Technical Information
Malicious functions:
Executes the following:
- <SYSTEM32>\wscript.exe "c:\64EE2653.vbs"
- <SYSTEM32>\taskkill.exe /f /im Ksafetray.exe
Modifies file system :
Creates the following files:
- %PROGRAM_FILES%\svchest.ini
- C:\64EE2653.vbs
- %WINDIR%\svchcst.exe
Deletes the following files:
- C:\64EE2653.vbs
Network activity:
Connects to:
- '60####7.3322.org':1993
UDP:
- DNS ASK 60####7.3322.org
- '<Private IP address>':1034
Miscellaneous:
Searches for the following windows:
- ClassName: '' WindowName: ''