FOR CUSTOMERS

Close

Library
My library

+ Add to library

Search
Search

Contact us
24/7 Tech support | Rules regarding submitting

Send a message

A query form

Call us

+7 (495) 789-45-86

Forum

Your tickets

New ticket

Call us

+7 (495) 789-45-86

Profile

EN

RU CN DE EN ES FR IT JP KZ UZ PL BY
Close
Support services
Scanners
Dr.Web vxCube
Trial
VCI investigations
Virus library
Knowledge base

Technologies

Terminology

Training and education

Myths

News

Python.BtcMine.5

Added to the Dr.Web virus database: 2025-02-18

Virus description added:

Technical Information

To ensure autorun and distribution
Sets the following service settings
  • [HKLM\System\CurrentControlSet\Services\StateftpService] 'Start' = '00000002'
  • [HKLM\System\CurrentControlSet\Services\StateftpService] 'ImagePath' = '"%HOMEPATH%\HelpPane.exe"'
Creates the following services
  • 'StateftpService' "%HOMEPATH%\HelpPane.exe"
  • 'StateftpService' %HOMEPATH%\HelpPane.exe
Malicious functions
Executes the following
  • '%WINDIR%\syswow64\taskkill.exe' /pid 1028 /f
  • '%WINDIR%\syswow64\netsh.exe' firewall add allowedprogram %HOMEPATH%\HelpPane.exe "MyApp" ENABLE
Terminates or attempts to terminate
the following system processes:
  • <SYSTEM32>\spoolsv.exe
Modifies file system
Creates the following files
  • %TEMP%\_mei6962\crypto.cipher._aes.pyd
  • %TEMP%\_mei10682\xmrig.exe
  • %TEMP%\_mei10682\httplib2\cacerts.txt
  • %TEMP%\_mei10682\config.json
  • %TEMP%\_mei10682\certifi\cacert.pem
  • %TEMP%\_mei10682\back.jpg
  • %TEMP%\_mei10682\include\pyconfig.h
  • %TEMP%\_mei10682\win32service.pyd
  • %TEMP%\_mei10682\win32evtlog.pyd
  • %TEMP%\_mei10682\win32event.pyd
  • %TEMP%\_mei10682\win32api.pyd
  • %TEMP%\_mei10682\unicodedata.pyd
  • %TEMP%\_mei10682\servicemanager.pyd
  • %TEMP%\_mei10682\select.pyd
  • %WINDIR%\temp\_mei16722\crypto.cipher._aes.pyd
  • %TEMP%\_mei10682\pywintypes27.dll
  • %TEMP%\_mei10682\pyexpat.pyd
  • %TEMP%\_mei10682\psutil._psutil_windows.pyd
  • %TEMP%\_mei10682\perfmon.pyd
  • %TEMP%\_mei10682\netifaces.pyd
  • %TEMP%\_mei10682\msvcr90.dll
  • %TEMP%\_mei10682\msvcp90.dll
  • %TEMP%\_mei10682\msvcm90.dll
  • %TEMP%\_mei10682\ftpcrack.exe.manifest
  • %TEMP%\_mei10682\bz2.pyd
  • %TEMP%\_mei10682\_win32sysloader.pyd
  • %TEMP%\_mei10682\_ssl.pyd
  • %TEMP%\_mei10682\_socket.pyd
  • %TEMP%\_mei10682\_hashlib.pyd
  • %TEMP%\_mei10682\python27.dll
  • %WINDIR%\temp\_mei16722\microsoft.vc90.crt.manifest
  • %WINDIR%\temp\_mei16722\_ctypes.pyd
  • %WINDIR%\temp\_mei16722\_hashlib.pyd
  • %WINDIR%\temp\config.json
  • %WINDIR%\temp\xmrig.exe
  • %WINDIR%\temp\_mei16722\xmrig.exe
  • %WINDIR%\temp\_mei16722\httplib2\cacerts.txt
  • %WINDIR%\temp\_mei16722\config.json
  • %WINDIR%\temp\_mei16722\certifi\cacert.pem
  • %WINDIR%\temp\_mei16722\back.jpg
  • %WINDIR%\temp\_mei16722\include\pyconfig.h
  • %WINDIR%\temp\_mei16722\win32service.pyd
  • %WINDIR%\temp\_mei16722\win32evtlog.pyd
  • %WINDIR%\temp\_mei16722\win32event.pyd
  • %WINDIR%\temp\_mei16722\win32api.pyd
  • %WINDIR%\temp\_mei16722\unicodedata.pyd
  • %WINDIR%\temp\_mei16722\servicemanager.pyd
  • %WINDIR%\temp\_mei16722\select.pyd
  • %WINDIR%\temp\_mei16722\pywintypes27.dll
  • %WINDIR%\temp\_mei16722\python27.dll
  • %WINDIR%\temp\_mei16722\pyexpat.pyd
  • %WINDIR%\temp\_mei16722\psutil._psutil_windows.pyd
  • %WINDIR%\temp\_mei16722\perfmon.pyd
  • %WINDIR%\temp\_mei16722\netifaces.pyd
  • %WINDIR%\temp\_mei16722\msvcr90.dll
  • %WINDIR%\temp\_mei16722\msvcp90.dll
  • %WINDIR%\temp\_mei16722\msvcm90.dll
  • %WINDIR%\temp\_mei16722\ftpcrack.exe.manifest
  • %WINDIR%\temp\_mei16722\bz2.pyd
  • %WINDIR%\temp\_mei16722\_win32sysloader.pyd
  • %WINDIR%\temp\_mei16722\_ssl.pyd
  • %WINDIR%\temp\_mei16722\_socket.pyd
  • %TEMP%\_mei10682\_ctypes.pyd
  • %WINDIR%\temp\link.txt
  • %TEMP%\_mei10682\microsoft.vc90.crt.manifest
  • %TEMP%\_mei2762\xmrig.exe
  • %TEMP%\_mei6962\config.json
  • %TEMP%\_mei6962\certifi\cacert.pem
  • %TEMP%\_mei6962\back.jpg
  • %TEMP%\_mei6962\include\pyconfig.h
  • %TEMP%\_mei6962\win32service.pyd
  • %TEMP%\_mei6962\win32evtlog.pyd
  • %TEMP%\_mei6962\win32event.pyd
  • %TEMP%\_mei6962\win32api.pyd
  • %TEMP%\_mei6962\unicodedata.pyd
  • %TEMP%\_mei6962\servicemanager.pyd
  • %TEMP%\_mei6962\select.pyd
  • %TEMP%\_mei6962\pywintypes27.dll
  • %TEMP%\_mei6962\python27.dll
  • %TEMP%\_mei6962\httplib2\cacerts.txt
  • %TEMP%\_mei6962\pyexpat.pyd
  • %TEMP%\_mei6962\perfmon.pyd
  • %TEMP%\_mei6962\netifaces.pyd
  • %TEMP%\_mei6962\msvcr90.dll
  • %TEMP%\_mei6962\msvcp90.dll
  • %TEMP%\_mei6962\msvcm90.dll
  • %TEMP%\_mei6962\ftpcrack.exe.manifest
  • %TEMP%\_mei6962\bz2.pyd
  • %TEMP%\_mei6962\_win32sysloader.pyd
  • %TEMP%\_mei6962\_ssl.pyd
  • %TEMP%\_mei6962\_socket.pyd
  • %TEMP%\_mei6962\_hashlib.pyd
  • %TEMP%\_mei6962\_ctypes.pyd
  • %TEMP%\_mei6962\microsoft.vc90.crt.manifest
