Technical Information
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon] 'Shell' = 'Explorer.exe'
- [<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce] 'pbncgviozlw' = '%TEMP%\vpjgspkyrlevwplvjlv.exe .'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] 'ufqehvhmwh' = 'kdwsdztgyrjzzrmvij.exe'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce] 'pbncgviozlw' = 'idywjhdsmhbtvpmxmpah.exe .'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run] 'mzmchxlserdn' = 'btlgqleqhzqfevpxj.exe'
- [<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'lznekbqylzmxs' = 'ulcwfzrcsjznlbub.exe'
- [<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'lznekbqylzmxs' = 'xtpocbyojfatwrpbrvhpb.exe'
- [<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce] 'mbqiphxgujxjft' = 'xtpocbyojfatwrpbrvhpb.exe .'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] 'ulcwfzrcsjznlbub' = '%TEMP%\ulcwfzrcsjznlbub.exe'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce] 'pfvowpgqfvkxujb' = '%TEMP%\kdwsdztgyrjzzrmvij.exe .'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run] 'blvikximv' = '%TEMP%\btlgqleqhzqfevpxj.exe'
- [<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce] 'pbncgviozlw' = '%TEMP%\xtpocbyojfatwrpbrvhpb.exe .'
- [<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce] 'mbqiphxgujxjft' = 'ulcwfzrcsjznlbub.exe .'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] 'ufqehvhmwh' = 'btlgqleqhzqfevpxj.exe'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run] 'mzmchxlserdn' = 'vpjgspkyrlevwplvjlv.exe'
- [<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'lznekbqylzmxs' = 'idywjhdsmhbtvpmxmpah.exe'
- [<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce] 'mbqiphxgujxjft' = 'btlgqleqhzqfevpxj.exe .'
- [<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce] 'mbqiphxgujxjft' = 'kdwsdztgyrjzzrmvij.exe .'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] 'ulcwfzrcsjznlbub' = '%TEMP%\idywjhdsmhbtvpmxmpah.exe'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce] 'pfvowpgqfvkxujb' = '%TEMP%\xtpocbyojfatwrpbrvhpb.exe .'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run] 'blvikximv' = '%TEMP%\kdwsdztgyrjzzrmvij.exe'
- [<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce] 'pbncgviozlw' = '%TEMP%\ulcwfzrcsjznlbub.exe .'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run] 'mzmchxlserdn' = 'xtpocbyojfatwrpbrvhpb.exe'
- [<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce] 'pbncgviozlw' = '%TEMP%\idywjhdsmhbtvpmxmpah.exe .'
- [<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'ufqehvhmwh' = '%TEMP%\btlgqleqhzqfevpxj.exe'
- [<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'ufqehvhmwh' = '%TEMP%\idywjhdsmhbtvpmxmpah.exe'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] 'ufqehvhmwh' = 'vpjgspkyrlevwplvjlv.exe'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] 'ufqehvhmwh' = 'idywjhdsmhbtvpmxmpah.exe'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce] 'pbncgviozlw' = 'btlgqleqhzqfevpxj.exe .'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run] 'mzmchxlserdn' = 'ulcwfzrcsjznlbub.exe'
- [<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'lznekbqylzmxs' = 'btlgqleqhzqfevpxj.exe'
- [<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce] 'mbqiphxgujxjft' = 'vpjgspkyrlevwplvjlv.exe .'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] 'ulcwfzrcsjznlbub' = '%TEMP%\kdwsdztgyrjzzrmvij.exe'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce] 'pfvowpgqfvkxujb' = '%TEMP%\idywjhdsmhbtvpmxmpah.exe .'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run] 'blvikximv' = '%TEMP%\vpjgspkyrlevwplvjlv.exe'
- [<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'ufqehvhmwh' = '%TEMP%\kdwsdztgyrjzzrmvij.exe'
- [<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce] 'pbncgviozlw' = '%TEMP%\kdwsdztgyrjzzrmvij.exe .'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] 'ufqehvhmwh' = 'xtpocbyojfatwrpbrvhpb.exe'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run] 'blvikximv' = '%TEMP%\ulcwfzrcsjznlbub.exe'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce] 'pbncgviozlw' = 'xtpocbyojfatwrpbrvhpb.exe .'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce] 'pbncgviozlw' = 'vpjgspkyrlevwplvjlv.exe .'
