Technical Information (observed artifacts as listed below: registry autorun values, launched processes, file paths, file renames, network activity, window class name)
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run] 'MessageService' = '<LS_APPDATA>\mqtgsvc.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'ClipSrv' = '<LS_APPDATA>\Microsoft\clipsrv.exe'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'MessageService' = '<LS_APPDATA>\mqtgsvc.exe'
- [<HKCU>\Software\Microsoft\Windows NT\CurrentVersion\Windows] 'run' = '%APPDATA%\ieudinit.exe'
- [<HKCU>\Software\Microsoft\Windows NT\CurrentVersion\Windows] 'load' = '%APPDATA%\winlogon.exe'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'Spooler' = '<LS_APPDATA>\Microsoft\Windows\spoolsv.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run] 'WinLogon' = '<LS_APPDATA>\Microsoft\Windows\winlogon.exe'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run] 'lsm service' = '%WINDIR%\System\lsm.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run] 'EseNtUtl' = '<DRIVERS>\esentutl.exe'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'Microsoft RSVP' = '%WINDIR%\rsvp.exe'
- <LS_APPDATA>\Microsoft\wininit.exe /c 21
- <LS_APPDATA>\Microsoft\Windows\spoolsv.exe /c 57
- <LS_APPDATA>\Microsoft\Windows\winlogon.exe /c 11
- %WINDIR%\system\dllhst3g.exe /c 73
- <LS_APPDATA>\Microsoft\Windows\spoolsv.exe /c 34
- %WINDIR%\system\lsm.exe /c 33
- %WINDIR%\rsvp.exe /c 52
- %WINDIR%\system\clipsrv.exe /c 14
- <LS_APPDATA>\Microsoft\mqtgsvc.exe /c 58
- <LS_APPDATA>\Microsoft\Windows\winlogon.exe /r
- <DRIVERS>\mqtgsvc.exe /c 25
- <LS_APPDATA>\Microsoft\Windows\spoolsv.exe /c 46
- <LS_APPDATA>\Microsoft\Windows\winlogon.exe /c 64
- %APPDATA%\mstsc.exe /c 47
- %APPDATA%\Microsoft\ieudinit.exe /c 21
- <LS_APPDATA>\Microsoft\Windows\smss.exe /c 48
- <LS_APPDATA>\Microsoft\Windows\winlogon.exe /c 14
- <LS_APPDATA>\Microsoft\winlogon.exe /c 38
- %APPDATA%\mqtgsvc.exe /c 50
- %WINDIR%\system\RCXE.tmp
- %WINDIR%\system\lsm.exe
- %WINDIR%\rsvp.exe
- <DRIVERS>\esentutl.exe
- %WINDIR%\RCXF.tmp
- %WINDIR%\system\clipsrv.exe
- <LS_APPDATA>\Microsoft\Windows\RCXB.tmp
- %WINDIR%\system\RCXC.tmp
- <LS_APPDATA>\Microsoft\RCXD.tmp
- <LS_APPDATA>\Microsoft\mqtgsvc.exe
- %APPDATA%\winlogon.exe
- <LS_APPDATA>\RCX13.tmp
- %APPDATA%\RCX14.tmp
- %APPDATA%\RCX15.tmp
- %APPDATA%\ieudinit.exe
- <LS_APPDATA>\Microsoft\clipsrv.exe
- <DRIVERS>\RCX10.tmp
- <LS_APPDATA>\Microsoft\RCX11.tmp
- <LS_APPDATA>\RCX12.tmp
- <LS_APPDATA>\mqtgsvc.exe
- <LS_APPDATA>\Microsoft\RCXA.tmp
- <DRIVERS>\RCX3.tmp
- <DRIVERS>\mqtgsvc.exe
- <LS_APPDATA>\Microsoft\Windows\spoolsv.exe
- %APPDATA%\Microsoft\ieudinit.exe
