Technical Information
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'umeejkek' = '%LOCALAPPDATA%\Qfwjxffxnn\ryxejkek.exe'
- %WINDIR%\syswow64\svchost.exe
- %TEMP%\skvgrogqve.pre
- %LOCALAPPDATA%\qfwjxffxnn\ryxejkek.exe
- %TEMP%\~46463234.tmp
- %LOCALAPPDATA%\qfwjxffxnn\ryxejkek.exe
- %TEMP%\skvgrogqve.pre
- 'ro####ewearred.com':80
- http://ro####ewearred.com/backup.php?ev#####################################################
- DNS ASK ro####ewearred.com
- '%TEMP%\skvgrogqve.pre'
- '%TEMP%\skvgrogqve.pre' (with hidden window)
- '%WINDIR%\syswow64\svchost.exe'
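The indicators above can be turned directly into a triage check. The following is an added example, not code from the original report: it transcribes the registry value, file paths, redacted domain and redacted URL into a small Python matcher and runs it over a constructed set of endpoint events. It assumes the sandbox's environment-variable values (the `C:\Users\victim\...` paths are made up; substitute the real ones), that each `#` in the report's redaction masks exactly one character, and that `%WINDIR%\syswow64\svchost.exe`, a legitimate system binary, is only interesting when spawned by one of the dropped files; the event schema is likewise invented for the example.

```python
import re

# Constructed environment for the triaged host (assumption; replace with real values).
ENV = {
    "%LOCALAPPDATA%": r"C:\Users\victim\AppData\Local",
    "%TEMP%": r"C:\Users\victim\AppData\Local\Temp",
    "%WINDIR%": r"C:\Windows",
}

# Indicators transcribed from the listing above; '#' is the report's redaction.
IOC_RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
IOC_RUN_VALUE = "umeejkek"
IOC_PATHS = [
    r"%LOCALAPPDATA%\Qfwjxffxnn\ryxejkek.exe",
    r"%TEMP%\skvgrogqve.pre",
    r"%TEMP%\~46463234.tmp",
]
IOC_DOMAIN = "ro####ewearred.com"
IOC_URL = "http://ro####ewearred.com/backup.php?ev#####################################################"
SVCHOST_WOW64 = r"%WINDIR%\syswow64\svchost.exe"


def expand(path):
    """Expand the %VAR% prefixes the report uses with the assumed sandbox values."""
    for var, val in ENV.items():
        path = path.replace(var, val)
    return path


def norm_path(path):
    """Windows paths are case-insensitive; normalise slashes and case for comparison."""
    return expand(path).replace("/", "\\").lower()


PATH_SET = {norm_path(p) for p in IOC_PATHS}
SVCHOST_NORM = norm_path(SVCHOST_WOW64)


def redacted_regex(ioc, wildcard):
    """Build an anchored, case-insensitive regex where every '#' becomes one wildcard.
    Assumption: each '#' in the report masks exactly one character."""
    body = wildcard.join(re.escape(part) for part in ioc.split("#"))
    return re.compile("^" + body + "$", re.IGNORECASE)


DOMAIN_RE = redacted_regex(IOC_DOMAIN, r"[a-z0-9-]")
URL_RE = redacted_regex(IOC_URL, r"[^\s/]")


def scan(events):
    """Return (event index, reason) for each event matching an indicator."""
    hits = []
    for i, ev in enumerate(events):
        kind = ev["type"]
        if kind == "registry_set":
            same_value = (ev["key"].lower() == IOC_RUN_KEY.lower()
                          and ev["value"].lower() == IOC_RUN_VALUE.lower())
            if same_value or norm_path(ev["data"]) in PATH_SET:
                hits.append((i, "Run-key persistence for dropped executable"))
        elif kind in ("file_create", "file_write"):
            if norm_path(ev["path"]) in PATH_SET:
                hits.append((i, "dropped file from report"))
        elif kind == "process_create":
            image = norm_path(ev["image"])
            parent = norm_path(ev.get("parent", ""))
            if image in PATH_SET:
                note = " (hidden window)" if ev.get("hidden") else ""
                hits.append((i, "execution of dropped file" + note))
            elif image == SVCHOST_NORM and parent in PATH_SET:
                # svchost.exe alone is benign; flag it only under a dropped parent.
                hits.append((i, "syswow64 svchost.exe spawned by dropped file"))
        elif kind == "dns":
            if DOMAIN_RE.match(ev["query"]):
                hits.append((i, "DNS query for redacted domain in report"))
        elif kind == "http":
            if URL_RE.match(ev["url"]):
                hits.append((i, "HTTP GET matching redacted URL in report"))
    return hits


# Constructed sample telemetry; the '#' placeholders are filled with 'x' so the
# redacted patterns can be exercised without guessing the real hostname.
SAMPLE_EVENTS = [
    {"type": "file_create", "path": r"C:\Users\victim\AppData\Local\Temp\skvgrogqve.pre"},
    {"type": "registry_set", "key": IOC_RUN_KEY, "value": "umeejkek",
     "data": r"%LOCALAPPDATA%\Qfwjxffxnn\ryxejkek.exe"},
    {"type": "process_create", "image": r"C:\Users\victim\AppData\Local\Temp\skvgrogqve.pre",
     "parent": r"C:\Users\victim\AppData\Local\qfwjxffxnn\ryxejkek.exe", "hidden": True},
    {"type": "process_create", "image": r"C:\Windows\syswow64\svchost.exe",
     "parent": r"C:\Users\victim\AppData\Local\Temp\skvgrogqve.pre", "hidden": False},
    {"type": "dns", "query": IOC_DOMAIN.replace("#", "x")},
    {"type": "http", "url": IOC_URL.replace("#", "x")},
    {"type": "process_create", "image": r"C:\Windows\System32\notepad.exe",
     "parent": r"C:\Windows\explorer.exe", "hidden": False},
    {"type": "dns", "query": "www.example.com"},
]

if __name__ == "__main__":
    for idx, reason in scan(SAMPLE_EVENTS):
        print(idx, reason)
```

The matcher compares paths after expanding the `%VAR%` prefixes so that a raw Run-key value and the expanded path seen in a process-creation event both hit, and it keeps the redacted domain and URL usable by treating each masked character as a wildcard rather than discarding the indicator.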