Technical Information
- [HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce] 'Java Updater' = '%ALLUSERSPROFILE%\Java Updater\o5wy1ig7o9957s.exe'
- [HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'Java Updater' = '"%ALLUSERSPROFILE%\Java Updater\o5wy1ig7o9957s.exe"'
- [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe] 'Debugger' = 'pzkqn.exe'
- [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbamgui.exe] 'Debugger' = 'bunyzix.exe'
- [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbam.exe] 'Debugger' = 'nbfysej.exe'
- [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Mrtstub.exe] 'Debugger' = 'kknqtvy.exe'
- [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MRT.exe] 'Debugger' = 'kpheujz.exe'
- [HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe] 'Debugger' = 'hasxpvfdlnn.exe'
- [HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MRT.exe] 'Debugger' = 'kfvndumgfrw.exe'
- [HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mrtstub.exe] 'Debugger' = 'vimibyofars.exe'
- [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winmgr108.exe] 'Debugger' = 'zfp.exe'
- <SYSTEM32>\tasks\firefox default browser agent 8e2a1ddef93f7359
- <SYSTEM32>\tasks\windows update check - 0x1bb70478
- [HKLM\System\CurrentControlSet\Services\SSDPSRV] 'Start' = '00000002'
- [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] 'EnableFirewall' = '00000000'
- System Restore (SR)
- Windows Action Center
- Hides taskbar notifications
- %WINDIR%\syswow64\regedit.exe
- %WINDIR%\syswow64\schtasks.exe
- <SYSTEM32>\conhost.exe
- iexplore.exe
- firefox.exe
- %WINDIR%\syswow64\schtasks.exe
- ClassName: '', WindowName: 'Registry Monitor - Sysinternals: www.sysinternals.com'
- ClassName: 'OLLYDBG', WindowName: ''
- ClassName: 'PROCMON_WINDOW_CLASS', WindowName: ''
- ClassName: 'TIdaWindow', WindowName: ''
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1] '2500' = '00000003'
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2] '2500' = '00000003'
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] '2500' = '00000003'
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4] '2500' = '00000003'
- %APPDATA%\bcbgtwa
- %TEMP%\f68e.exe
- %TEMP%\9ff.exe
- %TEMP%\o5wy1ig7o9957s_1.exe
- %TEMP%\o5wy1ig7o9957s_1.exe:1bb7fb68 (NTFS alternate data stream attached to the file above)
- %APPDATA%\bcbgtwa
- %ALLUSERSPROFILE%\java updater\o5wy1ig7o9957s.exe
- <SYSTEM32>\tasks\firefox default browser agent 8e2a1ddef93f7359
- from %TEMP%\f68e.exe to %ALLUSERSPROFILE%\java updater\o5wy1ig7o9957s.exe
- 'ho####ile-host6.com':80
- 'cu####dlover.com':80
- http://ho####ile-host6.com/
- http://cu####dlover.com/client/register.php?id########
- DNS ASK ho####ile-host6.com
- DNS ASK windowsupdate.microsoft.com
- DNS ASK cu####dlover.com
- ClassName: '' WindowName: 'GMER'
- ClassName: '' WindowName: 'Monitoring - API Monitor v2 32-bit'
- '%TEMP%\f68e.exe'
- '%TEMP%\9ff.exe'
- '%TEMP%\o5wy1ig7o9957s_1.exe'
- '%WINDIR%\syswow64\schtasks.exe' /CREATE /SC ONLOGON /TN "Windows Update Check - 0x1BB70478" /TR "C:\PROGRA~3\JAVAUP~1\O5WY1I~1.EXE" /RL HIGHEST (with hidden window)
- '%WINDIR%\syswow64\explorer.exe'
- '%WINDIR%\syswow64\regedit.exe'
- '%WINDIR%\syswow64\schtasks.exe' /CREATE /SC ONLOGON /TN "Windows Update Check - 0x1BB70478" /TR "C:\PROGRA~3\JAVAUP~1\O5WY1I~1.EXE" /RL HIGHEST