Technical Information (sandbox-observed indicators: autorun/persistence entries, process launches, file activity, and network activity; domains and IPs are partially masked with '#' by the report publisher)
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'Base NGEN Protection Encryption' = '<SYSTEM32>\vsnqyxlgj.exe' (machine-wide Run-key persistence; the value name mimics a legitimate .NET/NGEN component while the target is a random-looking executable placed in System32 — a useful detection/hunting pattern)
- [<HKLM>\SYSTEM\ControlSet001\Services\Class Multimedia Protocol] 'Start' = '00000002' (service registered with Start=2, i.e. SERVICE_AUTO_START — a second, boot-time persistence mechanism independent of the Run key)
- Windows Security Center (listed by the sandbox without further detail; this usually indicates the sample interacts with or alters Security Center state — confirm the exact modification against the full report)
- '<SYSTEM32>\lwbvrkddqj.exe' "<SYSTEM32>\vsnqyxlgj.exe" (observed process launch: one dropped System32 executable starts the other, passing its path as an argument)
- '%WINDIR%\Temp\yhyoon335qz4tyg.exe' -r 42841 tcp (launched from the Windows Temp directory with a numeric argument and the token "tcp"; this looks like a port/protocol parameter, but the meaning of '-r' is not shown here and should not be assumed)
- '%TEMP%\yhyoon2yj2z4tyghvggxov.exe'
- '<SYSTEM32>\vsnqyxlgj.exe'
- <SYSTEM32>\cztwicaclpn\run
- <SYSTEM32>\cztwicaclpn\rng
- %WINDIR%\Temp\yhyoon335qz4tyg.exe
- <SYSTEM32>\cztwicaclpn\cfg
- <SYSTEM32>\lwbvrkddqj.exe
- %TEMP%\yhyoon2yj2z4tyghvggxov.exe
- <SYSTEM32>\cztwicaclpn\tst
- <SYSTEM32>\vsnqyxlgj.exe
- <SYSTEM32>\cztwicaclpn\etc
- <SYSTEM32>\lwbvrkddqj.exe
- <SYSTEM32>\vsnqyxlgj.exe
- %WINDIR%\Temp\yhyoon335qz4tyg.exe
- <DRIVERS>\etc\hosts (the system hosts file appears among the files touched; if written to, check it for entries that redirect or black-hole security-vendor and update domains)
- %TEMP%\yhyoon2yj2z4tyghvggxov.exe
- 'mo###shoe.net':80 (first of the outbound TCP/80 connections listed below; the hostnames are two-word dictionary combinations over a small set of suffixes such as -shoe, -moon, -october, -router, -deal, -iron, -roll, -build — a pattern consistent with a dictionary-based domain generation algorithm, so block/alert on the pattern rather than on individual names)
- 'wa###hoe.net':80
- 'fa###uter.net':80
- 'fa###oon.net':80
- 'le###outer.net':80
- 'wa###oon.net':80
- 'mo###outer.net':80
- 'mo###moon.net':80
- 'mo####ctober.net':80
- 'wa###ctober.net':80
- 'bo###uter.net':80
- 'ga###uter.net':80
- 'ga###oon.net':80
- 'ga###ctober.net':80
- 'bo###oon.net':80
- 'fa###ctober.net':80
- 'le###moon.net':80
- 'le####ctober.net':80
- 'le###shoe.net':80
- 'fa###hoe.net':80
- 'wa###uter.net':80
- 'fo###moon.net':80
- 'af###outer.net':80
- 'af###moon.net':80
- 'af####ctober.net':80
- 'fo####ctober.net':80
- 'se###ctober.net':80
- 'we#####ayoctober.net':80
- 'we####dayshoe.net':80
- 'fo###outer.net':80
- 'se###hoe.net':80
- 'we###ctober.net':80
- 'st###moon.net':80
- 'st####ctober.net':80
- 'st###shoe.net':80
- 'we###hoe.net':80
- 'af###shoe.net':80
- 'fo###shoe.net':80
- 'we###uter.net':80
- 'we###oon.net':80
- 'st###outer.net':80
- 'fo###deal.net':80
- 'se###ron.net':80
- 'af###deal.net':80
- 'af###roll.net':80
- 'fo###roll.net':80
- 'se###oll.net':80
- 'we####dayroll.net':80
- 'we####daybuild.net':80
- 'we####dayiron.net':80
- 'se###uild.net':80
- 'de###lxc.com':80
- 'st###deal.net':80
- 'be##lxc.com':80
- 'ri###nstorm.net':80
- 'af###sllc.com':80
- 'af###build.net':80
- 'fo###build.net':80
- 'fo###iron.net':80
- 'we###eal.net':80
- 'af###iron.net':80
- 'se###eal.net':80
- 'fi###moon.net':80
- 'qu###moon.net':80
- 'qu####ctober.net':80
- 'qu###shoe.net':80
- 'fi####ctober.net':80
- 'ga###hoe.net':80
- 'bo###ctober.net':80
- 'bo###hoe.net':80
- 'fi###outer.net':80
- 'qu###outer.net':80
- 'dr###build.net':80
- 'na###uild.net':80
- 'na###ron.net':80
- 'we####daydeal.net':80
- 'dr###iron.net':80
- 'na###eal.net':80
- 'fi###shoe.net':80
- 'dr###deal.net':80
- 'dr###roll.net':80
- 'na###oll.net':80
- http://mo###shoe.net/index.php (plain HTTP requests to the same path, /index.php, on every generated domain — the uniform URI is a usable proxy/IDS signature when combined with the domain pattern)
- http://wa###hoe.net/index.php
- http://fa###uter.net/index.php
- http://fa###oon.net/index.php
- http://le###outer.net/index.php
- http://wa###oon.net/index.php
- http://mo###outer.net/index.php
- http://mo###moon.net/index.php
- http://mo####ctober.net/index.php
- http://wa###ctober.net/index.php
- http://bo###uter.net/index.php
- http://ga###uter.net/index.php
- http://ga###oon.net/index.php
- http://ga###ctober.net/index.php
- http://bo###oon.net/index.php
- http://fa###ctober.net/index.php
- http://le###moon.net/index.php
- http://le####ctober.net/index.php
- http://le###shoe.net/index.php
- http://fa###hoe.net/index.php
- http://wa###uter.net/index.php
- http://fo###moon.net/index.php
- http://af###outer.net/index.php
- http://af###moon.net/index.php
- http://af####ctober.net/index.php
- http://fo####ctober.net/index.php
- http://se###ctober.net/index.php
- http://we#####ayoctober.net/index.php
- http://we####dayshoe.net/index.php
- http://fo###outer.net/index.php
- http://se###hoe.net/index.php
- http://we###ctober.net/index.php
- http://st###moon.net/index.php
- http://st####ctober.net/index.php
- http://st###shoe.net/index.php
- http://we###hoe.net/index.php
- http://af###shoe.net/index.php
- http://fo###shoe.net/index.php
- http://we###uter.net/index.php
- http://we###oon.net/index.php
- http://st###outer.net/index.php
- http://fo###deal.net/index.php
- http://se###ron.net/index.php
- http://af###deal.net/index.php
- http://af###roll.net/index.php
- http://fo###roll.net/index.php
- http://se###oll.net/index.php
- http://we####dayroll.net/index.php
- http://we####daybuild.net/index.php
- http://we####dayiron.net/index.php
- http://se###uild.net/index.php
- http://de###lxc.com/index.php
- http://st###deal.net/index.php
- http://be##lxc.com/index.php
- http://ri###nstorm.net/index.php
- http://af###sllc.com/index.php
- http://af###build.net/index.php
- http://fo###build.net/index.php
- http://fo###iron.net/index.php
- http://we###eal.net/index.php
- http://af###iron.net/index.php
- http://se###eal.net/index.php
- http://fi###moon.net/index.php
