Win32.HLLW.Autohit.16767

Added to the Dr.Web virus database: 2017-12-27

Virus description added: 2017-12-27

Malicious functions:

Injects code into

the following system processes:

Searches for registry branches where third party applications store passwords:

[<HKCU>\Software\SimonTatham\PuTTY\Sessions]
[<HKCU>\Software\NCH Software\ClassicFTP\FTPAccounts]
[<HKLM>\Software\NCH Software\ClassicFTP\FTPAccounts]
[<HKCU>\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook]
[<HKLM>\Software\Martin Prikryl]
[<HKLM>\Software\SimonTatham\PuTTY\Sessions]
[<HKCU>\Software\NCH Software\Fling\Accounts]
[<HKCU>\Software\Far\Plugins\FTP\Hosts]
[<HKCU>\Software\Martin Prikryl]
[<HKCU>\Software\Ghisler\Total Commander]
[<HKLM>\Software\NCH Software\Fling\Accounts]
[<HKCU>\Software\VanDyke\SecureFX]
[<HKCU>\Software\Far2\Plugins\FTP\Hosts]

Modifies file system:

Creates the following files:

%APPDATA%\Microsoft\Protect\CREDHIST
%APPDATA%\Microsoft\Crypto\RSA\S-1-5-21-2052111302-484763869-725345543-1003\ec702f375e1b12d218f67ab9ef19ca23_23ef5514-3059-436f-a4a7-4cefaab20eb1
%APPDATA%\517D9D\DE2515.lck
%TEMP%\QLORMW.exe
%TEMP%\aut1.tmp
%TEMP%\hdeoaxv
%TEMP%\aut2.tmp

Deletes the following files:

%APPDATA%\517D9D\DE2515.lck
%APPDATA%\Microsoft\Crypto\RSA\S-1-5-21-2052111302-484763869-725345543-1003\ec702f375e1b12d218f67ab9ef19ca23_23ef5514-3059-436f-a4a7-4cefaab20eb1
%TEMP%\aut2.tmp
%TEMP%\aut1.tmp
%TEMP%\hdeoaxv

Moves the following system files:

from %WINDIR%\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe to %APPDATA%\517D9D\DE2515.exe

Substitutes the following files:

%APPDATA%\Microsoft\Crypto\RSA\S-1-5-21-2052111302-484763869-725345543-1003\ec702f375e1b12d218f67ab9ef19ca23_23ef5514-3059-436f-a4a7-4cefaab20eb1

Network activity:

Connects to:

TCP:

HTTP POST requests:

Miscellaneous:

Creates and executes the following:

Executes the following: