Technical Information
- [HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] 'XXXXXX868040A9' = '%WINDIR%\XXXXXX868040A9\svchsot.exe'
- %WINDIR%\server.exe
- %WINDIR%\xxxxxx868040a9\svchsot.exe
- %WINDIR%\syswow64\868040a9
- '82.##7.254.217':8080
- '19#.#44.213.79':8000
- http://82.###.254.217:8080/server.exe via 82.##7.254.217
- http://82.###.254.217:8080/Xz.txt via 82.##7.254.217
- ClassName: '' WindowName: 'ÈðÐdzÌÐòÉý¼¶ÖÐ'
- '%WINDIR%\server.exe'