Technical Information
- [HKLM\System\CurrentControlSet\Services\RuMqXc DhJEZ] 'Start' = '00000002'
- [HKLM\System\CurrentControlSet\Services\RuMqXc DhJEZ] 'ImagePath' = '\/.\%WINDIR%\/syStEm32//MEmhXDoyiyl.exe Service 0'
- 'RuMqXc DhJEZ' \/.\%WINDIR%\/syStEm32//MEmhXDoyiyl.exe Service 0
- %WINDIR%\syswow64\memhxdoyiyl.exe
- from <Full path to file> to %TEMP%\_@7272.tmp
- 'zh###aohhhh.top':2024
- DNS ASK ba##u.com
- DNS ASK zh###aohhhh.top
- ClassName: 'Progman' WindowName: 'Program Manager'
- '%WINDIR%\syswow64\memhxdoyiyl.exe' -auto
- '%WINDIR%\syswow64\cmd.exe' > nul
- '%WINDIR%\syswow64\cmd.exe' > nul (with hidden window)