Technical Information
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\] 'win54' = '%PROGRAMDATA%\win54.exe' (persistence: Run-key autostart of the dropped %PROGRAMDATA%\win54.exe; the Wow6432Node path indicates the value was written by a 32-bit process)
- %TEMP%\rarsfx0\start.bat
- %TEMP%\rarsfx0\rg2210.exe
- %TEMP%\rarsfx1\win68.exe
- %TEMP%\rarsfx1\win55.dll
- %PROGRAMDATA%\win54.exe
- %TEMP%\rarsfx0\rg2210.exe
- %TEMP%\rarsfx0\start.bat
- '<DNS_SERVER>':53
- ClassName: 'EDIT' WindowName: ''
- '%TEMP%\rarsfx0\rg2210.exe' -p123 -d%LOCALAPPDATA%\Temp (switches are consistent with a password-protected archive extraction, password `123`, into %LOCALAPPDATA%\Temp — confirm against the binary)
- '%TEMP%\rarsfx1\win68.exe'
- '%PROGRAMDATA%\win54.exe'
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath C:\ (with hidden window; adds a Microsoft Defender exclusion covering the entire C: drive — defense evasion, check the host's exclusion list during triage)
- '%WINDIR%\syswow64\cmd.exe' /c ""%TEMP%\RarSFX0\start.bat" "
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath C:\ (Microsoft Defender exclusion for the whole C: drive — defense evasion; remove the exclusion as part of remediation)