Technical Information
Malicious functions:
Searches for registry branches where third party applications store passwords:
- [<HKLM>\Software\Ghisler\Total Commander]
- [<HKCU>\Software\Ghisler\Total Commander]
- [<HKCU>\Software\Microsoft\Internet Explorer\IntelliForms\Storage2]
- [<HKCU>\Software\Google\Google Talk\Accounts]
- [<HKLM>\SOFTWARE\FlashFXP]
Modifies file system:
Creates the following files:
- <Current directory>\ufr_files\NO_PWDS_report_05-08-2016_03-08-07-LPPO.bin
- %TEMP%\NO_PWDS_report_05-08-2016_03-08-07-LPPO.bin
- %TEMP%\report_05-08-2016_03-08-07-LPPO.bin
Deletes the following files:
- %TEMP%\NO_PWDS_report_05-08-2016_03-08-07-LPPO.bin
Moves the following files:
- from %TEMP%\report_05-08-2016_03-08-07-LPPO.bin to %TEMP%\NO_PWDS_report_05-08-2016_03-08-07-LPPO.bin