Adware.Downware.11824

Technical Information

Modifies file system

Creates the following files

%TEMP%\is-4q28m.tmp\<File name>.tmp
%TEMP%\is-5clkk.tmp\innocallback.dll
%TEMP%\is-5clkk.tmp\itdownload.dll
%TEMP%\is-5clkk.tmp\isskin.dll
%TEMP%\is-5clkk.tmp\_isetup\_shfoldr.dll
%TEMP%\is-5clkk.tmp\_isetup\_setup64.tmp
%TEMP%\is-2rors.tmp\gentlemjmp_ieeuu.tmp
%TEMP%\is-5clkk.tmp\ex.bat
%TEMP%\is-llb51.tmp\favicon.ico
%TEMP%\is-llb51.tmp\gentlemjmp_ieeuu.exe
%TEMP%\is-llb51.tmp\checkproc.cmd
%TEMP%\is-llb51.tmp\av.txt
%TEMP%\is-llb51.tmp\ex.bat
%TEMP%\is-llb51.tmp\_isetup\_shfoldr.dll
%TEMP%\is-llb51.tmp\_isetup\_setup64.tmp
%TEMP%\is-llb51.tmp\cmd.bat
%TEMP%\is-5clkk.tmp\av.txt

Deletes the following files

%TEMP%\is-llb51.tmp\av.txt
%TEMP%\is-llb51.tmp\ex.bat
%TEMP%\is-llb51.tmp\checkproc.cmd
%TEMP%\is-llb51.tmp\favicon.ico
%TEMP%\is-5clkk.tmp\av.txt
%TEMP%\is-5clkk.tmp\ex.bat
%TEMP%\is-2rors.tmp\gentlemjmp_ieeuu.tmp
%TEMP%\is-4q28m.tmp\<File name>.tmp

Substitutes the following files

%TEMP%\is-llb51.tmp\checkproc.cmd

Network activity

Connects to

'ad#.##oud4ads.com':80

TCP

HTTP GET requests

http://ad#.##oud4ads.com/cgi-bin/advert/settags?x_################################################################################
http://ad#.##oud4ads.com/cgi-bin/advert/settags?x_###############################################################################
http://ad#.##oud4ads.com/cgi-bin/advert/settags?x_#######################################################################
http://ad#.##oud4ads.com/cgi-bin/advert/settags?x_############################################################################
http://ad#.##oud4ads.com/cgi-bin/advert/settags?x_##############################################################################
http://ad#.##oud4ads.com/cgi-bin/advert/settags?x_#####################################################################################
http://ad#.##oud4ads.com/cgi-bin/advert/settags?x_#############################################################################
http://ad#.##oud4ads.com/cgi-bin/advert/settags?x_##################################################################################

UDP

DNS ASK ad#.##oud4ads.com

Miscellaneous

Searches for the following windows

ClassName: '' WindowName: ''

Creates and executes the following

'%TEMP%\is-4q28m.tmp\<File name>.tmp' /SL5="$A022E,2723309,56832,<Full path to file>"
'%TEMP%\is-llb51.tmp\gentlemjmp_ieeuu.exe' go=ofcourse product_id=UPD xmlsource=<Full path to file>
'%TEMP%\is-2rors.tmp\gentlemjmp_ieeuu.tmp' /SL5="$1F023E,2340988,56832,%TEMP%\is-LLB51.tmp\gentlemjmp_ieeuu.exe" go=ofcourse product_id=UPD xmlsource=<Full path to file>
'%WINDIR%\syswow64\cmd.exe' /C ""%TEMP%\is-LLB51.tmp\ex.bat""' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /C ""CheckProc.cmd""' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /c tasklist /FI "WINDOWTITLE eq Process Monitor*" |find "PID"' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /C ""%TEMP%\is-LLB51.tmp\cmd.bat""' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /C netstat -na | findstr /C:":5900 " | findstr /C:"ESTABLISHED"' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /C netstat -na | findstr /C:":5901 " | findstr /C:"ESTABLISHED"' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /C netstat -na | findstr /C:":5902 " | findstr /C:"ESTABLISHED"' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /C netstat -na | findstr /C:":5903 " | findstr /C:"ESTABLISHED"' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /C netstat -na | findstr /C:":5904 " | findstr /C:"ESTABLISHED"' (with hidden window)
'%TEMP%\is-llb51.tmp\gentlemjmp_ieeuu.exe' go=ofcourse product_id=UPD xmlsource=<Full path to file>' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /C ""%TEMP%\is-5CLKK.tmp\ex.bat""' (with hidden window)

