Technical Information
Malicious functions:
Executes the following:
- '<SYSTEM32>\wermgr.exe' -queuereporting
Modifies file system :
Creates the following files:
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\BOWDBRP7\background_gradient[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\YF7T7AK2\info_48[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\user023_tynurl_pw[2]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\SOXZEUJX\bullet[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\httpErrorPagesScripts[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\YF7T7AK2\navcancl[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\user023_tynurl_pw[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\SOXZEUJX\errorPageStrings[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\BOWDBRP7\ErrorPageTemplate[1]
Deletes the following files:
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\user023_tynurl_pw[2]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\user023_tynurl_pw[1]
Network activity:
Connects to:
- 'us####3.tynurl.pw':80
- 'localhost':59804
TCP:
HTTP GET requests:
- us####3.tynurl.pw/
UDP:
- DNS ASK us####3.tynurl.pw
Miscellaneous:
Searches for the following windows:
- ClassName: 'MS_WebCheckMonitor' WindowName: '(null)'
- ClassName: 'MS_AutodialMonitor' WindowName: '(null)'
- ClassName: 'OleMainThreadWndClass' WindowName: '(null)'