Technical Information
To ensure autorun and distribution
Modifies the following registry keys
- [<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\] 'Client Server Runtime Subsystem' = '"%ALLUSERSPROFILE%\Windows\csrss.exe"'
Creates the following files on removable media
- <Drive name for removable media>:\readme1.txt
- <Drive name for removable media>:\readme2.txt
- <Drive name for removable media>:\readme3.txt
- <Drive name for removable media>:\readme4.txt
- <Drive name for removable media>:\readme5.txt
- <Drive name for removable media>:\readme6.txt
- <Drive name for removable media>:\readme7.txt
- <Drive name for removable media>:\readme8.txt
- <Drive name for removable media>:\readme9.txt
- <Drive name for removable media>:\readme10.txt
Malicious functions
Reads files which store third party applications passwords
- %HOMEPATH%\desktop\weeklysheet1215.doc
- %HOMEPATH%\desktop\testee.cer
- %HOMEPATH%\desktop\testcertificate.cer
- %HOMEPATH%\desktop\split.avi
- %HOMEPATH%\desktop\sdszfo.docx
- %HOMEPATH%\desktop\sdksampleunprivdeveloper.cer
- %HOMEPATH%\desktop\ovp25012015.doc
- %HOMEPATH%\desktop\nwfieldnotes1966.docx
- %HOMEPATH%\desktop\join.avi
- %HOMEPATH%\desktop\holycrosschurchinstructions.docx
- %HOMEPATH%\desktop\dashborder_120.bmp
- %HOMEPATH%\desktop\contosoroot_1.cer
- %HOMEPATH%\desktop\contosoroot.cer
- %HOMEPATH%\desktop\adhd_and_obesity.docx
- %HOMEPATH%\desktop\508softwareandos.doc
Modifies file system
Creates the following files
- %ALLUSERSPROFILE%\windows\csrss.exe
- C:\readme8.txt
- C:\readme7.txt
- C:\readme6.txt
- C:\readme5.txt
- C:\readme4.txt
- C:\readme3.txt
- C:\readme2.txt
- C:\readme1.txt
- D:\readme10.txt
- D:\readme9.txt
- D:\readme8.txt
- D:\readme7.txt
- D:\readme6.txt
- D:\readme5.txt
- D:\readme4.txt
- D:\readme3.txt
- D:\readme2.txt
- D:\readme1.txt
- %TEMP%\cached-microdescs.new
- %TEMP%\cached-microdesc-consensus.tmp
- %TEMP%\cached-certs.tmp
- %TEMP%\unverified-microdesc-consensus.tmp
- %TEMP%\state.tmp
- C:\readme9.txt
- C:\readme10.txt
Deletes the following files
- %TEMP%\unverified-microdesc-consensus
- %TEMP%\state
Moves the following files
- from %TEMP%\state.tmp to %TEMP%\state
- from %TEMP%\dotnetfx.log to %TEMP%\dnpsw9qtgp-aclqynib5vl0fkij62y0qm2rx0fsqdps=.8299e5ecf260e360bc26.breaking_bad
- from %TEMP%\dd_wcf_ca_smci_20200611_031101_060.txt to %TEMP%\xxrvsamkfjxgy6tunp0eauvglkefdparvdyx-usswpxym64ndiuud1szvks9ikwwuxvkuochbl6zwtk8tm-kovh0+jr-fheu+m4xd+6gwls=.8299e5ecf260e360bc26.breaking_bad
- from %TEMP%\dd_wcf_ca_smci_20200611_031056_919.txt to %TEMP%\7zebu403n522v+umehymyzaoggdzkyckjy9bx2ul90gqmzo1brarbiesldx3jl0oe635rxc-cvpk2e1vqzql73rgyqpilho++xnk+ii9hoo=.8299e5ecf260e360bc26.breaking_bad
- from %TEMP%\dd_wcf_ca_smci_20151217_052908_497.txt to %TEMP%\9wjqptlccpt0pp5xbr3us1a5o74kkjoac8dcgguoibqenppiwwkrqdy1bn7vbhy3jtpmtnwhzmfeamoc+rqbktywsasa5z+s5jbp7eabxtk=.8299e5ecf260e360bc26.breaking_bad
- from %TEMP%\dd_wcf_ca_smci_20151217_052858_840.txt to %TEMP%\9mjyhtdhsjcjgqwwkxuywyi6fqsmb8rrloeid7y5jo8qx4p8otp2rg9oumf-wkcardrdxaqvde8rmnrtrv9afsd2d17bhgkwviyrgoemaok=.8299e5ecf260e360bc26.breaking_bad
- from %TEMP%\dd_vcredist_x86_20151216210157_001_vcruntimeadditional_x86.log to %TEMP%\wvdqtevdhvs6hodcq2plxj4+quytss+1yp9ff7ohz6beagt3a+lxhj9utoan8hdm94l54-hmqtxxavrlkhpwzcgee+imxmujwmu-ogrmsbgf12wxpgql+nf1wl93bny-3z151qjnxgupaqda6mwqay0xytxsmgkdunym5g0upvm=.8299e5ecf260e...
