Technical Information
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'IEMain' = '%APPDATA%\Microsofta\Winrar.exe'
- %APPDATA%\microsofta\winrar.exe
- %APPDATA%\winrara\winrar.dll
- http://g.##ke.me/czapi/pc28/FileList.json
- http://g.##ke.me/czapi/pc28/down/pc001.dll
- http://g.##ke.me/czapi/exe/update.json
- DNS ASK g.##ke.me
- DNS ASK f.##ke.me
- ClassName: 'PC28iQStartForm2018' WindowName: ''
- ClassName: 'PC28PC_MainForm' WindowName: ''
- ClassName: 'PC28iQHostForm2018' WindowName: ''
- '%APPDATA%\microsofta\winrar.exe'
- '%APPDATA%\microsofta\winrar.exe' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c ping 127.0.0.1 -n 3&del /q "<Full path to file>" (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c ping 127.0.0.1 -n 3&del /q "<Full path to file>"
- '%WINDIR%\syswow64\ping.exe' 127.0.0.1 -n 3