Technical Information
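- [<HKLM>\System\CurrentControlSet\Services\Copy Gateway Engine Notification] 'Start' = '00000002' (a service Start value of 2 means automatic start, so the service is launched at every boot)
- [<HKLM>\System\CurrentControlSet\Services\Copy Gateway Engine Notification] 'ImagePath' = 'C:\yrzdrxblcntew\axevktjxx.exe'
- Service 'Copy Gateway Engine Notification', image path C:\yrzdrxblcntew\axevktjxx.exe (the directory and file names appear randomly generated and may differ on other hosts, so match on a service whose ImagePath points into an unfamiliar directory directly under C:\ rather than on these literal names)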
- %WINDIR%\yrzdrxblcntew\fcoxjh0ktlo
- C:\yrzdrxblcntew\fcoxjh0ktlo
- C:\yrzdrxblcntew\cfcirogblhpnyoyym3bklr.exe
- C:\yrzdrxblcntew\axevktjxx.exe
- C:\yrzdrxblcntew\nwyepbcxq.exe
- C:\yrzdrxblcntew\gaqpdcernax
- C:\yrzdrxblcntew\axevktjxx.exe
- C:\yrzdrxblcntew\nwyepbcxq.exe
- %WINDIR%\yrzdrxblcntew\fcoxjh0ktlo
- C:\yrzdrxblcntew\cfcirogblhpnyoyym3bklr.exe
- %WINDIR%\yrzdrxblcntew\fcoxjh0ktlo
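- 'th###clean.net':80 (here and in the entries below, '#' stands for characters masked in this listing, so the names are partial patterns, not complete domains that can be blocklisted as written)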
- 'th###paint.net':80
- 'th###course.net':80
- 'ch###clean.net':80
- 'co####ewomen.net':80
- 'hi####ycourse.net':80
- 'cl###clean.net':80
- 'cl###course.net':80
- 'th###women.net':80
- 'cl###women.net':80
- http://th###clean.net/index.php
- http://th###paint.net/index.php
- http://th###course.net/index.php
- http://ch###clean.net/index.php
- http://hi####ycourse.net/index.php
- http://cl###clean.net/index.php
- http://cl###course.net/index.php
- http://th###women.net/index.php
- http://cl###women.net/index.php
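- DNS ASK fl####urprise.net (each "DNS ASK" entry is a DNS query; far more names are queried than appear in the connection list above, and the names share a small set of word endings, which is consistent with algorithmically generated domains, so a burst of lookups for many similar .net names from one host is a more durable indicator than any single name)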
- DNS ASK ra###rwomen.net
- DNS ASK mo####gcourse.net
- DNS ASK ra####course.net
- DNS ASK mo####gpaint.net
- DNS ASK ra###rpaint.net
- DNS ASK mo####gclean.net
- DNS ASK ra###rclean.net
- DNS ASK tw###ewomen.net
- DNS ASK mi###ewomen.net
- DNS ASK tw####course.net
- DNS ASK mi####course.net
- DNS ASK tw###epaint.net
- DNS ASK mi###epaint.net
- DNS ASK tw###eclean.net
- DNS ASK mi###eclean.net
- DNS ASK mo####gwomen.net
- DNS ASK st####eclean.net
- DNS ASK hi####yclean.net
- DNS ASK st####epaint.net
- DNS ASK cl###course.net
- DNS ASK cl###paint.net
- DNS ASK cl###clean.net
- DNS ASK we####rwomen.net
- DNS ASK am###twomen.net
- DNS ASK we####rcourse.net
- DNS ASK am####course.net
- DNS ASK am###tpaint.net
- DNS ASK we####rpaint.net
- DNS ASK we####rclean.net
- DNS ASK am###tclean.net
- DNS ASK hi####ywomen.net
- DNS ASK st####ewomen.net
- DNS ASK hi####ycourse.net
- DNS ASK st####ecourse.net
- DNS ASK hi####ypaint.net
- DNS ASK cl###women.net
- DNS ASK al###women.net
- DNS ASK of###women.net
- DNS ASK al###course.net
- DNS ASK se####different.net
- DNS ASK qu####ifferent.net
- DNS ASK se####letter.net
- DNS ASK qu###letter.net
- DNS ASK se####beside.net
- DNS ASK qu###beside.net
- DNS ASK se####surprise.net
- DNS ASK qu####urprise.net
- DNS ASK br####ifferent.net
- DNS ASK fl####ifferent.net
- DNS ASK br###letter.net
- DNS ASK fl###letter.net
- DNS ASK br###beside.net
- DNS ASK fl###beside.net
- DNS ASK br####urprise.net
- DNS ASK th###clean.net
- DNS ASK pr####tclean.net
- DNS ASK th###paint.net
- DNS ASK pr####tpaint.net
- DNS ASK al###paint.net
- DNS ASK of###paint.net
- DNS ASK al###clean.net
- DNS ASK of###clean.net
- DNS ASK co####ewomen.net
- DNS ASK ch###women.net
- DNS ASK co####ecourse.net
- DNS ASK co####epaint.net
- DNS ASK ch###course.net
- DNS ASK ch###paint.net
- DNS ASK co####eclean.net
- DNS ASK ch###clean.net
- DNS ASK pr####twomen.net
- DNS ASK th###women.net
- DNS ASK pr####tcourse.net
- DNS ASK th###course.net
- DNS ASK of###course.net
- DNS ASK th###stream.net
- 'C:\yrzdrxblcntew\cfcirogblhpnyoyym3bklr.exe'
- 'C:\yrzdrxblcntew\axevktjxx.exe'
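- 'C:\yrzdrxblcntew\nwyepbcxq.exe' "c:\yrzdrxblcntew\axevktjxx.exe" (nwyepbcxq.exe is started with the path of the service binary axevktjxx.exe as its command-line argument)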