- [<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'lznekbqylzmxs' = 'vpjgspkyrlevwplvjlv.exe'
- [<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'lznekbqylzmxs' = 'kdwsdztgyrjzzrmvij.exe'
- [<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce] 'mbqiphxgujxjft' = 'idywjhdsmhbtvpmxmpah.exe .'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] 'ulcwfzrcsjznlbub' = '%TEMP%\btlgqleqhzqfevpxj.exe'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] 'ulcwfzrcsjznlbub' = '%TEMP%\vpjgspkyrlevwplvjlv.exe'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce] 'pfvowpgqfvkxujb' = '%TEMP%\btlgqleqhzqfevpxj.exe .'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce] 'pfvowpgqfvkxujb' = '%TEMP%\vpjgspkyrlevwplvjlv.exe .'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run] 'blvikximv' = '%TEMP%\idywjhdsmhbtvpmxmpah.exe'
- [<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'ufqehvhmwh' = '%TEMP%\vpjgspkyrlevwplvjlv.exe'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run] 'blvikximv' = '%TEMP%\xtpocbyojfatwrpbrvhpb.exe'
- hidden files
- Registry Editor (RegEdit)
- User Account Control (UAC)
- %TEMP%\qzsdrtztvtw.exe
- %TEMP%\idywjhdsmhbtvpmxmpah.exe
- %TEMP%\xtpocbyojfatwrpbrvhpb.exe
- %TEMP%\oliixxvmifbvzvuhydqzmj.exe
- %TEMP%\xdjsq.exe
- %WINDIR%\syswow64\otygdlrquzdfrvcxwjevqvaifn.swb
- %ProgramFiles(x86)%\otygdlrquzdfrvcxwjevqvaifn.swb
- %WINDIR%\otygdlrquzdfrvcxwjevqvaifn.swb
- %TEMP%\ufqehvhmwh\ufqehvhmwh.exe
- %TEMP%\otygdlrquzdfrvcxwjevqvaifn.swb
- %WINDIR%\syswow64\pfvowpgqfvkxujbhrpvxdtjckduetjylixpvf.jlr
- %ProgramFiles(x86)%\pfvowpgqfvkxujbhrpvxdtjckduetjylixpvf.jlr
- %LOCALAPPDATA%\pfvowpgqfvkxujbhrpvxdtjckduetjylixpvf.jlr
- %WINDIR%\pfvowpgqfvkxujbhrpvxdtjckduetjylixpvf.jlr
- %TEMP%\pfvowpgqfvkxujbhrpvxdtjckduetjylixpvf.jlr
- %TEMP%\vpjgspkyrlevwplvjlv.exe
- %LOCALAPPDATA%\otygdlrquzdfrvcxwjevqvaifn.swb
- %TEMP%\kdwsdztgyrjzzrmvij.exe
- %WINDIR%\syswow64\oliixxvmifbvzvuhydqzmj.exe
- %WINDIR%\syswow64\ulcwfzrcsjznlbub.exe
- %WINDIR%\syswow64\btlgqleqhzqfevpxj.exe
- %WINDIR%\syswow64\kdwsdztgyrjzzrmvij.exe
- %WINDIR%\syswow64\vpjgspkyrlevwplvjlv.exe
- %WINDIR%\syswow64\idywjhdsmhbtvpmxmpah.exe
- %WINDIR%\syswow64\xtpocbyojfatwrpbrvhpb.exe
- %WINDIR%\ulcwfzrcsjznlbub.exe
- %TEMP%\ulcwfzrcsjznlbub.exe
