Technical Information
To ensure autorun and distribution
Creates or modifies the following files
- <SYSTEM32>\tasks\nvngxupdatecheckdaily_{78821544-1544-1544-1544-788215441544}
Malicious functions
Injects code into
the following system processes:
- %WINDIR%\microsoft.net\framework\v4.0.30319\addinprocess32.exe
the following user processes:
- chrome.exe
Hooks functions
in browsers
- iexplore.exe process, wininet.dll module
- firefox.exe process, nss3.dll module
Searches for registry branches where third party applications store passwords
- [<HKCU>\Software\Martin Prikryl]
- [<HKLM>\Software\Wow6432Node\Martin Prikryl]
Reads files which store third party applications passwords
- %LOCALAPPDATA%\google\chrome\user data\default\login data
- %LOCALAPPDATA%\google\chrome\user data\default\web data
- %LOCALAPPDATA%\google\chrome\user data\default\cookies
- %APPDATA%\opera software\opera stable\login data
- %APPDATA%\mozilla\firefox\profiles.ini
- %APPDATA%\thunderbird\profiles.ini
Searches for windows to
detect analytical utilities:
- ClassName: 'OLLYDBG', WindowName: ''
- ClassName: 'GBDYLLO', WindowName: ''
- ClassName: 'pediy06', WindowName: ''
- ClassName: 'FilemonClass', WindowName: ''
- ClassName: '', WindowName: 'File Monitor - Sysinternals: www.sysinternals.com'
- ClassName: 'PROCMON_WINDOW_CLASS', WindowName: ''
- ClassName: '', WindowName: 'Process Monitor - Sysinternals: www.sysinternals.com'
- ClassName: 'RegmonClass', WindowName: ''
- ClassName: '', WindowName: 'Registry Monitor - Sysinternals: www.sysinternals.com'
Modifies file system
Creates the following files
- %TEMP%\4dd3.tmp
- %LOCALAPPDATA%low\pf2qc1gg7yh8hi1o\api-ms-win-crt-filesystem-l1-1-0.dll
- %LOCALAPPDATA%low\pf2qc1gg7yh8hi1o\api-ms-win-crt-environment-l1-1-0.dll
- %LOCALAPPDATA%low\pf2qc1gg7yh8hi1o\api-ms-win-crt-convert-l1-1-0.dll
- %LOCALAPPDATA%low\pf2qc1gg7yh8hi1o\api-ms-win-crt-conio-l1-1-0.dll
- %LOCALAPPDATA%low\pf2qc1gg7yh8hi1o\api-ms-win-core-util-l1-1-0.dll
- %LOCALAPPDATA%low\pf2qc1gg7yh8hi1o\api-ms-win-core-timezone-l1-1-0.dll
- %LOCALAPPDATA%low\pf2qc1gg7yh8hi1o\api-ms-win-core-sysinfo-l1-1-0.dll
- %LOCALAPPDATA%low\pf2qc1gg7yh8hi1o\api-ms-win-core-synch-l1-2-0.dll
- %LOCALAPPDATA%low\pf2qc1gg7yh8hi1o\api-ms-win-core-synch-l1-1-0.dll
- %LOCALAPPDATA%low\pf2qc1gg7yh8hi1o\api-ms-win-core-string-l1-1-0.dll
- %LOCALAPPDATA%low\pf2qc1gg7yh8hi1o\api-ms-win-core-rtlsupport-l1-1-0.dll
- %LOCALAPPDATA%low\pf2qc1gg7yh8hi1o\api-ms-win-crt-heap-l1-1-0.dll
