Trojan.MulDrop11.19674

Technical Information

To ensure autorun and distribution

Modifies the following registry keys

[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'amigo' = ''

Creates or modifies the following files

<SYSTEM32>\tasks\chrome5_logon
<SYSTEM32>\tasks\chrome5

Modifies file system

Creates the following files

%ProgramFiles(x86)%\microsoft data\<File name>.exe
<LS_APPDATA>\google\chrome\user data\default\extensions\cfmnkhhioonhiehehedmnjibmampjiab\10429640a68a23
%APPDATA%\opera software\opera stable\extensions\cfmnkhhioonhiehehedmnjibmampjiab\1.0.3\gzdtvvpmfdliokg.js
%APPDATA%\opera software\opera stable\extensions\cfmnkhhioonhiehehedmnjibmampjiab\1.0.3\qdevojucczmblc.js
%APPDATA%\opera software\opera stable\extensions\cfmnkhhioonhiehehedmnjibmampjiab\1.0.3\azlrfyvvjvhjy.js
%APPDATA%\opera software\opera stable\extensions\cfmnkhhioonhiehehedmnjibmampjiab\1.0.3\background.js
%APPDATA%\opera software\opera stable\extensions\cfmnkhhioonhiehehedmnjibmampjiab\1.0.3\dwysnlcbcho.js
%APPDATA%\opera software\opera stable\extensions\cfmnkhhioonhiehehedmnjibmampjiab\1.0.3\gqrsqvnhtxnvqu.js
%APPDATA%\opera software\opera stable\extensions\cfmnkhhioonhiehehedmnjibmampjiab\1.0.3\icons\icon128.png
%APPDATA%\opera software\opera stable\extensions\cfmnkhhioonhiehehedmnjibmampjiab\1.0.3\icons\icon16.png
<LS_APPDATA>\google\chrome\user data\default\extensions\cfmnkhhioonhiehehedmnjibmampjiab\1.0.3\background.js
%APPDATA%\opera software\opera stable\extensions\cfmnkhhioonhiehehedmnjibmampjiab\1.0.3\icons\icon19.png
%APPDATA%\opera software\opera stable\extensions\cfmnkhhioonhiehehedmnjibmampjiab\1.0.3\icons\icon48.png
%APPDATA%\opera software\opera stable\extensions\cfmnkhhioonhiehehedmnjibmampjiab\1.0.3\injection.js
%APPDATA%\opera software\opera stable\extensions\cfmnkhhioonhiehehedmnjibmampjiab\1.0.3\main_compiled.js
%APPDATA%\opera software\opera stable\extensions\cfmnkhhioonhiehehedmnjibmampjiab\1.0.3\manifest.json
%APPDATA%\opera software\opera stable\extensions\cfmnkhhioonhiehehedmnjibmampjiab\1.0.3\options.html
%APPDATA%\opera software\opera stable\extensions\cfmnkhhioonhiehehedmnjibmampjiab\1.0.3\options_compiled.js
%APPDATA%\opera software\opera stable\extensions\cfmnkhhioonhiehehedmnjibmampjiab\1.0.3\options_css_compiled.css
%APPDATA%\opera software\opera stable\extensions\cfmnkhhioonhiehehedmnjibmampjiab\1.0.3\options_ui.js
%APPDATA%\opera software\opera stable\extensions\cfmnkhhioonhiehehedmnjibmampjiab\1.0.3\ubeuaixgftyi.js
<LS_APPDATA>\google\chrome\user data\default\extensions\cfmnkhhioonhiehehedmnjibmampjiab\1.0.3\options_ui.js
<LS_APPDATA>\google\chrome\user data\default\extensions\cfmnkhhioonhiehehedmnjibmampjiab\1.0.3\ubeuaixgftyi.js
<LS_APPDATA>\google\chrome\user data\default\extensions\cfmnkhhioonhiehehedmnjibmampjiab\1.0.3\options_css_compiled.css
