Technical Information
To ensure autorun and distribution
Modifies the following registry keys
- [HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] 'AiDLauncher' = 'C:\ProgramData\AiDSoft\AL_Agent.exe "<Full path to file>"'
Modifies file system
Creates the following files
- D:\users\user\appdata\local\temp\aut950e.tmp
- D:\users\user\appdata\local\microsoft\windows\<INETFILES>\content.ie5\qkr46vql\cm_b_1129596[1].jpg
- D:\users\user\appdata\local\microsoft\windows\<INETFILES>\content.ie5\bm8skz0v\pop_ad[1].php
- D:\windows\system32\config\system
- D:\windows\system32\config\system.log1
- D:\windows\system32\winevt\logs\security.evtx
- D:\users\user\appdata\local\microsoft\windows\<INETFILES>\content.ie5\qkr46vql\pop_ad[1].php
- D:\users\user\appdata\local\microsoft\windows\<INETFILES>\content.ie5\0y9o17dr\210[1].png
- D:\users\user\appdata\local\microsoft\windows\<INETFILES>\content.ie5\qkr46vql\210[1].png
- D:\users\user\appdata\local\microsoft\windows\<INETFILES>\content.ie5\ugsx1com\728[2].php
- D:\users\user\appdata\local\microsoft\windows\<INETFILES>\content.ie5\ugsx1com\728[1].php
- D:\windows\system32\winevt\logs\microsoft-windows-networkprofile%4operational.evtx
- D:\users\user\appdata\local\microsoft\windows\<INETFILES>\content.ie5\bm8skz0v\wp_ad_728[1].php
- D:\users\user\appdata\local\microsoft\windows\<INETFILES>\content.ie5\0y9o17dr\wp_ad_728[1].php
- D:\users\user\appdata\local\temp\tardf27.tmp
- D:\users\user\appdata\local\temp\cabdf26.tmp
- D:\users\user\appdata\locallow\microsoft\cryptneturlcache\content\14561bf7422bb6f70a9cb14f5aa8a7da_362c56ed9243ab753d1007df38a8c6fd
- D:\users\user\appdata\locallow\microsoft\cryptneturlcache\metadata\14561bf7422bb6f70a9cb14f5aa8a7da_362c56ed9243ab753d1007df38a8c6fd
- D:\windows\system32\winevt\logs\system.evtx
- D:\users\user\appdata\locallow\microsoft\cryptneturlcache\content\b398b80134f72209547439db21ab308d_23fffdcaabb8e63694ad1202ed02bf57
- D:\users\user\appdata\locallow\microsoft\cryptneturlcache\metadata\b398b80134f72209547439db21ab308d_23fffdcaabb8e63694ad1202ed02bf57
- D:\users\user\appdata\local\temp\tardafe.tmp
- D:\users\user\appdata\local\microsoft\windows\<INETFILES>\content.ie5\qkr46vql\cm_b_1129596[2].jpg
- D:\windows\system32\config\software.log1
- D:\users\user\appdata\locallow\microsoft\cryptneturlcache\content\b3bb9c1ba2d19e090ae305b2683903a0_b89a63ac6877bd1ed812438ce82c3eb8
- D:\windows\system32\config\software
- D:\users\user\appdata\locallow\microsoft\cryptneturlcache\metadata\b3bb9c1ba2d19e090ae305b2683903a0_b89a63ac6877bd1ed812438ce82c3eb8
- D:\users\user\appdata\locallow\microsoft\cryptneturlcache\content\ea618097e393409afa316f0f87e2c202_1e65fd33f74047223af4d58cbfd34bce
- D:\users\user\appdata\locallow\microsoft\cryptneturlcache\metadata\ea618097e393409afa316f0f87e2c202_1e65fd33f74047223af4d58cbfd34bce
- D:\users\user\appdata\locallow\microsoft\cryptneturlcache\content\c46e7b0f942663a1edc8d9d6d7869173_6043fc604a395e1485af7ac16d16b7ce
- D:\users\user\appdata\locallow\microsoft\cryptneturlcache\metadata\c46e7b0f942663a1edc8d9d6d7869173_6043fc604a395e1485af7ac16d16b7ce
- D:\users\user\appdata\local\microsoft\windows\<INETFILES>\content.ie5\0y9o17dr\bullet[1]
- D:\users\user\appdata\local\microsoft\windows\<INETFILES>\content.ie5\qkr46vql\info_48[1]
- D:\users\user\appdata\local\microsoft\windows\<INETFILES>\content.ie5\ugsx1com\background_gradient[1]
- D:\users\user\appdata\local\microsoft\windows\<INETFILES>\content.ie5\bm8skz0v\httperrorpagesscripts[1]
- D:\users\user\appdata\local\microsoft\windows\<INETFILES>\content.ie5\0y9o17dr\errorpagestrings[1]
- D:\users\user\appdata\local\microsoft\windows\<INETFILES>\content.ie5\ugsx1com\errorpagetemplate[1]
- D:\users\user\appdata\local\microsoft\windows\<INETFILES>\content.ie5\bm8skz0v\navcancl[1]
