Technical Information
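- [HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'WindowsServiceHost' = '%APPDATA%\RuntimeBroker.exe'
  (Per-user autorun entry: this Run value starts the copy in %APPDATA% at each logon of that user. The genuine Windows RuntimeBroker.exe is located in %SystemRoot%\System32, so the same file name under %APPDATA% indicates masquerading.)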
- %TEMP%\dbfca055d9844316bc75d4f65978dfba.exe
- %APPDATA%\runtimebroker.exe
- %LOCALAPPDATA%\microsoft\clr_v4.0_32\usagelogs\dbfca055d9844316bc75d4f65978dfba.exe.log
- %LOCALAPPDATA%\microsoft\clr_v4.0\usagelogs\<File name>.exe.log
- %TEMP%\ratagentlog.txt
- %APPDATA%\runtimebroker.exe
- %TEMP%\dbfca055d9844316bc75d4f65978dfba.exe
- '65.##9.125.86':5445
- '%TEMP%\dbfca055d9844316bc75d4f65978dfba.exe'
- '%APPDATA%\runtimebroker.exe' --moved