Technical Information
Malicious functions
Executes the following
- '%WINDIR%\syswow64\taskkill.exe' /im WindowsFormsApp12
- '%WINDIR%\syswow64\taskkill.exe' /im WindowsFormsApp9
- '%WINDIR%\syswow64\taskkill.exe' /im WindowsFormsApp11
- '%WINDIR%\syswow64\taskkill.exe' /im BSOD.exe
Modifies file system
Creates the following files
- %WINDIR% cache backup\imsorry.txt
- %TEMP%\ndf5dac.tmp
- %WINDIR%\temp\sdiag_2cf10029-85af-45c5-b56f-bbd26a56e323\diagpackage.diagpkg
- %WINDIR%\temp\sdiag_2cf10029-85af-45c5-b56f-bbd26a56e323\diagpackage.dll
- %WINDIR%\temp\sdiag_2cf10029-85af-45c5-b56f-bbd26a56e323\htinteractiveres.ps1
- %WINDIR%\temp\sdiag_2cf10029-85af-45c5-b56f-bbd26a56e323\interactiveres.ps1
- %WINDIR%\temp\sdiag_2cf10029-85af-45c5-b56f-bbd26a56e323\networkdiagnosticsresolve.ps1
- %WINDIR%\temp\sdiag_2cf10029-85af-45c5-b56f-bbd26a56e323\networkdiagnosticstroubleshoot.ps1
- %WINDIR%\temp\sdiag_2cf10029-85af-45c5-b56f-bbd26a56e323\networkdiagnosticsverify.ps1
- %WINDIR%\temp\sdiag_2cf10029-85af-45c5-b56f-bbd26a56e323\startdpsservice.ps1
- %WINDIR%\temp\sdiag_2cf10029-85af-45c5-b56f-bbd26a56e323\utilityfirewall.ps1
- %WINDIR%\temp\sdiag_2cf10029-85af-45c5-b56f-bbd26a56e323\utilityfunctions.ps1
- %WINDIR%\temp\sdiag_2cf10029-85af-45c5-b56f-bbd26a56e323\utilitysetconstants.ps1
- %WINDIR%\temp\sdiag_2cf10029-85af-45c5-b56f-bbd26a56e323\en-us\diagpackage.dll.mui
- %WINDIR%\temp\sdiag_2cf10029-85af-45c5-b56f-bbd26a56e323\en-us\localizationdata.psd1
- %WINDIR%\temp\sdiag_2cf10029-85af-45c5-b56f-bbd26a56e323\result\results.xsl
- %WINDIR%\temp\sdiag_2cf10029-85af-45c5-b56f-bbd26a56e323\result\debugreport.xml
- %WINDIR%\temp\sdiag_2cf10029-85af-45c5-b56f-bbd26a56e323\result\resultreport.xml
- %LOCALAPPDATA%\elevateddiagnostics\460911090\2021022422.001\debugreport.xml
- %LOCALAPPDATA%\elevateddiagnostics\460911090\2021022422.001\resultreport.xml
- %LOCALAPPDATA%\elevateddiagnostics\460911090\2021022422.001\results.xsl
- %LOCALAPPDATA%\elevateddiagnostics\460911090\2021022422.001\results.xml
- %TEMP%\pla56bf.tmp
- %TEMP%\pla52ff.tmp
- %TEMP%\pla59da.tmp
- %TEMP%\pla7a4a.tmp
- %LOCALAPPDATA%\elevateddiagnostics\460911090\latest.cab
- %TEMP%\pla56a9.tmp
- %TEMP%\pla5dc9.tmp
- %TEMP%\pla3fdc.tmp
- %WINDIR% cache backup\payload310.vbs
- %WINDIR% cache backup\bsod.exe
- %TEMP%\ndf4be0.tmp
- %WINDIR%\temp\sdiag_802368c9-47a7-4033-b649-cd93ce7ca199\diagpackage.diagpkg
- %WINDIR%\temp\sdiag_802368c9-47a7-4033-b649-cd93ce7ca199\diagpackage.dll
- %WINDIR%\temp\sdiag_802368c9-47a7-4033-b649-cd93ce7ca199\htinteractiveres.ps1
- %WINDIR%\temp\sdiag_802368c9-47a7-4033-b649-cd93ce7ca199\interactiveres.ps1
- %WINDIR%\temp\sdiag_802368c9-47a7-4033-b649-cd93ce7ca199\networkdiagnosticsresolve.ps1
- %WINDIR%\temp\sdiag_802368c9-47a7-4033-b649-cd93ce7ca199\networkdiagnosticstroubleshoot.ps1
- %WINDIR%\temp\sdiag_802368c9-47a7-4033-b649-cd93ce7ca199\networkdiagnosticsverify.ps1
- %WINDIR%\temp\sdiag_802368c9-47a7-4033-b649-cd93ce7ca199\startdpsservice.ps1
