Technical Information
Malicious functions
Reads files which store third party applications passwords
- %HOMEPATH%\desktop\hanni_umami_chapter.doc
- %LOCALAPPDATA%\google\chrome\user data\default\web data
- %LOCALAPPDATA%\google\chrome\user data\default\cookies
- %APPDATA%\opera software\opera stable\login data
- %LOCALAPPDATA%\google\chrome\user data\default\login data
Modifies file system
Creates the following files
- %TEMP%\lzxxdytplbjlvvuvbr178bf1bf000406f17aefee0b72\72178bf1bf000406f17aefee0blzxxdytplbjlvvuvbr\grabber\hanni_umami_chapter.doc
- %TEMP%\lzxxdytplbjlvvuvbr178bf1bf000406f17aefee0b72\72178bf1bf000406f17aefee0blzxxdytplbjlvvuvbr\screenshot.jpeg
- %TEMP%\lzxxdytplbjlvvuvbr178bf1bf000406f17aefee0b72\72178bf1bf000406f17aefee0blzxxdytplbjlvvuvbr\processes.txt
- %TEMP%\lzxxdytplbjlvvuvbr178bf1bf000406f17aefee0b72\72178bf1bf000406f17aefee0blzxxdytplbjlvvuvbr\browsers\history\history_opera.txt
- %TEMP%\ls178bf1bf000406f17aefee0b.tmp
- %TEMP%\bd178bf1bf000406f17aefee0b.tmp
- %LOCALAPPDATA%\microsoft\vault\4bf4c442-9b8a-41a0-b380-dd4a704ddb28\policy.vpol
- %TEMP%\lzxxdytplbjlvvuvbr178bf1bf000406f17aefee0b72\72178bf1bf000406f17aefee0blzxxdytplbjlvvuvbr\computer.txt
- %ALLUSERSPROFILE%\microsoft\vault\ac658cb4-9126-49bd-b877-31eedab3f204\2f1a6504-0641-44cf-8bb5-3612d865f2e5.vsch
- %ALLUSERSPROFILE%\microsoft\vault\ac658cb4-9126-49bd-b877-31eedab3f204\policy.vpol
- %TEMP%\tempdatabase2021-04-03t17_13_34.3276000-07_0099
- %TEMP%\tempdatabase2021-04-03t17_13_34.2340000-07_0099
- %TEMP%\tempdatabase2021-04-03t17_13_34.0468000-07_0099
- %TEMP%\lzxxdytplbjlvvuvbr178bf1bf000406f17aefee0b72\72178bf1bf000406f17aefee0blzxxdytplbjlvvuvbr\browsers\cookies\cookies_mozilla.txt
- %TEMP%\tempdatabase2021-04-03t17_13_33.9532000-07_0099
- %ALLUSERSPROFILE%\microsoft\vault\ac658cb4-9126-49bd-b877-31eedab3f204\3ccd5499-87a8-4b10-a215-608888dd3b55.vsch
- %TEMP%\lzxxdytplbjlvvuvbr178bf1bf000406f17aefee0b72\dotnetzip-cde5jbef.tmp
Deletes the following files
- %TEMP%\bd178bf1bf000406f17aefee0b.tmp
- %TEMP%\ls178bf1bf000406f17aefee0b.tmp
- %TEMP%\lzxxdytplbjlvvuvbr178bf1bf000406f17aefee0b72\72178bf1bf000406f17aefee0blzxxdytplbjlvvuvbr\browsers\cookies\cookies_mozilla.txt
- %TEMP%\lzxxdytplbjlvvuvbr178bf1bf000406f17aefee0b72\72178bf1bf000406f17aefee0blzxxdytplbjlvvuvbr\browsers\history\history_opera.txt
- %TEMP%\lzxxdytplbjlvvuvbr178bf1bf000406f17aefee0b72\72178bf1bf000406f17aefee0blzxxdytplbjlvvuvbr\computer.txt
- %TEMP%\lzxxdytplbjlvvuvbr178bf1bf000406f17aefee0b72\72178bf1bf000406f17aefee0blzxxdytplbjlvvuvbr\grabber\hanni_umami_chapter.doc
- %TEMP%\lzxxdytplbjlvvuvbr178bf1bf000406f17aefee0b72\72178bf1bf000406f17aefee0blzxxdytplbjlvvuvbr\processes.txt
- %TEMP%\lzxxdytplbjlvvuvbr178bf1bf000406f17aefee0b72\72178bf1bf000406f17aefee0blzxxdytplbjlvvuvbr\screenshot.jpeg
- %TEMP%\lzxxdytplbjlvvuvbr178bf1bf000406f17aefee0b72\log_178bf1bf000406f17aefee0b.zip
Moves the following files
- from %TEMP%\lzxxdytplbjlvvuvbr178bf1bf000406f17aefee0b72\dotnetzip-cde5jbef.tmp to %TEMP%\lzxxdytplbjlvvuvbr178bf1bf000406f17aefee0b72\log_178bf1bf000406f17aefee0b.zip
Substitutes the following files
- %TEMP%\bd178bf1bf000406f17aefee0b.tmp
- %TEMP%\ls178bf1bf000406f17aefee0b.tmp
Network activity
Connects to
- 'ap#.#pify.org':443
- 'microsoft.com':80
- 'f0####25.xsph.ru':80
TCP
HTTP POST requests
- http://f0####25.xsph.ru/gate.php
UDP
- DNS ASK ap#.#pify.org
- DNS ASK microsoft.com
- DNS ASK f0####25.xsph.ru
