Technical Information — sandbox-observed artifacts, listed in the order they appear below: registry values written under autostart locations (Winlogon `Shell`, `Run`, `RunOnce`, `Policies\Explorer\Run`), system features referenced, file paths (with environment variables left unexpanded), DNS queries (domain names partly masked with `#`), and process command lines.
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon] 'Shell' = 'Explorer.exe'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce] 'laocnboxkytnk' = 'iezumhbrlgijnuctdkgb.exe .'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run] 'mcrgshvftiezxy' = 'bumetlcpgyxvwafta.exe'
- [<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'pgwmzpepeurnmor' = 'vqkevpixqklloubragb.exe'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run] 'mcrgshvftiezxy' = 'vqkevpixqklloubragb.exe'
- [<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce] 'umduizpbrigddgkx' = 'vqkevpixqklloubragb.exe .'
- [<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'pgwmzpepeurnmor' = 'iezumhbrlgijnuctdkgb.exe'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] 'kexqgzrfxqqprwcrze' = '%TEMP%\vqkevpixqklloubragb.exe'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce] 'bumetlcpgyxvwafta' = '%TEMP%\kexqgzrfxqqprwcrze.exe .'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce] 'bumetlcpgyxvwafta' = '%TEMP%\bumetlcpgyxvwafta.exe .'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] 'manakxjrdqkd' = 'xuqmfbwniehjowfxiqnjf.exe'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] 'manakxjrdqkd' = 'vqkevpixqklloubragb.exe'
- [<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'manakxjrdqkd' = '%TEMP%\bumetlcpgyxvwafta.exe'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run] 'mcrgshvftiezxy' = 'iezumhbrlgijnuctdkgb.exe'
- [<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce] 'umduizpbrigddgkx' = 'bumetlcpgyxvwafta.exe .'
- [<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce] 'umduizpbrigddgkx' = 'kexqgzrfxqqprwcrze.exe .'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] 'kexqgzrfxqqprwcrze' = '%TEMP%\iezumhbrlgijnuctdkgb.exe'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce] 'bumetlcpgyxvwafta' = '%TEMP%\xuqmfbwniehjowfxiqnjf.exe .'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run] 'pcoajvgnykd' = '%TEMP%\iezumhbrlgijnuctdkgb.exe'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run] 'pcoajvgnykd' = '%TEMP%\vqkevpixqklloubragb.exe'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run] 'mcrgshvftiezxy' = 'kexqgzrfxqqprwcrze.exe'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run] 'pcoajvgnykd' = '%TEMP%\bumetlcpgyxvwafta.exe'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] 'manakxjrdqkd' = 'iezumhbrlgijnuctdkgb.exe'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce] 'laocnboxkytnk' = 'kexqgzrfxqqprwcrze.exe .'
- [<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce] 'laocnboxkytnk' = '%TEMP%\iezumhbrlgijnuctdkgb.exe .'
- [<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'manakxjrdqkd' = '%TEMP%\kexqgzrfxqqprwcrze.exe'
- [<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce] 'laocnboxkytnk' = '%TEMP%\umduizpbrigddgkx.exe .'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce] 'laocnboxkytnk' = 'umduizpbrigddgkx.exe .'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run] 'mcrgshvftiezxy' = 'xuqmfbwniehjowfxiqnjf.exe'
- [<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'pgwmzpepeurnmor' = 'bumetlcpgyxvwafta.exe'
- [<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce] 'umduizpbrigddgkx' = 'xuqmfbwniehjowfxiqnjf.exe .'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] 'kexqgzrfxqqprwcrze' = '%TEMP%\kexqgzrfxqqprwcrze.exe'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce] 'bumetlcpgyxvwafta' = '%TEMP%\vqkevpixqklloubragb.exe .'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run] 'pcoajvgnykd' = '%TEMP%\kexqgzrfxqqprwcrze.exe'
- [<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'manakxjrdqkd' = '%TEMP%\umduizpbrigddgkx.exe'
- [<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce] 'laocnboxkytnk' = '%TEMP%\kexqgzrfxqqprwcrze.exe .'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] 'manakxjrdqkd' = 'bumetlcpgyxvwafta.exe'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] 'manakxjrdqkd' = 'kexqgzrfxqqprwcrze.exe'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce] 'laocnboxkytnk' = 'bumetlcpgyxvwafta.exe .'
- [<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce] 'umduizpbrigddgkx' = 'iezumhbrlgijnuctdkgb.exe .'
- [<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'pgwmzpepeurnmor' = 'kexqgzrfxqqprwcrze.exe'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] 'kexqgzrfxqqprwcrze' = '%TEMP%\bumetlcpgyxvwafta.exe'
- [<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce] 'umduizpbrigddgkx' = 'umduizpbrigddgkx.exe .'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce] 'bumetlcpgyxvwafta' = '%TEMP%\umduizpbrigddgkx.exe .'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] 'kexqgzrfxqqprwcrze' = '%TEMP%\umduizpbrigddgkx.exe'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run] 'pcoajvgnykd' = '%TEMP%\umduizpbrigddgkx.exe'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce] 'bumetlcpgyxvwafta' = '%TEMP%\iezumhbrlgijnuctdkgb.exe .'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run] 'pcoajvgnykd' = '%TEMP%\xuqmfbwniehjowfxiqnjf.exe'
- [<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'manakxjrdqkd' = '%TEMP%\xuqmfbwniehjowfxiqnjf.exe'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run] 'mcrgshvftiezxy' = 'umduizpbrigddgkx.exe'
- [<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'manakxjrdqkd' = '%TEMP%\iezumhbrlgijnuctdkgb.exe'
- [<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce] 'laocnboxkytnk' = '%TEMP%\bumetlcpgyxvwafta.exe .'