  • %TEMP%\_mei6962\psutil._psutil_windows.pyd
  • %TEMP%\_mei6962\xmrig.exe
  • %HOMEPATH%\helppane.exe
  • %TEMP%\_mei2762\crypto.cipher._aes.pyd
  • %TEMP%\_mei2762\httplib2\cacerts.txt
  • %TEMP%\_mei2762\config.json
  • %TEMP%\_mei2762\certifi\cacert.pem
  • %TEMP%\_mei2762\back.jpg
  • %TEMP%\_mei2762\include\pyconfig.h
  • %TEMP%\_mei2762\win32service.pyd
  • %TEMP%\_mei2762\win32evtlog.pyd
  • %TEMP%\_mei2762\win32event.pyd
  • %TEMP%\_mei2762\win32api.pyd
  • %TEMP%\_mei2762\unicodedata.pyd
  • %TEMP%\_mei2762\servicemanager.pyd
  • %TEMP%\_mei2762\select.pyd
  • %TEMP%\_mei2762\pywintypes27.dll
  • %TEMP%\_mei2762\python27.dll
  • %TEMP%\_mei2762\pyexpat.pyd
  • %TEMP%\_mei2762\psutil._psutil_windows.pyd
  • %TEMP%\_mei2762\perfmon.pyd
  • %TEMP%\_mei2762\netifaces.pyd
  • %TEMP%\_mei2762\msvcr90.dll
  • %TEMP%\_mei2762\msvcp90.dll
  • %TEMP%\_mei2762\msvcm90.dll
  • %TEMP%\_mei2762\ftpcrack.exe.manifest
  • %TEMP%\_mei2762\bz2.pyd
  • %TEMP%\_mei2762\_win32sysloader.pyd
  • %TEMP%\_mei2762\_ssl.pyd
  • %TEMP%\_mei2762\_socket.pyd
  • %TEMP%\_mei2762\_hashlib.pyd
  • %TEMP%\_mei2762\_ctypes.pyd
  • %TEMP%\_mei2762\microsoft.vc90.crt.manifest
  • %TEMP%\_mei10682\crypto.cipher._aes.pyd
  • %WINDIR%\temp\config
Deletes the following files
  • %TEMP%\_mei2762\back.jpg
  • %TEMP%\_mei6962\crypto.cipher._aes.pyd
  • %TEMP%\_mei6962\config.json
  • %TEMP%\_mei6962\certifi\cacert.pem
  • %TEMP%\_mei6962\bz2.pyd
  • %TEMP%\_mei6962\back.jpg
  • %TEMP%\_mei10682\_win32sysloader.pyd
  • %TEMP%\_mei10682\_ssl.pyd
  • %TEMP%\_mei10682\_socket.pyd
  • %TEMP%\_mei10682\_hashlib.pyd
  • %TEMP%\_mei10682\_ctypes.pyd
  • %TEMP%\_mei10682\xmrig.exe
  • %TEMP%\_mei10682\win32service.pyd
  • %TEMP%\_mei10682\win32evtlog.pyd
  • %TEMP%\_mei10682\win32event.pyd
  • %TEMP%\_mei10682\win32api.pyd
  • %TEMP%\_mei10682\unicodedata.pyd
  • %TEMP%\_mei10682\servicemanager.pyd
  • %TEMP%\_mei10682\select.pyd
  • %TEMP%\_mei10682\pywintypes27.dll
  • %TEMP%\_mei6962\ftpcrack.exe.manifest
  • %TEMP%\_mei6962\httplib2\cacerts.txt
  • %TEMP%\_mei6962\include\pyconfig.h
  • %TEMP%\_mei6962\microsoft.vc90.crt.manifest
  • %TEMP%\_mei6962\_socket.pyd
  • %TEMP%\_mei6962\_hashlib.pyd
  • %TEMP%\_mei6962\_ctypes.pyd
  • %TEMP%\_mei6962\xmrig.exe
  • %TEMP%\_mei6962\win32service.pyd
  • %TEMP%\_mei6962\win32evtlog.pyd
  • %TEMP%\_mei6962\win32event.pyd
  • %TEMP%\_mei6962\win32api.pyd
  • %TEMP%\_mei6962\unicodedata.pyd
  • %TEMP%\_mei6962\select.pyd
  • %TEMP%\_mei6962\servicemanager.pyd
  • %TEMP%\_mei6962\pywintypes27.dll
  • %TEMP%\_mei6962\python27.dll
  • %TEMP%\_mei6962\pyexpat.pyd
  • %TEMP%\_mei6962\psutil._psutil_windows.pyd
  • %TEMP%\_mei6962\perfmon.pyd
  • %TEMP%\_mei6962\netifaces.pyd
  • %TEMP%\_mei6962\msvcr90.dll
  • %TEMP%\_mei6962\msvcp90.dll
  • %TEMP%\_mei6962\msvcm90.dll
  • %TEMP%\_mei6962\_ssl.pyd
  • %TEMP%\_mei10682\python27.dll
  • %TEMP%\_mei10682\pyexpat.pyd
  • %TEMP%\_mei10682\psutil._psutil_windows.pyd
  • %TEMP%\_mei2762\servicemanager.pyd
  • %TEMP%\_mei2762\select.pyd
  • %TEMP%\_mei2762\pywintypes27.dll
  • %TEMP%\_mei2762\python27.dll
  • %TEMP%\_mei2762\pyexpat.pyd
  • %TEMP%\_mei2762\psutil._psutil_windows.pyd
  • %TEMP%\_mei2762\perfmon.pyd
  • %TEMP%\_mei2762\netifaces.pyd
  • %TEMP%\_mei2762\msvcr90.dll
  • %TEMP%\_mei2762\msvcp90.dll
  • %TEMP%\_mei2762\msvcm90.dll
  • %TEMP%\_mei2762\microsoft.vc90.crt.manifest
  • %TEMP%\_mei2762\include\pyconfig.h
  • %TEMP%\_mei2762\httplib2\cacerts.txt
  • %TEMP%\_mei2762\ftpcrack.exe.manifest
  • %TEMP%\_mei2762\crypto.cipher._aes.pyd
  • %TEMP%\_mei2762\config.json
  • %TEMP%\_mei2762\certifi\cacert.pem
  • %TEMP%\_mei2762\bz2.pyd
  • %TEMP%\_mei2762\unicodedata.pyd
  • %TEMP%\_mei2762\win32api.pyd
  • %TEMP%\_mei2762\win32event.pyd
  • %TEMP%\_mei2762\win32evtlog.pyd
  • %TEMP%\_mei10682\netifaces.pyd
  • %TEMP%\_mei10682\msvcr90.dll
  • %TEMP%\_mei10682\msvcp90.dll
  • %TEMP%\_mei10682\msvcm90.dll
  • %TEMP%\_mei10682\microsoft.vc90.crt.manifest
  • %TEMP%\_mei10682\include\pyconfig.h
  • %TEMP%\_mei10682\httplib2\cacerts.txt
  • %TEMP%\_mei10682\ftpcrack.exe.manifest
  • %TEMP%\_mei10682\crypto.cipher._aes.pyd
  • %TEMP%\_mei10682\certifi\cacert.pem
  • %TEMP%\_mei10682\config.json
  • %TEMP%\_mei10682\bz2.pyd
  • %TEMP%\_mei10682\back.jpg
  • %TEMP%\_mei2762\_win32sysloader.pyd
  • %TEMP%\_mei2762\_ssl.pyd
  • %TEMP%\_mei2762\_socket.pyd
  • %TEMP%\_mei2762\_hashlib.pyd
  • %TEMP%\_mei2762\_ctypes.pyd
  • %TEMP%\_mei2762\xmrig.exe
  • %TEMP%\_mei2762\win32service.pyd
  • %TEMP%\_mei10682\perfmon.pyd
  • %TEMP%\_mei6962\_win32sysloader.pyd
Network activity
Connects to
  • '10#.#11.199.186':21
  • '58.##.129.37':21
  • '18#.#26.219.110':21
  • '58.##.129.37':2121
  • '18#.#26.219.110':2121
  • '5.##2.88.8':21
  • '5.##2.88.8':2121
  • '12#.#29.27.158':21
  • '18#.#25.170.136':2121
  • '12#.#29.27.158':2121
  • '81.#5.1.242':2121