- D:\users\user\appdata\local\temp\aut2dc7.tmp
- D:\users\user\appdata\local\temp\aut20db.tmp
- D:\windows\system32\winevt\logs\application.evtx
- D:\lwptun\7-zip32.dll
- D:\users\user\appdata\local\temp\aut1536.tmp
- D:\lwptun\style.ini
- D:\programdata\aidsoft\al_agent.exe
- D:\users\user\appdata\local\temp\aut9ef.tmp
- D:\lwptun\toprank.ini
- D:\users\user\appdata\local\temp\tardb1f.tmp
- D:\users\user\appdata\local\microsoft\windows\<INETFILES>\content.ie5\0y9o17dr\rank02[1].aspx
- D:\users\user\appdata\local\temp\cabdb1e.tmp
- D:\users\user\appdata\local\mozilla\firefox\profiles\0j9e9tku.default-release\cache2\entries\2cb84dd9abb4e1485d83397c59b193094e1abfc7
- D:\users\user\appdata\local\microsoft\windows\usrclass.dat.log1
- D:\users\user\appdata\local\mozilla\firefox\profiles\0j9e9tku.default-release\cache2\entries\bc9a334d14ae8d5cdcf1f5f5128ba1f4cdd083ac
- D:\users\user\appdata\local\mozilla\firefox\profiles\0j9e9tku.default-release\cache2\entries\dfdc36497a0baee2972009ee6deccc06c2e352c6
- D:\users\user\appdata\roaming\mozilla\firefox\profiles\0j9e9tku.default-release\prefs-1.js
- D:\windows\serviceprofiles\localservice\appdata\local\lastalive1.dat
- D:\users\user\appdata\roaming\mozilla\firefox\profiles\0j9e9tku.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
- D:\users\user\appdata\local\mozilla\firefox\profiles\0j9e9tku.default-release\cache2\entries\9c571ec4d1abdf04dec3542cba1cbcdb49632bf7
- D:\users\user\appdata\local\mozilla\firefox\profiles\0j9e9tku.default-release\cache2\entries\a4bc0c99327d7691ff360f07d11373b5791eb30c
- D:\users\user\ntuser.dat
- D:\users\user\ntuser.dat.log1
- D:\users\user\appdata\local\microsoft\windows\<INETFILES>\low\content.ie5\0x2jb3u9\desktop.ini
- D:\users\user\appdata\local\microsoft\windows\<INETFILES>\low\content.ie5\qmkahc73\desktop.ini
- D:\users\user\appdata\local\microsoft\windows\<INETFILES>\low\content.ie5\dblc1x7f\desktop.ini
- D:\users\user\appdata\local\microsoft\windows\<INETFILES>\low\content.ie5\9n70ttxr\desktop.ini
- D:\users\user\appdata\local\microsoft\windows\history\low\history.ie5\desktop.ini
- D:\users\user\appdata\local\microsoft\windows\history\low\desktop.ini
- D:\users\user\appdata\local\microsoft\windows\<INETFILES>\low\content.ie5\desktop.ini
- D:\users\user\appdata\local\microsoft\windows\<INETFILES>\low\desktop.ini
- D:\users\user\appdata\roaming\mozilla\firefox\profiles\0j9e9tku.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-wal
- D:\users\user\appdata\local\mozilla\firefox\profiles\0j9e9tku.default-release\cache2\entries\7330b218fe46e63c30e077c3456a7239baaead12
- D:\lwptun\sqlite3.dll
- D:\users\user\appdata\local\microsoft\windows\usrclass.dat
- D:\users\user\appdata\local\mozilla\firefox\profiles\0j9e9tku.default-release\cache2\entries\39d80535a21e286b3c662765c5f09aceb927e77d
- D:\users\user\appdata\locallow\microsoft\cryptneturlcache\metadata\94308059b57b3142e455b38a6eb92015
- D:\system volume information\syscache.hve.log1
- D:\users\user\appdata\local\temp\tard81e.tmp
- D:\users\user\appdata\local\temp\tard81f.tmp
- D:\users\user\appdata\local\temp\cabd81d.tmp
- D:\users\user\appdata\local\temp\cabd81c.tmp
- D:\users\user\appdata\local\temp\autd2ae.tmp
- D:\lwptun\tweak.db
- D:\users\user\appdata\local\temp\autd250.tmp
- D:\lwptun\benner.html
- D:\users\user\appdata\local\temp\autd06b.tmp
- D:\lwptun\package.db
- D:\users\user\appdata\local\temp\autceb5.tmp
- D:\windows\appcompat\programs\recentfilecache.bcf
- D:\programdata\aidsoft\taskmgr.exe
- D:\users\user\appdata\local\temp\autcc25.tmp
- D:\lwptun\appdata.db
- D:\programdata\aidsoft\appdata.db
- D:\programdata\aidsoft\appdata.db-journal
- D:\lwptun\appinfo.db
- D:\programdata\aidsoft\appinfo.db
- D:\programdata\aidsoft\appinfo.db-journal
- D:\system volume information\syscache.hve
