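Technical Information
Note: '#' is not a valid host-name character; the host names in the network entries below are partially masked in this listing, so they are incomplete and cannot be used as exact-match indicators as written.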
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'Process Protection Class Program Keying' = 'C:\hpqpfgb\ttzmwugca.exe' (machine-wide Run key: the program is launched at each user logon)
- [<HKLM>\SYSTEM\ControlSet001\Services\Access Networking File Collector] 'ImagePath' = 'C:\hpqpfgb\ttzmwugca.exe'
- [<HKLM>\SYSTEM\ControlSet001\Services\Access Networking File Collector] 'Start' = '00000002' (service start type 2: started automatically at system boot)
- 'C:\hpqpfgb\epnccsd.exe' "c:\hpqpfgb\ttzmwugca.exe"
- 'C:\hpqpfgb\ttzmwugca.exe'
- 'C:\hpqpfgb\ck3bsxvyvpixeszi.exe'
- C:\hpqpfgb\ttzmwugca.exe
- C:\hpqpfgb\epnccsd.exe
- C:\hpqpfgb\ck3bsxvyvpixeszi.exe
- %WINDIR%\hpqpfgb\oalptndbivpm
- C:\hpqpfgb\oalptndbivpm
- C:\hpqpfgb\epnccsd.exe
- C:\hpqpfgb\ttzmwugca.exe
- C:\hpqpfgb\ck3bsxvyvpixeszi.exe
- %WINDIR%\hpqpfgb\oalptndbivpm
- 'fr###close.net':80
- 'ex####enceclose.net':80
- 'fr###yellow.net':80
- 'ex#####nceyellow.net':80
- 'ge####mantravel.net':80
- 'al####ytravel.net':80
- 'ge####manspace.net':80
- 'al####yspace.net':80
- 'ex#####ncetravel.net':80
- 'fi###object.net':80
- 'pa####hildhood.net':80
- 'fi###third.net':80
- 'pa###object.net':80
- 'ex####encespace.net':80
- 'fr###travel.net':80
- 'fi####hildhood.net':80
- 'fr###space.net':80
- 'me###rclose.net':80
- 'be###space.net':80
- 'me####yellow.net':80
- 'fo###wclose.net':80
- 'kn###travel.net':80
- 'be###yellow.net':80
- 'kn###space.net':80
- 'be###travel.net':80
- 'fo####yellow.net':80
- 'ge####manclose.net':80
- 'al####yclose.net':80
- 'ge####manyellow.net':80
- 'al####yyellow.net':80
- 'fo####travel.net':80
- 'me####travel.net':80
- 'fo###wspace.net':80
- 'me###rspace.net':80
- 'pa###third.net':80
- 'cr###third.net':80
- 'su####object.net':80
- 'cr####tation.net':80
- 'su###rthird.net':80
- 'cr####hildhood.net':80
- 'th####tstation.net':80
- 'cr###object.net':80
- 'su####childhood.net':80
- 'su####station.net':80
- 'be###third.net':80
- 'kn###third.net':80
- 'be####tation.net':80
- 'kn####tation.net':80
- 'be####hildhood.net':80
- 'kn####hildhood.net':80
- 'be###object.net':80
- 'kn###object.net':80
- 'wo###object.net':80
- 'sm###object.net':80
- 'wo###third.net':80
- 'sm###third.net':80
- 'pa####tation.net':80
- 'fi####tation.net':80
- 'wo####hildhood.net':80
- 'sm####hildhood.net':80
- 'sm####tation.net':80
- 'wa###third.net':80
- 'th####tobject.net':80
- 'wa####tation.net':80
- 'th####tthird.net':80
- 'wa####hildhood.net':80
- 'wo####tation.net':80
- 'wa###object.net':80
- 'th#####childhood.net':80
- http://fr###close.net/index.php
- http://ex####enceclose.net/index.php
- http://fr###yellow.net/index.php
- http://ex#####nceyellow.net/index.php
- http://ge####mantravel.net/index.php
- http://al####ytravel.net/index.php
- http://ge####manspace.net/index.php
- http://al####yspace.net/index.php
- http://ex#####ncetravel.net/index.php
- http://fi###object.net/index.php
- http://pa####hildhood.net/index.php
- http://fi###third.net/index.php
- http://pa###object.net/index.php
- http://ex####encespace.net/index.php
- http://fr###travel.net/index.php
- http://fi####hildhood.net/index.php
- http://fr###space.net/index.php
- http://me###rclose.net/index.php
- http://be###space.net/index.php
- http://me####yellow.net/index.php
- http://fo###wclose.net/index.php
- http://kn###travel.net/index.php
- http://be###yellow.net/index.php
- http://kn###space.net/index.php
- http://be###travel.net/index.php
- http://fo####yellow.net/index.php
- http://ge####manclose.net/index.php
- http://al####yclose.net/index.php
- http://ge####manyellow.net/index.php
- http://al####yyellow.net/index.php
- http://fo####travel.net/index.php
- http://me####travel.net/index.php
- http://fo###wspace.net/index.php
- http://me###rspace.net/index.php
- http://pa###third.net/index.php
- http://cr###third.net/index.php
- http://su####object.net/index.php
- http://cr####tation.net/index.php
- http://su###rthird.net/index.php
- http://cr####hildhood.net/index.php
- http://th####tstation.net/index.php
- http://cr###object.net/index.php
- http://su####childhood.net/index.php
- http://su####station.net/index.php
- http://be###third.net/index.php
- http://kn###third.net/index.php
- http://be####tation.net/index.php
- http://kn####tation.net/index.php
- http://be####hildhood.net/index.php
- http://kn####hildhood.net/index.php
- http://be###object.net/index.php
- http://kn###object.net/index.php
- http://wo###object.net/index.php
- http://sm###object.net/index.php
- http://wo###third.net/index.php
- http://sm###third.net/index.php
- http://pa####tation.net/index.php
- http://fi####tation.net/index.php
- http://wo####hildhood.net/index.php
- http://sm####hildhood.net/index.php
- http://sm####tation.net/index.php
- http://wa###third.net/index.php
- http://th####tobject.net/index.php
- http://wa####tation.net/index.php
- http://th####tthird.net/index.php
- http://wa####hildhood.net/index.php
- http://wo####tation.net/index.php
- http://wa###object.net/index.php
- http://th#####childhood.net/index.php
- DNS ASK fr###close.net
- DNS ASK ex####enceclose.net
- DNS ASK fr###yellow.net
- DNS ASK ex#####nceyellow.net
- DNS ASK ge####mantravel.net
- DNS ASK al####ytravel.net
- DNS ASK ge####manspace.net
- DNS ASK al####yspace.net
- DNS ASK ex#####ncetravel.net
- DNS ASK fi###object.net
- DNS ASK pa####hildhood.net
- DNS ASK fi###third.net
- DNS ASK pa###object.net
- DNS ASK ex####encespace.net
- DNS ASK fr###travel.net
- DNS ASK fi####hildhood.net
- DNS ASK fr###space.net
- DNS ASK ge####manyellow.net
- DNS ASK be###space.net
- DNS ASK kn###space.net
- DNS ASK fo###wclose.net
- DNS ASK me###rclose.net
- DNS ASK be###yellow.net
- DNS ASK kn###yellow.net
- DNS ASK be###travel.net
- DNS ASK kn###travel.net
- DNS ASK me####yellow.net
- DNS ASK al####yclose.net
- DNS ASK fo###wspace.net
- DNS ASK al####yyellow.net
- DNS ASK ge####manclose.net
- DNS ASK me####travel.net
- DNS ASK fo####yellow.net
- DNS ASK me###rspace.net
- DNS ASK fo####travel.net
- DNS ASK cr###third.net
- DNS ASK su####object.net
- DNS ASK cr####tation.net
- DNS ASK su###rthird.net
- DNS ASK cr####hildhood.net
- DNS ASK th####tstation.net
- DNS ASK cr###object.net
- DNS ASK su####childhood.net
- DNS ASK su####station.net
- DNS ASK be###third.net
- DNS ASK kn###third.net
- DNS ASK be####tation.net
- DNS ASK kn####tation.net
- DNS ASK be####hildhood.net
- DNS ASK kn####hildhood.net
- DNS ASK be###object.net
- DNS ASK kn###object.net
- DNS ASK wa####tation.net
- DNS ASK sm###object.net
- DNS ASK wo####hildhood.net
- DNS ASK sm###third.net
- DNS ASK wo###object.net
- DNS ASK fi####tation.net
- DNS ASK pa###third.net
- DNS ASK sm####hildhood.net
- DNS ASK pa####tation.net
- DNS ASK wo###third.net
- DNS ASK th####tobject.net
- DNS ASK wa###object.net
- DNS ASK th####tthird.net
- DNS ASK wa###third.net
- DNS ASK wo####tation.net
- DNS ASK sm####tation.net
- DNS ASK th#####childhood.net
- DNS ASK wa####hildhood.net
- ClassName: 'Shell_TrayWnd' WindowName: '' ('Shell_TrayWnd' is the window class of the Windows taskbar)