Technical Information
- [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'QQ°²È«ÖÐÐÄ' = 'C:\Users\Public\1.exe'
- [HKLM\System\CurrentControlSet\Services\CreateSvcRpc_1292015] 'ImagePath' = 'reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v QQ°²È«ÖÐÐÄ /t REG_SZ /d "C:\Users\Public\1.exe" /f'
- 'CreateSvcRpc_1292015' reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v QQ°²È«ÖÐÐÄ /t REG_SZ /d "C:\Users\Public\1.exe" /f
- <SYSTEM32>\reg.exe
- C:\users\public\proj.exe
- C:\users\public\1.exe
- '47.##1.11.103':80
- '12#.#1.21.197':80
- '12#.#1.21.197':3004
- http://47.##1.11.103/dsaf121.41.21.197.txt
- http://12#.#1.21.197/mm.txt
- http://12#.#1.21.197/m.txt
- 'C:\users\public\proj.exe'
- 'C:\users\public\1.exe'
- '%WINDIR%\syswow64\wbem\wmic.exe' process get ExecutablePath,Name (with hidden window)
- 'C:\users\public\1.exe' (with hidden window)
- '%WINDIR%\syswow64\wbem\wmic.exe' process get ExecutablePath,Name
- '<SYSTEM32>\reg.exe' add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v QQ°²È«ÖÐÐÄ /t REG_SZ /d "C:\Users\Public\1.exe" /f