  • '14.##.111.36':21
  • '62.#.7.171':2121
  • '18#.#77.24.126':21
  • '18#.#77.24.126':2121
  • '73.##.231.141':21
  • '73.##.231.141':2121
  • '47.##0.176.177':2121
  • '47.##0.176.177':21
  • '14.##.111.36':2121
  • '23.##4.199.56':2121
  • '62.#.7.171':21
  • '76.##1.35.70':2121
  • '81.#5.1.242':21
  • '18#.#25.170.136':21
  • '35.##8.10.147':2121
  • '13.##5.30.26':21
  • '13.##5.30.26':2121
  • '10#.#65.121.239':21
  • '10#.#65.121.239':2121
  • '5.##.166.175':21
  • '67.#.145.101':2121
  • '88.##9.123.113':2121
  • '5.##.166.175':2121
  • '23.##4.199.56':21
  • '11#.#68.16.204':21
  • '19#.#48.242.183':21
  • '19#.#48.242.183':2121
  • '12#.#07.255.166':21
  • '12#.#07.255.166':2121
  • '37.##.176.59':21
  • '37.##.176.59':2121
  • '81.##5.113.184':21
  • '81.##5.113.184':2121
  • '67.#.145.101':21
  • '11#.#68.16.204':2121
  • '16#.#40.199.134':21
  • '17#.#96.67.29':2121
  • '75.##0.18.108':21
  • '19#.#3.109.149':21
  • '19#.#3.109.149':2121
  • '77.##8.56.43':21
  • '77.##8.56.43':2121
  • '17#.#31.139.226':2121
  • '17#.#31.139.226':21
  • '17#.#96.67.29':21
  • '89.##2.135.20':21
  • '21#.#15.224.48':21
  • '18#.#32.35.36':2121
  • '21#.#15.224.48':2121
  • '79.##1.100.161':2121
  • '16#.#57.224.177':2121
  • '16#.#57.224.177':21
  • '46.##.136.72':21
  • '46.##.136.72':2121
  • '21#.#58.162.109':21
  • '89.##2.135.20':2121
  • '67.##5.103.93':2121
  • '16#.#40.199.134':2121
  • '79.##1.100.161':21
  • '18#.#32.35.36':21
  • '67.##5.103.93':21
  • '18#.#7.249.191':2121
  • '75.##0.18.108':2121
  • '91.#7.5.60':21
  • '91.#7.5.60':2121
  • '2.###.20.128':21
  • '2.###.20.128':2121
  • '18#.#2.248.56':21
  • '18#.#2.248.56':2121
  • '20#.#9.215.109':21
  • '11#.#6.104.37':2121
  • '20#.#9.215.109':2121
  • '46.##2.130.189':2121
  • '2.###.61.175':21
  • '2.###.61.175':2121
  • '19#.#54.190.116':21
  • '19#.#54.190.116':2121
  • '17#.#4.188.248':21
  • '17#.#4.188.248':2121
  • '18#.#7.249.191':21
  • '15#.#54.6.35':21
  • '46.##2.130.189':21
  • '11#.#6.104.37':21
  • '35.##8.10.147':21
  • '15#.#54.6.35':2121
  • '88.##9.123.113':21
  • '15#.#95.164.163':2121
  • '72.##.51.176':21
  • '72.##.51.176':2121
  • '98.##4.84.22':21
  • '98.##4.84.22':2121
  • '17#.#21.45.106':2121
  • '17#.#21.45.106':21
  • '14#.#3.219.205':21
  • '94.##3.235.253':21
  • '15#.#.249.11':21
  • '99.##2.200.34':2121
  • '94.#.199.170':2121
  • '11#.#1.232.209':2121
  • '36.##.249.250':21
  • '36.##.249.250':2121
  • '27.##7.189.128':21
  • '27.##7.189.128':2121
  • '76.##0.108.211':21
  • '15#.#.249.11':2121
  • '94.#.199.170':21
  • '21#.#58.162.109':2121
  • '11#.#1.232.209':21
  • '99.##2.200.34':21
  • '94.##3.235.253':2121
  • '11#.#42.191.52':2121
  • '37.##.236.164':21
  • '37.##.236.164':2121
  • '17#.#8.222.71':21
  • '17#.#8.222.71':2121
  • '15#.#4.190.49':2121
  • '15#.#4.190.49':21
  • '99.##0.151.157':21
  • '99.##0.151.157':2121
  • '34.##.247.132':21
  • '11#.#3.245.6':2121
  • '12#.#59.29.4':21
  • '12#.#59.29.4':2121
  • '39.##.102.235':21
  • '39.##.102.235':2121
  • '37.##4.63.72':21
  • '37.##4.63.72':2121
  • '1.###.31.109':21
  • '1.###.31.109':2121
  • '11#.#42.191.52':21
  • '11#.#3.245.6':21
  • '76.##0.108.211':2121
  • '76.##1.35.70':21
  • '17#.#7.61.166':2121
  • '90.#41.29.9':21
  • '20#.#.222.66':2121
  • '10#.#78.174.177':21
  • '71.##1.193.216':21
  • '71.##1.193.216':2121
  • '79.##7.109.8':21
  • '79.##7.109.8':2121
  • '10#.#4.223.98':21
  • '19#.#27.251.37':2121
  • '10#.#4.223.98':2121
  • '73.##0.29.216':2121
  • '10#.#78.174.177':2121
  • '45.##.108.119':21
  • '10#.#3.78.173':21
  • '10#.#3.78.173':2121
  • '70.##9.197.109':21
  • '70.##9.197.109':2121
  • '27.#4.23.85':21
  • '27.#4.23.85':2121
  • '73.##0.29.216':21
  • '14#.#3.219.205':2121
  • '15#.#95.164.163':21
  • '45.##.108.119':2121
  • '84.##9.210.53':2121
  • '84.##9.210.53':21
  • '19#.#27.251.37':21
  • '74.##.228.33':21
  • '74.##.228.33':2121
  • '18#.#0.115.10':21
  • '18#.#0.115.10':2121
  • '11#.#8.83.11':21
  • '11#.#8.83.11':2121
  • '75.##2.13.34':21
  • '90.#41.29.9':2121
  • '75.##2.13.34':2121
  • '10#.#8.108.186':2121
  • '81.##4.19.239':21
  • '81.##4.19.239':2121
  • '10#.#41.162.65':21
  • '10#.#41.162.65':2121
  • '10#.#30.54.192':21
  • '10#.#30.54.192':2121
  • '11#.#29.157.57':21
  • '11#.#29.157.57':2121
  • '10#.#8.108.186':21
  • '12#.#58.175.140':21
  • '12#.#58.175.140':2121
  • '20#.#.222.66':21
  • '34.##.247.132':2121
  • '24.##7.53.88':21
  • '11#.#66.116.181':2121
  • '1.###.206.80':21
  • '1.###.206.80':2121
  • '79.##5.31.174':21
  • '79.##5.31.174':2121
  • '16#.#6.72.193':21
  • '16#.#6.72.193':2121
  • '17#.#74.230.199':21
  • '17#.#74.230.199':2121
  • '49.#3.94.18':21
  • '49.#3.94.18':2121
  • '20#.#1.60.195':2121
  • '93.##9.163.58':2121
  • '90.##1.178.119':21
  • '90.##1.178.119':2121
  • '18#.64.82.4':21
  • '18#.64.82.4':2121
  • '50.##9.90.227':21
