Technical Information
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce] 'GrpConv' = 'grpconv -o'
- [<HKLM>\SOFTWARE\Classes\MSProgramGroup\Shell\Open\Command] '' = '<SYSTEM32>\grpconv.exe %1'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'werp' = '%APPDATA%\b8sw43o.exe'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'Inoyikotadoqev' = 'rundll32.exe "%WINDIR%\tyukbk.dll",Startup'
- [<HKLM>\SYSTEM\ControlSet001\Control\Print\Providers\1537405768] 'Name' = '%TEMP%\5.tmp'
- [<HKLM>\SYSTEM\ControlSet001\Services\MouseDriver] 'Start' = '00000002'
- '%TEMP%\dxybapfj.exe'
- '%APPDATA%\b8sw43o.exe'
- '%TEMP%\vlflp.exe'
- '%TEMP%\hvgxrel.exe'
- '%TEMP%\ojiunesf.exe'
- '%TEMP%\nsnu.exe'
- '%TEMP%\ysxenhy.exe'
- '%TEMP%\vhglsog.exe'
- '%TEMP%\jvowus.exe'
- '%TEMP%\vyxp.exe'
- '%TEMP%\ikrjim.exe'
- '%APPDATA%\b8sw43o.exe'
- '%TEMP%\nsw3.tmp\3E4U - Bucks.exe'
- '%TEMP%\nsw3.tmp\IR.exe'
- '%TEMP%\nsw3.tmp\6tbp.exe'
- '%TEMP%\nsw3.tmp\2IC.exe'
- '%TEMP%\nsw3.tmp\taskmgr.exe'
- '%TEMP%\-1998166001'
- '%TEMP%\nsw3.tmp\1EuroP.exe'
- '%TEMP%\rlupkh.exe'
- '%TEMP%\vhglsog.exe' (downloaded from the Internet)
- '%TEMP%\ikrjim.exe' (downloaded from the Internet)
- '%TEMP%\jvowus.exe' (downloaded from the Internet)
- '%TEMP%\ysxenhy.exe' (downloaded from the Internet)
- '%TEMP%\hvgxrel.exe' (downloaded from the Internet)
- '%TEMP%\ojiunesf.exe' (downloaded from the Internet)
- '%TEMP%\rlupkh.exe' (downloaded from the Internet)
- '%TEMP%\-1998166001' (downloaded from the Internet)
- '%TEMP%\nsnu.exe' (downloaded from the Internet)
- '%TEMP%\vyxp.exe' (downloaded from the Internet)
- '%TEMP%\vlflp.exe' (downloaded from the Internet)
- '%TEMP%\dxybapfj.exe' (downloaded from the Internet)
- '<SYSTEM32>\runonce.exe' -r
- '<SYSTEM32>\rundll32.exe' setupapi,InstallHinfSection DefaultInstall 128 %APPDATA%\mdinstall.inf
- '<SYSTEM32>\net1.exe' stop "Windows Firewall/Internet Connection Sharing (ICS)"
- '<SYSTEM32>\rundll32.exe' "%WINDIR%\tyukbk.dll",iep
- '<SYSTEM32>\grpconv.exe' -o
- '<SYSTEM32>\cmd.exe' /c "%APPDATA%\um0unx4ss.bat"
- '<SYSTEM32>\net1.exe' stop "Security Center"
- '<SYSTEM32>\net.exe' stop "Security Center"
- '<SYSTEM32>\svchost.exe'
- '<SYSTEM32>\rundll32.exe' "%WINDIR%\tyukbk.dll",Startup
- '<SYSTEM32>\sc.exe' config SharedAccess start= DISABLED
- '<SYSTEM32>\net.exe' stop "Windows Firewall/Internet Connection Sharing (ICS)"
- '<SYSTEM32>\sc.exe' config wscsvc start= DISABLED
- <SYSTEM32>\svchost.exe
- %WINDIR%\Explorer.EXE
- <SYSTEM32>\spoolsv.exe
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] '1400' = '00000000'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] '1601' = '00000000'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] 'currentlevel' = '00000000'
- %TEMP%\nsnu.exe
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\2VAZY7AN\oyppct[1].php
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\YPORKZYZ\gqquulypp[1].php
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\sftkxkb[1].php
- %TEMP%\vyxp.exe
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\klppp[1].php
- %TEMP%\ojiunesf.exe
- %TEMP%\vlflp.exe
- %TEMP%\dxybapfj.exe
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\U98D4X8H\wjwjwaobfs[1].php