- hidden files
- Registry Editor (RegEdit)
- User Account Control (UAC)
- %TEMP%\xpkihpqwojh.exe
- <LS_APPDATA>\laocnboxkytnkklvyynbpaobkxlgaxxyill.ocn
- %ProgramFiles(x86)%\laocnboxkytnkklvyynbpaobkxlgaxxyill.ocn
- %WINDIR%\syswow64\laocnboxkytnkklvyynbpaobkxlgaxxyill.ocn
- %TEMP%\cgjmmprpruenzoedvkoruuxz.zcm
- %WINDIR%\cgjmmprpruenzoedvkoruuxz.zcm
- <LS_APPDATA>\cgjmmprpruenzoedvkoruuxz.zcm
- %ProgramFiles(x86)%\cgjmmprpruenzoedvkoruuxz.zcm
- %WINDIR%\syswow64\cgjmmprpruenzoedvkoruuxz.zcm
- %TEMP%\xekqt.exe
- %TEMP%\omjgaxtlheilrakdpywtqk.exe
- %TEMP%\xuqmfbwniehjowfxiqnjf.exe
- %TEMP%\iezumhbrlgijnuctdkgb.exe
- %TEMP%\vqkevpixqklloubragb.exe
- %TEMP%\kexqgzrfxqqprwcrze.exe
- %WINDIR%\laocnboxkytnkklvyynbpaobkxlgaxxyill.ocn
- %TEMP%\bumetlcpgyxvwafta.exe
- %WINDIR%\omjgaxtlheilrakdpywtqk.exe
- %WINDIR%\xuqmfbwniehjowfxiqnjf.exe
- %WINDIR%\iezumhbrlgijnuctdkgb.exe
- %WINDIR%\vqkevpixqklloubragb.exe
- %WINDIR%\kexqgzrfxqqprwcrze.exe
- %WINDIR%\bumetlcpgyxvwafta.exe
- %WINDIR%\umduizpbrigddgkx.exe
- %WINDIR%\syswow64\omjgaxtlheilrakdpywtqk.exe
- %WINDIR%\syswow64\xuqmfbwniehjowfxiqnjf.exe
- %WINDIR%\syswow64\iezumhbrlgijnuctdkgb.exe
- %WINDIR%\syswow64\vqkevpixqklloubragb.exe
- %WINDIR%\syswow64\kexqgzrfxqqprwcrze.exe
- %WINDIR%\syswow64\bumetlcpgyxvwafta.exe
- %WINDIR%\syswow64\umduizpbrigddgkx.exe
- %TEMP%\umduizpbrigddgkx.exe
- %TEMP%\laocnboxkytnkklvyynbpaobkxlgaxxyill.ocn
- %WINDIR%\syswow64\umduizpbrigddgkx.exe
- <LS_APPDATA>\laocnboxkytnkklvyynbpaobkxlgaxxyill.ocn
- %ProgramFiles(x86)%\laocnboxkytnkklvyynbpaobkxlgaxxyill.ocn
- %WINDIR%\syswow64\laocnboxkytnkklvyynbpaobkxlgaxxyill.ocn
- %TEMP%\cgjmmprpruenzoedvkoruuxz.zcm
- %WINDIR%\cgjmmprpruenzoedvkoruuxz.zcm
- <LS_APPDATA>\cgjmmprpruenzoedvkoruuxz.zcm
- %ProgramFiles(x86)%\cgjmmprpruenzoedvkoruuxz.zcm
- %WINDIR%\syswow64\cgjmmprpruenzoedvkoruuxz.zcm
- %TEMP%\omjgaxtlheilrakdpywtqk.exe
- %TEMP%\xuqmfbwniehjowfxiqnjf.exe
- %TEMP%\iezumhbrlgijnuctdkgb.exe
- %TEMP%\vqkevpixqklloubragb.exe
- %TEMP%\kexqgzrfxqqprwcrze.exe
- %WINDIR%\laocnboxkytnkklvyynbpaobkxlgaxxyill.ocn
- %TEMP%\bumetlcpgyxvwafta.exe
- %WINDIR%\omjgaxtlheilrakdpywtqk.exe
- %WINDIR%\xuqmfbwniehjowfxiqnjf.exe
- %WINDIR%\iezumhbrlgijnuctdkgb.exe
- %WINDIR%\vqkevpixqklloubragb.exe
- %WINDIR%\kexqgzrfxqqprwcrze.exe
- %WINDIR%\bumetlcpgyxvwafta.exe
- %WINDIR%\umduizpbrigddgkx.exe
- %WINDIR%\syswow64\omjgaxtlheilrakdpywtqk.exe
- %WINDIR%\syswow64\xuqmfbwniehjowfxiqnjf.exe
- %WINDIR%\syswow64\iezumhbrlgijnuctdkgb.exe
- %WINDIR%\syswow64\vqkevpixqklloubragb.exe
- %WINDIR%\syswow64\kexqgzrfxqqprwcrze.exe
- %WINDIR%\syswow64\bumetlcpgyxvwafta.exe
- %TEMP%\umduizpbrigddgkx.exe
- %TEMP%\laocnboxkytnkklvyynbpaobkxlgaxxyill.ocn
- DNS ASK wh#####yip.everdot.org
- DNS ASK sh####ipaddress.com
- '%TEMP%\xpkihpqwojh.exe' "<Full path to file>*"
- '%TEMP%\xekqt.exe' "-%TEMP%\umduizpbrigddgkx.exe"