Look for suspicious processes running from user directories (e.g., svchost.exe running from %AppData% instead of System32).
When the archive (seahoga.rar) is extracted and the internal payload is executed, the following actions generally occur:
The malware copies itself to the Windows %AppData% or %Temp% directories and creates a Registry Run key (e.g., HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run) to ensure it starts automatically upon reboot.
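The two checks described above, as an added example (not code from the original page): a Python triage pass over an exported process list and exported HKCU Run-key values. The system-binary name list, the function names and all sample records are assumptions constructed for illustration.

```python
import ntpath

# Assumption: short, non-exhaustive list of binaries that belong in System32.
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "services.exe", "csrss.exe", "winlogon.exe"}
# User-writable locations named in the text, as lowercase path fragments.
USER_DIRS = ("\\appdata\\", "\\temp\\", "%appdata%", "%temp%")

# Constructed sample data: (pid, image path) pairs and Run-key name -> command.
SAMPLE_PROCS = [
    (612, r"C:\Windows\System32\svchost.exe"),
    (4120, r"C:\Users\alice\AppData\Roaming\svchost.exe"),
    (5012, r"C:\Program Files\Editor\editor.exe"),
    (5300, r"C:\Users\alice\AppData\Local\Temp\upd.exe"),
]
SAMPLE_RUN = {
    "Editor": r'"C:\Program Files\Editor\editor.exe" /background',
    "Updater": r"%AppData%\svchost.exe",
}

def in_user_dir(path):
    p = path.lower()
    return any(frag in p for frag in USER_DIRS)

def exe_from_command(cmd):
    """Return only the executable path of a Run-key value, ignoring arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    idx = cmd.lower().find(".exe")
    return cmd[: idx + 4] if idx != -1 else cmd.split(" ", 1)[0]

def check_processes(procs):
    """Flag system-binary names outside System32 and anything run from user dirs."""
    findings = []
    for pid, path in procs:
        name = ntpath.basename(path).lower()
        masquerade = name in SYSTEM_NAMES and "\\windows\\system32\\" not in path.lower()
        if masquerade:
            findings.append((pid, path, "system binary name outside System32"))
        elif in_user_dir(path):
            findings.append((pid, path, "runs from user directory"))
    return findings

def check_run_key(values):
    """Flag Run-key entries whose executable lives in %AppData% or %Temp%."""
    return [(n, c) for n, c in values.items() if in_user_dir(exe_from_command(c))]

if __name__ == "__main__":
    print(check_processes(SAMPLE_PROCS))
    print(check_run_key(SAMPLE_RUN))
```

Legitimate per-user software also runs from %AppData%, so the "runs from user directory" findings are triage leads; a system binary name outside System32 is the stronger signal.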