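Technical Information

The entries below are registry, file and command-line artifacts. The category label for each entry (for example created, deleted or launched) is not shown, so the role of the bare file paths cannot be read from this list alone. `<HKCU>`, `<SYSTEM32>` and `<Full path to file>` appear to be report placeholders rather than literal strings.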
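- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'Startup Name' = '<Full path to file>'
  (A value under the per-user Run key: the program it points to is started each time that user logs on. It needs no administrator rights to set, so review this key in every user hive, not only the current one.)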
- %WINDIR%\syswow64\werfault.exe
- %TEMP%\autc16b.tmp
- %TEMP%\1.resource
- <Full path to file>
- %TEMP%\autc16b.tmp
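- '<SYSTEM32>\cmd.exe' /c "%TEMP%\C448.tmp\C449.bat %WINDIR%\SysWOW64\WerFault.exe"
  (cmd.exe runs a batch file from a directory under %TEMP% and passes it the path of WerFault.exe; what the batch file does with that path is not shown. The `C448.tmp` and `C449.bat` names look auto-generated, so match on the pattern, not the exact names.)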
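- '<SYSTEM32>\reg.exe' delete "HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\Mouclass"
  (Mouclass is the service key of the Windows mouse class driver. Removing it unregisters the driver and typically leaves the mouse unusable after the next restart, until the key is restored. A `reg.exe delete` against any key under `CurrentControlSet\Services` is a high-signal event in process-creation logs.)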