Technical Information
Malicious functions
Creates and executes the following (exploit)
- '%APPDATA%\microsoft\addins\i4w9g5o5.exe'
- '%APPDATA%\microsoft\addins\d3j5v8m9.exe'
Executes the following (exploit)
- '<SYSTEM32>\certutil.exe' -decode %APPDATA%\Microsoft\AddIns\U1S1N6G7.txt %APPDATA%\Microsoft\AddIns\I4W9G5O5.exe
- '<SYSTEM32>\certutil.exe' -decode %APPDATA%\Microsoft\AddIns\H5Z3L2O4.txt %APPDATA%\Microsoft\AddIns\D3J5V8M9.exe
Modifies file system
Creates the following files
- %APPDATA%\microsoft\addins\u1s1n6g7.txt
- %APPDATA%\microsoft\addins\i4w9g5o5.exe
- %APPDATA%\microsoft\addins\h5z3l2o4.txt
- %APPDATA%\microsoft\addins\d3j5v8m9.exe
Network activity
Connects to
- '34.##.136.217':1335
Miscellaneous
Creates and executes the following
- '<SYSTEM32>\certutil.exe' -decode %APPDATA%\Microsoft\AddIns\U1S1N6G7.txt %APPDATA%\Microsoft\AddIns\I4W9G5O5.exe' (with hidden window)
- '%APPDATA%\microsoft\addins\i4w9g5o5.exe' ' (with hidden window)
- '<SYSTEM32>\certutil.exe' -decode %APPDATA%\Microsoft\AddIns\H5Z3L2O4.txt %APPDATA%\Microsoft\AddIns\D3J5V8M9.exe' (with hidden window)
- '%APPDATA%\microsoft\addins\d3j5v8m9.exe' ' (with hidden window)
