Technical Information
- [<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce] 'qavikgurbem' = '"%APPDATA%\Microsoft\gofbsl.exe"'
- %WINDIR%\cejigulise zewawopeguzo dekelalujuhi raxujedikedu lakulopa
- %APPDATA%\microsoft\gofbsl.exe
- '%WINDIR%\syswow64\nslookup.exe' politiaromana.bit ns1.virmach.ru (with hidden window)
- '%WINDIR%\syswow64\nslookup.exe' malwarehunterteam.bit ns1.virmach.ru (with hidden window)
- '%WINDIR%\syswow64\nslookup.exe' gdcb.bit ns2.virmach.ru (with hidden window)
- '%WINDIR%\syswow64\nslookup.exe' politiaromana.bit ns2.virmach.ru (with hidden window)
- '%WINDIR%\syswow64\nslookup.exe' malwarehunterteam.bit ns2.virmach.ru (with hidden window)
- '%WINDIR%\syswow64\nslookup.exe' politiaromana.bit ns1.virmach.ru
- '%WINDIR%\syswow64\nslookup.exe' malwarehunterteam.bit ns1.virmach.ru
- '%WINDIR%\syswow64\nslookup.exe' gdcb.bit ns2.virmach.ru
- '%WINDIR%\syswow64\nslookup.exe' politiaromana.bit ns2.virmach.ru
- '%WINDIR%\syswow64\nslookup.exe' malwarehunterteam.bit ns2.virmach.ru