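Technical Information
(Note: the section headings of the original report are missing from this copy, so the entries below run together. Read in order, they are: one autorun (Run key) registry value, one system executable path, files under %TEMP%\76010575 (listed twice, presumably under two different headings) with one file under %APPDATA% between the two lists, remote hosts on port 2404, DNS queries, a window class/name entry, and three command lines.)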
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'Windowstyimr6td6rUpdate' = '%TEMP%\76010575\qxh.exe %TEMP%\76010575\rbi=qmq'
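- %WINDIR%\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (this is the standard location of Microsoft's .NET Services Installation Tool, so the path alone is not an indicator of compromise; the page does not state the sample's relationship to it, but the same path appears at the end of the list next to the qxh.exe command lines)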
- %TEMP%\76010575\rep.jpg
- %TEMP%\76010575\bcl.xl
- %TEMP%\76010575\ofj.ico
- %TEMP%\76010575\hmg.txt
- %TEMP%\76010575\pbx.xl
- %TEMP%\76010575\isb.dat
- %TEMP%\76010575\qju.jpg
- %TEMP%\76010575\skh.pdf
- %TEMP%\76010575\vjm.dat
- %TEMP%\76010575\uis.xl
- %TEMP%\76010575\noh.pdf
- %TEMP%\76010575\HVCWS
- %TEMP%\76010575\qkw.xl
- %TEMP%\76010575\mvr.icm
- %TEMP%\76010575\gxs.bmp
- %TEMP%\76010575\nmi.dat
- %TEMP%\76010575\pwe.dat
- %TEMP%\76010575\dte.icm
- %TEMP%\76010575\mgc.ico
- %TEMP%\76010575\eas.icm
- %TEMP%\76010575\woa.dat
- %TEMP%\76010575\bce.mp4
- %TEMP%\76010575\atp.bmp
- %TEMP%\76010575\axg.txt
- %TEMP%\76010575\rxc.txt
- %TEMP%\76010575\rbi=qmq
- %TEMP%\76010575\qxh.exe
- %TEMP%\76010575\wfo.dat
- %TEMP%\76010575\xbw.txt
- %TEMP%\76010575\iee.icm
- %TEMP%\76010575\rqe.xl
- %TEMP%\76010575\kxj.mp4
- %TEMP%\76010575\uqv.txt
- %TEMP%\76010575\tjm.dat
- %TEMP%\76010575\wto.jpg
- %TEMP%\76010575\rwb.xl
- %TEMP%\76010575\juf.ico
- %TEMP%\76010575\kjb.xl
- %TEMP%\76010575\rqp.ppt
- %TEMP%\76010575\wfe.docx
- %TEMP%\76010575\tso.icm
- %TEMP%\76010575\fbt.docx
- %TEMP%\76010575\vtj.pdf
- %TEMP%\76010575\nhx.mp3
- %TEMP%\76010575\xrb.docx
- %TEMP%\76010575\wap.dat
- %APPDATA%\VFGRBTR\logs.dat
- %TEMP%\76010575\atp.bmp
- %TEMP%\76010575\qxh.exe
- %TEMP%\76010575\rbi=qmq
- %TEMP%\76010575\rep.jpg
- %TEMP%\76010575\rqe.xl
- %TEMP%\76010575\rqp.ppt
- %TEMP%\76010575\rwb.xl
- %TEMP%\76010575\rxc.txt
- %TEMP%\76010575\skh.pdf
- %TEMP%\76010575\tjm.dat
- %TEMP%\76010575\tso.icm
- %TEMP%\76010575\uis.xl
- %TEMP%\76010575\uqv.txt
- %TEMP%\76010575\vjm.dat
- %TEMP%\76010575\vtj.pdf
- %TEMP%\76010575\wap.dat
- %TEMP%\76010575\wfe.docx
- %TEMP%\76010575\wfo.dat
- %TEMP%\76010575\woa.dat
- %TEMP%\76010575\wto.jpg
- %TEMP%\76010575\qkw.xl
- %TEMP%\76010575\xbw.txt
- %TEMP%\76010575\qju.jpg
- %TEMP%\76010575\pbx.xl
- %TEMP%\76010575\axg.txt
- %TEMP%\76010575\bce.mp4
- %TEMP%\76010575\bcl.xl
- %TEMP%\76010575\dte.icm
- %TEMP%\76010575\eas.icm
- %TEMP%\76010575\fbt.docx
- %TEMP%\76010575\gxs.bmp
- %TEMP%\76010575\hmg.txt
- %TEMP%\76010575\iee.icm
- %TEMP%\76010575\isb.dat
- %TEMP%\76010575\juf.ico
- %TEMP%\76010575\kjb.xl
- %TEMP%\76010575\kxj.mp4
- %TEMP%\76010575\mgc.ico
- %TEMP%\76010575\mvr.icm
- %TEMP%\76010575\nhx.mp3
- %TEMP%\76010575\nmi.dat
- %TEMP%\76010575\noh.pdf
- %TEMP%\76010575\ofj.ico
- %TEMP%\76010575\pwe.dat
- %TEMP%\76010575\xrb.docx
- %TEMP%\76010575\HVCWS
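(Host names below are partially masked with '#' in this report, so they cannot be used as exact-match indicators; the parent domains and the common port 2404 are what is left to match on.)
- 'ca####as.hicam.net':2404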
- 'ca#######x.chickenkiller.com':2404
- 'ca#####s45.hopto.org':2404
- 'ca#####s.libfoobar.so':2404
- 'du#####ute.sendsmtp.com':2404
- 'se#####s.wifizone.org':2404
- 'wi##.con-ip.com':2404
- 'rs######r.jumpingcrab.com':2404
- DNS ASK www.google.com
- DNS ASK ca####as.hicam.net
- DNS ASK ca#######x.chickenkiller.com
- DNS ASK ca#####s45.hopto.org
- DNS ASK ca#####s.libfoobar.so
- DNS ASK du#####ute.sendsmtp.com
- DNS ASK se#####s.wifizone.org
- DNS ASK wi##.con-ip.com
- DNS ASK rs######r.jumpingcrab.com
- ClassName: 'EDIT' WindowName: ''
- '%TEMP%\76010575\qxh.exe' rbi=qmq
- '%TEMP%\76010575\qxh.exe' %TEMP%\76010575\HVCWS
- '%WINDIR%\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe'