Technical Information
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'UPnP Registrar Presentation' = 'C:\iulxrbuxkcjpgd\erwgmmgtplw.exe'
- [<HKLM>\SYSTEM\ControlSet001\Services\Removal User-mode Notification Superfetch] 'ImagePath' = 'C:\iulxrbuxkcjpgd\erwgmmgtplw.exe'
- [<HKLM>\SYSTEM\ControlSet001\Services\Removal User-mode Notification Superfetch] 'Start' = '00000002' (SERVICE_AUTO_START: the service is launched automatically at boot)
- 'C:\iulxrbuxkcjpgd\qiksiwuhili.exe' "c:\iulxrbuxkcjpgd\erwgmmgtplw.exe"
- 'C:\iulxrbuxkcjpgd\erwgmmgtplw.exe'
- 'C:\iulxrbuxkcjpgd\pq2g6wafmfod4b.exe'
- C:\iulxrbuxkcjpgd\erwgmmgtplw.exe
- C:\iulxrbuxkcjpgd\qiksiwuhili.exe
- C:\iulxrbuxkcjpgd\pq2g6wafmfod4b.exe
- %WINDIR%\iulxrbuxkcjpgd\ecn6fdv
- C:\iulxrbuxkcjpgd\ecn6fdv
- C:\iulxrbuxkcjpgd\qiksiwuhili.exe
- C:\iulxrbuxkcjpgd\erwgmmgtplw.exe
- C:\iulxrbuxkcjpgd\pq2g6wafmfod4b.exe
- %WINDIR%\iulxrbuxkcjpgd\ecn6fdv
- 'sm###device.net':80
- 'wo###before.net':80
- 'sm####anguage.net':80
- 'wo###device.net':80
- 'fi###settle.net':80
- 'pa####anguage.net':80
- 'sm###before.net':80
- 'pa###settle.net':80
- 'wo####anguage.net':80
- 'th####tdevice.net':80
- 'wa###device.net':80
- 'th####tlanguage.net':80
- 'wa####anguage.net':80
- 'wo###settle.net':80
- 'sm###settle.net':80
- 'th####tbefore.net':80
- 'wa###before.net':80
- 'fi####anguage.net':80
- 'ex#####ncebanker.net':80
- 'ge####manfound.net':80
- 'ex#####ncesuccess.net':80
- 'fr###banker.net':80
- 'al####yspring.net':80
- 'ge#####ansuccess.net':80
- 'al####yfound.net':80
- 'ge####manspring.net':80
- 'fr####uccess.net':80
- 'pa###before.net':80
- 'fi###before.net':80
- 'pa###device.net':80
- 'fi###device.net':80
- 'fr###spring.net':80
- 'ex#####ncespring.net':80
- 'fr###found.net':80
- 'ex####encefound.net':80
- 'wa###settle.net':80
- 'me####settle.net':80
- 'fo####language.net':80
- 'al####ybefore.net':80
- 'fo####settle.net':80
- 'me####device.net':80
- 'fo####before.net':80
- 'me####language.net':80
- 'fo####device.net':80
- 'ge####manbefore.net':80
- 'ge####mansettle.net':80
- 'al####ysettle.net':80
- 'fr###before.net':80
- 'ex#####ncebefore.net':80
- 'ge####mandevice.net':80
- 'al####ydevice.net':80
- 'ge#####anlanguage.net':80
- 'al####ylanguage.net':80
- 'me####before.net':80
- 'cr####anguage.net':80
- 'su####device.net':80
- 'cr###settle.net':80
- 'su####language.net':80
- 'cr###before.net':80
- 'th####tsettle.net':80
- 'cr###device.net':80
- 'su####before.net':80
- 'su####settle.net':80
- 'be####anguage.net':80
- 'kn####anguage.net':80
- 'be###settle.net':80
- 'kn###settle.net':80
- 'be###before.net':80
- 'kn###before.net':80
- 'be###device.net':80
- 'kn###device.net':80
- http://sm###device.net/index.php
- http://wo###before.net/index.php
- http://sm####anguage.net/index.php
- http://wo###device.net/index.php
- http://fi###settle.net/index.php
- http://pa####anguage.net/index.php
- http://sm###before.net/index.php
- http://pa###settle.net/index.php
- http://wo####anguage.net/index.php
- http://th####tdevice.net/index.php
- http://wa###device.net/index.php
- http://th####tlanguage.net/index.php
- http://wa####anguage.net/index.php
- http://wo###settle.net/index.php
- http://sm###settle.net/index.php
- http://th####tbefore.net/index.php
- http://wa###before.net/index.php
- http://fi####anguage.net/index.php
- http://ex#####ncebanker.net/index.php
- http://ge####manfound.net/index.php
- http://ex#####ncesuccess.net/index.php
- http://fr###banker.net/index.php
- http://al####yspring.net/index.php
- http://ge#####ansuccess.net/index.php
- http://al####yfound.net/index.php
- http://ge####manspring.net/index.php
- http://fr####uccess.net/index.php
