231.99':2121
- '83.##5.72.251':21
- '83.##5.72.251':2121
- '24.##.198.38':21
- '24.##.198.38':2121
- '12#.#30.4.79':21
- '12#.#30.4.79':2121
- '15#.#48.158.191':21
- '15#.#48.158.191':2121
- '18#.#89.109.212':21
- '18#.#89.109.212':2121
- '83.##7.86.141':21
- '83.##7.86.141':2121
- '87.##.144.85':21
- '87.##.144.85':2121
- '10#.#45.99.60':2121
- '71.##.240.21':21
- '18#.#42.144.95':21
- '10#.#49.29.197':2121
- '99.##3.29.189':21
- '99.##3.29.189':2121
- '11#.#3.70.26':21
- '11#.#3.70.26':2121
- '11#.#37.125.91':21
- '11#.#37.125.91':2121
- '20#.#67.21.46':21
- '61.##.39.156':21
- '20#.#67.21.46':2121
- '80.##.148.134':2121
- '67.##4.204.161':2121
- '67.##4.204.161':21
- '95.##0.227.231':21
- '95.##0.227.231':2121
- '10#.#28.102.236':21
- '10#.#28.102.236':2121
- '17#.#3.100.112':21
- '17#.#3.100.112':2121
- '19#.#1.166.174':2121
- '18#.#42.144.95':2121
- '11#.#60.25.75':2121
- '81.##3.250.99':21
- '81.##3.250.99':2121
- '14#.#61.239.92':21
- '14#.#61.239.92':2121
- '20#.#27.69.193':21
- '20#.#27.69.193':2121
- '22#.#54.207.103':2121
- '37.##.64.125':21
- '22#.#54.207.103':21
- '37.##.64.125':2121
- '15#.#69.112.213':21
- '15#.#69.112.213':2121
- '16#.#03.32.24':21
- '16#.#03.32.24':2121
- '11#.#60.25.75':21
- '24.##2.44.189':21
- '10#.#49.29.197':21
- '24.##2.44.189':2121
- '17#.#34.48.226':21
- '73.##4.125.189':2121
- '73.##4.125.189':21
- '73.##4.244.21':2121
- '11#.#01.127.152':21
- '11#.#01.127.152':2121
- '22#.#42.9.88':21
- '22#.#42.9.88':2121
- '12#.#51.22.102':21
- '12#.#51.22.102':2121
- '84.#.35.201':21
- '84.#.35.201':2121
- '20#.#7.40.32':21
- '20#.#7.40.32':2121
- '17#.#54.185.57':21
- '17#.#54.185.57':2121
- '12#.#53.15.90':21
- '12#.#53.15.90':2121
- '82.##.213.18':21
- '73.##8.13.152':2121
- '82.##.213.18':2121
- '73.##8.13.152':21
- '18#.#02.47.163':21
- '21#.#19.255.187':2121
- '96.#.212.173':21
- '96.#.212.173':2121
- '12#.#1.119.135':21
- '12#.#1.119.135':2121
- '10#.#4.168.14':21
- '10#.#4.168.14':2121
- '21#.#1.111.126':21
- '21#.#1.111.126':2121
- '19#.#0.241.2':21
- '19#.#0.241.2':2121
- '42.##.33.164':21
- '42.##.33.164':2121
- '34.##1.236.47':2121
- '34.##1.236.47':21
- '15#.#53.92.148':21
- '15#.#53.92.148':2121
- '18#.#02.47.163':2121
- '47.##3.130.115':21
- '73.##4.244.21':21
- '47.##3.130.115':2121
- '50.##.61.219':2121
- '2.##3.2.57':2121
- '13.##.106.205':21
- '13.##.106.205':2121
- '23.#4.78.43':21
- '23.#4.78.43':2121
- '87.#.162.167':21
- '87.#.162.167':2121
- '90.##9.240.218':21
- '90.##9.240.218':2121
- '61.#0.3.135':21
- '61.#0.3.135':2121
- '5.###.252.253':21
- '5.###.252.253':2121
- '76.#0.97.73':21
- '76.#0.97.73':2121
- '50.##.61.219':21
- '35.##6.220.0':21
- '2.##3.2.57':21
- '35.##6.220.0':2121
- '74.##.99.139':2121
- '19#.#0.12.158':21
- '17#.#83.90.209':21
- '17#.#83.90.209':2121
- '60.##.165.133':21
- '60.##.165.133':2121
- '5.##.239.159':21
- '5.##.239.159':2121
- '16#.#51.161.225':21
- '10#.#35.11.5':21
- '80.##.148.134':21
- '16#.#51.161.225':2121
- '67.#9.59.89':21
- '67.#9.59.89':2121
- '18#.#3.52.200':21
- '18#.#3.52.200':2121
- '18#.#31.60.194':21
- '18#.#31.60.194':2121
- '74.##.99.139':21
- '19#.#0.12.158':2121
- '61.##.39.156':2121
- '10#.#35.11.5':2121
UDP
- DNS ASK dh#.###nsmissionbt.com
- DNS ASK bt#####er.debian.org
- DNS ASK ro####.utorrent.com
- DNS ASK xm#.##ypto-pool.fr
- DNS ASK ro####.bittorrent.com
- '37.##2.197.46':51430
- '31.##8.30.28':8704
- '99.##8.13.213':35482
- '37.##3.226.68':6881
- '17#.#1.240.80':24517
- '45.##4.177.40':30070
- '83.##2.93.61':1434
- '23.##8.56.120':10039
- '18#.#50.21.103':1900
- '13#.#43.152.93':50450
- '22#.#3.70.215':40076
- '37.##4.158.211':6881
- '20#.#15.101.56':1434
- '21#.#2.253.225':21194