  • '50.##9.90.227':2121
  • '10#.#3.46.235':21
  • '20#.#1.60.195':21
  • '93.##9.163.58':21
  • '18#.#36.140.250':21
  • '10#.#3.46.235':2121
  • '10#.#0.47.221':2121
  • '11#.#4.128.190':2121
  • '80.##.227.63':21
  • '80.##.227.63':2121
  • '82.##8.100.217':21
  • '82.##8.100.217':2121
  • '73.##2.121.115':21
  • '73.##2.121.115':2121
  • '12#.#9.98.149':21
  • '22#.#03.137.35':2121
  • '12#.#9.98.149':2121
  • '86.##.166.234':21
  • '75.##.105.225':21
  • '75.##.105.225':2121
  • '46.#9.29.23':21
  • '46.#9.29.23':2121
  • '34.##.162.175':21
  • '34.##.162.175':2121
  • '10#.#0.47.221':21
  • '86.##.166.234':2121
  • '13#.#55.197.37':21
  • '13#.#55.197.37':2121
  • '5.###.142.54':21
  • '18#.#36.140.250':2121
  • '73.##2.45.65':21
  • '51.##8.116.222':21
  • '51.##8.116.222':2121
  • '73.#5.4.60':21
  • '73.#5.4.60':2121
  • '19#.#2.242.156':21
  • '19#.#2.242.156':2121
  • '37.##9.236.210':21
  • '10#.#69.84.34':2121
  • '37.##9.236.210':2121
  • '73.##2.45.65':2121
  • '20#.#9.69.22':2121
  • '70.##3.46.65':2121
  • '8.###.134.247':2121
  • '8.###.134.247':21
  • '98.##3.105.195':21
  • '98.##3.105.195':2121
  • '10#.#14.90.92':21
  • '10#.#14.90.92':2121
  • '20#.#9.69.22':21
  • '10#.#69.84.34':21
  • '70.##3.46.65':21
  • '60.##.15.134':2121
  • '60.##.15.134':21
  • '38.##0.158.220':2121
  • '12#.#24.164.205':2121
  • '11#.#6.74.74':21
  • '76.##.210.104':21
  • '11#.#6.74.74':2121
  • '76.##.210.104':2121
  • '79.##5.158.204':21
  • '79.##5.158.204':2121
  • '11#.#9.91.87':21
  • '11#.#9.91.87':2121
  • '12#.#24.164.205':21
  • '94.##5.221.101':21
  • '89.##9.86.75':21
  • '89.##9.86.75':2121
  • '62.##.72.221':21
  • '62.##.72.221':2121
  • '85.#.217.88':21
  • '85.#.217.88':2121
  • '21#.#00.130.122':21
  • '21#.#00.130.122':2121
  • '22#.#03.137.35':21
  • '94.##5.221.101':2121
  • '11#.#4.128.190':21
  • '5.###.142.54':2121
  • '95.##2.227.231':2121
  • '12#.#9.164.222':2121
  • '11#.#13.208.56':2121
  • '91.##3.171.200':21
  • '91.##3.171.200':2121
  • '38.##7.228.205':21
  • '38.##7.228.205':2121
  • '14.##1.122.42':21
  • '10#.#9.188.229':2121
  • '14.##1.122.42':2121
  • '89.##8.184.108':2121
  • '11#.#13.208.56':21
  • '40.##3.231.28':21
  • '86.##0.214.56':21
  • '86.##0.214.56':2121
  • '79.##5.110.132':21
  • '79.##5.110.132':2121
  • '23.#1.19.96':21
  • '23.#1.19.96':2121
  • '89.##8.184.108':21
  • '10#.#9.188.229':21
  • '24.##7.53.88':2121
  • '40.##3.231.28':2121
  • '17#.#49.240.198':2121
  • '94.#6.125.1':2121
  • '94.#6.125.1':21
  • '20#.#6.203.228':21
  • '20#.#6.203.228':2121
  • '41.##5.153.189':21
  • '41.##5.153.189':2121
  • '10#.#3.117.212':21
  • '10#.#3.117.212':2121
  • '12#.#7.95.158':21
  • '12#.#7.95.158':2121
  • '11#.#66.116.181':21
  • '18#.#3.19.239':21
  • '34.##7.93.119':2121
  • '34.##7.93.119':21
  • '73.##3.75.12':21
  • '73.##3.75.12':2121
  • '17#.#26.234.229':21
  • '19#.#16.5.130':21
  • '17#.#26.234.229':2121
  • '19#.#16.5.130':2121
  • '83.#50.5.25':21
  • '18#.#3.19.239':2121
  • '23.##6.208.114':2121
  • '17#.#49.240.198':21
  • '23.##6.208.114':21
  • '83.#50.5.25':2121
  • '18#.#21.181.171':21
  • '21#.#1.235.34':2121
  • '21#.#1.235.34':21
  • '86.#.240.39':21
  • '86.#.240.39':2121
  • '10#.#02.24.62':21
  • '10#.#02.24.62':2121
  • '17#.#35.171.248':21
  • '20#.#71.201.81':21
  • '72.##.76.193':21
  • '27.##.127.130':2121
  • '72.##.76.193':2121
  • '18#.#83.21.207':2121
  • '17#.#7.73.230':21
  • '17#.#7.73.230':2121
  • '1.###.212.78':21
  • '1.###.212.78':2121
  • '95.##2.227.231':21
  • '20#.#71.201.81':2121
  • '18#.#15.20.178':2121
  • '82.#8.89.95':2121
  • '18#.#83.21.207':21
  • '27.##.127.130':21
  • '18#.#15.20.178':21
  • '18#.#8.163.234':2121
  • '18#.#21.181.171':2121
  • '5.###.188.250':21
  • '5.###.188.250':2121
  • '35.##6.38.132':21
  • '35.##6.38.132':2121
  • '11#.#38.59.58':21
  • '11#.#38.59.58':2121
  • '19#.#40.66.190':21
  • '17#.#06.20.183':2121
  • '19#.#40.66.190':2121
  • '17#.#1.90.64':2121
  • '98.##.127.133':21
  • '98.##.127.133':2121
  • '12#.#22.159.110':21
  • '12#.#22.159.110':2121
  • '68.##9.102.143':21
  • '68.##9.102.143':2121
  • '18#.#8.163.234':21
  • '82.#8.89.95':21
  • '17#.#1.90.64':21
  • '17#.#06.20.183':21
  • '17#.#35.171.248':2121
  • '17#.#7.61.166':21
  • '24.##.254.154':2121
  • '24.##.254.154':21
  • '76.##2.31.37':2121
  • '17#.#13.247.80':21
  • '17#.#13.247.80':2121
  • '10#.157.6.6':21
  • '10#.157.6.6':2121
  • '86.#.202.33':21
  • '86.#.202.33':2121
  • '12#.#40.47.26':21
  • '12#.#3.198.193':21
  • '76.##2.31.37':21
  • '12#.#0.220.70':21
  • '13.##7.8.113':21
  • '13.##7.8.113':2121
  • '17#.#5.17.19':21
  • '17#.#5.17.19':2121
  • '15#.#55.85.246':21
  • '15#.#55.85.246':2121
  • '23.##6.189.224':21
  • '12#.#3.198.193':2121
  • '23.##6.189.224':2121
  • '12#.#0.220.70':2121
  • '68.##3.242.17':2121
  • '18#.#3.200.118':2121
  • '11#.#7.209.7':2121