<LS_APPDATA>\google\chrome\user data\default\extensions\cfmnkhhioonhiehehedmnjibmampjiab\1.0.3\options_compiled.js
<LS_APPDATA>\google\chrome\user data\default\extensions\cfmnkhhioonhiehehedmnjibmampjiab\1.0.3\options.html
%TEMP%\folder_data_rc_adds\adds\addon.xpi
%TEMP%\folder_data_rc_adds\adds\addon.crx
%TEMP%\folder_data_rc_adds\js\ff_set.json
%TEMP%\folder_data_rc_adds\js\chr_pref.json
%TEMP%\folder_data_rc_adds\xml\op_wid.xml
%TEMP%\folder_data_rc_adds\xml\op_data.xml
%TEMP%\folder_data_rc_adds\xml\task.xml
<LS_APPDATA>\google\chrome\user data\default\extensions\cfmnkhhioonhiehehedmnjibmampjiab\1.0.3\gzdtvvpmfdliokg.js
<LS_APPDATA>\google\chrome\user data\default\extensions\cfmnkhhioonhiehehedmnjibmampjiab\1.0.3\qdevojucczmblc.js
%APPDATA%\opera software\opera stable\extensions\cfmnkhhioonhiehehedmnjibmampjiab\10429640a68a23
%APPDATA%\opera software\opera stable\extensions\cfmnkhhioonhiehehedmnjibmampjiab\1.0.3\icons\icon32.png
<LS_APPDATA>\google\chrome\user data\default\extensions\cfmnkhhioonhiehehedmnjibmampjiab\1.0.3\azlrfyvvjvhjy.js
<LS_APPDATA>\google\chrome\user data\default\extensions\cfmnkhhioonhiehehedmnjibmampjiab\1.0.3\gqrsqvnhtxnvqu.js
<LS_APPDATA>\google\chrome\user data\default\extensions\cfmnkhhioonhiehehedmnjibmampjiab\1.0.3\icons\icon128.png
<LS_APPDATA>\google\chrome\user data\default\extensions\cfmnkhhioonhiehehedmnjibmampjiab\1.0.3\icons\icon16.png
<LS_APPDATA>\google\chrome\user data\default\extensions\cfmnkhhioonhiehehedmnjibmampjiab\1.0.3\icons\icon19.png
<LS_APPDATA>\google\chrome\user data\default\extensions\cfmnkhhioonhiehehedmnjibmampjiab\1.0.3\icons\icon32.png
<LS_APPDATA>\google\chrome\user data\default\extensions\cfmnkhhioonhiehehedmnjibmampjiab\1.0.3\icons\icon48.png
<LS_APPDATA>\google\chrome\user data\default\extensions\cfmnkhhioonhiehehedmnjibmampjiab\1.0.3\injection.js
<LS_APPDATA>\google\chrome\user data\default\extensions\cfmnkhhioonhiehehedmnjibmampjiab\1.0.3\main_compiled.js
<LS_APPDATA>\google\chrome\user data\default\extensions\cfmnkhhioonhiehehedmnjibmampjiab\1.0.3\manifest.json
%TEMP%\folder_data_rc_adds\adds\addon.oex
<LS_APPDATA>\google\chrome\user data\default\extensions\cfmnkhhioonhiehehedmnjibmampjiab\1.0.3\dwysnlcbcho.js
%APPDATA%\428068643619

Network activity

UDP

DNS ASK vb###wqhqq.ru

Miscellaneous

Executes the following

'%WINDIR%\syswow64\schtasks.exe' /create /tn chrome5_logon /XML %TEMP%\Folder_Data_RC_ADDS\xml\task.xml /f
'%WINDIR%\syswow64\schtasks.exe' /Create /SC DAILY /TN chrome5 /RL HIGHEST /ST 00:30 /TR "\"%ProgramFiles(x86)%\Microsoft Data\<File name>.exe\" /reinstall=1" /f

Your browser is obsolete!

Technologies

Terminology

Training and education

Myths

Technical Information

Curing recommendations

Free trial

Doctor Web in social networks

For Telegram

Other Dr.Web resources