Technical Information
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run] 'rmqubfjn40b666bf100xy' = '%ALLUSERSPROFILE%\7e232613-09c1-4fc5-9cbd-5bdf7367c1b6\rmqubfjn40b666bf100xy.exe'
- %ALLUSERSPROFILE%\7e232613-09c1-4fc5-9cbd-5bdf7367c1b6\rmqubfjn40b666bf100xy.exe
- %ALLUSERSPROFILE%\7e232613-09c1-4fc5-9cbd-5bdf7367c1b6\ttpcomm.dll
- %ALLUSERSPROFILE%\7e232613-09c1-4fc5-9cbd-5bdf7367c1b6\rmqubfjn40b666bf100xy.data
- %LOCALAPPDATA%\178bfbff000406f1
- %ALLUSERSPROFILE%\7e232613-09c1-4fc5-9cbd-5bdf7367c1b6\key
- %ALLUSERSPROFILE%\7e232613-09c1-4fc5-9cbd-5bdf7367c1b6\key
- '27.#24.7.62':8080
- '27.#24.7.62':12345
- http://27.###.7.62:8080/8X/client.dll via 27.#24.7.62
- '27.#24.7.62':12345
- '%ALLUSERSPROFILE%\7e232613-09c1-4fc5-9cbd-5bdf7367c1b6\rmqubfjn40b666bf100xy.exe'
- '%WINDIR%\syswow64\cmd.exe' /c start %ALLUSERSPROFILE%\7e232613-09c1-4fc5-9cbd-5bdf7367c1b6\rmqubfjn40b666bf100xy.exe' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c start %ALLUSERSPROFILE%\7e232613-09c1-4fc5-9cbd-5bdf7367c1b6\rmqubfjn40b666bf100xy.exe