  • '80.#.254.113':21
  • '80.#.254.113':2121
  • '95.##1.254.31':21
  • '95.##1.254.31':2121
  • '10#.#05.12.231':21
  • '10#.#05.12.231':2121
  • '18#.#3.200.118':21
  • '11#.#8.52.206':21
  • '89.##3.65.129':21
  • '69.##1.171.251':2121
  • '10#.#50.171.216':21
  • '12#.#7.67.37':2121
  • '69.##4.187.113':21
  • '97.##2.200.81':21
  • '97.##2.200.81':2121
  • '69.##4.187.113':2121
  • '69.##1.171.251':21
  • '11#.#8.52.206':2121
  • '68.##3.242.17':21
  • '10#.#50.171.216':2121
  • '12#.#7.67.37':21
  • '18#.#95.120.65':2121
  • '95.##8.136.105':21
  • '18#.#2.185.36':21
  • '18#.#2.185.36':2121
  • '15#.#19.7.28':21
  • '15#.#19.7.28':2121
  • '86.##5.147.137':21
  • '86.##5.147.137':2121
  • '79.##.93.111':21
  • '10#.#0.44.138':2121
  • '79.##.93.111':2121
  • '23.#2.3.179':2121
  • '17#.#80.168.91':2121
  • '85.#.231.69':21
  • '18#.#81.26.41':21
  • '18#.#81.26.41':2121
  • '12#.#39.60.135':21
  • '12#.#39.60.135':2121
  • '17#.#39.68.140':21
  • '17#.#39.68.140':2121
  • '23.#2.3.179':21
  • '10#.#0.44.138':21
  • '1.###.149.160':2121
  • '85.#.231.69':2121
  • '1.###.149.160':21
  • '95.##8.136.105':2121
  • '11#.#0.236.218':21
  • '34.##0.254.65':21
  • '34.##0.254.65':2121
  • '17#.#51.63.253':21
  • '17#.#51.63.253':2121
  • '78.#0.69.49':21
  • '78.#0.69.49':2121
  • '73.#.6.136':21
  • '73.#.6.136':2121
  • '63.##1.60.185':21
  • '11#.#0.236.218':2121
  • '63.##1.60.185':2121
  • '1.###.15.134':21
  • '27.##4.194.99':2121
  • '1.###.15.134':2121
  • '42.##.123.180':21
  • '42.##.123.180':2121
  • '14#.#47.102.119':21
  • '14#.#47.102.119':2121
  • '11#.#7.209.7':21
  • '19#.#21.15.37':2121
  • '27.##4.194.99':21
  • '89.##3.65.129':2121
  • '19#.#21.15.37':21
  • '80.##.151.37':2121
  • '12#.#79.107.28':21
  • '12#.#23.191.76':2121
  • '19#.#08.94.130':21
  • '19#.#08.94.130':2121
  • '69.##9.50.226':21
  • '69.##9.50.226':2121
  • '11#.#6.236.103':21
  • '11#.#5.173.173':2121
  • '11#.#6.236.103':2121
  • '12#.#5.138.156':21
  • '12#.#23.191.76':21
  • '18#.#12.151.116':2121
  • '17#.#0.76.11':21
  • '17#.#0.76.11':2121
  • '18#.#4.139.151':21
  • '18#.#4.139.151':2121
  • '12#.#71.241.30':21
  • '12#.#71.241.30':2121
  • '18#.#12.151.116':21
  • '11#.#5.173.173':21
  • '86.##.214.123':21
  • '86.##.214.123':2121
  • '12#.#5.138.156':2121
  • '10#.#11.199.186':2121
  • '18#.#95.120.65':21
  • '13#.#24.203.76':2121
  • '10#.#3.71.145':21
  • '10#.#3.71.145':2121
  • '79.##4.118.175':21
  • '79.##4.118.175':2121
  • '14#.#24.4.224':21
  • '14#.#24.4.224':2121
  • '18#.#17.32.6':21
  • '18#.#17.32.6':2121
  • '13#.#24.203.76':21
  • '92.##.118.88':21
  • '13#.#77.22.72':21
  • '13#.#77.22.72':2121
  • '95.##.106.208':21
  • '95.##.106.208':2121
  • '21#.#95.102.10':21
  • '21#.#95.102.10':2121
  • '86.##1.186.55':21
  • '86.##1.186.55':2121
  • '19#.#5.123.178':21
  • '92.##.118.88':2121
  • '19#.#5.123.178':2121
  • '17#.#80.168.91':21
  • '92.##4.159.125':2121
  • '5.##.238.161':21
  • '87.#7.97.58':21
  • '87.#7.97.58':2121
  • '70.##2.226.23':21
  • '70.##2.226.23':2121
  • '88.##9.248.87':21
  • '88.##9.248.87':2121
  • '22#.#80.33.50':21
  • '52.##.117.245':21
  • '15#.#59.116.13':21
  • '10#.#72.51.167':2121
  • '15#.#59.116.13':2121
  • '22#.#44.225.213':2121
  • '14#.#96.45.200':21
  • '14#.#96.45.200':2121
  • '21#.#07.53.11':21
  • '21#.#07.53.11':2121
  • '80.##.151.37':21
  • '52.##.117.245':2121
  • '19#.#00.153.29':2121
  • '12#.#79.107.28':2121
  • '22#.#44.225.213':21
  • '10#.#72.51.167':21
  • '19#.#00.153.29':21
  • '17#.#11.73.13':2121
  • '5.##.238.161':2121
  • '18#.#3.242.137':21
  • '18#.#3.242.137':2121
  • '48.##4.172.121':21
  • '48.##4.172.121':2121
  • '11#.#28.126.211':21
  • '11#.#28.126.211':2121
  • '82.##.185.185':21
  • '80.##4.149.54':2121
  • '82.##.185.185':2121
  • '10#.#90.81.160':21
  • '18#.#7.112.103':2121
  • '10#.#90.81.160':2121
  • '17#.#7.75.36':21
  • '17#.#7.75.36':2121
  • '71.##8.95.103':21
  • '71.##8.95.103':2121
  • '17#.#11.73.13':21
  • '92.##4.159.125':21
  • '18#.#7.112.103':21
  • '80.##4.149.54':21
  • '22#.#80.33.50':2121
  • '12#.#40.47.26':2121
  • '23.##1.36.66':21
  • '42.##9.151.1':2121
  • '59.##.135.85':21
  • '59.##.135.85':2121
  • '18#.#0.72.233':2121
  • '18#.#0.72.233':21
  • '10#.#57.178.236':21
  • '10#.#57.178.236':2121
  • '42.##9.151.1':21
  • '17#.#12.6.168':21
  • '95.##4.242.93':21
  • '76.##5.234.112':2121
  • '95.##4.242.93':2121
  • '42.#3.253.5':2121
  • '22#.#57.13.155':21
  • '22#.#57.13.155':2121
  • '19#.#79.230.204':2121
  • '19#.#79.230.204':21
  • '95.##8.167.61':21
  • '17#.#12.6.168':2121
  • '60.##5.119.217':2121
  • '27.##2.73.45':2121
  • '42.#3.253.5':21
  • '76.##5.234.112':21
  • '60.##5.119.217':21
  • '20#.#27.34.46':21
  • '59.##.195.50':2121
  • '17#.#6.132.84':2121
  • '17#.#6.132.84':21
  • '89.##.47.117':2121
  • '17#.#04.172.148':21
  • '89.##.47.117':21