- from %TEMP%\dd_vcredist_x86_20151216210157_000_vcruntimeminimum_x86.log to %TEMP%\+s8mg02fcfwbfveuhdxjnxgqzrwn58uj86-7bhzfu0zudlirpcu8pyvlmyr+hn0sakzjazx6voprq24kszx+gmlvfa1ov6l7gah3latekoubgzi4ysvjooy1vbojpcgaen2nag7mlsis2ecgnpfuvjft4swimvks2yvzjsotaak=.8299e5ecf260e...
- from %TEMP%\dd_vcredist_x86_20151216210157.log to %TEMP%\wwmlz9-howowsrjyg20ubu+jdl6rxdkvwwe7lbiod+gm91qmtfyqlm7snsynuacgbqzdj435frnmkc-lzhfseesddx9hnr9lj+aexwwpgxg=.8299e5ecf260e360bc26.breaking_bad
- from %TEMP%\dd_vcredist_amd64_20151216210341_001_vcruntimeadditional_x64.log to %TEMP%\+ra9wy0abvt66-e5yvijeqbm6p1edvz8uct+r1xtirti-obmty2f0jfysnpib5o7vv7ofleleg-yyv5ks1pvjr8aey53n6w4fg0x2tufzmbern3w-zhh62+cel50m885kcobm7nh7uvvnqcjgqeuxbcn4myz+nic8g5gz5t14ys=.8299e5ecf260e...
- from %TEMP%\msid38c.log to %TEMP%\agsb2omjfluoa6wa2i8pb+vxzhuu4xkhygmvawx6jam=.8299e5ecf260e360bc26.breaking_bad
- from %TEMP%\dd_vcredist_amd64_20151216210341_000_vcruntimeminimum_x64.log to %TEMP%\hagocey9hamt102d6cn0z8jzkc57qyqxlyy4b3hea9+++9h7vseyngy5ffznaegfr4bruy8cnwsei5cgqpqabsguiv26ej7wq5ucfkarlnzenvzk+uzurfdf4yyc3+ofc+r73xl+-ezlawyqi0tybkjuocp6h8igz1d3chjojaa=.8299e5ecf260e...
- from %TEMP%\dd_setuputility.txt to %TEMP%\hl+bri+l0nnbggxijjn+ex1qkrdzggt2ble520gtmuyjdgin9mnyip8tqeeie7vc.8299e5ecf260e360bc26.breaking_bad
- from %TEMP%\dd_ndp471-kb4033342-x86-x64-allos-enu_decompression_log.txt to %TEMP%\v6ysqst5qw1utlypeioy4vlho0zvs2fktgay7w16loaxyeyxomqowrsfs2x27rohxgslkeyyszvud+frdjnlqwm+ofmy0v8eoco6texyaz4u2i5pmwusuga-e9rzivoyjxj4o9uu5lowgwebtqxls7v-dykk8lgtutu4gfeprmo=.8299e5ecf260e...
- from %TEMP%\dd_ndp452-kb2901907-x86-x64-allos-enu_decompression_log.txt to %TEMP%\ej5qono2kysg7j0lfgfiypfdmauqezdbvrofnjjzgb49fqbg-sxkq5w8pfljxunghp3v7xbwjbfpoykvisp3wus9jyxjnnioc2xotr0yi6bwntyahac70xy3ikbyzha2wqxdjnptjh99hy9c0mczdkhwlg04okdp1sdszi-ujs8=.8299e5ecf260e...
