Technical Information
Malicious functions:
Creates and executes the following:
- '<SYSTEM32>\rkqfwrmh.exe'
- '<SYSTEM32>\uxeempue.exe'
- '<SYSTEM32>\destivde.exe'
- '<SYSTEM32>\yuvyqwzj.exe'
- '<SYSTEM32>\kekcobwr.exe'
- '<SYSTEM32>\pagvyevn.exe'
- '<SYSTEM32>\vulmncnv.exe'
- '<SYSTEM32>\fgecdnab.exe'
- '<SYSTEM32>\ruihetpc.exe'
- '<SYSTEM32>\yzjmdylc.exe'
- '<SYSTEM32>\aivcochk.exe'
- '<SYSTEM32>\gajtdmup.exe'
- '<SYSTEM32>\mciarlwe.exe'
- '<SYSTEM32>\heerjocb.exe'
- '<SYSTEM32>\domzxjaf.exe'
- '<SYSTEM32>\fsvarvmq.exe'
- '<SYSTEM32>\vcsgxoie.exe'
- '<SYSTEM32>\rtbjoara.exe'
- '<SYSTEM32>\hmxngpqu.exe'
- '<SYSTEM32>\mnkxotds.exe'
- '<SYSTEM32>\ydpwxmiu.exe'
- '<SYSTEM32>\hnbgzcly.exe'
- '<SYSTEM32>\xdwnqhgq.exe'
- '<SYSTEM32>\nhehlgkn.exe'
- '<SYSTEM32>\zzbiawsk.exe'
- '<SYSTEM32>\lhyxgcdg.exe'
- '<SYSTEM32>\bgcxuxsb.exe'
- '<SYSTEM32>\lfswkalb.exe'
- '<SYSTEM32>\uydcnmrs.exe'
- '<SYSTEM32>\kmrvnqmc.exe'
- '<SYSTEM32>\nnnarlqu.exe'
- '<SYSTEM32>\eqezxxkf.exe'
- '<SYSTEM32>\nchlzyut.exe'
- '<SYSTEM32>\pjuaguxc.exe'
- '<SYSTEM32>\jgwmkyep.exe'
- '<SYSTEM32>\ngyoftxg.exe'
- '<SYSTEM32>\pgabmmhp.exe'
- '<SYSTEM32>\siflrmsg.exe'
- '<SYSTEM32>\zikwmnez.exe'
- '<SYSTEM32>\ubjzyuqj.exe'
- '<SYSTEM32>\dwfbefhz.exe'
- '<SYSTEM32>\awwgtwgt.exe'
- '<SYSTEM32>\afirvnnl.exe'
- '<SYSTEM32>\xrelmcac.exe'
- '<SYSTEM32>\qupmrlbn.exe'
- '<SYSTEM32>\zbrlzrvg.exe'
- '<SYSTEM32>\ddtokrgy.exe'
- '<SYSTEM32>\ciroqngw.exe'
- '<SYSTEM32>\pwygvbrb.exe'
- '<SYSTEM32>\kwmofiti.exe'
- '<SYSTEM32>\syzqtxnq.exe'
- '<SYSTEM32>\oalcmlrg.exe'
- '<SYSTEM32>\lxecolum.exe'
- '<SYSTEM32>\slkrfxcl.exe'
- '<SYSTEM32>\fatvamxw.exe'
- '<SYSTEM32>\wkgymrfu.exe'
- '<SYSTEM32>\xafkitku.exe'
- '<SYSTEM32>\qmrtweei.exe'
- '<SYSTEM32>\yvwoxscq.exe'
Modifies file system :
Creates the following files:
- <SYSTEM32>\rkqfwrmh.exe
- <SYSTEM32>\uxeempue.exe
- <SYSTEM32>\destivde.exe
- <SYSTEM32>\yuvyqwzj.exe
- <SYSTEM32>\kekcobwr.exe
- <SYSTEM32>\pagvyevn.exe
- <SYSTEM32>\vulmncnv.exe
- <SYSTEM32>\gajtdmup.exe
- <SYSTEM32>\ruihetpc.exe
- <SYSTEM32>\yzjmdylc.exe
- <SYSTEM32>\kmrvnqmc.exe
- <SYSTEM32>\fgecdnab.exe
- <SYSTEM32>\mciarlwe.exe
- <SYSTEM32>\heerjocb.exe
- <SYSTEM32>\aivcochk.exe
- <SYSTEM32>\fsvarvmq.exe
- <SYSTEM32>\vcsgxoie.exe
- <SYSTEM32>\rtbjoara.exe