Executes the following

'%WINDIR%\syswow64\cmd.exe' /C ""%TEMP%\is-LLB51.tmp\ex.bat""
'%WINDIR%\syswow64\tasklist.exe' /FI "IMAGENAME eq OLLYDBG.exe" /FO CSV
'%WINDIR%\syswow64\cmd.exe' /c tasklist /FI "IMAGENAME eq Regshot-x64-Unicode.exe" /FO CSV
'%WINDIR%\syswow64\tasklist.exe' /FI "IMAGENAME eq Regshot-x64-Unicode.exe" /FO CSV
'%WINDIR%\syswow64\cmd.exe' /c tasklist /FI "IMAGENAME eq Regshot-Unicode.exe" /FO CSV
'%WINDIR%\syswow64\tasklist.exe' /FI "IMAGENAME eq Regshot-Unicode.exe" /FO CSV
'%WINDIR%\syswow64\cmd.exe' /C ""%TEMP%\is-LLB51.tmp\cmd.bat""
'%WINDIR%\syswow64\cmd.exe' /C netstat -na | findstr /C:":5900 " | findstr /C:"ESTABLISHED"
'%WINDIR%\syswow64\netstat.exe' -na
'%WINDIR%\syswow64\findstr.exe' /C:":5900 "
'%WINDIR%\syswow64\findstr.exe' /C:"ESTABLISHED"
'%WINDIR%\syswow64\cmd.exe' /C netstat -na | findstr /C:":5901 " | findstr /C:"ESTABLISHED"
'%WINDIR%\syswow64\tasklist.exe' /FI "IMAGENAME eq Taskmgr.exe" /FO CSV
'%WINDIR%\syswow64\cmd.exe' /c tasklist /FI "IMAGENAME eq OLLYDBG.exe" /FO CSV
'%WINDIR%\syswow64\findstr.exe' /C:":5901 "
'%WINDIR%\syswow64\cmd.exe' /C netstat -na | findstr /C:":5903 " | findstr /C:"ESTABLISHED"
'%WINDIR%\syswow64\findstr.exe' /C:":5903 "
'%WINDIR%\syswow64\cmd.exe' /C netstat -na | findstr /C:":5904 " | findstr /C:"ESTABLISHED"
'%WINDIR%\syswow64\findstr.exe' /C:":5904 "
'%WINDIR%\syswow64\cmd.exe' /c tasklist /FI "IMAGENAME eq TeamViewer_Desktop.exe" /FO CSV
'%WINDIR%\syswow64\tasklist.exe' /FI "IMAGENAME eq TeamViewer_Desktop.exe" /FO CSV
'%WINDIR%\syswow64\cmd.exe' /c tasklist /FI "IMAGENAME eq DFServ.exe" /FO CSV
'%WINDIR%\syswow64\tasklist.exe' /FI "IMAGENAME eq DFServ.exe" /FO CSV
'%WINDIR%\syswow64\cmd.exe' /c tasklist /FI "IMAGENAME eq unchecky_svc.exe" /FO CSV
'%WINDIR%\syswow64\tasklist.exe' /FI "IMAGENAME eq unchecky_svc.exe" /FO CSV
'%WINDIR%\syswow64\cmd.exe' /c tasklist /FI "IMAGENAME eq unchecky_gb.exe" /FO CSV
'%WINDIR%\syswow64\cmd.exe' /C netstat -na | findstr /C:":5902 " | findstr /C:"ESTABLISHED"
'%WINDIR%\syswow64\findstr.exe' /C:":5902 "
'%WINDIR%\syswow64\cmd.exe' /c tasklist /FI "IMAGENAME eq Taskmgr.exe" /FO CSV
'%WINDIR%\syswow64\tasklist.exe' /FI "IMAGENAME eq regedit.exe" /FO CSV
'%WINDIR%\syswow64\cmd.exe' /c tasklist /FI "IMAGENAME eq regedit.exe" /FO CSV
'%WINDIR%\syswow64\cmd.exe' /C ""CheckProc.cmd""
