Technical Information
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon] 'Shell' = 'Explorer.exe'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce] 'xeuanxbmvt' = 'lccspjxsltntsriuanee.exe .'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run] 'sarymxcoyxi' = 'espcwnyqglcfbxlux.exe'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run] 'sarymxcoyxi' = 'xkgslblcrvlnidqy.exe'
- [<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'pyqynzfsddpn' = 'ncaojbngxdvzwtiswh.exe'
- [<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce] 'oyraqdkyklyxp' = 'ncaojbngxdvzwtiswh.exe .'
- [<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce] 'oyraqdkyklyxp' = 'yoncyreyqxqvtrhsxjz.exe .'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] 'sezkcraqehwxrlx' = '%TEMP%\espcwnyqglcfbxlux.exe'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] 'sezkcraqehwxrlx' = '%TEMP%\yoncyreyqxqvtrhsxjz.exe'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run] 'nsgkvdfo' = '%TEMP%\espcwnyqglcfbxlux.exe'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run] 'nsgkvdfo' = '%TEMP%\ncaojbngxdvzwtiswh.exe'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] 'ekzeqzcmu' = 'astkidsoirmtttlyftlmd.exe'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce] 'xeuanxbmvt' = 'xkgslblcrvlnidqy.exe .'
- [<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce] 'xeuanxbmvt' = '%TEMP%\astkidsoirmtttlyftlmd.exe .'
- [<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'pyqynzfsddpn' = 'espcwnyqglcfbxlux.exe'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run] 'nsgkvdfo' = '%TEMP%\lccspjxsltntsriuanee.exe'
- [<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce] 'oyraqdkyklyxp' = 'astkidsoirmtttlyftlmd.exe .'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] 'sezkcraqehwxrlx' = '%TEMP%\lccspjxsltntsriuanee.exe'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce] 'pauevjrgtvjjcv' = '%TEMP%\espcwnyqglcfbxlux.exe .'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run] 'nsgkvdfo' = '%TEMP%\yoncyreyqxqvtrhsxjz.exe'
- [<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'ekzeqzcmu' = '%TEMP%\lccspjxsltntsriuanee.exe'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] 'ekzeqzcmu' = 'yoncyreyqxqvtrhsxjz.exe'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce] 'xeuanxbmvt' = 'espcwnyqglcfbxlux.exe .'
- [<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'pyqynzfsddpn' = 'astkidsoirmtttlyftlmd.exe'
- [<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce] 'xeuanxbmvt' = '%TEMP%\xkgslblcrvlnidqy.exe .'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run] 'sarymxcoyxi' = 'yoncyreyqxqvtrhsxjz.exe'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] 'ekzeqzcmu' = 'ncaojbngxdvzwtiswh.exe'
- [<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce] 'xeuanxbmvt' = '%TEMP%\lccspjxsltntsriuanee.exe .'
- [<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce] 'xeuanxbmvt' = '%TEMP%\espcwnyqglcfbxlux.exe .'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce] 'xeuanxbmvt' = 'ncaojbngxdvzwtiswh.exe .'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run] 'sarymxcoyxi' = 'lccspjxsltntsriuanee.exe'
- [<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'pyqynzfsddpn' = 'lccspjxsltntsriuanee.exe'
- [<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce] 'oyraqdkyklyxp' = 'espcwnyqglcfbxlux.exe .'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] 'sezkcraqehwxrlx' = '%TEMP%\ncaojbngxdvzwtiswh.exe'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce] 'pauevjrgtvjjcv' = '%TEMP%\ncaojbngxdvzwtiswh.exe .'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run] 'nsgkvdfo' = '%TEMP%\xkgslblcrvlnidqy.exe'
- [<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'ekzeqzcmu' = '%TEMP%\astkidsoirmtttlyftlmd.exe'
- [<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce] 'xeuanxbmvt' = '%TEMP%\yoncyreyqxqvtrhsxjz.exe .'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] 'ekzeqzcmu' = 'lccspjxsltntsriuanee.exe'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce] 'xeuanxbmvt' = 'astkidsoirmtttlyftlmd.exe .'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] 'ekzeqzcmu' = 'espcwnyqglcfbxlux.exe'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce] 'xeuanxbmvt' = 'yoncyreyqxqvtrhsxjz.exe .'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run] 'sarymxcoyxi' = 'astkidsoirmtttlyftlmd.exe'
- [<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'pyqynzfsddpn' = 'xkgslblcrvlnidqy.exe'
- [<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'pyqynzfsddpn' = 'yoncyreyqxqvtrhsxjz.exe'
- [<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce] 'oyraqdkyklyxp' = 'lccspjxsltntsriuanee.exe .'
