Technical Information
To ensure autorun and distribution
Sets the following service settings
- [HKLM\SYSTEM\CurrentControlSet\Services\Micorsoft Windows Service] 'ImagePath' = '%TEMP%\fqwvimjj.sys'
Creates the following services
- 'Micorsoft Windows Service' %TEMP%\fqwvimjj.sys
Malicious functions
To bypass firewall, removes or modifies the following registry keys
- [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] 'EnableFirewall' = '00000000'
- [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] 'DoNotAllowExceptions' = '00000000'
- [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] 'DisableNotifications' = '00000001'
To complicate detection of its presence in the operating system,
blocks execution of the following system utilities:
- Windows Firewall
- Windows Update
- Windows Security Center
- Windows Defender
blocks the following features:
- User Account Control (UAC)
- Windows Security Center
Injects code into
the following system processes:
- %WINDIR%\syswow64\svchost.exe
Modifies file system
Creates the following files
- %TEMP%\phtjkrpg.exe
- %LOCALAPPDATA%\microsoft\edge\user data\browsermetrics\browsermetrics-696ee77f-10b8.pma
- %LOCALAPPDATA%\microsoft\edge\user data\browsermetrics\browsermetrics-696ee782-3cc.pma
- %LOCALAPPDATA%\microsoft\edge\user data\default\heavy_ad_intervention_opt_out.db-journal
- %LOCALAPPDATA%\microsoft\edge\user data\default\data_reduction_proxy_leveldb\manifest-000001
- %LOCALAPPDATA%\microsoft\edge\user data\default\data_reduction_proxy_leveldb\000001.dbtmp
- %LOCALAPPDATA%\microsoft\edge\user data\default\heavy_ad_intervention_opt_out.db
- %LOCALAPPDATA%\microsoft\edge\user data\default\data_reduction_proxy_leveldb\manifest-000002
- %LOCALAPPDATA%\microsoft\edge\user data\default\data_reduction_proxy_leveldb\000002.dbtmp
- %LOCALAPPDATA%\microsoft\edge\user data\default\data_reduction_proxy_leveldb\log
- %LOCALAPPDATA%\microsoft\edge\user data\default\previews_opt_out.db-journal
- %LOCALAPPDATA%\microsoft\edge\user data\default\previews_opt_out.db
- %LOCALAPPDATA%\microsoft\edge\user data\last browser
- %LOCALAPPDATA%\microsoft\edge\user data\default\preferredapps
- %LOCALAPPDATA%\microsoft\edge\user data\default\budgetdatabase\manifest-000001
- %LOCALAPPDATA%\microsoft\edge\user data\default\budgetdatabase\000001.dbtmp
- %LOCALAPPDATA%\microsoft\edge\user data\default\budgetdatabase\log
- %LOCALAPPDATA%\microsoft\edge\user data\default\shared_proto_db\metadata\manifest-000001
- %LOCALAPPDATA%\microsoft\edge\user data\default\shared_proto_db\metadata\000001.dbtmp
- %LOCALAPPDATA%\microsoft\edge\user data\default\shared_proto_db\metadata\log
- %LOCALAPPDATA%\microsoft\edge\user data\default\shared_proto_db\metadata\000003.log
- %TEMP%\fqwvimjj.sys
- %LOCALAPPDATA%\microsoft\windows\actioncentercache\windows-systemtoast-securityandmaintenance_10_0.png
Deletes following files that it created itself
- %LOCALAPPDATA%\microsoft\edge\user data\browsermetrics\browsermetrics-696ee77f-10b8.pma
- %LOCALAPPDATA%\microsoft\edge\user data\browsermetrics\browsermetrics-696ee782-3cc.pma
- %LOCALAPPDATA%\microsoft\edge\user data\default\data_reduction_proxy_leveldb\manifest-000001
- %TEMP%\fqwvimjj.sys
Moves the following files
- from %LOCALAPPDATA%\microsoft\edge\user data\default\data_reduction_proxy_leveldb\000001.dbtmp to %LOCALAPPDATA%\microsoft\edge\user data\default\data_reduction_proxy_leveldb\current
- from %LOCALAPPDATA%\microsoft\edge\user data\default\budgetdatabase\000001.dbtmp to %LOCALAPPDATA%\microsoft\edge\user data\default\budgetdatabase\current
- from %LOCALAPPDATA%\microsoft\edge\user data\default\shared_proto_db\metadata\000001.dbtmp to %LOCALAPPDATA%\microsoft\edge\user data\default\shared_proto_db\metadata\current
Modifies the following files
- %LOCALAPPDATA%\microsoft\edge\user data\last version
- %LOCALAPPDATA%\microsoft\edge\user data\default\sync data\leveldb\log
- %LOCALAPPDATA%\microsoft\edge\user data\default\site characteristics database\log
- %LOCALAPPDATA%\microsoft\edge\user data\default\sync data\leveldb\000003.log
- %LOCALAPPDATA%\microsoft\tokenbroker\cache\9cd93bc6dcf544bae69531052e64647ec02f2bb4.tbres
Substitutes the following files
- %LOCALAPPDATA%\Microsoft\Edge\User Data\Default\Platform Notifications\LOG
- %LOCALAPPDATA%\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG
Network activity
Connects to
- 'co####.edge.skype.com':443
TCP
Other
- 'co####.edge.skype.com':443
UDP
- DNS ASK co####.edge.skype.com
Miscellaneous
Searches for the following windows
- ClassName: 'MS_AutodialMonitor' WindowName: ''
- ClassName: 'MS_WebCheckMonitor' WindowName: ''
- ClassName: 'Chrome_MessageWindow' WindowName: '%LOCALAPPDATA%\Microsoft\Edge\User Data'
Creates and executes the following
- '%TEMP%\phtjkrpg.exe' elevate
- '%TEMP%\phtjkrpg.exe' admin
Executes the following
- '%WINDIR%\syswow64\svchost.exe'
- '%ProgramFiles(x86)%\internet explorer\iexplore.exe'
- '%ProgramFiles%\internet explorer\iexplore.exe'
- '%ProgramFiles(x86)%\microsoft\edge\application\89.0.774.68\bho\ie_to_edge_stub.exe' --from-ie-to-edge=3 --ie-frame-hwnd=12002c
- '%ProgramFiles(x86)%\microsoft\edge\application\msedge.exe' --from-ie-to-edge=3 --ie-frame-hwnd=12002c
- '%ProgramFiles(x86)%\microsoft\edge\application\msedge.exe' --from-ie-to-edge=3 --ie-frame-hwnd=12002c --flag-switches-begin --flag-switches-end --do-not-de-elevate
- '%WINDIR%\syswow64\cmd.exe' /C ""%TEMP%\phtjkrpg.exe"" admin
- '%ProgramFiles(x86)%\microsoft\edge\application\msedge.exe' --from-ie-to-edge=3 --ie-frame-hwnd=12002c --flag-switches-begin --flag-switches-end --do-not-de-elevate' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /C ""%TEMP%\phtjkrpg.exe"" admin' (with hidden window)