- http://pa###before.net/index.php
- http://fi###before.net/index.php
- http://pa###device.net/index.php
- http://fi###device.net/index.php
- http://fr###spring.net/index.php
- http://ex#####ncespring.net/index.php
- http://fr###found.net/index.php
- http://ex####encefound.net/index.php
- http://wa###settle.net/index.php
- http://me####settle.net/index.php
- http://fo####language.net/index.php
- http://al####ybefore.net/index.php
- http://fo####settle.net/index.php
- http://me####device.net/index.php
- http://fo####before.net/index.php
- http://me####language.net/index.php
- http://fo####device.net/index.php
- http://ge####manbefore.net/index.php
- http://ge####mansettle.net/index.php
- http://al####ysettle.net/index.php
- http://fr###before.net/index.php
- http://ex#####ncebefore.net/index.php
- http://ge####mandevice.net/index.php
- http://al####ydevice.net/index.php
- http://ge#####anlanguage.net/index.php
- http://al####ylanguage.net/index.php
- http://me####before.net/index.php
- http://cr####anguage.net/index.php
- http://su####device.net/index.php
- http://cr###settle.net/index.php
- http://su####language.net/index.php
- http://cr###before.net/index.php
- http://th####tsettle.net/index.php
- http://cr###device.net/index.php
- http://su####before.net/index.php
- http://su####settle.net/index.php
- http://be####anguage.net/index.php
- http://kn####anguage.net/index.php
- http://be###settle.net/index.php
- http://kn###settle.net/index.php
- http://be###before.net/index.php
- http://kn###before.net/index.php
- http://be###device.net/index.php
- http://kn###device.net/index.php
- DNS ASK sm###device.net
- DNS ASK wo###before.net
- DNS ASK sm####anguage.net
- DNS ASK wo###device.net
- DNS ASK sm###before.net
- DNS ASK pa####anguage.net
- DNS ASK fi####anguage.net
- DNS ASK pa###settle.net
- DNS ASK fi###settle.net
- DNS ASK th####tdevice.net
- DNS ASK wa###device.net
- DNS ASK th####tlanguage.net
- DNS ASK wa####anguage.net
- DNS ASK th####tbefore.net
- DNS ASK sm###settle.net
- DNS ASK wo####anguage.net
- DNS ASK wa###before.net
- DNS ASK wo###settle.net
- DNS ASK ex#####ncebanker.net
- DNS ASK ge####manfound.net
- DNS ASK ex#####ncesuccess.net
- DNS ASK fr###banker.net
- DNS ASK al####yfound.net
- DNS ASK ge#####ansuccess.net
- DNS ASK al####ysuccess.net
- DNS ASK ge####manspring.net
- DNS ASK al####yspring.net
- DNS ASK pa###before.net
- DNS ASK fi###before.net
- DNS ASK pa###device.net
- DNS ASK fi###device.net
- DNS ASK fr###found.net
- DNS ASK ex#####ncespring.net
- DNS ASK fr####uccess.net
- DNS ASK ex####encefound.net
- DNS ASK fr###spring.net
- DNS ASK me####settle.net
- DNS ASK fo####language.net
- DNS ASK al####ybefore.net
- DNS ASK fo####settle.net
- DNS ASK me####language.net
- DNS ASK fo####before.net
- DNS ASK me####before.net
- DNS ASK fo####device.net
- DNS ASK me####device.net
- DNS ASK ge####mansettle.net
- DNS ASK al####ysettle.net
- DNS ASK fr###before.net
- DNS ASK ex#####ncebefore.net
- DNS ASK ge#####anlanguage.net
- DNS ASK al####ydevice.net
- DNS ASK ge####manbefore.net
- DNS ASK al####ylanguage.net
- DNS ASK ge####mandevice.net
- DNS ASK cr####anguage.net
- DNS ASK su####device.net
- DNS ASK cr###settle.net
- DNS ASK su####language.net
- DNS ASK cr###device.net
- DNS ASK th####tsettle.net
- DNS ASK wa###settle.net
- DNS ASK su####before.net
- DNS ASK cr###before.net
- DNS ASK be####anguage.net
- DNS ASK kn####anguage.net
- DNS ASK be###settle.net
- DNS ASK kn###settle.net
- DNS ASK be###device.net
- DNS ASK kn###before.net
- DNS ASK su####settle.net
- DNS ASK kn###device.net
- DNS ASK be###before.net
- ClassName: 'Shell_TrayWnd' (the Windows taskbar window class) WindowName: ''