- <SYSTEM32>\hmxngpqu.exe
- <SYSTEM32>\mnkxotds.exe
- <SYSTEM32>\ydpwxmiu.exe
- <SYSTEM32>\hnbgzcly.exe
- <SYSTEM32>\bgcxuxsb.exe
- <SYSTEM32>\nhehlgkn.exe
- <SYSTEM32>\zzbiawsk.exe
- <SYSTEM32>\domzxjaf.exe
- <SYSTEM32>\xdwnqhgq.exe
- <SYSTEM32>\lfswkalb.exe
- <SYSTEM32>\uydcnmrs.exe
- <SYSTEM32>\lhyxgcdg.exe
- <SYSTEM32>\nnnarlqu.exe
- <SYSTEM32>\eqezxxkf.exe
- <SYSTEM32>\nchlzyut.exe
- <SYSTEM32>\pjuaguxc.exe
- <SYSTEM32>\jgwmkyep.exe
- <SYSTEM32>\ngyoftxg.exe
- <SYSTEM32>\pgabmmhp.exe
- <SYSTEM32>\awwgtwgt.exe
- <SYSTEM32>\zikwmnez.exe
- <SYSTEM32>\ubjzyuqj.exe
- <SYSTEM32>\siflrmsg.exe
- <SYSTEM32>\afirvnnl.exe
- <SYSTEM32>\xrelmcac.exe
- <SYSTEM32>\dwfbefhz.exe
- <SYSTEM32>\zbrlzrvg.exe
- <SYSTEM32>\ddtokrgy.exe
- <SYSTEM32>\ciroqngw.exe
- <SYSTEM32>\pwygvbrb.exe
- <SYSTEM32>\kwmofiti.exe
- <SYSTEM32>\syzqtxnq.exe
- <SYSTEM32>\oalcmlrg.exe
- <SYSTEM32>\xafkitku.exe
- <SYSTEM32>\slkrfxcl.exe
- <SYSTEM32>\fatvamxw.exe
- <SYSTEM32>\qupmrlbn.exe
- <SYSTEM32>\lxecolum.exe
- <SYSTEM32>\qmrtweei.exe
- <SYSTEM32>\yvwoxscq.exe
- <SYSTEM32>\wkgymrfu.exe
Sets the 'hidden' attribute to the following files:
- <SYSTEM32>\rkqfwrmh.exe
- <SYSTEM32>\uxeempue.exe
- <SYSTEM32>\destivde.exe
- <SYSTEM32>\yuvyqwzj.exe
- <SYSTEM32>\kekcobwr.exe
- <SYSTEM32>\pagvyevn.exe
- <SYSTEM32>\vulmncnv.exe
- <SYSTEM32>\fgecdnab.exe
- <SYSTEM32>\ruihetpc.exe
- <SYSTEM32>\yzjmdylc.exe
- <SYSTEM32>\aivcochk.exe
- <SYSTEM32>\gajtdmup.exe
- <SYSTEM32>\mciarlwe.exe
- <SYSTEM32>\heerjocb.exe
- <SYSTEM32>\domzxjaf.exe
- <SYSTEM32>\fsvarvmq.exe
- <SYSTEM32>\vcsgxoie.exe
- <SYSTEM32>\rtbjoara.exe
- <SYSTEM32>\hmxngpqu.exe
- <SYSTEM32>\mnkxotds.exe
- <SYSTEM32>\ydpwxmiu.exe
- <SYSTEM32>\hnbgzcly.exe
- <SYSTEM32>\xdwnqhgq.exe
- <SYSTEM32>\nhehlgkn.exe
- <SYSTEM32>\zzbiawsk.exe
- <SYSTEM32>\lhyxgcdg.exe
- <SYSTEM32>\bgcxuxsb.exe
- <SYSTEM32>\lfswkalb.exe
- <SYSTEM32>\uydcnmrs.exe
- <SYSTEM32>\kmrvnqmc.exe
- <SYSTEM32>\nnnarlqu.exe
- <SYSTEM32>\eqezxxkf.exe
- <SYSTEM32>\nchlzyut.exe
- <SYSTEM32>\pjuaguxc.exe
- <SYSTEM32>\jgwmkyep.exe
- <SYSTEM32>\ngyoftxg.exe
- <SYSTEM32>\pgabmmhp.exe
- <SYSTEM32>\siflrmsg.exe
- <SYSTEM32>\zikwmnez.exe
- <SYSTEM32>\ubjzyuqj.exe
- <SYSTEM32>\dwfbefhz.exe
- <SYSTEM32>\awwgtwgt.exe
- <SYSTEM32>\afirvnnl.exe
- <SYSTEM32>\xrelmcac.exe
