Technical Information (sandbox-observed artifacts, in report order: scheduled-task file, registry keys, file paths touched, HTTP requests and DNS queries, then process launches). Note that hostnames and the IP address in the network entries are partially masked with `#` as published, so they cannot be used verbatim as blocklist indicators; the persistence mechanism is visible unmasked in the `schtasks /create ... /sc minute /mo 1 /tn "\WindowsAppPool\AppPool"` command lines near the end of the list.
- <SYSTEM32>\tasks\nvngxupdatecheckdaily_{78821544-1544-1544-1544-788215441544}
- %WINDIR%\syswow64\explorer.exe
- %WINDIR%\explorer.exe
- iexplore.exe
- [<HKCU>\Software\Martin Prikryl]
- [<HKLM>\Software\Wow6432Node\Martin Prikryl]
- %ProgramFiles(x86)%\steam\config\config.vdf
- %ProgramFiles(x86)%\steam\config\dialogconfig.vdf
- %LOCALAPPDATA%\google\chrome\user data\default\cookies
- %LOCALAPPDATA%\google\chrome\user data\default\login data
- %LOCALAPPDATA%\google\chrome\user data\default\web data
- %APPDATA%\opera software\opera stable\login data
- %APPDATA%\mozilla\firefox\profiles.ini
- %APPDATA%\thunderbird\profiles.ini
- %TEMP%\4dd3.tmp
- %LOCALAPPDATA%low\rqf69azbla
- %TEMP%\c67f.tmp
- %TEMP%\c690.tmp
- %TEMP%\c6a1.tmp
- %TEMP%\c6a2.tmp
- %TEMP%\c6a3.tmp
- %TEMP%\c6a4.tmp
- %LOCALAPPDATA%\microsoft\vault\4bf4c442-9b8a-41a0-b380-dd4a704ddb28\policy.vpol
- %TEMP%\c6b4.tmp
- %TEMP%\c6d5.tmp
- %TEMP%\c6d5.tmp-shm
- %LOCALAPPDATA%low\x3cf3ednhm
- %LOCALAPPDATA%low\3solbph71y
- %LOCALAPPDATA%low\exuieaoeii
- %LOCALAPPDATA%low\gxix4a2dre
- %LOCALAPPDATA%low\bbsqwy6yhk
- %LOCALAPPDATA%low\1xvpfvjcrg
- %LOCALAPPDATA%low\rywtiizs2t
- %TEMP%\c344.tmp
- %TEMP%\c333.tmp
- %TEMP%\c332.tmp
- %APPDATA%\ircwgju
- %TEMP%\4b23.tmp.exe
- %TEMP%\51e7.tmp.exe
- %TEMP%\66b0.tmp.exe
- %TEMP%\74f3.tmp.exe
- %ALLUSERSPROFILE%\microsoft\vault\ac658cb4-9126-49bd-b877-31eedab3f204\policy.vpol
- %ALLUSERSPROFILE%\microsoft\vault\ac658cb4-9126-49bd-b877-31eedab3f204\3ccd5499-87a8-4b10-a215-608888dd3b55.vsch
- %TEMP%\iahibjie.exe
- %TEMP%\c6c5.tmp
- %ALLUSERSPROFILE%\microsoft\vault\ac658cb4-9126-49bd-b877-31eedab3f204\2f1a6504-0641-44cf-8bb5-3612d865f2e5.vsch
- %LOCALAPPDATA%low\sqlite3.dll
- %TEMP%\a874.tmp.exe
- %LOCALAPPDATA%low\fraqbc8wsa
- %TEMP%\c274.tmp
- %TEMP%\c274.tmp-shm
- %TEMP%\c294.tmp
- %TEMP%\c312.tmp
- %APPDATA%\gwrufeb
- %TEMP%\933e.tmp.exe
- %TEMP%\idjijjgg.exe
- %APPDATA%\gwrufeb
- %APPDATA%\ircwgju
- %LOCALAPPDATA%low\fraqbc8wsa
- %LOCALAPPDATA%low\exuieaoeii
- %LOCALAPPDATA%low\3solbph71y
- %LOCALAPPDATA%low\x3cf3ednhm
- %TEMP%\c6d5.tmp
- %TEMP%\c6d5.tmp-shm
- %TEMP%\c6c5.tmp
- %TEMP%\c6b4.tmp
- %TEMP%\c6a4.tmp
- %TEMP%\c6a3.tmp
- %TEMP%\c6a2.tmp
- %TEMP%\c6a1.tmp
- %TEMP%\c690.tmp
- %TEMP%\c67f.tmp
- %LOCALAPPDATA%low\rqf69azbla
- %LOCALAPPDATA%low\rywtiizs2t
- %LOCALAPPDATA%low\1xvpfvjcrg
