Technical Information
Malicious functions:
Executes the following:
- <SYSTEM32>\rundll32.exe ""%TEMP%\ins1.tmp"",gugsaxfq install
Modifies file system :
Creates the following files:
- %TEMP%\ins1.tmp
Deletes itself.
Network activity:
Connects to:
- 'cr##.ce.ms':80
TCP:
HTTP GET requests:
- cr##.ce.ms/umVSSholKShdc07c5im3RAaPX8sQbd5nZ4spBVJ/xvU6sgtLhU46ES6jH8CKc/vEzlIWOygyKU1/cHLCWYq+tzEvt6nhsm2qwppk6O6JJEFWWg==
- cr##.ce.ms/KQUNgCTTlYQcHtgZzcMPrXJoA+5xRKUQulPsWy68bETXqGydqgzcnVBNOPJ3QJJKMrIoPyHDI+9XDY6GVFskPuWU+fV8A0PKfLFFyw88gxIfS3R9iJ2F8MfEn2c2PLnE0PNTaYm0w+kCRHAnVOIKrUItWjox+eePs1eSCmWFSKxXQwGzcFr5hIP6kva8Q31sv+rgIaSa5Hw=
UDP:
- DNS ASK cr##.ce.ms
Miscellaneous:
Searches for the following windows:
- ClassName: 'Shell_TrayWnd' WindowName: ''