  • '17#.#04.172.148':2121
  • '77.##5.32.18':2121
  • '20#.#42.84.27':2121
  • '77.##5.32.18':21
  • '96.##.193.150':21
  • '17#.#09.50.90':2121
  • '96.##.193.150':2121
  • '78.##0.176.252':21
  • '78.##0.176.252':2121
  • '71.##6.96.180':21
  • '71.##6.96.180':2121
  • '20#.#27.34.46':2121
  • '95.##8.167.61':2121
  • '17#.#09.50.90':21
  • '20#.#42.84.27':21
  • '23.##1.36.66':2121
  • '59.##.195.50':21
  • '79.##6.213.124':21
  • '1.##.193.69':2121
  • '16#.#0.197.121':2121
  • '18#.#23.18.195':21
  • '18#.#23.18.195':2121
  • '45.##7.172.180':21
  • '45.##7.172.180':2121
  • '21#.#21.34.113':21
  • '98.##3.164.167':2121
  • '21#.#21.34.113':2121
  • '72.##.240.69':2121
  • '16#.#0.197.121':21
  • '71.##8.181.136':21
  • '21#.#44.94.175':21
  • '21#.#44.94.175':2121
  • '18#.#26.237.45':21
  • '18#.#26.237.45':2121
  • '45.##.192.143':21
  • '45.##.192.143':2121
  • '72.##.240.69':21
  • '98.##3.164.167':21
  • '17#.#07.66.145':21
  • '71.##8.181.136':2121
  • '79.##8.239.73':2121
  • '39.#6.44.27':2121
  • '39.#6.44.27':21
  • '20#.76.29.9':21
  • '20#.76.29.9':2121
  • '19#.#5.63.102':21
  • '19#.#5.63.102':2121
  • '19#.#20.158.65':2121
  • '19#.#20.158.65':21
  • '60.##4.84.215':21
  • '60.##4.84.215':2121
  • '1.##.193.69':21
  • '11#.#4.162.109':21
  • '16#.#2.171.226':21
  • '16#.#2.171.226':2121
  • '18.#54.6.22':21
  • '18.#54.6.22':2121
  • '1.###.180.89':21
  • '1.###.180.89':2121
  • '11#.#39.181.64':21
  • '11#.#39.181.64':2121
  • '79.##6.213.124':2121
  • '11#.#4.162.109':2121
  • '17#.#07.66.145':2121
  • '79.##8.239.73':21
  • '38.##0.158.220':21
  • '15#.#45.75.141':2121
  • '11#.#54.71.192':2121
  • '86.#7.90.82':2121
  • '81.##6.156.251':21
  • '81.##6.156.251':2121
  • '21#.#85.84.3':21
  • '21#.#85.84.3':2121
  • '95.##5.42.82':21
  • '95.##5.42.82':2121
  • '16#.#3.249.14':21
  • '20#.#19.71.62':21
  • '86.#7.90.82':21
  • '11#.#4.60.36':21
  • '72.##.140.123':21
  • '72.##.140.123':2121
  • '47.##7.158.48':21
  • '66.##.136.106':21
  • '47.##7.158.48':2121
  • '66.##.136.106':2121
  • '49.##.92.121':21
  • '11#.#4.60.36':2121
  • '38.##2.137.209':21
  • '38.##2.137.209':2121
  • '20#.#19.71.62':2121
  • '21#.#92.193.218':2121
  • '49.##.92.121':2121
  • '47.##2.98.167':2121
  • '14.##.173.174':21
  • '14.##.173.174':2121
  • '17#.#86.246.55':21
  • '17#.#86.246.55':2121
  • '27.##0.181.174':21
  • '27.##0.181.174':2121
  • '95.##8.101.212':21
  • '95.##8.101.212':2121
  • '47.##2.98.167':21
  • '10#.#17.39.113':21
  • '77.##7.101.225':21
  • '77.##7.101.225':2121
  • '24.##4.164.123':21
  • '24.##4.164.123':2121
  • '10#.#64.54.155':2121
  • '10#.#64.54.155':21
  • '98.##5.9.219':21
  • '98.##5.9.219':2121
  • '21#.#92.193.218':21
  • '10#.#17.39.113':2121
  • '11#.#54.71.192':21
  • '27.##2.73.45':21
  • '12#.#9.164.222':21
  • '84.##8.35.91':2121
  • '22#.#57.1.242':21
  • '22#.#57.1.242':2121
  • '71.##.170.150':21
  • '71.##.170.150':2121
  • '36.##.196.16':21
  • '36.##.196.16':2121
  • '70.##.133.152':21
  • '11#.#03.168.249':2121
  • '70.##.133.152':2121
  • '17#.#66.38.24':2121
  • '13#.#4.133.129':2121
  • '60.##.34.168':2121
  • '12#.#3.240.253':21
  • '12#.#3.240.253':2121
  • '18.##8.159.197':21
  • '18.##8.159.197':2121
  • '12#.#29.96.20':21
  • '12#.#29.96.20':2121
  • '13#.#4.133.129':21
  • '16#.#3.249.14':2121
  • '60.##.34.168':21
  • '17#.#66.38.24':21
  • '11#.#03.168.249':21
  • '51.##1.18.124':2121
  • '84.##8.35.91':21
  • '81.##0.49.73':21
  • '81.##0.49.73':2121
  • '34.##0.26.51':21
  • '34.##0.26.51':2121
  • '91.##.250.55':21
  • '91.##.250.55':2121
  • '12#.#27.173.160':21
  • '14#.#46.147.88':2121
  • '12#.#27.173.160':2121
  • '73.##8.176.241':2121
  • '11#.#16.189.41':21
  • '11#.#16.189.41':2121
  • '73.##4.14.95':21
  • '73.##4.14.95':2121
  • '11#.#00.192.98':21
  • '11#.#00.192.98':2121
  • '42.##0.143.36':21
  • '42.##0.143.36':2121
  • '73.##8.176.241':21
  • '51.##1.18.124':21
  • '14#.#46.147.88':21
  • '15#.#45.75.141':21
TCP
HTTP GET requests
  • / via 41.##5.153.189
Other
  • '45.##7.172.180':21
  • '19#.#48.242.183':21
  • '19#.#54.190.116':21
  • '5.###.188.250':21
  • '16#.#6.72.193':21
UDP
  • DNS ASK dh#.###nsmissionbt.com
  • DNS ASK ro####.bittorrent.com
  • DNS ASK xm#.##ypto-pool.fr
  • DNS ASK ro####.utorrent.com
  • DNS ASK bt#####er.debian.org
  • '46.##7.112.42':7579
  • '17#.#6.67.104':1793
  • '21#.#48.208.165':63714
  • '22#.#00.196.130':33288
  • '11#.#35.110.40':50641
  • '22#.#09.206.198':6886
  • '31.##9.151.6':54360
  • '21#.#8.91.61':6881
  • '45.##4.86.83':6881
  • '19#.#3.228.160':11316
  • '11#.#4.150.20':5060
  • '17#.#41.5.156':8000
  • '69.#0.95.40':12023
  • '21#.#3.44.86':5952
  • '15#.#3.116.236':25015
  • '11#.#48.188.174':18488
  • '88.#.96.243':59198
  • '98.##.40.216':7681
  • '45.##4.177.145':46800
  • '45.##8.251.169':22806
  • '37.#8.70.3':28013
  • '89.##2.124.143':21693