- D:\users\user\appdata\local\temp\cabdafd.tmp
- D:\windows\serviceprofiles\localservice\appdata\local\lastalive0.dat
Sets the 'hidden' attribute to the following files
- D:\users\user\appdata\local\microsoft\windows\<INETFILES>\low\desktop.ini
- D:\users\user\appdata\local\microsoft\windows\<INETFILES>\low\content.ie5\desktop.ini
- D:\users\user\appdata\local\microsoft\windows\<INETFILES>\low\content.ie5\9n70ttxr\desktop.ini
- D:\users\user\appdata\local\microsoft\windows\<INETFILES>\low\content.ie5\dblc1x7f\desktop.ini
- D:\users\user\appdata\local\microsoft\windows\<INETFILES>\low\content.ie5\qmkahc73\desktop.ini
- D:\users\user\appdata\local\microsoft\windows\<INETFILES>\low\content.ie5\0x2jb3u9\desktop.ini
- D:\users\user\appdata\local\microsoft\windows\history\low\history.ie5\desktop.ini
- D:\users\user\appdata\local\microsoft\windows\history\low\desktop.ini
Deletes the following files
- D:\users\user\appdata\local\temp\aut950e.tmp
- D:\users\user\appdata\local\temp\aut20db.tmp
- D:\users\user\appdata\local\temp\aut1536.tmp
- D:\users\user\appdata\local\temp\aut9ef.tmp
- D:\users\user\appdata\local\microsoft\windows\<INETFILES>\content.ie5\qkr46vql\210[1].png
- D:\users\user\appdata\local\temp\tardf27.tmp
- D:\users\user\appdata\local\temp\cabdf26.tmp
- D:\users\user\appdata\local\temp\tardafe.tmp
- D:\users\user\appdata\local\temp\cabdafd.tmp
- D:\users\user\appdata\local\temp\tardb1f.tmp
- D:\users\user\appdata\local\temp\cabdb1e.tmp
- D:\users\user\appdata\local\temp\tard81e.tmp
- D:\users\user\appdata\local\temp\cabd81c.tmp
- D:\users\user\appdata\local\temp\tard81f.tmp
- D:\users\user\appdata\local\temp\cabd81d.tmp
- D:\users\user\appdata\local\temp\autd2ae.tmp
- D:\users\user\appdata\local\temp\autd250.tmp
- D:\users\user\appdata\local\temp\autd06b.tmp
- D:\users\user\appdata\local\temp\autceb5.tmp
- D:\users\user\appdata\local\temp\autcc25.tmp
- D:\lwptun\appdata.db
- D:\programdata\aidsoft\appdata.db-journal
- D:\programdata\aidsoft\appinfo.db-journal
- D:\users\user\appdata\roaming\mozilla\firefox\profiles\0j9e9tku.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-wal
- D:\lwptun\appinfo.db
- D:\users\user\appdata\local\temp\aut2dc7.tmp
Moves the following files
- from D:\users\user\appdata\roaming\mozilla\firefox\profiles\0j9e9tku.default-release\prefs-1.js to D:\users\user\appdata\roaming\mozilla\firefox\profiles\0j9e9tku.default-release\prefs.js
Substitutes the following files
- D:\users\user\appdata\roaming\mozilla\firefox\profiles\0j9e9tku.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-wal
- D:\users\user\appdata\roaming\mozilla\firefox\profiles\0j9e9tku.default-release\prefs-1.js
- D:\users\user\appdata\roaming\mozilla\firefox\profiles\0j9e9tku.default-release\prefs.js
- D:\programdata\aidsoft\appinfo.db-journal
- D:\programdata\aidsoft\appdata.db-journal
- D:\lwptun\appdata.db
- D:\lwptun\appinfo.db
Network activity
Connects to
- 'fi#####.###tings.services.mozilla.com':443
- 'ta##.#lickmon.co.kr':443
- 'st###.#lickmon.co.kr':443
- 'ad###.#lickmon.co.kr':443
- 'ad#####.clickmon.co.kr':443
- 'ga###rics.com':80
TCP
HTTP GET requests
- http://www.ga###rics.com/rank/Rank02.aspx
Other
- 'localhost':49158
- 'fi#####.###tings.services.mozilla.com':443
- '34.##0.144.191':443
- 'ta##.#lickmon.co.kr':443
- 'st###.#lickmon.co.kr':443
- 'ad###.#lickmon.co.kr':443
- 'ad#####.clickmon.co.kr':443
UDP
- DNS ASK ai##oft.net
- DNS ASK ta##.#lickmon.co.kr
- DNS ASK st###.#lickmon.co.kr
- DNS ASK ad###.#lickmon.co.kr
- DNS ASK ad#####.clickmon.co.kr
- DNS ASK ga###rics.com
Miscellaneous
Searches for the following windows
- ClassName: 'SystemTray_Main' WindowName: ''
- ClassName: 'MS_AutodialMonitor' WindowName: ''
- ClassName: 'MS_WebCheckMonitor' WindowName: ''
Creates and executes the following
- 'D:\programdata\aidsoft\taskmgr.exe'