Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'Auto Panel Config Task Certificate Registry' = 'C:\tzrtgcvmgf\qe3osykkf.exe'
Creates the following services:
- [<HKLM>\SYSTEM\ControlSet001\Services\Notification Source File Credential WMI Services] 'ImagePath' = 'C:\tzrtgcvmgf\qe3osykkf.exe'
- [<HKLM>\SYSTEM\ControlSet001\Services\Notification Source File Credential WMI Services] 'Start' = '00000002'
Modifies file system:
Creates the following files:
- C:\tzrtgcvmgf\qe3osykkf.exe
- C:\tzrtgcvmgf\egcdchiqvm8hv.exe
- C:\tzrtgcvmgf\thjmaftz5dv
- %WINDIR%\tzrtgcvmgf\hflzacbymvw
- C:\tzrtgcvmgf\hflzacbymvw
- C:\tzrtgcvmgf\jzohvzp2fjwvewbnvidqvu.exe
Sets the 'hidden' attribute to the following files:
- C:\tzrtgcvmgf\egcdchiqvm8hv.exe
- C:\tzrtgcvmgf\qe3osykkf.exe
Deletes the following files:
- C:\tzrtgcvmgf\jzohvzp2fjwvewbnvidqvu.exe
- %WINDIR%\tzrtgcvmgf\hflzacbymvw
Substitutes the following files:
- %WINDIR%\tzrtgcvmgf\hflzacbymvw
Network activity:
Connects to:
- 'co#####uscristians.net':80
- 'ma#####nethompsett.net':80
- 'co#####usthompsett.net':80
- 'ma#####necristians.net':80
- 'ch#####assamuelson.net':80
- 'sh#####nestevenson.net':80
- 'ch#####asstevenson.net':80
- 'ra#####lecristians.net':80
- 'co#####ercristians.net':80
- 'ra#####lethompsett.net':80
- 'co#####usstevenson.net':80
- 'ma#####nesamuelson.net':80
- 'co#####ussamuelson.net':80
- 'ma#####nestevenson.net':80
- 'sh#####nesamuelson.net':80
- 'co#####nethompsett.net':80
- 'ka#####nethompsett.net':80
- 'co#####nesamuelson.net':80
- 'ka#####necristians.net':80
- 'ra#####festevenson.net':80
- 'ro#####ltstevenson.net':80
- 'co#####necristians.net':80
- 'ch#####ascristians.net':80
- 'sh#####nethompsett.net':80
- 'ch#####asthompsett.net':80
- 'sh#####necristians.net':80
- 'ka#####nesamuelson.net':80
- 'co#####nestevenson.net':80
- 'ka#####nestevenson.net':80
- 'co#####erthompsett.net':80
- 'jo#####nestevenson.net':80
- 'qu#####lagrenville.net':80
- 'ma#####negrenville.net':80
- 'se#####nastevenson.net':80
- 'jo#####nethompsett.net':80
- 'se#####nasamuelson.net':80
- 'jo#####nesamuelson.net':80
- 'qu#####lapickering.net':80
- 'ma#####nepickering.net':80
- 'ra#####fegrenville.net':80
- 'ma#####neeccleston.net':80
- 'qu#####lageorgeson.net':80
- 'ma#####negeorgeson.net':80
- 'qu#####laeccleston.net':80
- 'se#####nathompsett.net':80
- 'se#####ercristians.net':80
- 'tr#####ancristians.net':80
- 'se#####erthompsett.net':80
- 'co#####erstevenson.net':80
- 'ra#####lesamuelson.net':80
- 'co#####ersamuelson.net':80
- 'ra#####lestevenson.net':80
- 'tr#####anstevenson.net':80
- 'se#####nacristians.net':80
- 'jo#####necristians.net':80
- 'se#####erstevenson.net':80
- 'tr#####anthompsett.net':80
- 'se#####ersamuelson.net':80
- 'tr#####ansamuelson.net':80
TCP:
HTTP GET requests:
- http://co#####uscristians.net/index.php
- http://ma#####nethompsett.net/index.php
- http://co#####usthompsett.net/index.php
- http://ma#####necristians.net/index.php
- http://ch#####assamuelson.net/index.php
- http://sh#####nestevenson.net/index.php
- http://ch#####asstevenson.net/index.php
- http://ra#####lecristians.net/index.php
- http://co#####ercristians.net/index.php
- http://ra#####lethompsett.net/index.php
- http://co#####usstevenson.net/index.php
- http://ma#####nesamuelson.net/index.php
- http://co#####ussamuelson.net/index.php
- http://ma#####nestevenson.net/index.php
- http://sh#####nesamuelson.net/index.php
- http://co#####nethompsett.net/index.php
- http://ka#####nethompsett.net/index.php
- http://co#####nesamuelson.net/index.php
- http://ka#####necristians.net/index.php
- http://ra#####festevenson.net/index.php
- http://ro#####ltstevenson.net/index.php
- http://co#####necristians.net/index.php