- [<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce] 'oyraqdkyklyxp' = 'xkgslblcrvlnidqy.exe .'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] 'sezkcraqehwxrlx' = '%TEMP%\astkidsoirmtttlyftlmd.exe'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce] 'pauevjrgtvjjcv' = '%TEMP%\lccspjxsltntsriuanee.exe .'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce] 'pauevjrgtvjjcv' = '%TEMP%\xkgslblcrvlnidqy.exe .'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run] 'nsgkvdfo' = '%TEMP%\astkidsoirmtttlyftlmd.exe'
- [<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'ekzeqzcmu' = '%TEMP%\yoncyreyqxqvtrhsxjz.exe'
- [<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'ekzeqzcmu' = '%TEMP%\ncaojbngxdvzwtiswh.exe'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run] 'sarymxcoyxi' = 'ncaojbngxdvzwtiswh.exe'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce] 'pauevjrgtvjjcv' = '%TEMP%\yoncyreyqxqvtrhsxjz.exe .'
- [<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'ekzeqzcmu' = '%TEMP%\espcwnyqglcfbxlux.exe'
- <Drive name for removable media>:\ycpscjk.exe
- <Drive name for removable media>:\ycpscjk.bat
- <Drive name for removable media>:\ekzeqzcmu.bat
- <Drive name for removable media>:\sarymxcoyxi.bat
- <Drive name for removable media>:\autorun.inf
- hidden files
- Registry Editor (RegEdit)
- User Account Control (UAC)
- %TEMP%\onyvlbjmjji.exe
- %WINDIR%\syswow64\caheijeggvwjpvtmztryvza.xxm
- %ProgramFiles(x86)%\caheijeggvwjpvtmztryvza.xxm
- %LOCALAPPDATA%\caheijeggvwjpvtmztryvza.xxm
- %WINDIR%\caheijeggvwjpvtmztryvza.xxm
- %TEMP%\caheijeggvwjpvtmztryvza.xxm
- %WINDIR%\syswow64\pyqynzfsddpneveiglumujvbozzljaraec.qiq
- %ProgramFiles(x86)%\pyqynzfsddpneveiglumujvbozzljaraec.qiq
- %LOCALAPPDATA%\pyqynzfsddpneveiglumujvbozzljaraec.qiq
- %TEMP%\pyqynzfsddpneveiglumujvbozzljaraec.qiq
- D:\sarymxcoyxi.bat
- %TEMP%\oyraqdkyklyxp\xeuanxbmvt.exe
- %TEMP%\oyraqdkyklyxp\rcx177d.tmp
- C:\ycpscjk.bat
- C:\ekzeqzcmu.bat
- C:\sarymxcoyxi.bat
- C:\autorun.inf
- D:\ycpscjk.bat
- D:\ekzeqzcmu.bat
- %TEMP%\acnow.exe
- %WINDIR%\pyqynzfsddpneveiglumujvbozzljaraec.qiq
- %TEMP%\rkmedzpmhrnvwxqembuwon.exe
- %WINDIR%\espcwnyqglcfbxlux.exe
- %WINDIR%\syswow64\xkgslblcrvlnidqy.exe
- %WINDIR%\syswow64\espcwnyqglcfbxlux.exe
- %WINDIR%\syswow64\ncaojbngxdvzwtiswh.exe
- %WINDIR%\syswow64\yoncyreyqxqvtrhsxjz.exe
- %WINDIR%\syswow64\lccspjxsltntsriuanee.exe
- %WINDIR%\syswow64\astkidsoirmtttlyftlmd.exe
- %WINDIR%\syswow64\rkmedzpmhrnvwxqembuwon.exe
- %WINDIR%\xkgslblcrvlnidqy.exe
- %WINDIR%\ncaojbngxdvzwtiswh.exe
- %TEMP%\lccspjxsltntsriuanee.exe
- %WINDIR%\yoncyreyqxqvtrhsxjz.exe
- %WINDIR%\lccspjxsltntsriuanee.exe
- %WINDIR%\astkidsoirmtttlyftlmd.exe
- %WINDIR%\rkmedzpmhrnvwxqembuwon.exe
- %TEMP%\xkgslblcrvlnidqy.exe
- %TEMP%\espcwnyqglcfbxlux.exe
