Trojan.InstallCore.2833

Technical Information

Modifies file system

Creates the following files

%TEMP%\0010b827.log
%TEMP%\inh109~1\locale\fr.locale
%TEMP%\inh109~1\locale\id.locale
%TEMP%\inh109~1\locale\it.locale
%TEMP%\inh109~1\locale\ja.locale
%TEMP%\inh109~1\locale\ko.locale
%TEMP%\inh109~1\locale\nl.locale
%TEMP%\inh109~1\locale\no.locale
%TEMP%\inh109~1\locale\pl.locale
%TEMP%\inh109~1\locale\pt.locale
%TEMP%\inh109~1\locale\ru.locale
%TEMP%\inh109~1\locale\sv.locale
%TEMP%\inh109~1\locale\tr.locale
%TEMP%\inh109~1\locale\zh.locale
%TEMP%\0010b8e3.log
%TEMP%\d9074888533471.dat
%TEMP%\d9074888533472.dat
%TEMP%\inh109~1\enigmaencode.exe
%TEMP%\in43a9003c\145718a2_stp\osutils.vbs
%TEMP%\in43a9~1\145718~1.cis
%TEMP%\in43a9~1\145718~1.par
%TEMP%\in43a9~1\1e8a08~1.exe
%TEMP%\in43a9003c\10e53364_stp\icut.dat
%TEMP%\001109c0.log
%TEMP%\in43a9003c\252052dd_stp\wp24.html
%TEMP%\in43a9~1\10e533~1.par
%TEMP%\in43a9003c\252052dd_stp\we23.html
%TEMP%\in43a9~1\10e533~1.cis
%TEMP%\in43a9~1\252052~1.cis
%TEMP%\in43a9~1\252052~1.par
%TEMP%\inh109571955256\bootstrap_30677.html
%TEMP%\0010c293.log
%TEMP%\in43a9003c\145718a2_stp\run.vbs
%TEMP%\inh109~1\locale\es.locale
%TEMP%\inh109~1\locale\en.locale
%TEMP%\inh109~1\locale\el.locale
%TEMP%\inh109~1\css\ie6_main.css
%TEMP%\inh109~1\css\main.css
%TEMP%\inh109~1\css\sdk-ui\browse.css
%TEMP%\inh109~1\css\sdk-ui\button.css
%TEMP%\inh109~1\css\sdk-ui\checkbox.css
%TEMP%\inh109~1\css\sdk-ui\images\button-bg.png
%TEMP%\inh109~1\css\sdk-ui\images\progress-bg-corner.png
%TEMP%\inh109~1\css\sdk-ui\images\progress-bg.png
%TEMP%\inh109~1\css\sdk-ui\images\progress-bg2.png
%TEMP%\inh109~1\css\sdk-ui\progress-bar.css
%TEMP%\inh109~1\csshover3.htc
%TEMP%\inh109~1\form.bmp.mask
%TEMP%\inh109~1\images\bg.png
%TEMP%\inh109~1\images\close.png
%TEMP%\inh109~1\images\close_hover.png
%TEMP%\inh109~1\images\color_button.png
%TEMP%\inh109~1\images\color_button_hover.png
%TEMP%\inh109~1\locale\da.locale
%TEMP%\inh109~1\locale\cs.locale
%TEMP%\inh109~1\images\sponsored.png
%TEMP%\inh109~1\images\resume_button.png
%TEMP%\inh109~1\images\quick_specs.png
%TEMP%\inh109~1\images\progressbar.png
%TEMP%\inh109~1\images\pause_button.png
%TEMP%\inh109~1\images\progress.png
%TEMP%\inh109~1\images\minimize_hover.png
%TEMP%\inh109~1\images\minimize.png
%TEMP%\inh109~1\images\loader.gif
%TEMP%\inh109~1\images\icon_generic.png
%TEMP%\inh109~1\images\grey_button_hover.png
%TEMP%\inh109~1\images\grey_button.png
%TEMP%\inh109~1\locale\de.locale
%TEMP%\in43a9~1\1e8a08~1.par