- http://ch#####ascristians.net/index.php
- http://sh#####nethompsett.net/index.php
- http://ch#####asthompsett.net/index.php
- http://sh#####necristians.net/index.php
- http://ka#####nesamuelson.net/index.php
- http://co#####nestevenson.net/index.php
- http://ka#####nestevenson.net/index.php
- http://co#####erthompsett.net/index.php
- http://jo#####nestevenson.net/index.php
- http://qu#####lagrenville.net/index.php
- http://ma#####negrenville.net/index.php
- http://se#####nastevenson.net/index.php
- http://jo#####nethompsett.net/index.php
- http://se#####nasamuelson.net/index.php
- http://jo#####nesamuelson.net/index.php
- http://qu#####lapickering.net/index.php
- http://ma#####nepickering.net/index.php
- http://ra#####fegrenville.net/index.php
- http://ma#####neeccleston.net/index.php
- http://qu#####lageorgeson.net/index.php
- http://ma#####negeorgeson.net/index.php
- http://qu#####laeccleston.net/index.php
- http://se#####nathompsett.net/index.php
- http://se#####ercristians.net/index.php
- http://tr#####ancristians.net/index.php
- http://se#####erthompsett.net/index.php
- http://co#####erstevenson.net/index.php
- http://ra#####lesamuelson.net/index.php
- http://co#####ersamuelson.net/index.php
- http://ra#####lestevenson.net/index.php
- http://tr#####anstevenson.net/index.php
- http://se#####nacristians.net/index.php
- http://jo#####necristians.net/index.php
- http://se#####erstevenson.net/index.php
- http://tr#####anthompsett.net/index.php
- http://se#####ersamuelson.net/index.php
- http://tr#####ansamuelson.net/index.php
UDP:
- DNS ASK ma#####necristians.net
- DNS ASK co#####uscristians.net
- DNS ASK ma#####nethompsett.net
- DNS ASK ch#####asstevenson.net
- DNS ASK sh#####nesamuelson.net
- DNS ASK ch#####assamuelson.net
- DNS ASK sh#####nestevenson.net
- DNS ASK co#####usthompsett.net
- DNS ASK ra#####lecristians.net
- DNS ASK co#####ercristians.net
- DNS ASK ra#####lethompsett.net
- DNS ASK co#####usstevenson.net
- DNS ASK ma#####nesamuelson.net
- DNS ASK co#####ussamuelson.net
- DNS ASK ma#####nestevenson.net
- DNS ASK ka#####necristians.net
- DNS ASK co#####nethompsett.net
- DNS ASK ka#####nethompsett.net
- DNS ASK co#####necristians.net
- DNS ASK ro#####ltsamuelson.net
- DNS ASK ra#####festevenson.net
- DNS ASK ro#####ltstevenson.net
- DNS ASK co#####nesamuelson.net
- DNS ASK ch#####ascristians.net
- DNS ASK sh#####nethompsett.net
- DNS ASK ch#####asthompsett.net
- DNS ASK sh#####necristians.net
- DNS ASK ka#####nesamuelson.net
- DNS ASK co#####nestevenson.net
- DNS ASK ka#####nestevenson.net
- DNS ASK se#####nastevenson.net
- DNS ASK jo#####nestevenson.net
- DNS ASK qu#####lagrenville.net
- DNS ASK jo#####nesamuelson.net
- DNS ASK se#####nathompsett.net
- DNS ASK jo#####nethompsett.net
- DNS ASK se#####nasamuelson.net
- DNS ASK ma#####negrenville.net
- DNS ASK qu#####lapickering.net
- DNS ASK ma#####nepickering.net
- DNS ASK ra#####fegrenville.net
- DNS ASK ma#####neeccleston.net
- DNS ASK qu#####lageorgeson.net
- DNS ASK ma#####negeorgeson.net
- DNS ASK qu#####laeccleston.net
- DNS ASK co#####erstevenson.net
- DNS ASK se#####ercristians.net
- DNS ASK tr#####ancristians.net
- DNS ASK ra#####lestevenson.net
- DNS ASK co#####erthompsett.net
- DNS ASK ra#####lesamuelson.net
- DNS ASK co#####ersamuelson.net
- DNS ASK se#####erthompsett.net
- DNS ASK tr#####anstevenson.net
- DNS ASK se#####nacristians.net
- DNS ASK jo#####necristians.net
- DNS ASK se#####erstevenson.net
- DNS ASK tr#####anthompsett.net
- DNS ASK se#####ersamuelson.net
- DNS ASK tr#####ansamuelson.net
Miscellaneous:
Creates and executes the following:
- 'C:\tzrtgcvmgf\egcdchiqvm8hv.exe' "c:\tzrtgcvmgf\qe3osykkf.exe"
- 'C:\tzrtgcvmgf\qe3osykkf.exe'
- 'C:\tzrtgcvmgf\jzohvzp2fjwvewbnvidqvu.exe'