- %LOCALAPPDATA%low\pf2qc1gg7yh8hi1o\api-ms-win-core-profile-l1-1-0.dll
- %LOCALAPPDATA%low\pf2qc1gg7yh8hi1o\api-ms-win-core-processthreads-l1-1-0.dll
- %LOCALAPPDATA%low\pf2qc1gg7yh8hi1o\api-ms-win-core-processenvironment-l1-1-0.dll
- %LOCALAPPDATA%low\pf2qc1gg7yh8hi1o\api-ms-win-core-namedpipe-l1-1-0.dll
- %LOCALAPPDATA%low\pf2qc1gg7yh8hi1o\nssckbi.dll
- %LOCALAPPDATA%low\pf2qc1gg7yh8hi1o\nss3.dll
- %LOCALAPPDATA%low\pf2qc1gg7yh8hi1o\msvcp140.dll
- %LOCALAPPDATA%low\pf2qc1gg7yh8hi1o\mozmapi32_inuse.dll
- %LOCALAPPDATA%low\pf2qc1gg7yh8hi1o\mozmapi32.dll
- %LOCALAPPDATA%low\pf2qc1gg7yh8hi1o\mozglue.dll
- %LOCALAPPDATA%low\pf2qc1gg7yh8hi1o\mapiproxy_inuse.dll
- %LOCALAPPDATA%low\pf2qc1gg7yh8hi1o\mapiproxy.dll
- %LOCALAPPDATA%low\pf2qc1gg7yh8hi1o\api-ms-win-core-processthreads-l1-1-1.dll
- %LOCALAPPDATA%low\pf2qc1gg7yh8hi1o\api-ms-win-core-interlocked-l1-1-0.dll
- %LOCALAPPDATA%low\machineinfo.txt
- %LOCALAPPDATA%low\pf2qc1gg7yh8hi1o\api-ms-win-crt-multibyte-l1-1-0.dll
- %LOCALAPPDATA%low\7x3qfc4di-shm
- %LOCALAPPDATA%low\7x3qfc4di
- %LOCALAPPDATA%low\vwqasjade-shm
- %LOCALAPPDATA%low\vwqasjade
- %LOCALAPPDATA%low\firefox_urls.txt
- %LOCALAPPDATA%low\nh59lvdje-shm
- %LOCALAPPDATA%low\nh59lvdje
- %LOCALAPPDATA%low\fraqbc8ws-shm
- %LOCALAPPDATA%low\fraqbc8ws
- %LOCALAPPDATA%low\pf2qc1gg7yh8hi1o\api-ms-win-core-memory-l1-1-0.dll
- %LOCALAPPDATA%low\pf2qc1gg7yh8hi1o\api-ms-win-core-localization-l1-2-0.dll
- %LOCALAPPDATA%low\pf2qc1gg7yh8hi1o\libegl.dll
- %LOCALAPPDATA%low\pf2qc1gg7yh8hi1o\api-ms-win-core-libraryloader-l1-1-0.dll
- %LOCALAPPDATA%low\pf2qc1gg7yh8hi1o\api-ms-win-core-heap-l1-1-0.dll
- %LOCALAPPDATA%low\pf2qc1gg7yh8hi1o\api-ms-win-core-handle-l1-1-0.dll
- %LOCALAPPDATA%low\pf2qc1gg7yh8hi1o\api-ms-win-core-file-l2-1-0.dll
- %LOCALAPPDATA%low\pf2qc1gg7yh8hi1o\api-ms-win-core-file-l1-2-0.dll
- %LOCALAPPDATA%low\pf2qc1gg7yh8hi1o\api-ms-win-crt-utility-l1-1-0.dll
- %LOCALAPPDATA%low\pf2qc1gg7yh8hi1o\api-ms-win-crt-time-l1-1-0.dll
- %LOCALAPPDATA%low\pf2qc1gg7yh8hi1o\api-ms-win-crt-string-l1-1-0.dll
- %LOCALAPPDATA%low\pf2qc1gg7yh8hi1o\api-ms-win-crt-stdio-l1-1-0.dll
- %LOCALAPPDATA%low\pf2qc1gg7yh8hi1o\api-ms-win-crt-runtime-l1-1-0.dll
- %LOCALAPPDATA%low\pf2qc1gg7yh8hi1o\api-ms-win-crt-process-l1-1-0.dll
- %LOCALAPPDATA%low\pf2qc1gg7yh8hi1o\api-ms-win-crt-private-l1-1-0.dll
- %LOCALAPPDATA%low\pf2qc1gg7yh8hi1o\api-ms-win-crt-locale-l1-1-0.dll
- %LOCALAPPDATA%low\pf2qc1gg7yh8hi1o\api-ms-win-crt-math-l1-1-0.dll
- %LOCALAPPDATA%low\pf2qc1gg7yh8hi1o\lgpllibs.dll
