Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'xapkexhydyha' = '%HOMEPATH%\xapkexhydyha.exe'
Modifies file system :
Creates the following files:
- %APPDATA%\Microsoft\Protect\S-1-5-21-2052111302-484763869-725345543-1003\a36d68cf-0143-4660-8e2b-f526c007feff
- %APPDATA%\Microsoft\Protect\S-1-5-21-2052111302-484763869-725345543-1003\ddf7096e-c1a6-4771-9cac-aeea5394f9f0
- %APPDATA%\Microsoft\Protect\S-1-5-21-2052111302-484763869-725345543-1003\83b6a17e-8f53-4a17-8c94-86c8a406d230
- %APPDATA%\Microsoft\Protect\S-1-5-21-2052111302-484763869-725345543-1003\Preferred
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\southdev[1].htm
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\industrieundhandelsverlag[1].htm
- %APPDATA%\Microsoft\Crypto\RSA\S-1-5-21-2052111302-484763869-725345543-1003\ec702f375e1b12d218f67ab9ef19ca23_23ef5514-3059-436f-a4a7-4cefaab20eb1
- %APPDATA%\Microsoft\Protect\S-1-5-21-2052111302-484763869-725345543-1003\90691cf2-70cb-4559-913f-1b3907748272
- %APPDATA%\Microsoft\Protect\S-1-5-21-2052111302-484763869-725345543-1003\9849edd0-d4bc-4d0a-9ff4-54a9eedb7d5a
- %HOMEPATH%\xapkexhydyha.exe
- %APPDATA%\Microsoft\Protect\S-1-5-21-2052111302-484763869-725345543-1003\d0bb4c13-6ede-4b5d-8394-bc8e8c3b128f
- %APPDATA%\Microsoft\Protect\S-1-5-21-2052111302-484763869-725345543-1003\1c326c4d-15e7-4b77-9657-26f0fdbb3ad2
- %APPDATA%\Microsoft\Protect\S-1-5-21-2052111302-484763869-725345543-1003\6bd0ba12-40a7-4df2-87eb-d48faf4941ac
- %APPDATA%\Microsoft\Protect\S-1-5-21-2052111302-484763869-725345543-1003\2171265d-b77f-47c7-b6b7-20cc26064c0b
Sets the 'hidden' attribute to the following files:
- %HOMEPATH%\xapkexhydyha.exe
Deletes the following files:
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\southdev[1].htm
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\industrieundhandelsverlag[1].htm
Network activity:
Connects to:
- 'in#######undhandelsverlag.de':80
- 'so###dev.com':80
- 'sm##.live.com':25
- '67.##5.160.76':25
TCP:
HTTP POST requests:
- so###dev.com/
UDP:
- DNS ASK gr###power.es
- DNS ASK bo####nder4u.com
- DNS ASK os####vogado.com.br
- DNS ASK di###onic.es
- DNS ASK ra###agym.com
- DNS ASK vi####iamonds.com
- DNS ASK lj#######.com.didtheyreadit.com
- DNS ASK ih#.com.jo
- DNS ASK fu#####okconsulting.com
- DNS ASK bl###voib.com
- DNS ASK so#####erica-photo.com
- DNS ASK ma####-shirasu.com
- DNS ASK we###orlds.com
- DNS ASK ho####oyfull.com
- DNS ASK os#f.ca
- DNS ASK ha###achiro.com
- DNS ASK te###o.com.tw
- DNS ASK ar##e.net
- DNS ASK he##ann.cz
- DNS ASK mi##a.com
- DNS ASK er##z.org
- DNS ASK bo####services.com
- DNS ASK hi###nika.pl
- DNS ASK ci###tokyo.com
- DNS ASK tu###s.anv.pl
- DNS ASK uh##.edu.ag
- DNS ASK mm###ytek.cz
- DNS ASK pr###sign.com
- DNS ASK ma####shaven.com
