Some more info. It modifies the registry to run on boot-up.
HKEY_CURRENT_USER → Software → Microsoft → Windows → Current Version → Run
The file is randomly named according to the C:\Users\X\Roaming[filename]
I’ll attach a picture with the virus folder name.
Please Note: The virus folders and executable files are randomly named each time and are not consistent!!
Additionally: Once the file has been run, it caps your CPU to max levels then drops. In order to delete the Roaming folder you need to kill the process in Task Manager. Note again it will be randomly named and signed by Kemliz (Close, will modify that when I get home). MBAM works against this variant of Zbot.
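
A read-only check for the persistence described in this post, as an added example that is not part of the original post: it lists values in the per-user Run key whose executable sits under the Roaming profile, with the file's Authenticode signer and the IDs of any running processes started from it. It assumes the standard key path `HKCU:\Software\Microsoft\Windows\CurrentVersion\Run` and takes the Roaming folder from `$env:APPDATA`; the helper name `Get-CommandPath` is made up for this example.

```powershell
# Added example: audit the per-user Run key for entries that launch from Roaming.
# Assumption: standard Run key path; $env:APPDATA is the user's Roaming folder.
$runKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$roaming = $env:APPDATA

function Get-CommandPath {
    # Hypothetical helper: extract the executable path from a Run command line.
    param([string]$Command)
    $expanded = [Environment]::ExpandEnvironmentVariables($Command)
    if ($expanded -match '^\s*"([^"]+)"') { return $Matches[1] }          # quoted path
    if ($expanded -match '^\s*(.+?\.(exe|com|scr|bat|cmd))(\s|$)') {      # unquoted path
        return $Matches[1]
    }
    return ($expanded.Trim() -split '\s+')[0]                            # fallback: first token
}

$findings = @()
$key = Get-Item -Path $runKey -ErrorAction SilentlyContinue
if ($key) {
    foreach ($name in $key.GetValueNames()) {
        $path = Get-CommandPath ([string]$key.GetValue($name))
        if (-not $path) { continue }
        # Only report entries whose target lives under the Roaming profile.
        if (-not $path.StartsWith($roaming, [StringComparison]::OrdinalIgnoreCase)) { continue }

        $exists = Test-Path -LiteralPath $path -PathType Leaf
        $sig    = if ($exists) { Get-AuthenticodeSignature -LiteralPath $path } else { $null }
        # Processes currently running from that file (it must be stopped before deletion).
        $procs  = @(Get-Process | Where-Object { $_.Path -eq $path })

        $findings += [pscustomobject]@{
            ValueName = $name
            Path      = $path
            Exists    = $exists
            SigStatus = if ($sig) { [string]$sig.Status } else { 'n/a' }
            Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            Pids      = ($procs | ForEach-Object { $_.Id }) -join ','
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Run entries point into the Roaming profile.'
} else {
    $findings | Format-List
}
```

Legitimate software also starts from Roaming, so treat each row as something to review against the signer and file name rather than as a verdict.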