Technical Information
Malicious functions:
Executes the following:
- '<SYSTEM32>\wbem\wmiadap.exe' /R /T
Modifies file system :
Creates the following files:
- %APPDATA%\E_UIEngine\90afea1eeb37be7a93471c36152ab43a\90afea1eeb37be7a93471c36152ab43a.jpg
Deletes the following files:
- <SYSTEM32>\PerfStringBackup.TMP
- <SYSTEM32>\wbem\Performance\WmiApRpl.ini
Network activity:
Connects to:
- 'www.75##.com':80
TCP:
HTTP GET requests:
- www.75##.com/T1.txt
UDP:
- DNS ASK www.75##.com
Miscellaneous:
Searches for the following windows:
- ClassName: 'Shell_TrayWnd' WindowName: ''