  • '45.##4.177.129':46130
  • '81.#.171.207':40628
  • '86.#.88.100':11843
  • '11#.#41.56.65':26171
  • '17#.#9.218.77':6881
  • '77.##9.208.247':50682
  • '97.##.15.169':56502
  • '15#.#3.185.180':24400
  • '79.##8.216.100':25652
  • '17#.#62.173.104':28007
  • '72.##.21.152':36834
  • '45.##4.177.132':34050
  • '91.##2.176.189':49001
  • '18#.#68.153.171':22939
  • '17#.#2.59.123':42165
  • '5.###.121.94':6881
  • '18#.#04.255.146':39227
  • '59.##.98.153':33254
  • '21#.#0.48.132':29478
  • '92.##5.151.22':58045
  • '11#.#4.138.206':51417
  • '11#.#27.55.2':5855
  • '59.##2.110.12':14371
  • '11#.#53.156.213':5060
  • '11#.#21.125.85':16101
  • '12#.61.9.99':47980
  • '45.##4.177.185':41716
  • '11#.#21.53.60':54517
  • '17#.#65.86.84':32023
  • '5.##.86.79':5732
  • '18#.#53.101.65':1489
  • '94.##8.68.227':57348
  • '59.##0.172.101':12599
  • '84.##.122.73':36399
  • '89.##.201.115':22379
  • '59.#8.26.56':1434
  • '45.##4.177.244':37706
  • '45.##4.177.64':40622
  • '12#.#76.38.70':1024
  • '45.##4.177.220':55386
  • '45.##4.177.255':7659
  • '45.##8.249.10':37976
  • '92.##1.246.208':1024
  • '18#.#3.37.202':39490
  • '94.##.222.72':6881
  • '82.##.16.211':59395
  • '45.##8.250.80':62437
  • '45.##8.250.65':58228
  • '14#.#02.48.88':12033
  • '51.##8.166.161':1036
  • '45.##4.177.112':56591
  • '14#.#4.100.228':6881
  • '38.##.255.76':10095
  • '17#.#08.238.144':2565
  • '45.##3.212.18':6880
  • '49.##8.88.156':25435
  • '23.##8.56.120':12059
  • '94.##.194.218':28009
  • '1.##.103.38':41159
  • '86.##.240.231':35237
  • '45.##8.251.26':42029
  • '78.##.162.87':36479
  • '21#.#57.4.252':7740
  • '16#.#50.223.250':64054
  • '17#.#62.174.136':28001
  • '46.##2.211.38':61636
  • '22#.#30.162.160':6881
  • '38.##.255.76':10084
  • 'bt#####er.debian.org':8524
  • 'dh#.###nsmissionbt.com':6881
  • 'ro####.bittorrent.com':6881
  • 'ro####.utorrent.com':6881
  • 'bt#####er.debian.org':6881
  • '85.##5.17.66':49001
  • '95.##6.116.228':50000
  • '45.##8.250.165':41959
  • '12#.#05.218.174':36053
  • '45.##8.249.47':1991
  • '12#.#8.193.6':6889
  • '13#.#09.183.166':6881
  • 'bt#####er.debian.org':8554
  • '17#.#11.38.128':26076
  • '45.##8.249.202':46642
  • '17#.#28.0.116':51413
  • '11#.#3.202.56':11211
  • '12#.#30.91.69':7958
  • '12#.#29.217.89':6001
  • '85.##7.202.3':26172
  • '84.#4.84.63':64269
  • '17#.#5.147.31':42112
  • '45.##8.251.76':44031
  • '85.##4.8.141':11282
  • '16#.#19.65.34':32283
  • '11#.#09.46.110':41178
  • '18#.#49.91.185':51035
  • '88.##2.131.121':12223
  • '21#.#.200.72':24092
  • '21#.#55.20.167':50209
  • '18#.#65.199.35':56162
  • '45.##4.177.96':64220
  • '45.##8.251.117':54177
  • '17#.#62.173.200':28009
  • '45.##3.155.73':6880
  • '23.##8.56.119':10033
  • '17#.#02.152.142':9189
  • 'bt#####er.debian.org':8515
  • '11#.#2.42.63':28144
  • '18#.#50.21.103':1900
  • '88.#.110.233':6881
  • '13#.#43.152.93':50450
  • '21#.#00.195.174':30301
  • '45.##4.177.117':1892
  • '11#.#8.42.20':6881
  • '12#.#2.124.21':30301
  • '17#.#1.252.163':51413
  • '45.##3.211.13':6880
  • '1.##.133.10':43867
  • '22#.#37.210.171':1027
  • '12#.#28.62.9':48751
  • '17#.#41.182.245':8082
  • '45.##4.177.219':16100
  • '45.##8.249.32':31113
Miscellaneous
Searches for the following windows
  • ClassName: '' WindowName: ''
Creates and executes the following
  • '%HOMEPATH%\helppane.exe' --startup auto install
  • '%HOMEPATH%\helppane.exe' start
  • '%HOMEPATH%\helppane.exe'
  • '%WINDIR%\temp\xmrig.exe'
Restarts the analyzed sample
Executes the following
  • '%WINDIR%\syswow64\cmd.exe' /c copy /y <Full path to file> %HOMEPATH%\HelpPane.exe
  • '%WINDIR%\syswow64\cmd.exe' /c %HOMEPATH%\HelpPane.exe --startup auto install
  • '%WINDIR%\syswow64\cmd.exe' /c %HOMEPATH%\HelpPane.exe start
  • '%WINDIR%\syswow64\cmd.exe' /c taskkill /pid 1028 /f
  • '%WINDIR%\syswow64\cmd.exe' \c copy \y %WINDIR%\TEMP\_MEI16~1\\xmrig.exe %WINDIR%\TEMP\xmrig.exe
  • '%WINDIR%\syswow64\cmd.exe' \c copy \y %WINDIR%\TEMP\_MEI16~1\\config.json %WINDIR%\TEMP\config.json
  • '<SYSTEM32>\spoolsv.exe'
  • '%WINDIR%\syswow64\cmd.exe' /c copy /y <Full path to file> %HOMEPATH%\HelpPane.exe' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /c %HOMEPATH%\HelpPane.exe --startup auto install' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /c %HOMEPATH%\HelpPane.exe start' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /c taskkill /pid 1028 /f' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' \c copy \y %WINDIR%\TEMP\_MEI16~1\\xmrig.exe %WINDIR%\TEMP\xmrig.exe' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' \c copy \y %WINDIR%\TEMP\_MEI16~1\\config.json %WINDIR%\TEMP\config.json' (with hidden window)
  • '%WINDIR%\temp\xmrig.exe' ' (with hidden window)
  • '%WINDIR%\syswow64\netsh.exe' firewall add allowedprogram %HOMEPATH%\HelpPane.exe "MyApp" ENABLE' (with hidden window)

