Technical Information
To ensure autorun and distribution
Creates or modifies the following files
- <SYSTEM32>\tasks\lsassl
- <SYSTEM32>\tasks\iexplore
- <SYSTEM32>\tasks\systems
- <SYSTEM32>\tasks\system
- <SYSTEM32>\tasks\idle
- <SYSTEM32>\tasks\iexplorei
- <SYSTEM32>\tasks\idlei
- <SYSTEM32>\tasks\explorer
- <SYSTEM32>\tasks\taskhost
- <SYSTEM32>\tasks\wininit
- <SYSTEM32>\tasks\explorere
- <SYSTEM32>\tasks\wininitw
- <SYSTEM32>\tasks\taskhostt
- <SYSTEM32>\tasks\lsm
- <SYSTEM32>\tasks\lsml
- <SYSTEM32>\tasks\lsass
- <SYSTEM32>\tasks\spoolsv
- <SYSTEM32>\tasks\spoolsvs
Malicious functions
Reads files which store third party applications passwords
- %ProgramFiles(x86)%\steam\config\config.vdf
- %ProgramFiles(x86)%\steam\config\dialogconfig.vdf
- %LOCALAPPDATA%\google\chrome\user data\default\cookies
- %APPDATA%\opera software\opera stable\login data
- %LOCALAPPDATA%\google\chrome\user data\default\login data
- %LOCALAPPDATA%\google\chrome\user data\default\web data
Modifies file system
Creates the following files
- <Current directory>\lsass.exe
- nul
- %TEMP%\avo45upmqs
- %TEMP%\z4plyavisf
- %TEMP%\ogyibizroa
- %TEMP%\v2eisw9nu4
- %TEMP%\igkdhfjhgn
- %TEMP%\ypnczgzgtb
- %ProgramFiles%\malwareremoval\system.exe
- %TEMP%\aroxkt52l8
- %TEMP%\foqhganwnb
- %TEMP%\harw2xkrfh
- %TEMP%\y6a7ljyyfg
- %TEMP%\nikh1gmxvl
- %TEMP%\uczxj1h5in
- %TEMP%\cfwjrjot6g
- %TEMP%\lzrgn80k5w
- %TEMP%\rmziu7anae
- %TEMP%\tqgdfu8fr9.bat
- C:\totalcmd\language\f3b6ecef712a24
- C:\totalcmd\language\spoolsv.exe
- C:\totalcmd\language\27d1bcfc3c54e0
- <Current directory>\lsm.exe
- <Current directory>\101b941d020240
- %ProgramFiles(x86)%\windows defender\en-us\taskhost.exe
- %ProgramFiles(x86)%\windows defender\en-us\b75386f1303e64
- C:\msocache\all users\{90140000-0011-0000-1000-0000000ff1ce}-c\wininit.exe
- C:\msocache\all users\{90140000-0011-0000-1000-0000000ff1ce}-c\56085415360792
- %ProgramFiles%\spidernt\explorer.exe
- %TEMP%\kw54nwgdyu
- %TEMP%\rzsbbmx2hg
- %ProgramFiles%\spidernt\7a0fd90576e088
- C:\msocache\all users\{90140000-0011-0000-1000-0000000ff1ce}-c\idle.exe
- C:\msocache\all users\{90140000-0011-0000-1000-0000000ff1ce}-c\6ccacd8608530f
- %ProgramFiles%\savscan\iexplore.exe
- %ProgramFiles%\savscan\9db6e019d4f04e
- C:\recovery\1195d5a8-f371-11e4-9c00-dd3082671db2\spoolsv.exe
- C:\recovery\1195d5a8-f371-11e4-9c00-dd3082671db2\f3b6ecef712a24
- C:\totalcmd\language\system.exe
- <Current directory>\6203df4a6bafc7
- %ProgramFiles%\malwareremoval\27d1bcfc3c54e0
- %TEMP%\c3preimazs
Deletes the following files
- %TEMP%\rmziu7anae
- %TEMP%\lzrgn80k5w
- %TEMP%\cfwjrjot6g
- %TEMP%\uczxj1h5in
- %TEMP%\nikh1gmxvl
- %TEMP%\y6a7ljyyfg
- %TEMP%\harw2xkrfh
- %TEMP%\foqhganwnb
- %TEMP%\rzsbbmx2hg
- %TEMP%\aroxkt52l8
- %TEMP%\ypnczgzgtb
- %TEMP%\igkdhfjhgn
- %TEMP%\v2eisw9nu4
- %TEMP%\ogyibizroa
- %TEMP%\z4plyavisf
- %TEMP%\avo45upmqs
- %TEMP%\kw54nwgdyu
- %TEMP%\c3preimazs
Network activity
Connects to
- '80.#6.79.5':80
TCP
HTTP GET requests
- http://80.#6.79.5/Vm5WordpressLinux/0asyncwindows/lineProcessorbasedledownloads.php?sO###########################################################################################################...
