Technical Information
Malicious functions
Reads files which store third party applications passwords
- %LOCALAPPDATA%\google\chrome\user data\default\login data
- %LOCALAPPDATA%\google\chrome\user data\default\cookies
- %LOCALAPPDATA%\microsoft\edge\user data\default\login data
Modifies file system
Creates the following files
- %ALLUSERSPROFILE%\liduwinu\befigir
- %TEMP%\9fbc-3e13-236c-21cf.tmp
- %TEMP%\0wnlii
- %TEMP%\ctylwld0
- %TEMP%\b211-615f-0a87-275b.tmp
- %TEMP%\vr7d\mqsmuyp0\default\vvytrejk3
- %TEMP%\vr7d\mqsmuyp0\default\e0w8cdfnto\b211-615f-0a87-275b.tmp
- %TEMP%\3c95-f98e-29a0-e2c3.tmp
- %TEMP%\vr7d\mqsmuyp0\default\nzffb60c3\3c95-f98e-29a0-e2c3.tmp
- %TEMP%\f4d2-6793-ef59-642e.tmp
- %TEMP%\vr7d\fbatjo60\default\vvytrejk3
- %TEMP%\vr7d\fbatjo60\default\e0w8cdfnto\f4d2-6793-ef59-642e.tmp
- %TEMP%\5b01-1574-6cff-2032.tmp
- %TEMP%\1d07-e985-d737-c3ba.tmp
- %TEMP%\5605-981f-37c7-8845.tmp
- %TEMP%\vr7d\qwulvgs1\dnyauhh1.default-release\e0w8cdfnto
- %TEMP%\vr7d\qwulvgs1\dnyauhh1.default-release\nzffb60c3
- %TEMP%\vr7d\a0zdgj.json
- %TEMP%\j4f1.7z
- %TEMP%\0utrcl7gi
- %ALLUSERSPROFILE%\liduwinu\voho
- %ALLUSERSPROFILE%\liduwinu\noma
Deletes following files that it created itself
- %TEMP%\ctylwld0
- %TEMP%\5b01-1574-6cff-2032.tmp
- %TEMP%\1d07-e985-d737-c3ba.tmp
- %TEMP%\5605-981f-37c7-8845.tmp
- %TEMP%\0utrcl7gi
Network activity
Connects to
- 'sq######ooisacianigger.com':3333
- 'sq######ooisacianigger.com':3334
TCP
Other
- 'sq######ooisacianigger.com':3333
- 'sq######ooisacianigger.com':3334
UDP
- DNS ASK sq######ooisacianigger.com
