Technical Information
- [<HKLM>\System\CurrentControlSet\Services\winrshost] 'Start' = '00000002'
- [<HKLM>\System\CurrentControlSet\Services\winrshost] 'ImagePath' = '"%WINDIR%\SysWOW64\winrshost\winrshost.exe"'
- from <Full path to file> to %WINDIR%\syswow64\winrshost\winrshost.exe
- '60.##0.173.117':80
- '20#.21.90.5':443
- '10#.#36.28.47':8080
- http://10#.##6.28.47:8080/bmAwWCRy/amv1VPdtF8/2q68o4e0MKcDn1iRHv/ via 10#.#36.28.47