- %TEMP%\560.tmp
- %LOCALAPPDATA%low\gxix4a2dre
- %LOCALAPPDATA%low\exuieaoeii
- %LOCALAPPDATA%low\3solbph71y
- %LOCALAPPDATA%low\x3cf3ednhm
- %LOCALAPPDATA%low\rqf69azbla
- %LOCALAPPDATA%low\rywtiizs2t
- %LOCALAPPDATA%low\1xvpfvjcrg
- %LOCALAPPDATA%low\fraqbc8wsa
- %LOCALAPPDATA%low\sqlite3.dll
- %LOCALAPPDATA%\google\chrome\user data\default\chrome.exe
- %TEMP%\cd00.tmp
- %LOCALAPPDATA%low\bbsqwy6yhk
- %TEMP%\cc72.tmp-shm
- %LOCALAPPDATA%\microsoft\vault\4bf4c442-9b8a-41a0-b380-dd4a704ddb28\policy.vpol
- %ALLUSERSPROFILE%\microsoft\vault\ac658cb4-9126-49bd-b877-31eedab3f204\2f1a6504-0641-44cf-8bb5-3612d865f2e5.vsch
- %ALLUSERSPROFILE%\microsoft\vault\ac658cb4-9126-49bd-b877-31eedab3f204\3ccd5499-87a8-4b10-a215-608888dd3b55.vsch
- %ALLUSERSPROFILE%\microsoft\vault\ac658cb4-9126-49bd-b877-31eedab3f204\policy.vpol
- %ALLUSERSPROFILE%\mntemp
- %TEMP%\b83a.tmp.exe
- %TEMP%\b58b.tmp.exe
- %TEMP%\9b65.tmp.exe
- %TEMP%\91f2.tmp.exe
- %APPDATA%\bhefvrf
- %APPDATA%\ffjsdhe
- %TEMP%\cc72.tmp
- nul
- %LOCALAPPDATA%low\pf2qc1gg7yh8hi1o\ldap60.dll
- %TEMP%\5af.tmp
- %LOCALAPPDATA%low\pf2qc1gg7yh8hi1o\ia2marshal.dll
- %LOCALAPPDATA%low\pf2qc1gg7yh8hi1o\freebl3.dll
- %LOCALAPPDATA%low\pf2qc1gg7yh8hi1o\breakpadinjector.dll
- %LOCALAPPDATA%low\pf2qc1gg7yh8hi1o\accessiblemarshal.dll
- %LOCALAPPDATA%low\pf2qc1gg7yh8hi1o\accessiblehandler.dll
- %LOCALAPPDATA%low\pf2qc1gg7yh8hi1o\vcruntime140.dll
- %LOCALAPPDATA%low\pf2qc1gg7yh8hi1o\ucrtbase.dll
- %LOCALAPPDATA%low\pf2qc1gg7yh8hi1o\softokn3.dll
- %LOCALAPPDATA%low\pf2qc1gg7yh8hi1o\qipcap.dll
- %LOCALAPPDATA%low\pf2qc1gg7yh8hi1o\prldap60.dll
- %LOCALAPPDATA%low\pf2qc1gg7yh8hi1o\nssdbm3.dll
- %LOCALAPPDATA%low\pf2qc1gg7yh8hi1o\ldif60.dll
- %LOCALAPPDATA%low\pf2qc1gg7yh8hi1o\ih7oe4ur9pw5zj0o.zip
- %TEMP%\6f1.tmp-shm
- %TEMP%\6f1.tmp
- %TEMP%\6c1.tmp
- %TEMP%\6c0.tmp
- %TEMP%\6af.tmp
- %TEMP%\6ae.tmp
- %TEMP%\68e.tmp
- %TEMP%\68d.tmp
- %TEMP%\66d.tmp
- %TEMP%\66c.tmp
- %TEMP%\5b0.tmp
- %TEMP%\55f.tmp
- %LOCALAPPDATA%low\nx1cyhaz3qe.zip
Sets the 'hidden' attribute to the following files
- %APPDATA%\ffjsdhe
- %APPDATA%\bhefvrf
Deletes the following files
- %TEMP%\cc72.tmp-shm
- %LOCALAPPDATA%low\pf2qc1gg7yh8hi1o\api-ms-win-crt-runtime-l1-1-0.dll
- %LOCALAPPDATA%low\pf2qc1gg7yh8hi1o\api-ms-win-crt-process-l1-1-0.dll
- %LOCALAPPDATA%low\pf2qc1gg7yh8hi1o\api-ms-win-crt-private-l1-1-0.dll
- %LOCALAPPDATA%low\pf2qc1gg7yh8hi1o\api-ms-win-crt-multibyte-l1-1-0.dll
