Technical Information
- [<HKLM>\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command] '' = '"<LS_APPDATA>\beg.exe" -a "%PROGRAM_FILES%\Internet Explorer\iexplore.exe"'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] '1967177966' = '<LS_APPDATA>\beg.exe'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'ctfmon.exe' = '<SYSTEM32>\ctfmon.exe'
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile] 'EnableFirewall' = '00000000'
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile] 'DoNotAllowExceptions' = '00000000'
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile] 'DisableNotifications' = '00000001'
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] 'EnableFirewall' = '00000000'
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] 'DoNotAllowExceptions' = '00000000'
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] 'DisableNotifications' = '00000001'
- Windows Security Center
- <LS_APPDATA>\beg.exe -gav <Full path to virus>
- chrome.exe
- opera.exe
- iexplore.exe
- firefox.exe
- [<HKCU>\Software\BPFTP\Bullet Proof FTP\Options]
- [<HKCU>\Software\BulletProof Software\BulletProof FTP Client\Options]
- [<HKCU>\Software\BulletProof Software\BulletProof FTP Client\Main]
- [<HKLM>\Software\FlashFXP]
- [<HKCU>\Software\BPFTP\Bullet Proof FTP\Main]
- [<HKCU>\Software\BPFTP]
- [<HKCU>\Software\South River Technologies\WebDrive\Connections]
- [<HKLM>\Software\South River Technologies\WebDrive\Connections]
- [<HKCU>\Software\FTPWare\COREFTP\Sites]
- [<HKCU>\Software\Sota\FFFTP\Options]
- [<HKCU>\Software\CoffeeCup Software\Internet\Profiles]
- [<HKCU>\Software\Far2\SavedDialogHistory\FTPHost]
- [<HKCU>\Software\Ghisler\Windows Commander]
- [<HKCU>\Software\Far\SavedDialogHistory\FTPHost]
- [<HKCU>\Software\Far\Plugins\FTP\Hosts]
- [<HKCU>\Software\Far2\Plugins\FTP\Hosts]
- [<HKCU>\Software\Ghisler\Total Commander]
- [<HKCU>\Software\FlashFXP]
- [<HKLM>\Software\FlashFXP\3]
- [<HKCU>\Software\FlashFXP\3]
- [<HKLM>\Software\Ghisler\Windows Commander]
- [<HKLM>\Software\Ghisler\Total Commander]
- %ALLUSERSPROFILE%\Application Data\rvtc.exe
- %TEMP%\nbrr.exe
- <LS_APPDATA>\rnoc.exe
- %TEMP%\vkfv.exe
- %HOMEPATH%\Templates\bnes.exe
- %TEMP%\c63i8t33o0unv8374i4802e6m8e5p61syff1omht4mu7
- %HOMEPATH%\Templates\c63i8t33o0unv8374i4802e6m8e5p61syff1omht4mu7
- %ALLUSERSPROFILE%\Application Data\c63i8t33o0unv8374i4802e6m8e5p61syff1omht4mu7
- %HOMEPATH%\Templates\qrnm.exe
- <LS_APPDATA>\c63i8t33o0unv8374i4802e6m8e5p61syff1omht4mu7
- %ALLUSERSPROFILE%\Application Data\etjo.exe
- %TEMP%\tdnx.exe
- %HOMEPATH%\Templates\ccqa.exe
- %ALLUSERSPROFILE%\Application Data\rint.exe
- <LS_APPDATA>\beg.exe
- <LS_APPDATA>\spko.exe
- %HOMEPATH%\Templates\gsfg.exe
- <LS_APPDATA>\tpvt.exe
- %TEMP%\ejck.exe
- <LS_APPDATA>\yopw.exe
- %ALLUSERSPROFILE%\Application Data\pxfv.exe
- 'ci####cuqekexo.com':80
- 'qo###ifelaw.com':80
- 'jy####fyhulora.com':80
- 'he###ixiru.com':80
- 'le####vasezo.com':80
- 'sy####lurypugi.com':80
- 'za####tahuryp.com':80
- 'he###yheduf.com':80
- 'pa####kavygaj.com':80
- 'xu###acaqy.com':80
- 'su###ebaq.com':80
- 'pi####xuwisin.com':80
- 'wi###ypihag.com':80
- 'xi####xegybozi.com':80
- 'pe###ehywe.com':80
- 'wa####qohuli.com':80
- 'ba####naxepo.com':80
- 'su###evebat.com':80
- 'te####ter-th4j.com':80
- 'gi###eceta.com':80
- 'fo####wupode.com':80
- 'le####jezociw.com':80
- 'ci####rijugeg.com':80
- 'si####qilugoq.com':80
- 'mo####xazyby.com':80
- 'bi####qojivu.com':80
- 'ho####mitajy.com':80
- te####ter-th4j.com/setup.exe
- su###evebat.com/
- DNS ASK pi####xuwisin.com
- DNS ASK su###ebaq.com
- DNS ASK he###yheduf.com
- DNS ASK wi###ypihag.com
- DNS ASK qo###ifelaw.com
- DNS ASK ci####cuqekexo.com
- DNS ASK za####tahuryp.com
- DNS ASK jy####fyhulora.com
- DNS ASK pa####kavygaj.com
- DNS ASK fe####holubaro.com
- DNS ASK zy####wodojyx.com
- DNS ASK wy####facysyd.com
- DNS ASK microsoft.com
- DNS ASK ra####bareme.com
- DNS ASK xu###acaqy.com
- DNS ASK ti###uqel.com
- DNS ASK le###ehup.com
- DNS ASK ba####naxepo.com
- DNS ASK wa####qohuli.com
- DNS ASK mo####xazyby.com
- DNS ASK fo####wupode.com
- DNS ASK te####ter-th4j.com
- DNS ASK su###evebat.com
- DNS ASK pe###ehywe.com
- DNS ASK gi###eceta.com
- DNS ASK bi####qojivu.com
- DNS ASK he###ixiru.com
- DNS ASK xi####xegybozi.com
- DNS ASK sy####lurypugi.com
- DNS ASK le####vasezo.com
- DNS ASK le####jezociw.com
- DNS ASK ho####mitajy.com
- DNS ASK si####qilugoq.com
- DNS ASK ci####rijugeg.com
- ClassName: 'msascui_class' WindowName: ''
- ClassName: 'Indicator' WindowName: ''