'%WINDIR%\syswow64\cmd.exe' /c tasklist /FI "IMAGENAME eq newversion.exe" /FO CSV
'%WINDIR%\syswow64\tasklist.exe' /FI "IMAGENAME eq newversion.exe" /FO CSV
'%WINDIR%\syswow64\cmd.exe' /c tasklist /FI "IMAGENAME eq newversion.tmp" /FO CSV
'%WINDIR%\syswow64\tasklist.exe' /FI "IMAGENAME eq newversion.tmp" /FO CSV
'%WINDIR%\syswow64\cmd.exe' /c tasklist /FI "IMAGENAME eq Setup.exe" /FO CSV
'%WINDIR%\syswow64\tasklist.exe' /FI "IMAGENAME eq Setup.exe" /FO CSV
'%WINDIR%\syswow64\cmd.exe' /c tasklist /FI "IMAGENAME eq Setup (1).exe" /FO CSV
'%WINDIR%\syswow64\tasklist.exe' /FI "IMAGENAME eq Setup (1).exe" /FO CSV
'%WINDIR%\syswow64\cmd.exe' /c tasklist /FI "IMAGENAME eq Setup (2).exe" /FO CSV
'%WINDIR%\syswow64\tasklist.exe' /FI "IMAGENAME eq Setup (2).exe" /FO CSV
'%WINDIR%\syswow64\cmd.exe' /c tasklist /FI "IMAGENAME eq HMA! Pro VPN.exe" /FO CSV
'%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -inputformat none -NoProfile -NoLogo -Command "& {$avlist = @(); $os = Get-WmiObject Win32_OperatingSystem; if ($os.ProductType -eq 3) {Write-Host \"ServerOS|0\";} elseif ($os.Version -like \"5...
'%WINDIR%\syswow64\tasklist.exe' /FI "IMAGENAME eq HMA! Pro VPN.exe" /FO CSV
'%WINDIR%\syswow64\tasklist.exe' /FI "IMAGENAME eq Fiddler.exe" /FO CSV
'%WINDIR%\syswow64\cmd.exe' /c tasklist /FI "IMAGENAME eq Wireshark.exe" /FO CSV
'%WINDIR%\syswow64\tasklist.exe' /FI "IMAGENAME eq Wireshark.exe" /FO CSV
'%WINDIR%\syswow64\cmd.exe' /c tasklist /FI "IMAGENAME eq Capsa.exe" /FO CSV
'%WINDIR%\syswow64\tasklist.exe' /FI "IMAGENAME eq Capsa.exe" /FO CSV
'%WINDIR%\syswow64\cmd.exe' /c tasklist /FI "IMAGENAME eq ipscan.exe" /FO CSV
'%WINDIR%\syswow64\tasklist.exe' /FI "IMAGENAME eq ipscan.exe" /FO CSV
'%WINDIR%\syswow64\cmd.exe' /c tasklist /FI "IMAGENAME eq Procmon.exe" /FO CSV
'%WINDIR%\syswow64\tasklist.exe' /FI "IMAGENAME eq Procmon.exe" /FO CSV
'%WINDIR%\syswow64\cmd.exe' /c tasklist /FI "WINDOWTITLE eq Process Monitor*" |find "PID"
'%WINDIR%\syswow64\tasklist.exe' /FI "WINDOWTITLE eq Process Monitor*"
'%WINDIR%\syswow64\find.exe' "PID"
'%WINDIR%\syswow64\cmd.exe' /c tasklist /FI "IMAGENAME eq Fiddler.exe" /FO CSV
'%WINDIR%\syswow64\tasklist.exe' /FI "IMAGENAME eq unchecky_gb.exe" /FO CSV
'%WINDIR%\syswow64\cmd.exe' /C ""%TEMP%\is-5CLKK.tmp\ex.bat""

Tecnologie

Termini

Formazione ed informazione

Falsi miti

Technical Information

Curing recommendations

Free trial