- '18#.#48.245.96':20943
- '19#.#88.51.249':5272
- '45.##4.177.2':13991
- '11#.#28.188.35':8000
- '12#.#12.239.144':6881
- '45.##3.207.61':6880
- '12#.#71.157.33':40774
- '5.##.7.34':3864
- '16#.#63.25.141':43424
- '45.##4.177.99':17440
- '37.##.159.107':6881
- '92.##0.215.226':61594
- '45.##4.177.210':32961
- '95.##.29.121':46375
- '18#.#32.133.141':6889
- '45.##8.251.19':52221
- '11#.#55.197.19':5353
- '42.##8.115.71':44517
- '22#.245.2.5':30099
- '45.##4.177.130':62923
- '45.##4.177.60':2190
- '14.##.200.186':7769
- '62.##7.187.3':8082
- '11#.#.148.47':6880
- '79.##3.86.155':56609
- '14#.#32.202.187':50000
- '21#.#19.122.3':51417
- '78.##.65.222':50000
- '51.#5.37.94':51413
- '45.##4.177.171':64897
- '45.##4.177.212':32961
- '11#.#18.93.201':8290
- '20#.59.85.3':8000
- '11#.#6.171.243':5060
- '17#.72.77.5':10522
- '45.##4.177.209':52622
- '17#.#41.178.177':24537
- '18#.#49.91.53':51544
- '5.##.83.114':28014
- '46.##.133.52':8098
- '19#.#76.83.99':3847
- '18#.#35.114.63':43259
- '11#.#08.101.107':4000
- '18#.#65.199.35':53604
- '18#.#62.65.68':2352
- '18#.#48.12.129':1434
- '12#.#8.224.158':46880
- 'bt#####er.debian.org':8515
- '23.##8.56.120':10015
- '1.##.81.94':23225
- '41.##8.171.53':12131
- '17#.#1.252.163':51413
- '18#.#47.143.222':24512
- '46.##2.211.38':61636
- '85.##.240.235':8566
- '45.##8.249.126':39064
- '45.##8.249.245':27146
- '94.##2.208.14':7773
- '95.##.204.133':27041
- '23.##8.56.119':10033
- '92.##5.164.234':26700
- '31.##4.151.58':6881
- '82.##8.126.170':1547
- 'dh#.###nsmissionbt.com':6881
- 'ro####.bittorrent.com':6881
- 'ro####.utorrent.com':6881
- '45.##4.86.83':6881
- '95.##6.116.228':50000
- 'bt#####er.debian.org':6881
- 'bt#####er.debian.org':8554
- '18#.#65.199.35':56162
- '94.##.194.218':28009
- '5.##.85.217':53158
- '38.##.255.76':10095
- '18#.#43.83.49':12016
- '62.##0.85.151':5250
- '45.##4.177.173':4680
- '69.#0.95.40':12047
- '11#.#66.62.78':41334
- '17#.#02.152.142':9189
- '37.##.68.143':19577
- '72.#1.17.20':18624
- '50.##.149.153':54644
- '10#.#75.181.152':53119
- '18#.#16.66.114':18678
- '69.#0.95.40':12023
- '1.##.211.36':45135
- '11#.#78.46.244':8082
- '39.##3.169.90':60961
- '14#.#35.11.99':7030
- '17#.#3.232.187':51413
- '61.##.238.144':4000
- '45.##4.177.153':16998
- '83.##9.84.137':21154
- '12#.#7.100.213':8080
- '18#.#03.56.69':28390
- '22#.#2.177.10':36892
- '45.##2.210.80':65503
- '5.##.85.89':64158
- '45.##8.250.109':57115
- '51.##.16.100':4000
- '13#.#09.183.166':6881
- '37.#6.16.67':8083
- '11#.#82.184.160':48508
- '13#.#75.46.64':6736
- '78.##.203.243':5353
- '62.##4.171.97':51413
Другое
Ищет следующие окна
- ClassName: '' WindowName: ''
Создает и запускает на исполнение
- '%HOMEPATH%\helppane.exe' --startup auto install
- '%HOMEPATH%\helppane.exe' start
- '%HOMEPATH%\helppane.exe'
- '%WINDIR%\temp\xmrig.exe'
Перезапускает анализируемый образец
Запускает на исполнение
- '%WINDIR%\syswow64\cmd.exe' /c copy /y <Полный путь к файлу> %HOMEPATH%\HelpPane.exe (со скрытым окном)
- '%WINDIR%\syswow64\cmd.exe' /c %HOMEPATH%\HelpPane.exe --startup auto install (со скрытым окном)
- '%WINDIR%\syswow64\cmd.exe' /c %HOMEPATH%\HelpPane.exe start (со скрытым окном)
- '%WINDIR%\syswow64\cmd.exe' /c taskkill /pid 1032 /f (со скрытым окном)
- '%WINDIR%\syswow64\cmd.exe' \c copy \y %WINDIR%\TEMP\_MEI17~1\\xmrig.exe %WINDIR%\TEMP\xmrig.exe (со скрытым окном)
- '%WINDIR%\syswow64\cmd.exe' \c copy \y %WINDIR%\TEMP\_MEI17~1\\config.json %WINDIR%\TEMP\config.json (со скрытым окном)
- '%WINDIR%\temp\xmrig.exe' (со скрытым окном)
- '%WINDIR%\syswow64\netsh.exe' firewall add allowedprogram %HOMEPATH%\HelpPane.exe "MyApp" ENABLE (со скрытым окном)