- from %TEMP%\aspnetsetup_00003.log to %TEMP%\adfyrmnflh+3fmdn8rkrhsytzxvueuepamaticsjda9-gx9mi4ylifijjj8jvmwp.8299e5ecf260e360bc26.breaking_bad
- from %TEMP%\aspnetsetup_00002.log to %TEMP%\5n-9iqu2g-zvz0krsifhimvnrykt7rtrujhfet6amow-mx6gtpro1fknowg0zo-+.8299e5ecf260e360bc26.breaking_bad
- from %TEMP%\aspnetsetup_00001.log to %TEMP%\sopuekfjyv4cc3v8pe7aywbxd9fzifpuqcwmutnwca8b9qvpb0zy-mg8r-kv1jm6.8299e5ecf260e360bc26.breaking_bad
- from %TEMP%\aspnetsetup_00000.log to %TEMP%\rp3ufsjg+zjms8r3lqsy-iewgxqgjy2hsswndoin9lksmphmezrs6fluij-txhoj.8299e5ecf260e360bc26.breaking_bad
- from %TEMP%\aspnetsetup.log to %TEMP%\xo7evu8cukcmw+ncxhzl6o3sm+oax08qlphx4gkk0+m=.8299e5ecf260e360bc26.breaking_bad
- from %TEMP%\adobesfx.log to %TEMP%\pxjf9xcfxpl7hwlxuj8zuuhf2rcut8guv8mcz4f6roy=.8299e5ecf260e360bc26.breaking_bad
- from %TEMP%\javadeployreg.log to %TEMP%\kthccgvhvw3f+w42opdu+w6ik-3adkwskg+djlbzcgzvshwevgzrbetrxcpzpvpz.8299e5ecf260e360bc26.breaking_bad
- from %TEMP%\dotnetfxsdk.log to %TEMP%\w92bxikghfda-9zd7cycvwkbrwjm5i1nwocy-iazlom=.8299e5ecf260e360bc26.breaking_bad
- from %TEMP%\jawshtml.html to %TEMP%\smw36qfgwhdv3nkne1vuqeqwhqawwbuz70plgz-hrmm=.8299e5ecf260e360bc26.breaking_bad
- from %TEMP%\jusched.log to %TEMP%\4ioylgvxssk5ozw1cwhv9qsy0e9nppd70eg8ly7bij8=.8299e5ecf260e360bc26.breaking_bad
- from %TEMP%\microsoft .net framework 4.5 setup_20150506_155317844.html to %TEMP%\niy7huv8y666tlzqddkefrzggfmgb-vrjqjsots+xnatk+1dmqjkv7takt2ywe5zyxvfujniylaotnllplw6ugwmgwdng+rbpnp7qculizmmmje-zmgoqdv4h-srbvfoxsihoriwtpg+8-obmshltbj-moxlhum0hc85dn1gu-e=.8299e5ecf260e...
- from %TEMP%\cached-certs.tmp to %TEMP%\cached-certs
- from %TEMP%\cached-microdesc-consensus.tmp to %TEMP%\cached-microdesc-consensus
- from %TEMP%\wmsetup.log to %TEMP%\z0fkgrsfqykhq7jzq0azi4b5gygqgegisdtskrm+kwy=.8299e5ecf260e360bc26.breaking_bad
- from %TEMP%\wallpaper.bmp to %TEMP%\vbwthpvksttfamx98nfeot1nveycsf8xqnqis+xep7a=.8299e5ecf260e360bc26.breaking_bad
- from %TEMP%\user.bmp to %TEMP%\vzxb59emgrhjsdcevhtnxa==.8299e5ecf260e360bc26.breaking_bad
- from %TEMP%\setupexe(20160310140634718).log to %TEMP%\0y-sdfyn9--u3cuetztjwp4gvdsvajluut6nceytogdhr7-rr5wlpybbvratzhfk428lfdyfgj1ka6mgpheo7q==.8299e5ecf260e360bc26.breaking_bad
