Technical Information
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon] 'Shell' = 'Explorer.exe'
- [<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce] 'nyqdhzdoyln' = '%TEMP%\zqohrpzqgzhmvwlzj.exe .'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] 'sctfizcmvh' = 'gabxklyslhsamqizmeca.exe'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce] 'nyqdhzdoyln' = 'tmmhttfyqlvcnqhxjax.exe .'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run] 'kwpdibgsdruu' = 'tmmhttfyqlvcnqhxjax.exe'
- [<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'jwqflflykzdej' = 'zqohrpzqgzhmvwlzj.exe'
- [<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'jwqflflykzdej' = 'sifxgdmcrjquccqd.exe'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] 'sifxgdmcrjquccqd' = '%TEMP%\sifxgdmcrjquccqd.exe'
- [<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce] 'kytjqlsgtjoqwu' = 'iaztedogxragqsixiy.exe .'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce] 'ncypxtbqevbelkx' = '%TEMP%\tmmhttfyqlvcnqhxjax.exe .'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] 'sifxgdmcrjquccqd' = '%TEMP%\zqohrpzqgzhmvwlzj.exe'
- [<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'sctfizcmvh' = '%TEMP%\vqspdftoifransldrkjiv.exe'
- [<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'sctfizcmvh' = '%TEMP%\gabxklyslhsamqizmeca.exe'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run] 'ziyjlbdmu' = '%TEMP%\sifxgdmcrjquccqd.exe'
- [<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce] 'nyqdhzdoyln' = '%TEMP%\vqspdftoifransldrkjiv.exe .'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce] 'nyqdhzdoyln' = 'gabxklyslhsamqizmeca.exe .'
- [<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce] 'kytjqlsgtjoqwu' = 'gabxklyslhsamqizmeca.exe .'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run] 'ziyjlbdmu' = '%TEMP%\tmmhttfyqlvcnqhxjax.exe'
- [<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'sctfizcmvh' = '%TEMP%\iaztedogxragqsixiy.exe'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run] 'kwpdibgsdruu' = 'vqspdftoifransldrkjiv.exe'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run] 'ziyjlbdmu' = '%TEMP%\gabxklyslhsamqizmeca.exe'
- [<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'sctfizcmvh' = '%TEMP%\zqohrpzqgzhmvwlzj.exe'
- [<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce] 'nyqdhzdoyln' = '%TEMP%\iaztedogxragqsixiy.exe .'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] 'sctfizcmvh' = 'tmmhttfyqlvcnqhxjax.exe'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run] 'kwpdibgsdruu' = 'zqohrpzqgzhmvwlzj.exe'
- [<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce] 'nyqdhzdoyln' = '%TEMP%\gabxklyslhsamqizmeca.exe .'
- [<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce] 'nyqdhzdoyln' = '%TEMP%\tmmhttfyqlvcnqhxjax.exe .'
- [<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'sctfizcmvh' = '%TEMP%\sifxgdmcrjquccqd.exe'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] 'sctfizcmvh' = 'sifxgdmcrjquccqd.exe'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] 'sctfizcmvh' = 'zqohrpzqgzhmvwlzj.exe'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce] 'nyqdhzdoyln' = 'sifxgdmcrjquccqd.exe .'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run] 'kwpdibgsdruu' = 'gabxklyslhsamqizmeca.exe'
- [<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'jwqflflykzdej' = 'vqspdftoifransldrkjiv.exe'
- [<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce] 'kytjqlsgtjoqwu' = 'zqohrpzqgzhmvwlzj.exe .'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] 'sifxgdmcrjquccqd' = '%TEMP%\gabxklyslhsamqizmeca.exe'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce] 'ncypxtbqevbelkx' = '%TEMP%\iaztedogxragqsixiy.exe .'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run] 'ziyjlbdmu' = '%TEMP%\vqspdftoifransldrkjiv.exe'
- [<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'sctfizcmvh' = '%TEMP%\tmmhttfyqlvcnqhxjax.exe'
- [<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce] 'nyqdhzdoyln' = '%TEMP%\sifxgdmcrjquccqd.exe .'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] 'sctfizcmvh' = 'vqspdftoifransldrkjiv.exe'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce] 'nyqdhzdoyln' = 'zqohrpzqgzhmvwlzj.exe .'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run] 'ziyjlbdmu' = '%TEMP%\iaztedogxragqsixiy.exe'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce] 'nyqdhzdoyln' = 'iaztedogxragqsixiy.exe .'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run] 'kwpdibgsdruu' = 'iaztedogxragqsixiy.exe'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run] 'kwpdibgsdruu' = 'sifxgdmcrjquccqd.exe'
- [<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'jwqflflykzdej' = 'gabxklyslhsamqizmeca.exe'
- [<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'jwqflflykzdej' = 'tmmhttfyqlvcnqhxjax.exe'
- [<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce] 'kytjqlsgtjoqwu' = 'sifxgdmcrjquccqd.exe .'
- [<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce] 'kytjqlsgtjoqwu' = 'vqspdftoifransldrkjiv.exe .'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] 'sifxgdmcrjquccqd' = '%TEMP%\iaztedogxragqsixiy.exe'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] 'sifxgdmcrjquccqd' = '%TEMP%\vqspdftoifransldrkjiv.exe'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce] 'ncypxtbqevbelkx' = '%TEMP%\gabxklyslhsamqizmeca.exe .'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce] 'ncypxtbqevbelkx' = '%TEMP%\zqohrpzqgzhmvwlzj.exe .'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run] 'ziyjlbdmu' = '%TEMP%\zqohrpzqgzhmvwlzj.exe'
- [<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce] 'kytjqlsgtjoqwu' = 'tmmhttfyqlvcnqhxjax.exe .'