- %LOCALAPPDATA%low\pf2qc1gg7yh8hi1o\api-ms-win-crt-math-l1-1-0.dll
- %LOCALAPPDATA%low\pf2qc1gg7yh8hi1o\api-ms-win-crt-locale-l1-1-0.dll
- %LOCALAPPDATA%low\pf2qc1gg7yh8hi1o\api-ms-win-crt-heap-l1-1-0.dll
- %LOCALAPPDATA%low\pf2qc1gg7yh8hi1o\api-ms-win-crt-filesystem-l1-1-0.dll
- %LOCALAPPDATA%low\pf2qc1gg7yh8hi1o\api-ms-win-crt-environment-l1-1-0.dll
- %LOCALAPPDATA%low\pf2qc1gg7yh8hi1o\api-ms-win-crt-convert-l1-1-0.dll
- %LOCALAPPDATA%low\pf2qc1gg7yh8hi1o\api-ms-win-crt-conio-l1-1-0.dll
- %LOCALAPPDATA%low\pf2qc1gg7yh8hi1o\api-ms-win-core-util-l1-1-0.dll
- %LOCALAPPDATA%low\pf2qc1gg7yh8hi1o\api-ms-win-core-timezone-l1-1-0.dll
- %LOCALAPPDATA%low\pf2qc1gg7yh8hi1o\api-ms-win-core-sysinfo-l1-1-0.dll
- %LOCALAPPDATA%low\pf2qc1gg7yh8hi1o\api-ms-win-core-synch-l1-2-0.dll
- %LOCALAPPDATA%low\pf2qc1gg7yh8hi1o\api-ms-win-core-synch-l1-1-0.dll
- %LOCALAPPDATA%low\pf2qc1gg7yh8hi1o\api-ms-win-core-string-l1-1-0.dll
- %LOCALAPPDATA%low\pf2qc1gg7yh8hi1o\api-ms-win-core-rtlsupport-l1-1-0.dll
- %LOCALAPPDATA%low\pf2qc1gg7yh8hi1o\api-ms-win-core-profile-l1-1-0.dll
- %LOCALAPPDATA%low\pf2qc1gg7yh8hi1o\api-ms-win-core-processthreads-l1-1-1.dll
- %LOCALAPPDATA%low\pf2qc1gg7yh8hi1o\api-ms-win-core-processthreads-l1-1-0.dll
- %LOCALAPPDATA%low\pf2qc1gg7yh8hi1o\api-ms-win-crt-stdio-l1-1-0.dll
- %LOCALAPPDATA%low\pf2qc1gg7yh8hi1o\api-ms-win-crt-time-l1-1-0.dll
- %LOCALAPPDATA%low\sqlite3.dll
- %LOCALAPPDATA%low\pf2qc1gg7yh8hi1o\api-ms-win-crt-utility-l1-1-0.dll
- %LOCALAPPDATA%low\pf2qc1gg7yh8hi1o\vcruntime140.dll
- %LOCALAPPDATA%low\pf2qc1gg7yh8hi1o\ucrtbase.dll
- %LOCALAPPDATA%low\pf2qc1gg7yh8hi1o\softokn3.dll
- %LOCALAPPDATA%low\pf2qc1gg7yh8hi1o\qipcap.dll
- %LOCALAPPDATA%low\pf2qc1gg7yh8hi1o\prldap60.dll
- %LOCALAPPDATA%low\pf2qc1gg7yh8hi1o\nssdbm3.dll
- %LOCALAPPDATA%low\pf2qc1gg7yh8hi1o\nssckbi.dll
- %LOCALAPPDATA%low\pf2qc1gg7yh8hi1o\nss3.dll
- %LOCALAPPDATA%low\pf2qc1gg7yh8hi1o\msvcp140.dll
- %LOCALAPPDATA%low\pf2qc1gg7yh8hi1o\mozmapi32_inuse.dll
- %LOCALAPPDATA%low\pf2qc1gg7yh8hi1o\mozmapi32.dll
- %LOCALAPPDATA%low\pf2qc1gg7yh8hi1o\mozglue.dll
- %LOCALAPPDATA%low\pf2qc1gg7yh8hi1o\mapiproxy_inuse.dll
- %LOCALAPPDATA%low\pf2qc1gg7yh8hi1o\mapiproxy.dll
- %LOCALAPPDATA%low\pf2qc1gg7yh8hi1o\libegl.dll
- %LOCALAPPDATA%low\pf2qc1gg7yh8hi1o\lgpllibs.dll
- %LOCALAPPDATA%low\pf2qc1gg7yh8hi1o\ldif60.dll
- %LOCALAPPDATA%low\pf2qc1gg7yh8hi1o\ldap60.dll
- %LOCALAPPDATA%low\pf2qc1gg7yh8hi1o\ia2marshal.dll
- %LOCALAPPDATA%low\pf2qc1gg7yh8hi1o\freebl3.dll
- %LOCALAPPDATA%low\pf2qc1gg7yh8hi1o\breakpadinjector.dll