Deletes the following files

%TEMP%\0010b827.log
%TEMP%\0010b8e3.log
%TEMP%\d9074888533471.dat
%TEMP%\d9074888533472.dat
%TEMP%\0010c293.log
%TEMP%\inh109571955256\bootstrap_30677.html
%TEMP%\001109c0.log

Moves the following files

from %TEMP%\in43a9003c\252052dd_stp\we23.html to %TEMP%\bf_yl\we23.html
from %TEMP%\in43a9003c\252052dd_stp\wp24.html to %TEMP%\bf_yl\wp24.html

Substitutes the following files

%TEMP%\0010c293.log

Network activity

TCP

HTTP GET requests

http://cd#.#aleco.com/gen/microsoft-office-2010-100x100.png
http://cd###.#orumeritcdn.com/img/Fonawemi/logo_new.png
http://cd###.#orumeritcdn.com/img/Tavasat/31Aug20/checkmark.png
http://cd###.#orumeritcdn.com/img/Tavasat/31Aug20/v2/BG_A.png
http://cd###.#orumeritcdn.com/img/Sibarasawi/TPC_win_bg_250820.png
http://cd###.#orumeritcdn.com/img/Vavavag/V2/NL.png
http://cd###.#orumeritcdn.com/img/Pomusam/win_NTB_bg_250820.png
http://cd###.#orumeritcdn.com/ofr/Niniwic/YL/Niniwic_Tefenece_12Apr16
http://cd###.#orumeritcdn.com/ofr/Solululadul/icut_v2_2
http://cd###.#orumeritcdn.com/img/Pomusam/win_NTB_bg_250820_rtl.png
http://cd###.#orumeritcdn.com/img/Jimomoromoj/Jimomoromoj_logo_080320.png
http://cd###.#orumeritcdn.com/img/Tefenece/Tefenece_logo_new2.png
http://cd###.#orumeritcdn.com/img/Vosivisevob/logo1.png
http://cd###.#orumeritcdn.com/img/Sibarasawi/TPC_win_bg_flipped_250820.png
http://dl.##ndl.com/FR/microsoft-office-2010.exe
http://cd###.#orumeritcdn.com/ofr/Solululadul/osutils

HTTP POST requests

http://in##.##rumeritcdn.com/?v=####################################
http://os.###umeritcdn.com/IMDownloader/?v=##########################
http://rp.###umeritcdn.com/?v=###############################
http://rp.###umeritcdn.com/?v=##############################

UDP

DNS ASK rp.###umeritcdn.com
DNS ASK in##.##rumeritcdn.com
DNS ASK os.###umeritcdn.com
DNS ASK cd#.#aleco.com
DNS ASK cd###.#orumeritcdn.com
DNS ASK dl.##ndl.com

Miscellaneous

Searches for the following windows

ClassName: 'MS_AutodialMonitor' WindowName: ''
ClassName: 'MS_WebCheckMonitor' WindowName: ''

Executes the following

'%WINDIR%\syswow64\cmd.exe' /c TIMEOUT 1 & cmd /d /c copy /B /Y "%TEMP%\D9074888533471.dat"+"%TEMP%\D9074888533472.dat" "%TEMP%\INH109~1\EnigmaEncode.exe" & cmd /d /c del "%TEMP%\D9074888533471.dat" & cmd /d /c del "%TEMP...
'%WINDIR%\syswow64\timeout.exe' 1
'%WINDIR%\syswow64\cmd.exe' /d /c copy /B /Y "%TEMP%\D9074888533471.dat"+"%TEMP%\D9074888533472.dat" "%TEMP%\INH109~1\EnigmaEncode.exe"
'%WINDIR%\syswow64\cmd.exe' /d /c del "%TEMP%\D9074888533471.dat"
'%WINDIR%\syswow64\cmd.exe' /d /c del "%TEMP%\D9074888533472.dat"

TECHNOLOGIES

TERMINOLOGIE

COURS ET EDU

MYTHES

Technical Information

Recommandations pour le traitement

Free trial