Technical Information
To ensure autorun and distribution
Modifies the following registry keys
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'WindowsTab' = '"%ALLUSERSPROFILE%\WindowsTab\windowstabup.exe"'
- [<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'WINDOWSTAB_UC' = '"%LOCALAPPDATA%\windowstab\windowstab_uc.exe" /run '
Creates or modifies the following files
- %APPDATA%\microsoft\windows\start menu\programs\startup\windowstab_uc.lnk
Sets the following service settings
- [<HKLM>\System\CurrentControlSet\Services\windowstab_mon] 'Start' = '00000002'
- [<HKLM>\System\CurrentControlSet\Services\windowstab_mon] 'ImagePath' = '%LOCALAPPDATA%\windowstab\windowstab_mon.exe'
Creates the following services
- 'windowstab_mon' %LOCALAPPDATA%\windowstab\windowstab_mon.exe
Modifies file system
Creates the following files
- %TEMP%\nsr6ca8.tmp\uac.dll
- %TEMP%\160c522.tmp
- %TEMP%\160bc7c.tmp
- %TEMP%\160b961.tmp
- %TEMP%\160b412.tmp
- %TEMP%\160b4ae.tmp
- %TEMP%\160b261.tmp
- %LOCALAPPDATA%\windowstab\windowstab_mon.exe
- %TEMP%\windowstab_mon.exe
- %TEMP%\160ac19.tmp
- %LOCALAPPDATA%\windowstab\windowstab_unins.exe
- %LOCALAPPDATA%\microsoft\windows\history\history.ie5\mshist012021010320210104\index.dat
- %LOCALAPPDATA%\windowstab\windowstab_uc.exe
- %TEMP%\160a0d1.tmp
- %TEMP%\16098a6.tmp
- %ALLUSERSPROFILE%\windowstab\windowstab_move.exe
- %ALLUSERSPROFILE%\windowstab\trash\windowstab_move.exe
- %ALLUSERSPROFILE%\windowstab\trash\windowstabup.exe
- %ALLUSERSPROFILE%\windowstab\uninst.exe
- %ALLUSERSPROFILE%\windowstab\windowstab.exe
- %ALLUSERSPROFILE%\windowstab\windowstabup.exe
- %TEMP%\nsr6ca8.tmp\accesscontrol.dll
- %TEMP%\nsr6ca8.tmp\system.dll
- %LOCALAPPDATA%\windowstab\windowstab.exe
- %TEMP%\160cb5a.tmp
Deletes the following files
- %TEMP%\nsr6ca8.tmp\accesscontrol.dll
- %TEMP%\160bc7c.tmp
- %TEMP%\160b412.tmp
- %ALLUSERSPROFILE%\windowstab\windowstab_move.exe
- %ALLUSERSPROFILE%\windowstab\windowstab.exe
- %ALLUSERSPROFILE%\windowstab\uninst.exe
- %TEMP%\160b261.tmp
- %TEMP%\160b961.tmp
- %TEMP%\windowstab_mon.exe
- %TEMP%\16098a6.tmp
- %ALLUSERSPROFILE%\windowstab\trash\windowstab_move.exe
- %ALLUSERSPROFILE%\windowstab\trash\windowstabup.exe
- %ALLUSERSPROFILE%\windowstab\windowstabup.exe
- %TEMP%\nsr6ca8.tmp\uac.dll
- %TEMP%\nsr6ca8.tmp\system.dll
- %TEMP%\160ac19.tmp
- %TEMP%\160cb5a.tmp
Substitutes the following files
- %ALLUSERSPROFILE%\windowstab\windowstabup.exe
Network activity
TCP
HTTP GET requests
- http://www.mu##.co.kr/count/auction21/install.php?pt################################################
- http://c.##1st.com/js/common/ui.js
- http://c.##1st.com/js/lib/jquery/jquery-3.1.1.min.js
- http://c.##1st.com/css/fonts/11StreetGothic_Light_Optimizing.woff)%20format(%22woff2%22),%20url(/css/fonts/11StreetGothic_Light_Optimizing.woff)%20format(%22woff%22
- http://c.##1st.com/css/fonts/11StreetGothic_Optimizing.woff)%20format(%22woff2%22),%20url(/css/fonts/11StreetGothic_Optimizing.woff)%20format(%22woff%22
- http://c.##1st.com/js/rake/shuttle/Log11stClientSentinelShuttle-2.0.3-62.js
- http://v.##1st.com/latest/pc.polyfills.js
- http://v.##1st.com/latest/pc.util_l.js
- http://v.##1st.com/latest/pc.main.js
- http://oc##.#ectigo.com/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBQh80WaEMqmyEvaHjlisSfVM4p8SAQUF9nWJSdn%2BTHCSUPZMDZEjGypT%2BsCEQDwhMFI0axQPIEJdwhTvilc
- http://c.##1st.com/css/event/upgrade_explorer.css
- http://c.##1st.com/img/event/upgrade_explorer/bg_head.gif
- http://c.##1st.com/img/event/upgrade_explorer/sp_upgrade.png
- http://c.##1st.com/img/common/v2/bg_dimlayer.png
- http://www.go#####analytics.com/plugins/ua/ec.js
- http://c.##1st.com/js/rake/rakeLog-pc-1.0.2.js
- http://c.##1st.com/js/rake/bundle/rake.bundle-ie8.js
- http://cr#.#ectigo.com/SectigoRSAOrganizationValidationSecureServerCA.crl
- http://id#.##planet.com/pixel
