Technical Information
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'Notification Now Manager Session Installer' = '<SYSTEM32>\znoycywa.exe'
- [<HKLM>\SYSTEM\ControlSet001\Services\Play Publication Scheduler Config] 'Start' = '00000002'
- Windows Security Center
- '<SYSTEM32>\tihapal.exe' "<SYSTEM32>\znoycywa.exe"
- '%WINDIR%\Temp\mnajbkcj31j5frv.exe' -r 41506 tcp
- '%TEMP%\mnajbkcj2pbhfrvbh8d49xd.exe'
- '<SYSTEM32>\znoycywa.exe'
- <SYSTEM32>\hpwleiiumvx\run
- <SYSTEM32>\hpwleiiumvx\rng
- %WINDIR%\Temp\mnajbkcj31j5frv.exe
- <SYSTEM32>\hpwleiiumvx\cfg
- <SYSTEM32>\tihapal.exe
- %TEMP%\mnajbkcj2pbhfrvbh8d49xd.exe
- <SYSTEM32>\hpwleiiumvx\tst
- <SYSTEM32>\znoycywa.exe
- <SYSTEM32>\hpwleiiumvx\etc
- <SYSTEM32>\tihapal.exe
- <SYSTEM32>\znoycywa.exe
- %WINDIR%\Temp\mnajbkcj31j5frv.exe
- <DRIVERS>\etc\hosts
- %TEMP%\mnajbkcj2pbhfrvbh8d49xd.exe
- 'th###born.net':80
- 'si###born.net':80
- 'si###august.net':80
- 'si###paid.net':80
- 'th###august.net':80
- 'ca###loth.net':80
- 'ca###ugust.net':80
- 'he###ugust.net':80
- 'he###aid.net':80
- 'he###loth.net':80
- 'ca###aid.net':80
- 'du###aid.net':80
- 'wi###ugust.net':80
- 'wi###aid.net':80
- 'wi###loth.net':80
- 'du###loth.net':80
- 'du###ugust.net':80
- 'si###cloth.net':80
- 'th###paid.net':80
- 'th###cloth.net':80
- 'wi###orn.net':80
- 'du###orn.net':80
- 'su####august.net':80
- 'mo###ugust.net':80
- 'mo###aid.net':80
- 'mo###loth.net':80
- 'su###ypaid.net':80
- 'su###yborn.net':80
- 'me###aid.net':80
- 'si###aid.net':80
- 'si###loth.net':80
- 'mo###orn.net':80
- 'me###loth.net':80
- 'th###loth.net':80
- 'qu###paid.net':80
- 'qu###cloth.net':80
- 'ca###orn.net':80
- 'he###orn.net':80
- 'th###aid.net':80
- 'th###orn.net':80
- 'su###ycloth.net':80
- 'qu###born.net':80
- 'qu###august.net':80
- 'th###ugust.net':80
- 'tr###born.net':80
- 'wi###ome.net':80
- 'jo###ver.net':80
- 'jo###ome.net':80
- 'ha###old.net':80
- 'se####bergold.net':80
- 'wi###ver.net':80
- 'wi###old.net':80
- 'de###ome.net':80
- 'jo###old.net':80
- 'jo###rain.net':80
- 'wi###rain.net':80
- 'de###lxc.com':80
- 'of###gold.net':80
- 'be##lxc.com':80
- 'ri###nstorm.net':80
- 'af###sllc.com':80
- 'ha###ome.net':80
- 'ha###rain.net':80
- 'se####bergrain.net':80
- 'se####berover.net':80
- 'se####berhome.net':80
- 'ha###ver.net':80
- 'ma###old.net':80
- 'mi###loth.net':80
- 'wr###gold.net':80
- 'wr###grain.net':80
- 'ma###rain.net':80
- 'tr###cloth.net':80
- 'tr###august.net':80
- 'mi###orn.net':80
- 'mi###ugust.net':80
- 'mi###aid.net':80
- 'tr###paid.net':80
- 'de###rain.net':80
- 'ro###rain.net':80
- 'ro###ver.net':80
- 'ro###ome.net':80
- 'de###ver.net':80
- 'de###old.net':80
- 'wr###over.net':80
- 'ma###ver.net':80
- 'ma###ome.net':80
- 'ro###old.net':80
- 'wr###home.net':80
- http://th###born.net/index.php
- http://si###born.net/index.php
- http://si###august.net/index.php
- http://si###paid.net/index.php
- http://th###august.net/index.php
- http://ca###loth.net/index.php
- http://ca###ugust.net/index.php
- http://he###ugust.net/index.php
- http://he###aid.net/index.php
- http://he###loth.net/index.php
- http://ca###aid.net/index.php
- http://du###aid.net/index.php
- http://wi###ugust.net/index.php
- http://wi###aid.net/index.php
- http://wi###loth.net/index.php
- http://du###loth.net/index.php
- http://du###ugust.net/index.php
- http://si###cloth.net/index.php
- http://th###paid.net/index.php
- http://th###cloth.net/index.php
- http://wi###orn.net/index.php
- http://du###orn.net/index.php
- http://su####august.net/index.php
- http://mo###ugust.net/index.php
- http://mo###aid.net/index.php
- http://mo###loth.net/index.php
- http://su###ypaid.net/index.php
- http://su###yborn.net/index.php
- http://me###aid.net/index.php
- http://si###aid.net/index.php
- http://si###loth.net/index.php
- http://mo###orn.net/index.php
- http://me###loth.net/index.php
- http://th###loth.net/index.php
- http://qu###paid.net/index.php
- http://qu###cloth.net/index.php