- %TEMP%\c344.tmp
- %TEMP%\c333.tmp
- %TEMP%\c332.tmp
- %TEMP%\c312.tmp
- %TEMP%\c294.tmp
- %TEMP%\c274.tmp
- %TEMP%\c274.tmp-shm
- %LOCALAPPDATA%low\gxix4a2dre
- %LOCALAPPDATA%low\bbsqwy6yhk
- http://10############6831-service1002012510022020.space/raccon.exe
- http://www.to####firsat.com/tau.exe
- http://ca####viceno1.top/gate/sqlite3.dll
- http://10############6831-service1002012510022020.space/reestr.exe
- http://ic####stitute.com/soc.exe
- http://www.ph#####tinvestments.com/tntn.exe
- http://10##########older33417-01242510022020.space/
- http://11#.#0.149.143/cfg/
- http://11#.#0.149.143/log/
- http://ca####viceno1.top/gate/log.php
- http://11#.#0.149.143/loader/complete/
- http://10############6831-service1002012510022020.space/
- DNS ASK 10###########lder1002002131-service1002.space
- DNS ASK 10###########lder1002002231-service1002.space
- DNS ASK 10##########older3100231-service1002.space
- DNS ASK 10###########lder1002002431-service1002.space
- DNS ASK 10###########lder1002002531-service1002.space
- DNS ASK 10##########older33417-01242510022020.space
- DNS ASK 10############5831-service1002012510022020.space
- DNS ASK 10############6831-service1002012510022020.space
- DNS ASK 10############7831-service1002012510022020.space
- DNS ASK te##te.in
- DNS ASK to####firsat.com
- DNS ASK ca####viceno1.top
- DNS ASK ic####stitute.com
- DNS ASK ph#####tinvestments.com
- '%TEMP%\4b23.tmp.exe'
- '%TEMP%\51e7.tmp.exe'
- '%TEMP%\66b0.tmp.exe'
- '%TEMP%\74f3.tmp.exe'
- '%TEMP%\933e.tmp.exe'
- '%TEMP%\a874.tmp.exe'
- '%TEMP%\iahibjie.exe'
- '%TEMP%\idjijjgg.exe'
- '%APPDATA%\gwrufeb'
- '%TEMP%\iahibjie.exe' ' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c schtasks /create /F /sc minute /mo 1 /tn "\WindowsAppPool\AppPool" /tr "%TEMP%\iAhiBjIE.exe"' (with hidden window)
- '%TEMP%\idjijjgg.exe' ' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c schtasks /create /F /sc minute /mo 1 /tn "\WindowsAppPool\AppPool" /tr "%TEMP%\IDJIjJGg.exe"' (with hidden window)
- '%APPDATA%\gwrufeb' ' (with hidden window)
- '%WINDIR%\syswow64\explorer.exe'
- '%WINDIR%\explorer.exe'
- '%WINDIR%\syswow64\cmd.exe' /c schtasks /create /F /sc minute /mo 1 /tn "\WindowsAppPool\AppPool" /tr "%TEMP%\iAhiBjIE.exe"
- '%WINDIR%\syswow64\cmd.exe' /c schtasks /create /F /sc minute /mo 1 /tn "\WindowsAppPool\AppPool" /tr "%TEMP%\IDJIjJGg.exe"
- '%WINDIR%\syswow64\schtasks.exe' /create /F /sc minute /mo 1 /tn "\WindowsAppPool\AppPool" /tr "%TEMP%\iAhiBjIE.exe"
- '%WINDIR%\syswow64\cmd.exe' timeout /t 3 & del /f /q %TEMP%\74F3.tmp.exe
- '<SYSTEM32>\taskeng.exe' {BB43D13A-294F-4E16-8B86-A6D73C8C6320} S-1-5-21-1960123792-2022915161-3775307078-1001:qsfnlptzkyc\user:Interactive:[1]
- '%WINDIR%\syswow64\schtasks.exe' /create /F /sc minute /mo 1 /tn "\WindowsAppPool\AppPool" /tr "%TEMP%\IDJIjJGg.exe"
- '%WINDIR%\syswow64\timeout.exe' /t 3