- %LOCALAPPDATA%low\pf2qc1gg7yh8hi1o\api-ms-win-core-processenvironment-l1-1-0.dll
- %LOCALAPPDATA%low\pf2qc1gg7yh8hi1o\api-ms-win-crt-string-l1-1-0.dll
- %LOCALAPPDATA%low\pf2qc1gg7yh8hi1o\api-ms-win-core-namedpipe-l1-1-0.dll
- %TEMP%\6c1.tmp
- %TEMP%\6af.tmp
- %TEMP%\6ae.tmp
- %TEMP%\68e.tmp
- %TEMP%\68d.tmp
- %TEMP%\66d.tmp
- %TEMP%\66c.tmp
- %TEMP%\5b0.tmp
- %TEMP%\5af.tmp
- %TEMP%\560.tmp
- %TEMP%\55f.tmp
- %LOCALAPPDATA%low\bbsqwy6yhk
- %LOCALAPPDATA%low\gxix4a2dre
- %LOCALAPPDATA%low\exuieaoeii
- %LOCALAPPDATA%low\3solbph71y
- %LOCALAPPDATA%low\x3cf3ednhm
- %LOCALAPPDATA%low\rqf69azbla
- %LOCALAPPDATA%low\rywtiizs2t
- %LOCALAPPDATA%low\1xvpfvjcrg
- %LOCALAPPDATA%low\fraqbc8wsa
- %TEMP%\cd00.tmp
- %TEMP%\cc72.tmp
- %TEMP%\6c0.tmp
- %TEMP%\6f1.tmp-shm
- %LOCALAPPDATA%low\pf2qc1gg7yh8hi1o\api-ms-win-core-localization-l1-2-0.dll
- %TEMP%\6f1.tmp
- %LOCALAPPDATA%low\pf2qc1gg7yh8hi1o\api-ms-win-core-libraryloader-l1-1-0.dll
- %LOCALAPPDATA%low\pf2qc1gg7yh8hi1o\api-ms-win-core-interlocked-l1-1-0.dll
- %LOCALAPPDATA%low\pf2qc1gg7yh8hi1o\api-ms-win-core-heap-l1-1-0.dll
- %LOCALAPPDATA%low\pf2qc1gg7yh8hi1o\api-ms-win-core-handle-l1-1-0.dll
- %LOCALAPPDATA%low\pf2qc1gg7yh8hi1o\api-ms-win-core-file-l2-1-0.dll
- %LOCALAPPDATA%low\pf2qc1gg7yh8hi1o\api-ms-win-core-file-l1-2-0.dll
- %LOCALAPPDATA%low\pf2qc1gg7yh8hi1o\accessiblemarshal.dll
- %LOCALAPPDATA%low\pf2qc1gg7yh8hi1o\accessiblehandler.dll
- %LOCALAPPDATA%low\machineinfo.txt
- %LOCALAPPDATA%low\firefox_urls.txt
- %LOCALAPPDATA%low\nx1cyhaz3qe.zip
- %LOCALAPPDATA%low\7x3qfc4di
- %LOCALAPPDATA%low\7x3qfc4di-shm
- %LOCALAPPDATA%low\vwqasjade
- %LOCALAPPDATA%low\vwqasjade-shm
- %LOCALAPPDATA%low\nh59lvdje
- %LOCALAPPDATA%low\nh59lvdje-shm
- %LOCALAPPDATA%low\fraqbc8ws
- %LOCALAPPDATA%low\fraqbc8ws-shm
- %LOCALAPPDATA%low\pf2qc1gg7yh8hi1o\ih7oe4ur9pw5zj0o.zip
- %TEMP%\b58b.tmp.exe
- %LOCALAPPDATA%low\pf2qc1gg7yh8hi1o\api-ms-win-core-memory-l1-1-0.dll
- %LOCALAPPDATA%\google\chrome\user data\default\chrome.exe
Deletes itself.
Network activity
Connects to
- 'de###orta.xyz':80
TCP
HTTP GET requests
- http://10##########older1002-0139251002202035.site/raccon.exe
- http://ch#####.amazonaws.com/
HTTP POST requests
- http://10##########older33417-01242510022020.space/
- http://10############6831-service1002012510022020.space/
- http://10##########older1002-0139251002202035.site/
- http://17#.##.40.83:35200/IRemotePanel via 17#.#0.40.83
- http://de###orta.xyz/IRemotePanel
