Technical Information
- [<HKLM>\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command] '' = '"<LS_APPDATA>\app.exe" -a "%PROGRAM_FILES%\Internet Explorer\iexplore.exe"'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] '386692799' = '<LS_APPDATA>\app.exe'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'ctfmon.exe' = '<SYSTEM32>\ctfmon.exe'
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile] 'EnableFirewall' = '00000000'
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile] 'DoNotAllowExceptions' = '00000000'
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile] 'DisableNotifications' = '00000001'
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] 'EnableFirewall' = '00000000'
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] 'DoNotAllowExceptions' = '00000000'
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] 'DisableNotifications' = '00000001'
- Windows Security Center
- <LS_APPDATA>\app.exe -gav <Full path to virus>
- chrome.exe
- opera.exe
- iexplore.exe
- firefox.exe
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] 'Icon' = 'inetcpl.cpl#001313'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] 'Description' = 'This zone contains all Web sites you haven't placed in other zones'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] 'RecommendedLevel' = '00011000'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] 'MinLevel' = '00011000'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] 'DisplayName' = 'Internet'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2] 'Flags' = '00000047'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2] 'RecommendedLevel' = '00010000'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] '' = ''
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2] '1805' = '00000000'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4] 'MinLevel' = '00012000'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4] 'Icon' = 'inetcpl.cpl#00004481'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4] 'Flags' = '00000003'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4] 'RecommendedLevel' = '00012000'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4] 'Description' = 'This zone contains Web sites that could potentially damage your computer or data.'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] '1805' = '00000001'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] 'Flags' = '00000001'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4] 'DisplayName' = 'Restricted sites'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4] '' = ''
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2] 'MinLevel' = '00010000'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0] '1805' = '00000000'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0] 'Flags' = '00000021'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1] 'DisplayName' = 'Local intranet'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1] '' = ''
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0] 'CurrentLevel' = '00000000'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0] 'DisplayName' = 'My Computer'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0] '' = ''
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0] 'Icon' = 'explorer.exe#0100'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0] 'Description' = 'Your computer'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2] 'DisplayName' = 'Trusted sites'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2] '' = ''
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2] 'Icon' = 'inetcpl.cpl#00004480'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2] 'Description' = 'This zone contains Web sites that you trust not to damage your computer or data.'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1] '1805' = '00000000'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1] 'Icon' = 'shell32.dll#0018'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1] 'Description' = 'This zone contains all Web sites that are on your organization's intranet.'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1] 'RecommendedLevel' = '00010500'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1] 'MinLevel' = '00010000'
- %WINDIR%\RGI2.tmp
- %HOMEPATH%\Templates\r33536ux4totcsm1000ih3kf34jcuip81
- %TEMP%\RGI4.tmp
- %WINDIR%\RGI3.tmp
- <LS_APPDATA>\r33536ux4totcsm1000ih3kf34jcuip81
- <LS_APPDATA>\app.exe
- %TEMP%\r33536ux4totcsm1000ih3kf34jcuip81
- %ALLUSERSPROFILE%\Application Data\r33536ux4totcsm1000ih3kf34jcuip81
- %TEMP%\RGI4.tmp
- %WINDIR%\RGI3.tmp
- 'ti###uqel.com':80
- 'da###ufigaj.com':80
- 'su###ebaq.com':80
- 'wy###ediwo.com':80
- 'ci####cuqekexo.com':80
- 'za####tahuryp.com':80
- 'fo####wupode.com':80
- 'sy####lurypugi.com':80
- 'si####qilugoq.com':80
- 'le###ehup.com':80
- 'xi####xegybozi.com':80
- '20#.#6.232.182':80
- 'le####jezociw.com':80
- 'tu####kenuqi.com':80
- 'ra####bareme.com':80
- 'xo###ipowu.com':80
- 'po###ybaru.com':80
- 'pu####cyvazym.com':80
- 'he###ixiru.com':80
- 'zy####wodojyx.com':80
- 'gi####powaqa.com':80
- 'qo###ifelaw.com':80
- 'wa####qohuli.com':80
- 'pe###ehywe.com':80
- 'ci####rijugeg.com':80
- 'do####cufinulo.com':80
- 'gi###eceta.com':80
- 'he###yheduf.com':80
- 'di###akiri.com':80
- DNS ASK su###ebaq.com
- DNS ASK da###ufigaj.com
- DNS ASK le####jezociw.com
- DNS ASK microsoft.com
- DNS ASK fo####wupode.com
- DNS ASK za####tahuryp.com
- DNS ASK ti###uqel.com
- DNS ASK wy###ediwo.com
- DNS ASK zi####qeqite.com
- DNS ASK le###ehup.com
- DNS ASK me####lykowuw.com
- DNS ASK pa####kavygaj.com
- DNS ASK xi####xegybozi.com
- DNS ASK tu####kenuqi.com
- DNS ASK si####qilugoq.com
- DNS ASK sy####lurypugi.com
- DNS ASK po###ybaru.com
- DNS ASK xo###ipowu.com
- DNS ASK gi###eceta.com
- DNS ASK pu####cyvazym.com
- DNS ASK gi####powaqa.com
- DNS ASK zy####wodojyx.com
- DNS ASK he###ixiru.com
- DNS ASK qo###ifelaw.com
- DNS ASK ci####rijugeg.com
- DNS ASK pe###ehywe.com
- DNS ASK ci####cuqekexo.com
- DNS ASK ra####bareme.com
- DNS ASK di###akiri.com
- DNS ASK he###yheduf.com
- DNS ASK wa####qohuli.com
- DNS ASK do####cufinulo.com
- ClassName: 'Shell_TrayWnd' WindowName: ''
- ClassName: 'msascui_class' WindowName: ''
- ClassName: 'Indicator' WindowName: ''