- http://id#.##planet.com/getuid?cb#####################
- http://c.##1st.com/css/main/main.css
- http://s.##1st.com/img/common/icon/favicon.ico
- http://www.go#####agmanager.com/gtm.js?id##########################
- http://www.11##.co.kr/main?ut######################################################################################################################################
- http://www.mu##.co.kr/app/auction21/info/infow.php?pt#########
- http://fi##.muuk.co.kr/app/windowstab/files/2013042901/windowstabup.exe
- http://www.mu##.co.kr/count/auction21/boot.php?pt###############################################################################################
- http://fi##.muuk.co.kr/app/windowstab/change/windowstab_move.exe
- http://www.mu##.co.kr/count/auction21/boot.php?pt#######################################################################################################################
- http://www.mu##.co.kr/app/windowstab/windowstab.php?ki##################################################################################################################
- http://fi##.muuk.co.kr/app/windowstab/windowstab/install.zip
- http://fi##.muuk.co.kr/app/windowstab/windowstab/windowstab_mon.zip
- http://www.mu##.co.kr/count/windowstab/boot.php?pt###############################################################################################################################################...
- http://www.mu##.co.kr/app/windowstab/windowstab.php?ki######################################################################################################
- http://www.mu##.co.kr/app/windowstab/windowstab.php?ki###########################################################################################################################################...
- http://fi##.muuk.co.kr/app/windowstab/windowstab/windowstab.exe
- http://www.mu##.co.kr/count/windowstab/page.php?pt############################################################################
- http://www.ab###-tab.com/windowstab/tabview.asp?pt##########################################################
- http://www.11##.co.kr/connect/Gateway.tmall?me######################################################################################
- http://www.11##.co.kr/js/common/headerCommonJs.js
- http://www.11##.co.kr/html/reserveKeywordList.js
- http://www.11##.co.kr/favicon.ico
- http://www.11##.co.kr/html/main.html?ut######################################################################################################################################
- http://www.go#####analytics.com/analytics.js
- http://id#.##planet.com/getuid?cb####################
UDP
- DNS ASK mu##.co.kr
- DNS ASK fi##.muuk.co.kr
- DNS ASK sh##.soonwe.com
- DNS ASK ab###-tab.com
- DNS ASK 11##.co.kr
- DNS ASK go#####analytics.com
- DNS ASK go#####agmanager.com
- DNS ASK c.##1st.com
- DNS ASK v.##1st.com
- DNS ASK microsoft.com
- DNS ASK oc##.#ectigo.com
- DNS ASK cr#.#ectigo.com
- DNS ASK s.##1st.com
- DNS ASK id#.##planet.com
Miscellaneous
Searches for the following windows
- ClassName: 'IEFrame' WindowName: ''
- ClassName: 'Internet Explorer_Server' WindowName: ''
- ClassName: 'MS_AutodialMonitor' WindowName: ''
- ClassName: 'MS_WebCheckMonitor' WindowName: ''
Creates and executes the following
- '%ALLUSERSPROFILE%\windowstab\windowstabup.exe' /it
- '%ALLUSERSPROFILE%\windowstab\windowstabup.exe'
- '%ALLUSERSPROFILE%\windowstab\trash\windowstabup.exe' /self 2888 WINDOWSTABUP.EXE 2013060501
- '%ALLUSERSPROFILE%\windowstab\windowstab_move.exe'
- '%ALLUSERSPROFILE%\windowstab\windowstab.exe' livefile
- '%LOCALAPPDATA%\windowstab\windowstab.exe' /run
- '%LOCALAPPDATA%\windowstab\windowstab_uc.exe' /first
- '%LOCALAPPDATA%\windowstab\windowstab.exe' /run' (with hidden window)
- '%LOCALAPPDATA%\windowstab\windowstab_uc.exe' /first' (with hidden window)