The Trojan may arrive as a Microsoft Word document containing an exploit for the Microsoft Windows 'Win32k.sys' TrueType Font Handling Remote Code Execution Vulnerability (BID 50462). Successful exploitation of the vulnerability will enable the Trojan to be dropped and executed on the targeted computer.

When the Trojan is executed, it creates one or more of the following files:


It then creates one or more of the following registry subkeys:


The Trojan then opens a back door allowing an attacker to gather the following information from the compromised computer:

   A list of running processes, account details, and domain information
   Drive names and other information, including those of shared drives
   Network information (interfaces, routing tables, shares list, etc.)
   Open window names
   Enumerated shares
   File exploration on all drives, including removable drives
   Enumeration of computers in the domain through NetServerEnum

The Trojan then sends the information gathered to a predetermined command and control (C&C) server.

It also downloads further malicious files from the C&C server.
