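Technical Information
Note: the services.exe referenced below is located in %WINDIR%, not in <SYSTEM32> where the genuine Windows services.exe resides; the directory is what distinguishes this file from the system binary of the same name. The firewall entries are recorded under ControlSet001; on a live system the equivalent keys are normally examined under CurrentControlSet.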
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\RUNSERVICES] 'services' = '%WINDIR%\services.exe'
- [<HKCU>\Software\Microsoft\Windows NT\CurrentVersion\Windows] 'run' = 'services.EXE'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'services' = '%WINDIR%\services.exe'
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List] '%WINDIR%\services.exe' = '%WINDIR%\services.exe:*:Enabled:%WINDIR%\servi...
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '%WINDIR%\services.exe' = '%WINDIR%\services.exe:*:Enabled:%WINDIR%\ser...
- '%WINDIR%\services.exe'
- '<SYSTEM32>\cmd.exe' /c <Current directory>\bat.bat
- <Current directory>\bat.bat
- %WINDIR%\services.exe
- %WINDIR%\services.exe
- 'ra####.gotdns.org':8862
- DNS ASK ra####.gotdns.org