- hidden files
- Registry Editor (RegEdit)
- User Account Control (UAC)
- %TEMP%\hgjenvzixmp.exe
- <LS_APPDATA>\sifxgdmcrjquccqdmauowegwtluraqfxeiqqer.oic
- %ProgramFiles(x86)%\sifxgdmcrjquccqdmauowegwtluraqfxeiqqer.oic
- %WINDIR%\syswow64\sifxgdmcrjquccqdmauowegwtluraqfxeiqqer.oic
- %TEMP%\vamtrdbgkrngdsvxvyhqnkbgszx.hmq
- %WINDIR%\vamtrdbgkrngdsvxvyhqnkbgszx.hmq
- <LS_APPDATA>\vamtrdbgkrngdsvxvyhqnkbgszx.hmq
- %ProgramFiles(x86)%\vamtrdbgkrngdsvxvyhqnkbgszx.hmq
- %WINDIR%\syswow64\vamtrdbgkrngdsvxvyhqnkbgszx.hmq
- %TEMP%\vamtr.exe
- %TEMP%\miljybqmhfscqwqjysssgu.exe
- %TEMP%\vqspdftoifransldrkjiv.exe
- %TEMP%\gabxklyslhsamqizmeca.exe
- %TEMP%\tmmhttfyqlvcnqhxjax.exe
- %TEMP%\iaztedogxragqsixiy.exe
- %WINDIR%\sifxgdmcrjquccqdmauowegwtluraqfxeiqqer.oic
- %TEMP%\zqohrpzqgzhmvwlzj.exe
- %WINDIR%\miljybqmhfscqwqjysssgu.exe
- %WINDIR%\vqspdftoifransldrkjiv.exe
- %WINDIR%\gabxklyslhsamqizmeca.exe
- %WINDIR%\tmmhttfyqlvcnqhxjax.exe
- %WINDIR%\iaztedogxragqsixiy.exe
- %WINDIR%\zqohrpzqgzhmvwlzj.exe
- %WINDIR%\sifxgdmcrjquccqd.exe
- %WINDIR%\syswow64\miljybqmhfscqwqjysssgu.exe
- %WINDIR%\syswow64\vqspdftoifransldrkjiv.exe
- %WINDIR%\syswow64\gabxklyslhsamqizmeca.exe
- %WINDIR%\syswow64\tmmhttfyqlvcnqhxjax.exe
- %WINDIR%\syswow64\iaztedogxragqsixiy.exe
- %WINDIR%\syswow64\zqohrpzqgzhmvwlzj.exe
- %WINDIR%\syswow64\sifxgdmcrjquccqd.exe
- %TEMP%\sifxgdmcrjquccqd.exe
- %TEMP%\sifxgdmcrjquccqdmauowegwtluraqfxeiqqer.oic
- %WINDIR%\syswow64\sifxgdmcrjquccqd.exe
- <LS_APPDATA>\sifxgdmcrjquccqdmauowegwtluraqfxeiqqer.oic
- %ProgramFiles(x86)%\sifxgdmcrjquccqdmauowegwtluraqfxeiqqer.oic
- %WINDIR%\syswow64\sifxgdmcrjquccqdmauowegwtluraqfxeiqqer.oic
- %TEMP%\vamtrdbgkrngdsvxvyhqnkbgszx.hmq
- %WINDIR%\vamtrdbgkrngdsvxvyhqnkbgszx.hmq
- <LS_APPDATA>\vamtrdbgkrngdsvxvyhqnkbgszx.hmq
- %ProgramFiles(x86)%\vamtrdbgkrngdsvxvyhqnkbgszx.hmq
- %WINDIR%\syswow64\vamtrdbgkrngdsvxvyhqnkbgszx.hmq
- %TEMP%\miljybqmhfscqwqjysssgu.exe
- %TEMP%\vqspdftoifransldrkjiv.exe
- %TEMP%\gabxklyslhsamqizmeca.exe
- %TEMP%\tmmhttfyqlvcnqhxjax.exe
- %TEMP%\iaztedogxragqsixiy.exe
- %WINDIR%\sifxgdmcrjquccqdmauowegwtluraqfxeiqqer.oic
- %TEMP%\zqohrpzqgzhmvwlzj.exe
- %WINDIR%\miljybqmhfscqwqjysssgu.exe
- %WINDIR%\vqspdftoifransldrkjiv.exe
- %WINDIR%\gabxklyslhsamqizmeca.exe
- %WINDIR%\tmmhttfyqlvcnqhxjax.exe
- %WINDIR%\iaztedogxragqsixiy.exe
- %WINDIR%\zqohrpzqgzhmvwlzj.exe
- %WINDIR%\sifxgdmcrjquccqd.exe
- %WINDIR%\syswow64\miljybqmhfscqwqjysssgu.exe
- %WINDIR%\syswow64\vqspdftoifransldrkjiv.exe
- %WINDIR%\syswow64\gabxklyslhsamqizmeca.exe
- %WINDIR%\syswow64\tmmhttfyqlvcnqhxjax.exe
- %WINDIR%\syswow64\iaztedogxragqsixiy.exe
- %WINDIR%\syswow64\zqohrpzqgzhmvwlzj.exe
- %TEMP%\sifxgdmcrjquccqd.exe
- %TEMP%\sifxgdmcrjquccqdmauowegwtluraqfxeiqqer.oic
- DNS ASK wh###smyip.com
- DNS ASK wh###smyip.ca
- DNS ASK wh#####yip.everdot.org
- '%TEMP%\hgjenvzixmp.exe' "<Full path to file>*"
- '%TEMP%\vamtr.exe' "-%TEMP%\sifxgdmcrjquccqd.exe"