Technical Information
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] 'XXXXXXDE98BE56' = '%WINDIR%\XXXXXXDE98BE56\svchsot.exe'
- %WINDIR%\svchost.exe
- %WINDIR%\syswow64\de98be56
- from %WINDIR%\svchost.exe to %WINDIR%\xxxxxxde98be56\svchsot.exe
- 'aa###3299.xyz':801
- DNS ASK aa###3299.xyz
- ClassName: '' WindowName: 'ÈðÐdzÌÐòÉý¼¶ÖÐ' (GBK bytes rendered as Latin-1 mojibake; decodes to '瑞星程序升级中')
- ClassName: '' WindowName: ''
- '%WINDIR%\svchost.exe'
- '%WINDIR%\svchost.exe' (with hidden window)