Technical Information
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] 'syotom' = '%WINDIR%\SysWOW64\svchost.exe'
- %WINDIR%\syswow64\svchost.exe
- 'r.###ne.qq.com':80
- '27.##5.74.103':80
- http://r.###ne.qq.com/cgi-bin/user/cgi_personal_card?ui###################
- DNS ASK r.###ne.qq.com
- 'localhost':52009
- 'localhost':64471
- '%WINDIR%\syswow64\svchost.exe' (with hidden window)
- '%WINDIR%\syswow64\svchost.exe'