UDP
- DNS ASK 10###########lder1002002131-service1002.space
- DNS ASK 10##########older100221-service1022020.ru
- DNS ASK 10##########older100231-service1022020.ru
- DNS ASK 10###########lder100241-service1002010022020.ru
- DNS ASK 10###########lder100251-service2510022020.ru
- DNS ASK 10############dert161-service100201242510022020.ru
- DNS ASK 10###########t151-service100201242510022020.ru
- DNS ASK 10###########est561-service1002012510022020.ru
- DNS ASK 10#########folder1002-01252510022020.ml
- DNS ASK 10###########est981-service1002012510022020.ru
- DNS ASK 10###########est871-service1002012510022020.ru
- DNS ASK 10###########est971-service1002012510022020.ru
- DNS ASK 10###########est341-service1002012510022020.ru
- DNS ASK 10###########est251-service1002012510022020.ru
- DNS ASK 10#############er1002-service100201blog2510022020.ru
- DNS ASK 10#############er1002-service100201life2510022020.ru
- DNS ASK 10#############er1002-service100201shop2510022020.ru
- DNS ASK 10###########est451-service1002012510022020.ru
- DNS ASK 10#########folder1002-01262510022020.ga
- DNS ASK 10#########folder1002-01272510022020.cf
- DNS ASK 10#########folder1002-01282510022020.gq
- DNS ASK wh###.iana.org
- DNS ASK ch#####.amazonaws.com
- DNS ASK ap#.ip.sb
- DNS ASK pb#.#aditee.ru
- DNS ASK ha####artsch.top
- DNS ASK te##te.in
- DNS ASK 10##########older1002-0139251002202035.site
- DNS ASK 10##########older1002-0138251002202035.site
- DNS ASK 10##########older1002-0137251002202035.site
- DNS ASK 10##########older1002-0136251002202035.site
- DNS ASK 10##########older1002-0135251002202035.site
- DNS ASK 10##########older1002-0134251002202035.site
- DNS ASK 10##########older1002-0133251002202035.site
- DNS ASK 10##########older1002-0132251002202035.site
- DNS ASK 10##########older1002-0131251002202035.site
- DNS ASK 10##########older1002-0130251002202035.site
- DNS ASK 10##########older1002-01292510022020.com
- DNS ASK 10###########lder241-service1002012510022020.ru
- DNS ASK WH###.RIPE.NET
- DNS ASK 10###########lder351-service1002012510022020.ru
- DNS ASK 10###########lder481-service1002012510022020.ru
- DNS ASK 10############671-service1002012510022020.online
- DNS ASK 10###########5671-service1002012510022020.tech
- DNS ASK 10###########3461-service1002012510022020.net
- DNS ASK 10###########4781-service1002012510022020.info
- DNS ASK 10###########3561-service1002012510022020.su
- DNS ASK 10###########3481-service1002012510022020.ru