- %TEMP%\ncaojbngxdvzwtiswh.exe
- %TEMP%\yoncyreyqxqvtrhsxjz.exe
- %TEMP%\astkidsoirmtttlyftlmd.exe
- D:\autorun.inf
- %WINDIR%\syswow64\xkgslblcrvlnidqy.exe
- %TEMP%\caheijeggvwjpvtmztryvza.xxm
- %WINDIR%\syswow64\pyqynzfsddpneveiglumujvbozzljaraec.qiq
- %ProgramFiles(x86)%\pyqynzfsddpneveiglumujvbozzljaraec.qiq
- %LOCALAPPDATA%\pyqynzfsddpneveiglumujvbozzljaraec.qiq
- %WINDIR%\pyqynzfsddpneveiglumujvbozzljaraec.qiq
- %TEMP%\pyqynzfsddpneveiglumujvbozzljaraec.qiq
- C:\ycpscjk.bat
- %LOCALAPPDATA%\caheijeggvwjpvtmztryvza.xxm
- %WINDIR%\caheijeggvwjpvtmztryvza.xxm
- C:\ekzeqzcmu.bat
- D:\ycpscjk.bat
- D:\ekzeqzcmu.bat
- D:\sarymxcoyxi.bat
- D:\autorun.inf
- <Drive name for removable media>:\ycpscjk.exe
- <Drive name for removable media>:\ycpscjk.bat
- <Drive name for removable media>:\ekzeqzcmu.bat
- C:\sarymxcoyxi.bat
- C:\autorun.inf
- %ProgramFiles(x86)%\caheijeggvwjpvtmztryvza.xxm
- %WINDIR%\syswow64\caheijeggvwjpvtmztryvza.xxm
- %TEMP%\rkmedzpmhrnvwxqembuwon.exe
- %WINDIR%\syswow64\ncaojbngxdvzwtiswh.exe
- %WINDIR%\syswow64\yoncyreyqxqvtrhsxjz.exe
- %WINDIR%\syswow64\lccspjxsltntsriuanee.exe
- %WINDIR%\syswow64\astkidsoirmtttlyftlmd.exe
- %WINDIR%\syswow64\rkmedzpmhrnvwxqembuwon.exe
- %WINDIR%\xkgslblcrvlnidqy.exe
- %WINDIR%\espcwnyqglcfbxlux.exe
- %WINDIR%\ncaojbngxdvzwtiswh.exe
- %WINDIR%\syswow64\espcwnyqglcfbxlux.exe
- %WINDIR%\yoncyreyqxqvtrhsxjz.exe
- %WINDIR%\astkidsoirmtttlyftlmd.exe
- %WINDIR%\rkmedzpmhrnvwxqembuwon.exe
- %TEMP%\xkgslblcrvlnidqy.exe
- %TEMP%\espcwnyqglcfbxlux.exe
- %TEMP%\ncaojbngxdvzwtiswh.exe
- %TEMP%\yoncyreyqxqvtrhsxjz.exe
- %TEMP%\lccspjxsltntsriuanee.exe
- %TEMP%\astkidsoirmtttlyftlmd.exe
- %WINDIR%\lccspjxsltntsriuanee.exe
- <Drive name for removable media>:\sarymxcoyxi.bat
- <Drive name for removable media>:\autorun.inf
- from %TEMP%\oyraqdkyklyxp\rcx177d.tmp to %TEMP%\oyraqdkyklyxp\xeuanxbmvt.exe
- '10#.#26.229.195':40990
- http://www.wh###smyip.com/
- http://www.sh####ipaddress.com/
- http://wh#####yipaddress.com/
- http://www.my##ace.com/
- http://www.fa###ook.com/
- http://sa##ls.info/
- DNS ASK wh###smyip.com
- DNS ASK ci##ik.net
- DNS ASK me####uiwcymao.info
- DNS ASK sj####nansnan.org
- DNS ASK sn####nansnan.cc
- DNS ASK qs##pk.net
- DNS ASK wy####uiwcymao.net
- DNS ASK qf####nansnan.org
- DNS ASK sn###ufqbex.com
- DNS ASK qo###wiq.net
- DNS ASK ig####uiwcymao.info
- DNS ASK rx###wfox.com
- DNS ASK hq##ikn.com
- DNS ASK oi###qeoya.biz
- DNS ASK sa##ls.info
- DNS ASK au####dsholapet.org
- DNS ASK fa###ook.com
- DNS ASK my##ace.com
- DNS ASK wh#####yipaddress.com
- DNS ASK sh####ipaddress.com
- DNS ASK wh#####yip.everdot.org
- DNS ASK wh###smyip.ca
- DNS ASK hi##lsn.cc
- DNS ASK xj##wgn.cc
- '%TEMP%\onyvlbjmjji.exe' "<Full path to file>*"
- '%TEMP%\acnow.exe' "-<SYSTEM32>\\xkgslblcrvlnidqy.exe"