- %WINDIR%\btlgqleqhzqfevpxj.exe
- %WINDIR%\kdwsdztgyrjzzrmvij.exe
- %WINDIR%\vpjgspkyrlevwplvjlv.exe
- %WINDIR%\idywjhdsmhbtvpmxmpah.exe
- %WINDIR%\xtpocbyojfatwrpbrvhpb.exe
- %WINDIR%\oliixxvmifbvzvuhydqzmj.exe
- %TEMP%\btlgqleqhzqfevpxj.exe
- %TEMP%\ufqehvhmwh\rcx6648.tmp
- %WINDIR%\syswow64\ulcwfzrcsjznlbub.exe
- %LOCALAPPDATA%\pfvowpgqfvkxujbhrpvxdtjckduetjylixpvf.jlr
- %ProgramFiles(x86)%\pfvowpgqfvkxujbhrpvxdtjckduetjylixpvf.jlr
- %WINDIR%\syswow64\pfvowpgqfvkxujbhrpvxdtjckduetjylixpvf.jlr
- %TEMP%\otygdlrquzdfrvcxwjevqvaifn.swb
- %WINDIR%\otygdlrquzdfrvcxwjevqvaifn.swb
- %LOCALAPPDATA%\otygdlrquzdfrvcxwjevqvaifn.swb
- %ProgramFiles(x86)%\otygdlrquzdfrvcxwjevqvaifn.swb
- %WINDIR%\syswow64\otygdlrquzdfrvcxwjevqvaifn.swb
- %TEMP%\oliixxvmifbvzvuhydqzmj.exe
- %TEMP%\xtpocbyojfatwrpbrvhpb.exe
- %TEMP%\idywjhdsmhbtvpmxmpah.exe
- %TEMP%\vpjgspkyrlevwplvjlv.exe
- %TEMP%\kdwsdztgyrjzzrmvij.exe
- %WINDIR%\pfvowpgqfvkxujbhrpvxdtjckduetjylixpvf.jlr
- %TEMP%\btlgqleqhzqfevpxj.exe
- %WINDIR%\oliixxvmifbvzvuhydqzmj.exe
- %WINDIR%\xtpocbyojfatwrpbrvhpb.exe
- %WINDIR%\idywjhdsmhbtvpmxmpah.exe
- %WINDIR%\vpjgspkyrlevwplvjlv.exe
- %WINDIR%\kdwsdztgyrjzzrmvij.exe
- %WINDIR%\btlgqleqhzqfevpxj.exe
- %WINDIR%\ulcwfzrcsjznlbub.exe
- %WINDIR%\syswow64\oliixxvmifbvzvuhydqzmj.exe
- %WINDIR%\syswow64\xtpocbyojfatwrpbrvhpb.exe
- %WINDIR%\syswow64\idywjhdsmhbtvpmxmpah.exe
- %WINDIR%\syswow64\vpjgspkyrlevwplvjlv.exe
- %WINDIR%\syswow64\kdwsdztgyrjzzrmvij.exe
- %WINDIR%\syswow64\btlgqleqhzqfevpxj.exe
- %TEMP%\ulcwfzrcsjznlbub.exe
- %TEMP%\pfvowpgqfvkxujbhrpvxdtjckduetjylixpvf.jlr
- from %TEMP%\ufqehvhmwh\rcx6648.tmp to %TEMP%\ufqehvhmwh\ufqehvhmwh.exe
- http://wh#####yipaddress.com/
- http://www.wh###smyip.com/
- http://www.sh####ipaddress.com/
- http://www.google.com/
- http://wm##eq.org/
- http://sh###mdf.info/
- DNS ASK wh#####yipaddress.com
- DNS ASK wh#####yip.everdot.org
- DNS ASK wh###smyip.com
- DNS ASK sh####ipaddress.com
- DNS ASK wh###smyip.ca
- DNS ASK google.com
- DNS ASK wm##eq.org
- DNS ASK gh###icd.info
- DNS ASK is###mwk.com
- DNS ASK bf###tim.info
- DNS ASK sh###mdf.info
- DNS ASK sq##fwo.net
- DNS ASK qi##hl.info
- DNS ASK yg###sf.info
- '%TEMP%\qzsdrtztvtw.exe' "<Full path to file>*"
- '%TEMP%\xdjsq.exe' "-%TEMP%\ulcwfzrcsjznlbub.exe"