- DNS ASK og##ust.jp
- DNS ASK ba###kulele.com
- DNS ASK fi####ousepr.com
- DNS ASK be####stisdead.com
- DNS ASK we####ericas.com
- DNS ASK wi###amsphc.com
- DNS ASK gg#.ch
- DNS ASK yl##and.com
- DNS ASK 1b###ope.com
- DNS ASK pr####lubonline.com
- DNS ASK fj#####rkfestivalen.com
- DNS ASK da##ho.info
- DNS ASK ch####nternet.com
- DNS ASK al####riginals.com
- DNS ASK ru###rnail.com
- DNS ASK wh###pbell.com
- DNS ASK im######ioncelebration.org
- DNS ASK fl##hf.com
- DNS ASK ru###-home.net
- DNS ASK am#####ngeriatrics.org
- DNS ASK al######canprintinginc.com
- DNS ASK sy#######ic-technologies.com
- DNS ASK cs##.com
- DNS ASK of###e-gita.com
- DNS ASK na####currin.com
- DNS ASK ke###tech.com
- DNS ASK oc###rgos.org
- DNS ASK do###siding.com
- DNS ASK bu######entrum-engelshof.de
- DNS ASK se###-porn.com
- DNS ASK in#####atepartners.com
- DNS ASK y3###ans.com
- DNS ASK pa###ship.com
- DNS ASK ax####nceshoes.com
- DNS ASK im###alaton.com
- DNS ASK na###olar.com
- DNS ASK as###-gomu.com
- DNS ASK bc##ex.com
- DNS ASK mu###online.vn
- DNS ASK bc##aw.com
- DNS ASK co###abass.org
- DNS ASK st#####ter.brightok.net
- DNS ASK ch##i-o.com
- DNS ASK ia##id.org
- DNS ASK ch#####onerealty.com
- DNS ASK pr######alsavingsbank.com
- DNS ASK in####agrupo.com
- DNS ASK ta###hichi.com
- DNS ASK th#######hotelreservation.com
- DNS ASK go###are.com
- DNS ASK da###ntokyo.com
- DNS ASK sa####-kiyota.com
- DNS ASK co###ryday.org
- DNS ASK si###flex.com
- DNS ASK ma####ftbaskets.com
- DNS ASK pl##y.com
- DNS ASK gt#####riorsupply.com
- DNS ASK tr#####services.co.uk
- DNS ASK ma###cat.org
- DNS ASK da####lsresort.com
- DNS ASK rb##des.com
- DNS ASK au###us.qc.ca
- DNS ASK cr####rldmarine.com
- DNS ASK su####golfhomes.com
- DNS ASK in###-lock.com
- DNS ASK st####plus.com.au
- DNS ASK rc##nc.biz
- DNS ASK re###k.co.uk
- DNS ASK tb##oft.com
- DNS ASK ho###tinc.com
- DNS ASK kw###puters.com
- DNS ASK ho####otrada.com
- DNS ASK ci####indhorn.org
- DNS ASK in###napt.com
- DNS ASK ar####tcreative.com
- DNS ASK bi####etours.com
- DNS ASK ea###rnbulk.com
- DNS ASK ma####toms.com.au
- DNS ASK tb#.com.mx
- DNS ASK an####agency.com
- DNS ASK zo####siness.com
- DNS ASK lo###ttages.com
- DNS ASK te####edical.com
- DNS ASK ei##s.net
- DNS ASK ra##inc.com
- DNS ASK ny##k55.com
- DNS ASK ka##ax.com
- DNS ASK ra##as.com
- DNS ASK oi###.com.pl
- DNS ASK ow#####nd.library.on.ca
- DNS ASK bl######hcommunications.com
- DNS ASK ta###oyu.net
- DNS ASK ma##.#irmail.net
- DNS ASK yo##mfg.com
- DNS ASK bo###oil.com
- DNS ASK ba####ehotel.com
- DNS ASK zo####corisana.com
- DNS ASK mi###ral.com.au
- DNS ASK ko###ogi.net
- DNS ASK ag###pro.com
- DNS ASK id##p.com
- DNS ASK br######websitedesign.com
- DNS ASK bu####gton.co.uk
- DNS ASK ha###d.com.au