- http://qu###moon.net/index.php
- http://qu####ctober.net/index.php
- http://qu###shoe.net/index.php
- http://fi####ctober.net/index.php
- http://ga###hoe.net/index.php
- http://bo###ctober.net/index.php
- http://bo###hoe.net/index.php
- http://fi###outer.net/index.php
- http://qu###outer.net/index.php
- http://dr###build.net/index.php
- http://na###uild.net/index.php
- http://na###ron.net/index.php
- http://we####daydeal.net/index.php
- http://dr###iron.net/index.php
- http://na###eal.net/index.php
- http://fi###shoe.net/index.php
- http://dr###deal.net/index.php
- http://dr###roll.net/index.php
- http://na###oll.net/index.php
- DNS ASK wa###hoe.net (DNS resolution attempts for the generated domains; these queries are visible in resolver logs even when the TCP/80 connection never succeeds, which makes them the earliest network indicator)
- DNS ASK mo####ctober.net
- DNS ASK mo###shoe.net
- DNS ASK le###outer.net
- DNS ASK fa###uter.net
- DNS ASK mo###outer.net
- DNS ASK wa###uter.net
- DNS ASK wa###oon.net
- DNS ASK wa###ctober.net
- DNS ASK mo###moon.net
- DNS ASK fa###oon.net
- DNS ASK bo###uter.net
- DNS ASK ga###uter.net
- DNS ASK ga###oon.net
- DNS ASK ga###ctober.net
- DNS ASK bo###oon.net
- DNS ASK fa###ctober.net
- DNS ASK le###moon.net
- DNS ASK le####ctober.net
- DNS ASK le###shoe.net
- DNS ASK fa###hoe.net
- DNS ASK af###outer.net
- DNS ASK fo###outer.net
- DNS ASK fo###moon.net
- DNS ASK fo####ctober.net
- DNS ASK af###moon.net
- DNS ASK we#####ayoctober.net
- DNS ASK se###oon.net
- DNS ASK se###ctober.net
- DNS ASK se###hoe.net
- DNS ASK we####dayshoe.net
- DNS ASK af####ctober.net
- DNS ASK we###ctober.net
- DNS ASK st###moon.net
- DNS ASK st####ctober.net
- DNS ASK st###shoe.net
- DNS ASK we###hoe.net
- DNS ASK af###shoe.net
- DNS ASK fo###shoe.net
- DNS ASK we###uter.net
- DNS ASK we###oon.net
- DNS ASK st###outer.net
- DNS ASK fo###deal.net
- DNS ASK se###ron.net
- DNS ASK af###deal.net
- DNS ASK af###roll.net
- DNS ASK fo###roll.net
- DNS ASK se###oll.net
- DNS ASK we####dayroll.net
- DNS ASK we####daybuild.net
- DNS ASK we####dayiron.net
- DNS ASK se###uild.net
- DNS ASK de###lxc.com
- DNS ASK st###deal.net
- DNS ASK be##lxc.com
- DNS ASK ri###nstorm.net
- DNS ASK af###sllc.com
- DNS ASK af###build.net
- DNS ASK fo###build.net
- DNS ASK fo###iron.net
- DNS ASK we###eal.net
- DNS ASK af###iron.net
- DNS ASK se###eal.net
- DNS ASK fi###moon.net
- DNS ASK qu###moon.net
- DNS ASK qu####ctober.net
- DNS ASK qu###shoe.net
- DNS ASK fi####ctober.net
- DNS ASK ga###hoe.net
- DNS ASK bo###ctober.net
- DNS ASK bo###hoe.net
- DNS ASK fi###outer.net
- DNS ASK qu###outer.net
- DNS ASK dr###build.net
- DNS ASK na###uild.net
- DNS ASK na###ron.net
- DNS ASK we####daydeal.net
- DNS ASK dr###iron.net
- DNS ASK na###eal.net
- DNS ASK fi###shoe.net
- DNS ASK dr###deal.net
- DNS ASK dr###roll.net
- DNS ASK na###oll.net
- '23#.#55.255.250':1900 (masked, but the visible octets and port 1900 are consistent with 239.255.255.250, the SSDP/UPnP multicast discovery address; this traffic is likely local UPnP discovery — e.g. to locate a gateway for port mapping — rather than a command-and-control endpoint, so it should not be treated as an attribution-grade IOC)