Technical Information
Malicious functions:
Executes the following:
- '<SYSTEM32>\wbem\wmiadap.exe' /R /T
Modifies file system :
Deletes the following files:
- <SYSTEM32>\PerfStringBackup.TMP
- <SYSTEM32>\wbem\Performance\WmiApRpl.ini
Network activity:
Connects to:
- 'www.ky##go.com':808
- 'localhost':1038
UDP:
- DNS ASK www.ky##go.com