Technical Information
Malicious functions
To complicate detection of its presence in the operating system,
adds antivirus exclusion:
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath "%LOCALAPPDATA%\Microsoft\Windows\fonthost.exe"
Reads files which store third party applications passwords
- %LOCALAPPDATA%\microsoft\edge\user data\default\login data
- %LOCALAPPDATA%\google\chrome\user data\default\login data
- %LOCALAPPDATA%\google\chrome\user data\default\web data
- %LOCALAPPDATA%\microsoft\edge\user data\default\web data
Modifies file system
Creates the following files
- %LOCALAPPDATA%\microsoft\windows\fonthost.exe
- %LOCALAPPDATA%\fonthosts.ver
- %TEMP%\x3eg.0
- %TEMP%\x3eg.0-shm
- %TEMP%\x3eg.1
- %TEMP%\x3eg.2
- %TEMP%\x3eg.3
- %TEMP%\x3eg.4
Network activity
Connects to
- 'uk#####yyqyigueq.xyz':443
TCP
HTTP GET requests
HTTP POST requests
- http://uk######yqyigueq.xyz:443/api/client/new via uk#####yyqyigueq.xyz
- http://uk######yqyigueq.xyz:443/tasks/get_worker via uk#####yyqyigueq.xyz
UDP
- DNS ASK uk#####yyqyigueq.xyz
Miscellaneous
Executes the following
- '%WINDIR%\syswow64\systeminfo.exe'