- %TEMP%\ikrjim.exe
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\gggklycc[1].php
- %TEMP%\vhglsog.exe
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\U98D4X8H\CANE03ZT.php
- %APPDATA%\yyfwovt.log
- %WINDIR%\oxoyoyamuzage.dll
- %TEMP%\jvowus.exe
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\U98D4X8H\pcppgk[1].php
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\2VAZY7AN\cpptuxlpc[1].php
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\YPORKZYZ\ndrei[1].php
- %TEMP%\ysxenhy.exe
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\YPORKZYZ\obcptx[1].php
- %TEMP%\nsw3.tmp\IR.exe
- %TEMP%\nsw3.tmp\6tbp.exe
- %WINDIR%\tyukbk.dll
- %TEMP%\4.tmp
- %TEMP%\nsw3.tmp\taskmgr.exe
- %TEMP%\nsl2.tmp
- %TEMP%\nsw3.tmp\1EuroP.exe
- %TEMP%\nsw3.tmp\3E4U - Bucks.exe
- %TEMP%\nsw3.tmp\2IC.exe
- %WINDIR%\Temp\6.tmp
- %TEMP%\rlupkh.exe
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\U98D4X8H\jjnaeei[1].php
- %APPDATA%\um0unx4ss.bat
- %TEMP%\hvgxrel.exe
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\2VAZY7AN\xxobo[1].php
- %APPDATA%\MouseDriver.bat
- %APPDATA%\b8sw43o.exe
- %APPDATA%\mdinstall.inf
- %TEMP%\-1998166001
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\iwwnnrvi[1].php
- %APPDATA%\MouseDriver.bat
- <DRIVERS>\etc\hosts
- %TEMP%\5.tmp
- %WINDIR%\Temp\6.tmp
- <SYSTEM32>\svchost.exe
- %APPDATA%\mdinstall.inf
- %TEMP%\nsw3.tmp\2IC.exe
- %TEMP%\nsw3.tmp\1EuroP.exe
- %TEMP%\nsw3.tmp\3E4U - Bucks.exe
- %TEMP%\nsw3.tmp\taskmgr.exe
- %TEMP%\nsw3.tmp\IR.exe
- from %TEMP%\4.tmp to %TEMP%\5.tmp
- 'w.#####ardiscover.com':888
- '21######0928.demible.net':80
- 'ca###iod.com':80
- 'localhost':1041
- ca###iod.com/pxxko/pcppgk.php?ad####################################
- ca###iod.com/pxxko/sftkxkb.php?ad####################################
- ca###iod.com/pxxko/gqquulypp.php?ad####################################
- ca###iod.com/pxxko/gggklycc.php?ad##################################################################
- ca###iod.com/pxxko/ndrei.php?ad####################################
- ca###iod.com/pxxko/cpptuxlpc.php?ad####################################
- ca###iod.com/pxxko/oyppct.php?ad####################################
- ca###iod.com/pxxko/xxobo.php?ad####################################
- ca###iod.com/pxxko/iwwnnrvi.php?ad####################################
- ca###iod.com/pxxko/jjnaeei.php?ad####################################
- ca###iod.com/pxxko/wjwjwaobfs.php?ad####################################
- ca###iod.com/pxxko/klppp.php?ad####################################
- ca###iod.com/pxxko/obcptx.php?ad####################################
- DNS ASK w.#####ardiscover.com
- DNS ASK 21######0928.demible.net
- DNS ASK cl####amwallop.in
- DNS ASK ka##ola.in
- DNS ASK ni###snimbus.in
- DNS ASK ma##h.com
- DNS ASK ti##pic.com
- DNS ASK da##.net
- DNS ASK ca###iod.com
- ClassName: 'Indicator' WindowName: '(null)'
- ClassName: 'MS_AutodialMonitor' WindowName: '(null)'
- ClassName: 'MS_WebcheckMonitor' WindowName: '(null)'
- ClassName: 'SystemTray_Main' WindowName: '(null)'
- ClassName: 'CSCHiddenWindow' WindowName: '(null)'
- ClassName: 'Shell_TrayWnd' WindowName: '(null)'