- %WINDIR%\temp\sdiag_802368c9-47a7-4033-b649-cd93ce7ca199\utilityfirewall.ps1
- %WINDIR%\temp\sdiag_802368c9-47a7-4033-b649-cd93ce7ca199\utilityfunctions.ps1
- %WINDIR%\temp\sdiag_802368c9-47a7-4033-b649-cd93ce7ca199\utilitysetconstants.ps1
- %WINDIR%\temp\sdiag_802368c9-47a7-4033-b649-cd93ce7ca199\en-us\diagpackage.dll.mui
- %WINDIR%\temp\sdiag_802368c9-47a7-4033-b649-cd93ce7ca199\en-us\localizationdata.psd1
- %WINDIR%\temp\sdiag_802368c9-47a7-4033-b649-cd93ce7ca199\result\results.xsl
- %WINDIR%\temp\sdiag_802368c9-47a7-4033-b649-cd93ce7ca199\result\debugreport.xml
- %WINDIR%\temp\sdiag_802368c9-47a7-4033-b649-cd93ce7ca199\result\resultreport.xml
- %LOCALAPPDATA%\elevateddiagnostics\460911090\2021022422.000\debugreport.xml
- %LOCALAPPDATA%\elevateddiagnostics\460911090\2021022422.000\resultreport.xml
- %LOCALAPPDATA%\elevateddiagnostics\460911090\2021022422.000\results.xsl
- %LOCALAPPDATA%\elevateddiagnostics\460911090\2021022422.000\results.xml
- %TEMP%\pla566.tmp
- %TEMP%\pla550a.tmp
- %TEMP%\pla4c45.tmp
- %LOCALAPPDATA%\microsoft\windows\wer\reportarchive\noncritical_iexplore.exe_e5b78f97cb738f91a0c4b56a158b4724b0a32897_0bf16bcc\report.wer
Deletes the following files
- %TEMP%\pla550a.tmp
- %TEMP%\pla56bf.tmp
- %TEMP%\pla59da.tmp
- %TEMP%\pla56a9.tmp
- %TEMP%\pla7a4a.tmp
- %WINDIR%\temp\sdiag_2cf10029-85af-45c5-b56f-bbd26a56e323\diagpackage.diagpkg
- %WINDIR%\temp\sdiag_2cf10029-85af-45c5-b56f-bbd26a56e323\diagpackage.dll
- %WINDIR%\temp\sdiag_2cf10029-85af-45c5-b56f-bbd26a56e323\en-us\diagpackage.dll.mui
- %WINDIR%\temp\sdiag_2cf10029-85af-45c5-b56f-bbd26a56e323\en-us\localizationdata.psd1
- %WINDIR%\temp\sdiag_2cf10029-85af-45c5-b56f-bbd26a56e323\htinteractiveres.ps1
- %WINDIR%\temp\sdiag_2cf10029-85af-45c5-b56f-bbd26a56e323\interactiveres.ps1
- %WINDIR%\temp\sdiag_2cf10029-85af-45c5-b56f-bbd26a56e323\networkdiagnosticsresolve.ps1
- %WINDIR%\temp\sdiag_2cf10029-85af-45c5-b56f-bbd26a56e323\networkdiagnosticstroubleshoot.ps1
- %WINDIR%\temp\sdiag_2cf10029-85af-45c5-b56f-bbd26a56e323\networkdiagnosticsverify.ps1
- %WINDIR%\temp\sdiag_2cf10029-85af-45c5-b56f-bbd26a56e323\result\debugreport.xml
- %WINDIR%\temp\sdiag_2cf10029-85af-45c5-b56f-bbd26a56e323\result\resultreport.xml
- %WINDIR%\temp\sdiag_2cf10029-85af-45c5-b56f-bbd26a56e323\result\results.xsl
- %WINDIR%\temp\sdiag_2cf10029-85af-45c5-b56f-bbd26a56e323\startdpsservice.ps1
- %WINDIR%\temp\sdiag_2cf10029-85af-45c5-b56f-bbd26a56e323\utilityfirewall.ps1
- %WINDIR%\temp\sdiag_2cf10029-85af-45c5-b56f-bbd26a56e323\utilityfunctions.ps1
- %TEMP%\pla52ff.tmp
- %WINDIR%\temp\sdiag_2cf10029-85af-45c5-b56f-bbd26a56e323\utilitysetconstants.ps1
- %LOCALAPPDATA%\elevateddiagnostics\460911090\latest.cab
- %WINDIR%\temp\sdiag_802368c9-47a7-4033-b649-cd93ce7ca199\utilitysetconstants.ps1
- %TEMP%\pla566.tmp
- %TEMP%\pla3fdc.tmp
- %TEMP%\pla5dc9.tmp
- %TEMP%\pla4c45.tmp
- %WINDIR%\temp\sdiag_802368c9-47a7-4033-b649-cd93ce7ca199\diagpackage.diagpkg
- %WINDIR%\temp\sdiag_802368c9-47a7-4033-b649-cd93ce7ca199\diagpackage.dll