- from %TEMP%\setupexe(201603101200226dc).log to %TEMP%\zgtfj8trqavd9ocqr529dqm8hp6awridf7k2x-rzerfai2ng3t52llbhfkvdwvkraoko7nsmgdwxznlkuziqhq==.8299e5ecf260e360bc26.breaking_bad
- from %TEMP%\setupexe(20151124155624744).log to %TEMP%\6lfmmxwtvn6pdswgwgsvcwltqn85s2fhbebjo39tnxoah4xbn0zvuanjbunuwogndqsvxrw7teqow83x6u6llq==.8299e5ecf260e360bc26.breaking_bad
- from %TEMP%\msieb217.log to %TEMP%\fok5rlkwrbxxxvwgi2oxseyohkwu5deobveoqpbpm+m=.8299e5ecf260e360bc26.breaking_bad
- from %TEMP%\adobearm_notlocked.log to %TEMP%\d8a8wjfiiv9jylphi8eldswbhttecd8o5p9k+lmeyhn-afz4xlogue2m008fi93u.8299e5ecf260e360bc26.breaking_bad
- from %TEMP%\dd_vcredist_amd64_20151216210341.log to %TEMP%\qogtahera-cufnpv7tgwlfpfdbdrbw+oa-vs2cyk0nn6pvcdsfb5ygbjcgfblp39m+6ahett0h7dybthk1n9p7jzd8r2m9a-jbh9+njtio8=.8299e5ecf260e360bc26.breaking_bad
- from %TEMP%\msie45bf.log to %TEMP%\rzdappsjoy3vpe7wpnjmptfapfcy0f5fnrmy-0ecqmm=.8299e5ecf260e360bc26.breaking_bad
- from %TEMP%\msi1cfbe.log to %TEMP%\ovxal+dhgfw1pxkh6v4drru9pim6obrihtj6yc+r8ui=.8299e5ecf260e360bc26.breaking_bad
- from %TEMP%\microsoft visual c++ 2010 x86 redistributable setup_20150506_155226438.html to %TEMP%\nbk7p2zu3k7sost7isvs0ntn-jaydchyrkd3z5-c6uyvals0fpi3q+-dlhgz454mm8udt-zskdbyttr68+wnnt04jfeohhgeexmwxuj3cw78dpy88fvaw5kzgs8efkvbhfmumop3oqwnvegfnolmwxpwgl-xhwp1-+nkbxbdztqc8qsel2ts3ck3kg...
- from %TEMP%\microsoft .net framework 4.7.1 setup_20200610_200621826.html to %TEMP%\lhcp+jcvp9eowwupzqadzlt41czbuwdq9u964mhidorefighxy-tnzfmvcxwltyotidsnrys8rdshxc8zohbkntu4l8odon7gfp0ysr8qecwwdutfcb6aficlastmsgduewlsokjmfxwbvqjwe+oc3kresmw7jjq5asotcfgf44=.8299e5ecf260e...
- from %TEMP%\microsoft .net framework 4.7.1 setup_20200610_200621826-msi_netfx_full_x64.msi.txt to %TEMP%\vydiuicf+xm2im-c2ouucjwoyoj8i+eyy5399kkumlxtlcatvol86dtlab-w4uafpf-z53p-ejk78x7gi+fdsu-c94o3taqahdfe3ix0dbrmmbeb0hvyotnqvk-wubfy4cdfrqqcc+pqsnhzqb2i482jfaezk+itpgvrqnxzshruml6qzqkfzby4fx...
- from %TEMP%\microsoft .net framework 4.7.1 setup_20200610_200621826-msi_netfx_full_x64.msi.txt to %TEMP%\microsoft .net framework 4.7.1 setup_20200610_200621826-msi_netfx_full_x64.msi.txt.heisenberg
- from %TEMP%\microsoft .net framework 4.7.1 setup_20200610_195959602.html to %TEMP%\dvnuzwxps4xcca5kcx4pyzaixomao5qrh8zahkyml6r3ugdppbu1k6pc1ymrbpwcl7g3sfk3m4eyrsfmsz1ql-qsk5mptbmlclc4+gbk3gd2uvvim682yzjudbf0kz-vyu4upegeep7gavqt5cy+txco2vp0f8icmclwtbaiioq=.8299e5ecf260e...