- <LS_APPDATA>\Microsoft\Windows\RCX4.tmp
- <LS_APPDATA>\Microsoft\Windows\winlogon.exe
- %TEMP%\Twain002.Mtx
- <LS_APPDATA>\Microsoft\Windows\RCX1.tmp
- %APPDATA%\RCX2.tmp
- %APPDATA%\mstsc.exe
- <LS_APPDATA>\Microsoft\Windows\RCX8.tmp
- <LS_APPDATA>\Microsoft\Windows\smss.exe
- %WINDIR%\system\dllhst3g.exe
- <LS_APPDATA>\Microsoft\wininit.exe
- %WINDIR%\system\RCX9.tmp
- <LS_APPDATA>\Microsoft\winlogon.exe
- %APPDATA%\Microsoft\RCX5.tmp
- <LS_APPDATA>\Microsoft\RCX6.tmp
- %APPDATA%\RCX7.tmp
- %APPDATA%\mqtgsvc.exe
- %WINDIR%\system\lsm.exe
- %WINDIR%\rsvp.exe
- %WINDIR%\system\clipsrv.exe
- <LS_APPDATA>\Microsoft\mqtgsvc.exe
- <DRIVERS>\esentutl.exe
- %APPDATA%\winlogon.exe
- %APPDATA%\ieudinit.exe
- <LS_APPDATA>\Microsoft\clipsrv.exe
- <LS_APPDATA>\mqtgsvc.exe
- <LS_APPDATA>\Microsoft\wininit.exe
- <DRIVERS>\mqtgsvc.exe
- <LS_APPDATA>\Microsoft\Windows\spoolsv.exe
- <LS_APPDATA>\Microsoft\Windows\winlogon.exe
- %APPDATA%\mstsc.exe
- %APPDATA%\Microsoft\ieudinit.exe
- <LS_APPDATA>\Microsoft\Windows\smss.exe
- %WINDIR%\system\dllhst3g.exe
- <LS_APPDATA>\Microsoft\winlogon.exe
- %APPDATA%\mqtgsvc.exe
- from %WINDIR%\RCXF.tmp to %WINDIR%\rsvp.exe
- from <DRIVERS>\RCX10.tmp to <DRIVERS>\esentutl.exe
- from %WINDIR%\system\RCXE.tmp to %WINDIR%\system\lsm.exe
- from %WINDIR%\system\RCXC.tmp to %WINDIR%\system\clipsrv.exe
- from <LS_APPDATA>\Microsoft\RCXD.tmp to <LS_APPDATA>\Microsoft\mqtgsvc.exe
- from %APPDATA%\RCX14.tmp to %APPDATA%\winlogon.exe
- from %APPDATA%\RCX15.tmp to %APPDATA%\ieudinit.exe
- from <LS_APPDATA>\RCX13.tmp to <LS_APPDATA>\mqtgsvc.exe
- from <LS_APPDATA>\Microsoft\RCX11.tmp to <LS_APPDATA>\Microsoft\clipsrv.exe
- from <LS_APPDATA>\RCX12.tmp to <LS_APPDATA>\mqtgsvc.exe
- from <LS_APPDATA>\Microsoft\Windows\RCXB.tmp to <LS_APPDATA>\Microsoft\Windows\spoolsv.exe
- from <LS_APPDATA>\Microsoft\Windows\RCX4.tmp to <LS_APPDATA>\Microsoft\Windows\spoolsv.exe
- from %APPDATA%\Microsoft\RCX5.tmp to %APPDATA%\Microsoft\ieudinit.exe
- from <DRIVERS>\RCX3.tmp to <DRIVERS>\mqtgsvc.exe
- from <LS_APPDATA>\Microsoft\Windows\RCX1.tmp to <LS_APPDATA>\Microsoft\Windows\winlogon.exe
- from %APPDATA%\RCX2.tmp to %APPDATA%\mstsc.exe
- from %WINDIR%\system\RCX9.tmp to %WINDIR%\system\dllhst3g.exe
- from <LS_APPDATA>\Microsoft\RCXA.tmp to <LS_APPDATA>\Microsoft\wininit.exe
- from <LS_APPDATA>\Microsoft\Windows\RCX8.tmp to <LS_APPDATA>\Microsoft\Windows\smss.exe
- from <LS_APPDATA>\Microsoft\RCX6.tmp to <LS_APPDATA>\Microsoft\winlogon.exe
- from %APPDATA%\RCX7.tmp to %APPDATA%\mqtgsvc.exe
- 'www.ms###csi.com':80
- www.ms###csi.com/ncsi.txt
- DNS ASK www.ms###csi.com
- DNS ASK dn#.##ftncsi.com
- DNS ASK ly###s-db.org
- ClassName: 'Indicator' WindowName: ''