Technical Information
- [<HKLM>\System\CurrentControlSet\Services\WiredService] 'Start' = '00000002'
- [<HKLM>\System\CurrentControlSet\Services\WiredService] 'ImagePath' = '%PROGRAMDATA%\Microsoft\DeviceSync\lsass.exe'
- %PROGRAMDATA%\microsoft\devicesync\lsass.exe
- <Current directory>\_delxmr.bat
- %PROGRAMDATA%\microsoft\devicesync\lcacs.exe
- 'po##.#inexmr.com':7777
- DNS ASK po##.#inexmr.com
- '%PROGRAMDATA%\microsoft\devicesync\lsass.exe'
- '%PROGRAMDATA%\microsoft\devicesync\lcacs.exe' -o pool.minexmr.com:7777 -u 42XNe9ZxGM8haieebpzG5M7yU3whiky7NPBFD2KasSgs6NhWqiFuaxidtTMyEvgpfQT2EWhEiU5PKhEQVRNQVT75JNV5VsM -p x -k
- '%WINDIR%\syswow64\cmd.exe' /c <Current directory>\_delxmr.bat (with hidden window)
- '%PROGRAMDATA%\microsoft\devicesync\lcacs.exe' -o pool.minexmr.com:7777 -u 42XNe9ZxGM8haieebpzG5M7yU3whiky7NPBFD2KasSgs6NhWqiFuaxidtTMyEvgpfQT2EWhEiU5PKhEQVRNQVT75JNV5VsM -p x -k (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c <Current directory>\_delxmr.bat