SonicALERT
Search

Sonicwall Signatures

 

Go to All Categories list.


  Gepys.AA_13
Gepys.AA_13 is a Trojan. A Trojan is a program that pretends to have a valid use, but in fact modifies the user's computer in malicious way. Trojans do not replicate or spread to other computers.

File Related Changes
It drops the following file(s) on the system:
  • "c:\Users\Admin\AppData\Local\Temp\runme7.exe"
  • "c:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EQUQ9Q00\activator_windows8[1].exe"
  • "c:\ProgramData\Mozilla\bgrzokh.exe"

Process Related Changes
It creates the following mutex(es):
  • "ConnHashTable<3432>_HashTable_Mutex"
  • "SmartScreen_ClientId_Mutex"
  • "CritOpMutex"
  • "SmartScreen_UrsCacheMutex_2CEDBFBC-DBA8-43AA-B1FD-CC8E6316E3E2High_S-1-5-21-239287854-1939494589-2009181562-1001"
  • "IESQMMUTEX_0_208"
  • "DBWinMutex"

It creates the following process(es):
  • C:\Users\Admin\AppData\Local\Temp\runme7.exe [ runme7.exe ]
  • C:\Windows\System32\WScript.exe
  • c:\Program Files\Internet Explorer\iexplore.exe [ \c:\Program Files\Internet Explorer\iexplore.exe SCODEF:3432 CREDAT:14337 ]
  • c:\Program Files\Internet Explorer\iexplore.exe [ \c:\Program Files\Internet Explorer\iexplore.exe -nohome ]

Network Activity
It attempts to connect to the following remote servers:
  • urs.microsoft.com.nsatc.net:443 (134.170xxxxxx)
  • certrevoc.vo.msecnd.net:80 (157.56.xxxxxx)
  • get-files20.ru:80 (91.219.xxxxxx)
  • cdp1.public-trust.com:80 (64.18xxxxxx)

We observed the following DNS query/queries:
  • get-files20.ru
  • cdp1.public-trust.com
  • mscrl.microsoft.com
  • urs.microsoft.com
  • www.download.windowsupdate.com


Relevant Information