Technical Information
- [<HKCU>\software\microsoft\windows\currentversion\run] 'mMsccgoE.exe' = '%HOMEPATH%\TGQwQUYY\mMsccgoE.exe'
- [<HKLM>\software\Wow6432Node\microsoft\windows\currentversion\run] 'RCEYgAcE.exe' = '%ALLUSERSPROFILE%\wAgMgIcg\RCEYgAcE.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] 'Userinit' = '<SYSTEM32>\userinit.exe,%ALLUSERSPROFILE%\wAgMgIcg\RCEYgAcE.exe,'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon] 'Userinit' = 'userinit.exe,%ALLUSERSPROFILE%\wAgMgIcg\RCEYgAcE.exe,'
- [<HKLM>\System\CurrentControlSet\Services\tcEckcds] 'Start' = '00000002'
- [<HKLM>\System\CurrentControlSet\Services\tcEckcds] 'ImagePath' = '%ALLUSERSPROFILE%\sycsMAAs\aMgMMIUQ.exe'
- 'tcEckcds' %ALLUSERSPROFILE%\sycsMAAs\aMgMMIUQ.exe
- %HOMEPATH%\tgqwquyy\mmsccgoe
- %ALLUSERSPROFILE%\wagmgicg\rceygace
- %HOMEPATH%\tgqwquyy\mmsccgoe.exe
- %ALLUSERSPROFILE%\wagmgicg\rceygace.exe
- %ALLUSERSPROFILE%\sycsmaas\amgmmiuq.exe
- 'bl##k.io':443
- DNS ASK bl##k.io
- '%HOMEPATH%\tgqwquyy\mmsccgoe.exe'
- '%ALLUSERSPROFILE%\wagmgicg\rceygace.exe'
- '%ALLUSERSPROFILE%\sycsmaas\amgmmiuq.exe'