Curing recommendations

  1. If the operating system (OS) can be loaded (either normally or in safe mode), download Dr.Web Security Space and run a full scan of your computer and removable media you use. More about Dr.Web Security Space.
  2. If you cannot boot the OS, change the BIOS settings to boot your system from a CD or USB drive. Download the image of the emergency system repair disk Dr.Web® LiveDisk , mount it on a USB drive or burn it to a CD/DVD. After booting up with this media, run a full scan and cure all the detected threats.
Free trial

 

Download Dr.Web

Download by serial number

Use Dr.Web Anti-virus for macOS to run a full scan of your Mac.

Free trial

 

Download Dr.Web

Download by serial number

Download on App Store

After booting up, run a full scan of all disk partitions with Dr.Web Anti-virus for Linux.

Free trial

 

Download Dr.Web

Download by serial number

  1. If the mobile device is operating normally, download and install Dr.Web for Android. Run a full system scan and follow recommendations to neutralize the detected threats.
  2. If the mobile device has been locked by Android.Locker ransomware (the message on the screen tells you that you have broken some law or demands a set ransom amount; or you will see some other announcement that prevents you from using the handheld normally), do the following:
    • Load your smartphone or tablet in the safe mode (depending on the operating system version and specifications of the particular mobile device involved, this procedure can be performed in various ways; seek clarification from the user guide that was shipped with the device, or contact its manufacturer);
    • Once you have activated safe mode, install the Dr.Web for Android onto the infected handheld and run a full scan of the system; follow the steps recommended for neutralizing the threats that have been detected;
    • Switch off your device and turn it on as normal.

Find out more about Dr.Web for Android

Free trial

14 days

Download now
Get it on Google Play