- <SYSTEM32>\qupmrlbn.exe
- <SYSTEM32>\zbrlzrvg.exe
- <SYSTEM32>\ddtokrgy.exe
- <SYSTEM32>\ciroqngw.exe
- <SYSTEM32>\pwygvbrb.exe
- <SYSTEM32>\kwmofiti.exe
- <SYSTEM32>\syzqtxnq.exe
- <SYSTEM32>\oalcmlrg.exe
- <SYSTEM32>\lxecolum.exe
- <SYSTEM32>\slkrfxcl.exe
- <SYSTEM32>\fatvamxw.exe
- <SYSTEM32>\wkgymrfu.exe
- <SYSTEM32>\xafkitku.exe
- <SYSTEM32>\qmrtweei.exe
- <SYSTEM32>\yvwoxscq.exe
Deletes the following files:
- %TEMP%\~DF861F.tmp
- %TEMP%\~DFA171.tmp
- %TEMP%\~DFE5D4.tmp
- %TEMP%\~DF4218.tmp
- %TEMP%\~DFBEEE.tmp
- %TEMP%\~DFE229.tmp
- %TEMP%\~DF1E9C.tmp
- %TEMP%\~DFC978.tmp
- %TEMP%\~DFD21.tmp
- %TEMP%\~DF31E4.tmp
- %TEMP%\~DFA4FE.tmp
- %TEMP%\~DF9E8.tmp
- %TEMP%\~DF45F5.tmp
- %TEMP%\~DF695F.tmp
- %TEMP%\~DF830D.tmp
- %TEMP%\~DF94D1.tmp
- %TEMP%\~DFD8E9.tmp
- %TEMP%\~DFFC2A.tmp
- %TEMP%\~DF7AD4.tmp
- %TEMP%\~DFD4ED.tmp
- %TEMP%\~DF10F5.tmp
- %TEMP%\~DF3517.tmp
- %TEMP%\~DFFF99.tmp
- %TEMP%\~DF1AB0.tmp
- %TEMP%\~DF6007.tmp
- %TEMP%\~DFBB90.tmp
- %TEMP%\~DF380A.tmp
- %TEMP%\~DF5BDA.tmp
- %TEMP%\~DF9866.tmp
- %TEMP%\~DFFF82.tmp
- %TEMP%\~DF4385.tmp
- %TEMP%\~DF5FEA.tmp
- %TEMP%\~DFDC2A.tmp
- %TEMP%\~DF403A.tmp
- %TEMP%\~DF7BDC.tmp
- %TEMP%\~DFA016.tmp
- %TEMP%\~DF6355.tmp
- %TEMP%\~DFCAAA.tmp
- %TEMP%\~DF2AA6.tmp
- %TEMP%\~DF27AB.tmp
- %TEMP%\~DFA366.tmp
- %TEMP%\~DFC747.tmp
- %TEMP%\~DF30B.tmp
- %TEMP%\~DF1C2D.tmp
- %TEMP%\~DF35E9.tmp
- %TEMP%\~DF51FD.tmp
- %TEMP%\~DF95AC.tmp
- %TEMP%\~DFF16C.tmp
- %TEMP%\~DF6CA4.tmp
- %TEMP%\~DF927B.tmp
- %TEMP%\~DFCCB8.tmp
- %TEMP%\~DF78AF.tmp
- %TEMP%\~DFBC8E.tmp
- %TEMP%\~DFD86A.tmp
- %TEMP%\~DF5589.tmp
- %TEMP%\~DFB995.tmp
- %TEMP%\~DFF57B.tmp
- %TEMP%\~DF190D.tmp
- %TEMP%\~DF740D.tmp
- %TEMP%\~DF92E4.tmp
- %TEMP%\~DFD26C.tmp
- %TEMP%\~DF2CE2.tmp
- %TEMP%\~DFAF08.tmp
- %TEMP%\~DF1558.tmp
- %TEMP%\~DFCE24.tmp
- %TEMP%\~DFB0AA.tmp
- %TEMP%\~DFF73B.tmp
- %TEMP%\~DF17B4.tmp
- %TEMP%\~DF50AB.tmp
- %TEMP%\~DFF21E.tmp
- %TEMP%\~DF3175.tmp
- %TEMP%\~DF981E.tmp
- %TEMP%\~DF6F96.tmp
- %TEMP%\~DF8F04.tmp
- %TEMP%\~DFC138.tmp
- %TEMP%\~DFEDB9.tmp
- %TEMP%\~DF6E86.tmp
- %TEMP%\~DFBBE7.tmp
- %TEMP%\~DF1222.tmp
- %TEMP%\~DF2815.tmp
- %TEMP%\~DFF1E2.tmp
- %TEMP%\~DF1122.tmp
- %TEMP%\~DF509D.tmp
- %TEMP%\~DFAAFC.tmp
- %TEMP%\~DF2D6B.tmp
- %TEMP%\~DF93A2.tmp
- %TEMP%\~DF4BD8.tmp