- from %TEMP%\microsoft .net framework 4.5.2 setup_20151216_212237215.html to %TEMP%\vshulvugojzj3lljb8luqhthpgnmyztqasf4g9xj30c7zs7ibmiar9jpdwz9mz4cohhfp5yeadx76zq87jfayuk2-1xbhpap5tlagjaia5j5zhf43boi0qpx1o0sxtdguljj7eajozfq7mlog14zq1oluqrokne+ynwqlytidgi=.8299e5ecf260e...
- from %TEMP%\microsoft .net framework 4.5.2 setup_20151216_212237215-msi_netfx_full_gdr_x64.msi.txt to %TEMP%\w5jgelyasbliqyczwsnhltr7qgqcyhsisuoao58bie581zkkb11age16r65qr5a8wraaahottglrjvjunyjqgnc0+4lyjpnaw1zkqwhbgzdpotwcfjbluxregjau8n5wjzvdeo8sauvbo5ozkbwg+lt-eefdmlwsqzoileeiydrrwtykeyo9moo5ot...
- from %TEMP%\microsoft .net framework 4.5.2 setup_20151216_212237215-msi_netfx_full_gdr_x64.msi.txt to %TEMP%\microsoft .net framework 4.5.2 setup_20151216_212237215-msi_netfx_full_gdr_x64.msi.txt.heisenberg
- from %TEMP%\unverified-microdesc-consensus.tmp to %TEMP%\unverified-microdesc-consensus
- from %TEMP%\msic204f.log to %TEMP%\dgvwxei9q4oujzi1i4ef6ogcgec6nrikql0zjsgz0q4=.8299e5ecf260e360bc26.breaking_bad
- from %TEMP%\adobearm.log to %TEMP%\oglpv5pmf1xovexptfoeobnaxlyzhn0mldjsv0nikoa=.8299e5ecf260e360bc26.breaking_bad
Modifies the following files
- D:\install.log
- %TEMP%\microsoft .net framework 4.7.1 setup_20200610_200621826-msi_netfx_full_x64.msi.txt
- %TEMP%\msi1cfbe.log
- %TEMP%\msic204f.log
- %TEMP%\msid38c.log
- %TEMP%\msie45bf.log
- %TEMP%\msieb217.log
- %TEMP%\setupexe(20151124155624744).log
- %TEMP%\setupexe(201603101200226dc).log
- %TEMP%\setupexe(20160310140634718).log
- %TEMP%\wmsetup.log
- %TEMP%\adobe_admlogs\adobe_adm.log
- %TEMP%\adobe_admlogs\adobe_gde.log
- %TEMP%\opera installer\opera_installer_20150506170826.log
- %TEMP%\opera installer\opera_installer_20150506170843.log
- %TEMP%\opera installer\opera_installer_20150506170857.log
- %TEMP%\webinstaller\qnzuposrqouvfisa\data.txt
- %TEMP%\webinstaller\qnzuposrqouvfisa\variant.js
- %HOMEPATH%\desktop\holycrosschurchinstructions.docx
- %HOMEPATH%\desktop\join.avi
- %HOMEPATH%\desktop\nwfieldnotes1966.docx
- %HOMEPATH%\desktop\ovp25012015.doc
- %HOMEPATH%\desktop\sdksampleunprivdeveloper.cer
- %HOMEPATH%\desktop\sdszfo.docx
- %HOMEPATH%\desktop\split.avi
- %HOMEPATH%\desktop\testcertificate.cer
- %HOMEPATH%\desktop\testee.cer
- %HOMEPATH%\desktop\weeklysheet1215.doc
- %TEMP%\microsoft .net framework 4.5.2 setup_20151216_212237215-msi_netfx_full_gdr_x64.msi.txt
- %TEMP%\jusched.log
Modifies multiple files.
Substitutes the following files
- %TEMP%\state.tmp
- %TEMP%\state
Modifies user data files (Trojan.Encoder).
Network activity
Connects to
- 'localhost':49172
- '12#.31.0.39':9101
- '13#.#88.40.189':443
- '46.##6.151.217':9001
- '18#.#6.148.90':443
- '14#.#51.41.235':9001
- 'localhost':48539
TCP
- '12#.31.0.39':9101
- '13#.#88.40.189':443
- '46.##6.151.217':9001
- '14#.#51.41.235':9001
- '18#.#6.148.90':443
- 'localhost':48539
- 'localhost':49179
- 'localhost':49180
- 'localhost':49181
- 'localhost':49182
- 'localhost':49183