- DNS ASK se###biente.it
- DNS ASK pi###ecassi.com
- DNS ASK mp####tainment.com
- DNS ASK m-##in.ru
- DNS ASK la#####mhorserugs.com
- DNS ASK cd##i.com
- DNS ASK nj###r.com.au
- DNS ASK bu#####-altamaremma.com
- DNS ASK ha####nproton.org
- DNS ASK sm##.#ompuserve.com
- DNS ASK dt.#om.pl
- DNS ASK la####manzana.es
- DNS ASK ro###chind.com
- DNS ASK be###aire.org
- DNS ASK wi###edapts.com
- DNS ASK mo####stfriend.com
- DNS ASK he#####onranchprop.com
- DNS ASK fh##.com
- DNS ASK cj###den.com
- DNS ASK so###ack.com
- DNS ASK th#####ntingcenter.org
- DNS ASK po####wisconsin.com
- DNS ASK sm##.###global.yahoo.com
- DNS ASK sm##.#ail.yahoo.com
- DNS ASK sm##.live.com
- DNS ASK in#######undhandelsverlag.de
- DNS ASK ca#####tmarketing.com
- DNS ASK na####ziowiec.com
- DNS ASK so###dev.com
- DNS ASK pu####3.sta.net.cn
- DNS ASK ec###jp.co.jp
- DNS ASK be#####alutheran.org
- DNS ASK sm##.#irectcon.net
- DNS ASK ws##w.com
- DNS ASK gr###ahouse.it
- DNS ASK 7-###irx.com
- DNS ASK vc##z.org
- DNS ASK ta#####charlotte.com
- DNS ASK si###serv.com
- DNS ASK sq##g.com
- DNS ASK le##cy.com
- DNS ASK e-###bainu.com
- DNS ASK 3c###s.com.br
- DNS ASK ba###h-biz.com
- DNS ASK le###.com.my
- DNS ASK at##-sk.ca
- DNS ASK bo##hon.de
- DNS ASK im###ible.com
- DNS ASK hz###hai.com
- DNS ASK pe####p-pinky.com
- DNS ASK ca###oloaks.com
- DNS ASK fo#h.cz
- DNS ASK br#####olmarketing.com
- DNS ASK ka##oft.cz
- DNS ASK ev####chaels.net
- DNS ASK tu####awa-soba.com
- DNS ASK we##.co.jp
- DNS ASK se####uspeha.com
- DNS ASK ch#####efesta.com.br
- DNS ASK mj####uson.co.uk
- DNS ASK le###quare.com
- DNS ASK so#o.nl
- DNS ASK pc###dingmy.com
- DNS ASK ed###ost.com
- DNS ASK pe####-kirche.ch
- DNS ASK 10###old.com
- DNS ASK dh###tate.com
- DNS ASK ma#####rretora.com.br
- DNS ASK eu###ilms.com
- DNS ASK mi###ni.com.au
- DNS ASK hs###iguel.com
- DNS ASK fv###et.co.jp
- DNS ASK un###lse.com
- DNS ASK kh##don.net
- DNS ASK wi###p-pt.com
- DNS ASK dt##k.com
- DNS ASK al##as.org
- DNS ASK tv##ols.fi
- DNS ASK wn##.org
- DNS ASK ac###escorp.com
- DNS ASK ca###olina.com
- DNS ASK in##mex.com
- DNS ASK co####erprose.com
- DNS ASK sh####yatkinson.com
- DNS ASK im###lac.com
- DNS ASK 1c###mere.com
- DNS ASK am#######ourguesthouse.co.uk
- DNS ASK wo####fesupport.com
- DNS ASK ss##os.com
- DNS ASK cl###-tokai.com
- DNS ASK de#####arborrealty.com
- DNS ASK hi###e-aa.com
- DNS ASK su##.edu
- DNS ASK li####ineline.co.nz
- DNS ASK dr###sis.org
- DNS ASK pe###day.co.uk
- DNS ASK ho###-museum.de
- DNS ASK ca#####acionypnd.com
- DNS ASK ro####farlane.com
- DNS ASK ma####aresort.com
- DNS ASK ma######.midwestlabs.com
- DNS ASK co####uhouses.com
- DNS ASK co####appoint.co.uk
Miscellaneous:
Searches for the following windows:
- ClassName: 'Indicator' WindowName: '(null)'