- http://80.#6.79.5/Vm5WordpressLinux/0asyncwindows/lineProcessorbasedledownloads.php?bi###########################################################################################################...
UDP
- 'localhost':123
Miscellaneous
Creates and executes the following
- 'C:\totalcmd\language\spoolsv.exe'
- '<SYSTEM32>\cmd.exe' /C "%TEMP%\tQGDfU8Fr9.bat"' (with hidden window)
Executes the following
- '<SYSTEM32>\schtasks.exe' /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'<Current directory>\lsass.exe'" /f
- '<SYSTEM32>\schtasks.exe' /create /tn "Idle" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-1000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-1000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "iexplorei" /sc MINUTE /mo 11 /tr "'%ProgramFiles%\SAVScan\iexplore.exe'" /f
- '<SYSTEM32>\schtasks.exe' /create /tn "iexplore" /sc ONLOGON /tr "'%ProgramFiles%\SAVScan\iexplore.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "iexplorei" /sc MINUTE /mo 13 /tr "'%ProgramFiles%\SAVScan\iexplore.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Recovery\1195d5a8-f371-11e4-9c00-dd3082671db2\spoolsv.exe'" /f
- '<SYSTEM32>\schtasks.exe' /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Recovery\1195d5a8-f371-11e4-9c00-dd3082671db2\spoolsv.exe'" /rl HIGHEST /f
- '<SYSTEM32>\cmd.exe' /C "%TEMP%\tQGDfU8Fr9.bat"
- '<SYSTEM32>\schtasks.exe' /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\totalcmd\LANGUAGE\System.exe'" /f
- '<SYSTEM32>\schtasks.exe' /create /tn "System" /sc ONLOGON /tr "'C:\totalcmd\LANGUAGE\System.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\totalcmd\LANGUAGE\System.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\totalcmd\LANGUAGE\spoolsv.exe'" /f
- '<SYSTEM32>\schtasks.exe' /create /tn "spoolsv" /sc ONLOGON /tr "'C:\totalcmd\LANGUAGE\spoolsv.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\totalcmd\LANGUAGE\spoolsv.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-1000-0000000FF1CE}-C\Idle.exe'" /f
- '<SYSTEM32>\schtasks.exe' /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\1195d5a8-f371-11e4-9c00-dd3082671db2\spoolsv.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'%ProgramFiles%\MalwareRemoval\System.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "taskhost" /sc ONLOGON /tr "'%ProgramFiles(x86)%\Windows Defender\en-US\taskhost.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "lsass" /sc ONLOGON /tr "'<Current directory>\lsass.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'<Current directory>\lsass.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "lsml" /sc MINUTE /mo 11 /tr "'<Current directory>\lsm.exe'" /f
- '<SYSTEM32>\schtasks.exe' /create /tn "lsm" /sc ONLOGON /tr "'<Current directory>\lsm.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "lsml" /sc MINUTE /mo 5 /tr "'<Current directory>\lsm.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'%ProgramFiles(x86)%\Windows Defender\en-US\taskhost.exe'" /f
- '<SYSTEM32>\schtasks.exe' /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'%ProgramFiles(x86)%\Windows Defender\en-US\taskhost.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'%ProgramFiles%\MalwareRemoval\System.exe'" /f
- '<SYSTEM32>\schtasks.exe' /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-1000-0000000FF1CE}-C\wininit.exe'" /f
- '<SYSTEM32>\schtasks.exe' /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-1000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-1000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "explorere" /sc MINUTE /mo 7 /tr "'%ProgramFiles%\spidernt\explorer.exe'" /f
- '<SYSTEM32>\schtasks.exe' /create /tn "explorer" /sc ONLOGON /tr "'%ProgramFiles%\spidernt\explorer.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "explorere" /sc MINUTE /mo 10 /tr "'%ProgramFiles%\spidernt\explorer.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "System" /sc ONLOGON /tr "'%ProgramFiles%\MalwareRemoval\System.exe'" /rl HIGHEST /f
- '<SYSTEM32>\w32tm.exe' /stripchart /computer:localhost /period:5 /dataonly /samples:2