- %TEMP%\~DFEE8A.tmp
- %TEMP%\~DF29DD.tmp
- %TEMP%\~DF4E93.tmp
- %TEMP%\~DFCAF3.tmp
- %TEMP%\~DF265D.tmp
- %TEMP%\~DF6242.tmp
- %TEMP%\~DF8697.tmp
- %TEMP%\~DF51DC.tmp
- %TEMP%\~DF752A.tmp
- %TEMP%\~DFB152.tmp
- %TEMP%\~DFE3D.tmp
- %TEMP%\~DF89F6.tmp
- %TEMP%\~DFADF9.tmp
- %TEMP%\~DFF1A0.tmp
- %TEMP%\~DF27F.tmp
- %TEMP%\~DF1C2E.tmp
- %TEMP%\~DF37B2.tmp
- %TEMP%\~DF7BCD.tmp
- %TEMP%\~DFD6ED.tmp
- %TEMP%\~DF54FD.tmp
- %TEMP%\~DF7807.tmp
- %TEMP%\~DFB45A.tmp
- %TEMP%\~DF5E30.tmp
- %TEMP%\~DFA26A.tmp
- %TEMP%\~DFC712.tmp
- %TEMP%\~DF3ABC.tmp
- %TEMP%\~DF9F72.tmp
- %TEMP%\~DFDB87.tmp
- %TEMP%\~DFFF7C.tmp
Network activity:
Connects to:
- 'localhost':1117
- 'localhost':1115
- 'localhost':1113
- 'localhost':1119
- 'localhost':1125
- 'localhost':1123
- 'localhost':1121
- 'localhost':1111
- 'localhost':1101
- 'localhost':1099
- 'localhost':1097
- 'localhost':1103
- 'localhost':1109
- 'localhost':1107
- 'localhost':1105
- 'localhost':1147
- 'localhost':1145
- 'localhost':1143
- 'localhost':1149
- 'localhost':1155
- 'localhost':1153
- 'localhost':1151
- 'localhost':1141
- 'localhost':1131
- 'localhost':1129
- 'localhost':1127
- 'localhost':1133
- 'localhost':1139
- 'localhost':1137
- 'localhost':1135
- 'localhost':1057
- 'localhost':1055
- 'localhost':1053
- 'localhost':1059
- 'localhost':1065
- 'localhost':1063
- 'localhost':1061
- 'localhost':1051
- 'localhost':1041
- 'localhost':1039
- 'bl##.naver.com':80
- 'localhost':1043
- 'localhost':1049
- 'localhost':1047
- 'localhost':1045
- 'localhost':1087
- 'localhost':1085
- 'localhost':1083
- 'localhost':1089
- 'localhost':1095
- 'localhost':1093
- 'localhost':1091
- 'localhost':1081
- 'localhost':1071
- 'localhost':1069
- 'localhost':1067
- 'localhost':1073
- 'localhost':1079
- 'localhost':1077
- 'localhost':1075
TCP:
HTTP GET requests:
- bl##.naver.com/PostView.nhn?bl################################################################################################################################################################################################
UDP:
- DNS ASK bl##.naver.com
Miscellaneous:
Searches for the following windows:
- ClassName: 'MS_WebcheckMonitor' WindowName: ''
- ClassName: 'MS_AutodialMonitor' WindowName: ''
- ClassName: 'Shell_TrayWnd' WindowName: ''