- %WINDIR%\temp\sdiag_802368c9-47a7-4033-b649-cd93ce7ca199\en-us\diagpackage.dll.mui
- %WINDIR%\temp\sdiag_802368c9-47a7-4033-b649-cd93ce7ca199\en-us\localizationdata.psd1
- %WINDIR%\temp\sdiag_802368c9-47a7-4033-b649-cd93ce7ca199\htinteractiveres.ps1
- %WINDIR%\temp\sdiag_802368c9-47a7-4033-b649-cd93ce7ca199\interactiveres.ps1
- %WINDIR%\temp\sdiag_802368c9-47a7-4033-b649-cd93ce7ca199\networkdiagnosticsresolve.ps1
- %WINDIR%\temp\sdiag_802368c9-47a7-4033-b649-cd93ce7ca199\networkdiagnosticstroubleshoot.ps1
- %WINDIR%\temp\sdiag_802368c9-47a7-4033-b649-cd93ce7ca199\networkdiagnosticsverify.ps1
- %WINDIR%\temp\sdiag_802368c9-47a7-4033-b649-cd93ce7ca199\result\debugreport.xml
- %WINDIR%\temp\sdiag_802368c9-47a7-4033-b649-cd93ce7ca199\result\resultreport.xml
- %WINDIR%\temp\sdiag_802368c9-47a7-4033-b649-cd93ce7ca199\result\results.xsl
- %WINDIR%\temp\sdiag_802368c9-47a7-4033-b649-cd93ce7ca199\startdpsservice.ps1
- %WINDIR%\temp\sdiag_802368c9-47a7-4033-b649-cd93ce7ca199\utilityfirewall.ps1
- %WINDIR%\temp\sdiag_802368c9-47a7-4033-b649-cd93ce7ca199\utilityfunctions.ps1
- %TEMP%\ndf4be0.tmp
- %TEMP%\ndf5dac.tmp
Moves the following files
- from %LOCALAPPDATA%\elevateddiagnostics\460911090\2021022422.000\debugreport.xml to %LOCALAPPDATA%\elevateddiagnostics\460911090\2021022422.000\networkdiagnostics.0.debugreport.xml
- from %LOCALAPPDATA%\elevateddiagnostics\460911090\2021022422.001\debugreport.xml to %LOCALAPPDATA%\elevateddiagnostics\460911090\2021022422.001\networkdiagnostics.0.debugreport.xml
Modifies the following files
Substitutes the following files
- %LOCALAPPDATA%\elevateddiagnostics\460911090\latest.cab
Network activity
Connects to
- 'cd#.##scordapp.com':443
- 'gm##l.com':80
- 'google.com':443
- 'gm##l.com':443
- 'ss#.#static.com':443
- 'fo###.gstatic.com':443
- 'ac#####s.youtube.com':443
- 'go#####dservices.com':443
TCP
HTTP GET requests
- http://www.gm##l.com/
UDP
- DNS ASK cd#.##scordapp.com
- DNS ASK gm##l.com
- DNS ASK google.com
- DNS ASK microsoft.com
- DNS ASK mail.google.com
- DNS ASK accounts.google.com
- DNS ASK ss#.#static.com
- DNS ASK fo###.gstatic.com
- DNS ASK ac#####s.youtube.com
- DNS ASK go#####dservices.com
Miscellaneous
Searches for the following windows
- ClassName: 'button' WindowName: ''
- ClassName: 'DDEMLMom' WindowName: ''
- ClassName: 'IEFrame' WindowName: ''
- ClassName: 'Static' WindowName: ''
- ClassName: 'MS_AutodialMonitor' WindowName: ''
- ClassName: 'MS_WebCheckMonitor' WindowName: ''
- ClassName: '' WindowName: ''
Creates and executes the following
- '%WINDIR% cache backup\bsod.exe'
Executes the following
- '%WINDIR%\syswow64\notepad.exe' %WINDIR% Cache Backup\ImSorry.txt
- '%WINDIR%\syswow64\wscript.exe' "%WINDIR% Cache Backup\payload310.vbs"
- '%WINDIR%\syswow64\msdt.exe' -modal 327994 -skip TRUE -path %WINDIR%\diagnostics\system\networking -af %TEMP%\NDF4BE0.tmp -ep NetworkDiagnosticsWeb
- '%WINDIR%\syswow64\msdt.exe' -modal 327994 -skip TRUE -path %WINDIR%\diagnostics\system\networking -af %TEMP%\NDF5DAC.tmp -ep NetworkDiagnosticsWeb