- DNS ASK 10###########3531-service100201242510022020.ru
- DNS ASK 10###########1341-service1002012510022020.ru
- DNS ASK 10############4831-service1002012510022020.space
- DNS ASK 10############6831-service1002012510022020.space
- DNS ASK 10############5831-service1002012510022020.space
- DNS ASK 10##########older33417-01242510022020.space
- DNS ASK 10###########lder1002002531-service1002.space
- DNS ASK 10###########lder1002002431-service1002.space
- DNS ASK 10##########older3100231-service1002.space
- DNS ASK 10###########lder1002002231-service1002.space
- DNS ASK 10############7831-service1002012510022020.space
- DNS ASK 10###########1-service100201dom2510022020.ru
- DNS ASK 10###########1-service1002012510022020.website
- DNS ASK 10##########51-service1002012510022020.xyz
- DNS ASK 10###########st361-service1002012510022020.ru
- DNS ASK 10###########st371-service1002012510022020.ru
- DNS ASK 10##########231-service1002012510022020.fun
- DNS ASK 10###########61-service1002012510022020.host
- DNS ASK 10##########571-service1002012510022020.pro
- DNS ASK 10##########481-service1002012510022020.ru
- DNS ASK 10##########391-service1002012510022020.ru
- DNS ASK 10###########st231-service1002012510022020.ru
- DNS ASK 10###########st251-service1002012510022020.ru
- DNS ASK 10###########61-service1002012510022020.space
- DNS ASK 10##########281-service1002012510022020.ru
- DNS ASK 10###########st213-service1002012510022020.ru
- DNS ASK 10############der4561-service1002012510022020.ru
- DNS ASK 10###########1-service1002012510022020.press
- DNS ASK 10##########21-service1002012510022020.eu
- DNS ASK 10###########1-service100201rus2510022020.ru
- DNS ASK 10###########1-service100201pro2510022020.ru
- DNS ASK 10###########lder471-service1002012510022020.ru
- DNS ASK de###orta.xyz
Miscellaneous
Searches for the following windows
- ClassName: '18467-41' WindowName: ''
Creates and executes the following
- '%TEMP%\91f2.tmp.exe'
- '%TEMP%\9b65.tmp.exe'
- '%TEMP%\b58b.tmp.exe'
- '%TEMP%\b83a.tmp.exe'
- '%LOCALAPPDATA%\google\chrome\user data\default\chrome.exe'
Executes the following
- '%WINDIR%\syswow64\explorer.exe'
- '%WINDIR%\explorer.exe'
- '%WINDIR%\syswow64\cmd.exe' /C ping 127.0.0.1 -n 3 > nul &del "%TEMP%\B58B.tmp.exe"
- '%WINDIR%\syswow64\ping.exe' 127.0.0.1 -n 3
- '%WINDIR%\syswow64\cmd.exe' /C ping 127.0.0.1 -n 3 > nul &del "%LOCALAPPDATA%\Google\Chrome\User Data\Default\chrome.exe"
- '%WINDIR%\microsoft.net\framework\v4.0.30319\addinprocess32.exe'
