Technical Information
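Registry values listed in the report (Winlogon Shell plus the Run, RunOnce and Policies\Explorer\Run autorun locations). The value names and executable names appear to be randomly generated, and the same value name is paired with several different executables, so matching should key on the registry location rather than on an exact name:
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon] 'Shell' = 'Explorer.exe'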
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run] 'sfvagvamyf' = 'vtukbbroldlxdduvdlcyz.exe'
- [<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'nbsyfvbobjh' = 'gddsihwsofmxcbrryfvq.exe'
- [<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce] 'kzrygxesgpor' = 'idboczmgapudgdrpuz.exe .'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce] 'zlaejxbmx' = 'vtukbbroldlxdduvdlcyz.exe .'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] 'kbveohqgwhinmf' = '%TEMP%\vtukbbroldlxdduvdlcyz.exe'
- [<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'ithkobeo' = '%TEMP%\tpocrpdytjpzdbqpvbq.exe'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce] 'jzsajbjynxxbz' = '%TEMP%\ztqcplxqjxbjlhurv.exe .'
- [<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce] 'zlaejxbmx' = '%TEMP%\gddsihwsofmxcbrryfvq.exe .'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run] 'tdqsvhj' = '%TEMP%\tpocrpdytjpzdbqpvbq.exe'
- [<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'ithkobeo' = '%TEMP%\gddsihwsofmxcbrryfvq.exe'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce] 'zlaejxbmx' = 'tpocrpdytjpzdbqpvbq.exe .'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run] 'tdqsvhj' = '%TEMP%\idboczmgapudgdrpuz.exe'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] 'kbveohqgwhinmf' = '%TEMP%\ztqcplxqjxbjlhurv.exe'
- [<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'ithkobeo' = '%TEMP%\ztqcplxqjxbjlhurv.exe'
- [<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce] 'zlaejxbmx' = '%TEMP%\vtukbbroldlxdduvdlcyz.exe .'
- [<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'ithkobeo' = '%TEMP%\vtukbbroldlxdduvdlcyz.exe'
- [<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce] 'zlaejxbmx' = '%TEMP%\slhsezkcuhkrsnzv.exe .'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce] 'zlaejxbmx' = 'slhsezkcuhkrsnzv.exe .'
- [<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'nbsyfvbobjh' = 'slhsezkcuhkrsnzv.exe'
- [<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce] 'kzrygxesgpor' = 'tpocrpdytjpzdbqpvbq.exe .'
- [<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'nbsyfvbobjh' = 'vtukbbroldlxdduvdlcyz.exe'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run] 'tdqsvhj' = '%TEMP%\slhsezkcuhkrsnzv.exe'
- [<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'ithkobeo' = '%TEMP%\slhsezkcuhkrsnzv.exe'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] 'ithkobeo' = 'idboczmgapudgdrpuz.exe'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce] 'jzsajbjynxxbz' = '%TEMP%\slhsezkcuhkrsnzv.exe .'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] 'ithkobeo' = 'vtukbbroldlxdduvdlcyz.exe'
- [<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'nbsyfvbobjh' = 'tpocrpdytjpzdbqpvbq.exe'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run] 'tdqsvhj' = '%TEMP%\gddsihwsofmxcbrryfvq.exe'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce] 'jzsajbjynxxbz' = '%TEMP%\idboczmgapudgdrpuz.exe .'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] 'ithkobeo' = 'slhsezkcuhkrsnzv.exe'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce] 'zlaejxbmx' = 'idboczmgapudgdrpuz.exe .'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run] 'sfvagvamyf' = 'tpocrpdytjpzdbqpvbq.exe'
- [<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'nbsyfvbobjh' = 'ztqcplxqjxbjlhurv.exe'
- [<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce] 'kzrygxesgpor' = 'slhsezkcuhkrsnzv.exe .'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] 'kbveohqgwhinmf' = '%TEMP%\slhsezkcuhkrsnzv.exe'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce] 'jzsajbjynxxbz' = '%TEMP%\tpocrpdytjpzdbqpvbq.exe .'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run] 'tdqsvhj' = '%TEMP%\vtukbbroldlxdduvdlcyz.exe'
- [<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'ithkobeo' = '%TEMP%\idboczmgapudgdrpuz.exe'
- [<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce] 'zlaejxbmx' = '%TEMP%\tpocrpdytjpzdbqpvbq.exe .'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] 'ithkobeo' = 'ztqcplxqjxbjlhurv.exe'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce] 'zlaejxbmx' = 'gddsihwsofmxcbrryfvq.exe .'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run] 'sfvagvamyf' = 'idboczmgapudgdrpuz.exe'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] 'ithkobeo' = 'tpocrpdytjpzdbqpvbq.exe'
- [<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'nbsyfvbobjh' = 'idboczmgapudgdrpuz.exe'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce] 'zlaejxbmx' = 'ztqcplxqjxbjlhurv.exe .'
- [<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce] 'kzrygxesgpor' = 'gddsihwsofmxcbrryfvq.exe .'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run] 'sfvagvamyf' = 'gddsihwsofmxcbrryfvq.exe'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] 'ithkobeo' = 'gddsihwsofmxcbrryfvq.exe'
- [<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce] 'kzrygxesgpor' = 'ztqcplxqjxbjlhurv.exe .'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] 'kbveohqgwhinmf' = '%TEMP%\idboczmgapudgdrpuz.exe'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run] 'sfvagvamyf' = 'ztqcplxqjxbjlhurv.exe'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce] 'jzsajbjynxxbz' = '%TEMP%\gddsihwsofmxcbrryfvq.exe .'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run] 'tdqsvhj' = '%TEMP%\ztqcplxqjxbjlhurv.exe'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] 'kbveohqgwhinmf' = '%TEMP%\tpocrpdytjpzdbqpvbq.exe'
- [<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce] 'zlaejxbmx' = '%TEMP%\idboczmgapudgdrpuz.exe .'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] 'kbveohqgwhinmf' = '%TEMP%\gddsihwsofmxcbrryfvq.exe'
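Windows features named in the report (the label stating what is done to them is not preserved in this copy):
- hidden files
- Registry Editor (RegEdit)
- User Account Control (UAC)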
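File system paths listed in the report (many paths appear twice, which suggests more than one original list whose labels are not preserved in this copy):
- %TEMP%\bdzpwnljqch.exe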
- %TEMP%\vtukbbroldlxdduvdlcyz.exe
- %TEMP%\mlnewxomkdmzghzbktlikj.exe
- %TEMP%\gpbcep.exe
- C:\gpbcep.exe-debug.log
- %WINDIR%\syswow64\xbiebhdgjhvnzfcjxlikrvc.vbx
- %TEMP%\tpocrpdytjpzdbqpvbq.exe
- %TEMP%\gddsihwsofmxcbrryfvq.exe
- %ProgramFiles(x86)%\xbiebhdgjhvnzfcjxlikrvc.vbx
- %TEMP%\xbiebhdgjhvnzfcjxlikrvc.vbx
- %WINDIR%\syswow64\kzrygxesgporofnfedlyqfxemdkymvuxul.lkj
- %ProgramFiles(x86)%\kzrygxesgporofnfedlyqfxemdkymvuxul.lkj
- %LOCALAPPDATA%\kzrygxesgporofnfedlyqfxemdkymvuxul.lkj
- %WINDIR%\kzrygxesgporofnfedlyqfxemdkymvuxul.lkj
- %LOCALAPPDATA%\xbiebhdgjhvnzfcjxlikrvc.vbx
- %WINDIR%\xbiebhdgjhvnzfcjxlikrvc.vbx
- %TEMP%\idboczmgapudgdrpuz.exe
- %TEMP%\ztqcplxqjxbjlhurv.exe
- %TEMP%\slhsezkcuhkrsnzv.exe
- %WINDIR%\syswow64\slhsezkcuhkrsnzv.exe
- %WINDIR%\syswow64\ztqcplxqjxbjlhurv.exe
- %WINDIR%\syswow64\idboczmgapudgdrpuz.exe
- %WINDIR%\syswow64\tpocrpdytjpzdbqpvbq.exe
- %WINDIR%\syswow64\gddsihwsofmxcbrryfvq.exe
- %WINDIR%\syswow64\vtukbbroldlxdduvdlcyz.exe
- C:\bdzpwnljqch.exe-debug.log
- %WINDIR%\syswow64\mlnewxomkdmzghzbktlikj.exe
- %WINDIR%\ztqcplxqjxbjlhurv.exe
- %WINDIR%\idboczmgapudgdrpuz.exe
- %WINDIR%\tpocrpdytjpzdbqpvbq.exe
- %WINDIR%\gddsihwsofmxcbrryfvq.exe
- %WINDIR%\vtukbbroldlxdduvdlcyz.exe
- %WINDIR%\mlnewxomkdmzghzbktlikj.exe
- %WINDIR%\slhsezkcuhkrsnzv.exe
- %TEMP%\kzrygxesgporofnfedlyqfxemdkymvuxul.lkj
- %TEMP%\gpbcep\sfvagvamyf.exe
- %WINDIR%\syswow64\slhsezkcuhkrsnzv.exe
- %LOCALAPPDATA%\kzrygxesgporofnfedlyqfxemdkymvuxul.lkj
- %ProgramFiles(x86)%\kzrygxesgporofnfedlyqfxemdkymvuxul.lkj
- %WINDIR%\syswow64\kzrygxesgporofnfedlyqfxemdkymvuxul.lkj
- %TEMP%\xbiebhdgjhvnzfcjxlikrvc.vbx
- %WINDIR%\xbiebhdgjhvnzfcjxlikrvc.vbx
- %LOCALAPPDATA%\xbiebhdgjhvnzfcjxlikrvc.vbx
- %ProgramFiles(x86)%\xbiebhdgjhvnzfcjxlikrvc.vbx
- %WINDIR%\syswow64\xbiebhdgjhvnzfcjxlikrvc.vbx
- %TEMP%\mlnewxomkdmzghzbktlikj.exe
- %TEMP%\vtukbbroldlxdduvdlcyz.exe
- %TEMP%\gddsihwsofmxcbrryfvq.exe
- %TEMP%\tpocrpdytjpzdbqpvbq.exe
- %TEMP%\idboczmgapudgdrpuz.exe
- %WINDIR%\kzrygxesgporofnfedlyqfxemdkymvuxul.lkj
- %TEMP%\ztqcplxqjxbjlhurv.exe
- %WINDIR%\mlnewxomkdmzghzbktlikj.exe
- %WINDIR%\vtukbbroldlxdduvdlcyz.exe
- %WINDIR%\gddsihwsofmxcbrryfvq.exe
- %WINDIR%\tpocrpdytjpzdbqpvbq.exe
- %WINDIR%\idboczmgapudgdrpuz.exe
- %WINDIR%\ztqcplxqjxbjlhurv.exe
- %WINDIR%\slhsezkcuhkrsnzv.exe
- %WINDIR%\syswow64\mlnewxomkdmzghzbktlikj.exe
- %WINDIR%\syswow64\vtukbbroldlxdduvdlcyz.exe
- %WINDIR%\syswow64\gddsihwsofmxcbrryfvq.exe
- %WINDIR%\syswow64\tpocrpdytjpzdbqpvbq.exe
- %WINDIR%\syswow64\idboczmgapudgdrpuz.exe
- %WINDIR%\syswow64\ztqcplxqjxbjlhurv.exe
- %TEMP%\slhsezkcuhkrsnzv.exe
- %TEMP%\kzrygxesgporofnfedlyqfxemdkymvuxul.lkj
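Network indicators listed in the report (host:port pairs, HTTP URLs and DNS queries). The `#` characters appear to be masking applied by the report, so these strings cannot be matched literally:
- 'wh###smyip.com':80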
- 'sh####ipaddress.com':80
- 'wh#####yipaddress.com':80
- 'yo##ube.com':80
- '88.##6.21.94':35433
- http://www.wh###smyip.com/
- http://www.sh####ipaddress.com/
- http://wh#####yipaddress.com/
- http://www.yo##ube.com/
- DNS ASK wh###smyip.com
- DNS ASK wh###smyip.ca
- DNS ASK sh####ipaddress.com
- DNS ASK wh#####yipaddress.com
- DNS ASK wh#####yip.everdot.org
- DNS ASK yo##ube.com
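Process command lines listed in the report (the angle-bracket tokens appear to be the report's own placeholders, not literal text):
- '%TEMP%\bdzpwnljqch.exe' "<Full path to file>*"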
- '%TEMP%\gpbcep.exe' "-<SYSTEM32>\\slhsezkcuhkrsnzv.exe"