- http://ca###orn.net/index.php
- http://he###orn.net/index.php
- http://th###aid.net/index.php
- http://th###orn.net/index.php
- http://su###ycloth.net/index.php
- http://qu###born.net/index.php
- http://qu###august.net/index.php
- http://th###ugust.net/index.php
- http://tr###born.net/index.php
- http://wi###ome.net/index.php
- http://jo###ver.net/index.php
- http://jo###ome.net/index.php
- http://ha###old.net/index.php
- http://se####bergold.net/index.php
- http://wi###ver.net/index.php
- http://wi###old.net/index.php
- http://de###ome.net/index.php
- http://jo###old.net/index.php
- http://jo###rain.net/index.php
- http://wi###rain.net/index.php
- http://de###lxc.com/index.php
- http://of###gold.net/index.php
- http://be##lxc.com/index.php
- http://ri###nstorm.net/index.php
- http://af###sllc.com/index.php
- http://ha###ome.net/index.php
- http://ha###rain.net/index.php
- http://se####bergrain.net/index.php
- http://se####berover.net/index.php
- http://se####berhome.net/index.php
- http://ha###ver.net/index.php
- http://ma###old.net/index.php
- http://mi###loth.net/index.php
- http://wr###gold.net/index.php
- http://wr###grain.net/index.php
- http://ma###rain.net/index.php
- http://tr###cloth.net/index.php
- http://tr###august.net/index.php
- http://mi###orn.net/index.php
- http://mi###ugust.net/index.php
- http://mi###aid.net/index.php
- http://tr###paid.net/index.php
- http://de###rain.net/index.php
- http://ro###rain.net/index.php
- http://ro###ver.net/index.php
- http://ro###ome.net/index.php
- http://de###ver.net/index.php
- http://de###old.net/index.php
- http://wr###over.net/index.php
- http://ma###ver.net/index.php
- http://ma###ome.net/index.php
- http://ro###old.net/index.php
- http://wr###home.net/index.php
- DNS ASK si###august.net
- DNS ASK th###born.net
- DNS ASK th###august.net
- DNS ASK th###paid.net
- DNS ASK si###paid.net
- DNS ASK si###born.net
- DNS ASK he###aid.net
- DNS ASK ca###ugust.net
- DNS ASK ca###aid.net
- DNS ASK ca###loth.net
- DNS ASK he###loth.net
- DNS ASK wi###aid.net
- DNS ASK du###aid.net
- DNS ASK du###loth.net
- DNS ASK tr###born.net
- DNS ASK wi###loth.net
- DNS ASK wi###ugust.net
- DNS ASK th###cloth.net
- DNS ASK si###cloth.net
- DNS ASK du###orn.net
- DNS ASK du###ugust.net
- DNS ASK wi###orn.net
- DNS ASK he###ugust.net
- DNS ASK su####august.net
- DNS ASK mo###ugust.net
- DNS ASK mo###aid.net
- DNS ASK mo###loth.net
- DNS ASK su###ypaid.net
- DNS ASK su###yborn.net
- DNS ASK me###aid.net
- DNS ASK si###aid.net
- DNS ASK si###loth.net
- DNS ASK mo###orn.net
- DNS ASK me###loth.net
- DNS ASK th###loth.net
- DNS ASK qu###paid.net
- DNS ASK qu###cloth.net
- DNS ASK ca###orn.net
- DNS ASK he###orn.net
- DNS ASK th###aid.net
- DNS ASK th###orn.net
- DNS ASK su###ycloth.net
- DNS ASK qu###born.net
- DNS ASK qu###august.net
- DNS ASK th###ugust.net
- DNS ASK wi###ome.net
- DNS ASK jo###ver.net
- DNS ASK jo###ome.net
- DNS ASK ha###old.net
- DNS ASK se####bergold.net
- DNS ASK wi###ver.net
- DNS ASK wi###old.net
- DNS ASK de###ome.net
- DNS ASK jo###old.net
- DNS ASK jo###rain.net
- DNS ASK wi###rain.net
- DNS ASK de###lxc.com
- DNS ASK of###gold.net
- DNS ASK be##lxc.com
- DNS ASK ri###nstorm.net
- DNS ASK af###sllc.com
- DNS ASK ha###ome.net
- DNS ASK ha###rain.net
- DNS ASK se####bergrain.net
- DNS ASK se####berover.net
- DNS ASK se####berhome.net
- DNS ASK ha###ver.net
- DNS ASK ma###old.net
- DNS ASK mi###loth.net
- DNS ASK wr###gold.net
- DNS ASK wr###grain.net
- DNS ASK ma###rain.net
- DNS ASK tr###cloth.net
- DNS ASK tr###august.net
- DNS ASK mi###orn.net
- DNS ASK mi###ugust.net
- DNS ASK mi###aid.net
- DNS ASK tr###paid.net
- DNS ASK de###rain.net
- DNS ASK ro###rain.net
- DNS ASK ro###ver.net
- DNS ASK ro###ome.net
- DNS ASK de###ver.net
- DNS ASK de###old.net
- DNS ASK wr###over.net
- DNS ASK ma###ver.net
- DNS ASK ma###ome.net
- DNS ASK ro###old.net
- DNS ASK wr###home.net
- '23#.#55.255.250':1900