Technical Information
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce] 'ebrtucjhqgv' = '"%APPDATA%\Microsoft\thmvio.exe"'
- %APPDATA%\microsoft\thmvio.exe
- 'ip#####.#hatismyipaddress.com':80
- http://ca##er.bit/
- DNS ASK ip#####.#hatismyipaddress.com
- DNS ASK ns#.##wservers.ru
- DNS ASK ca##er.bit
- DNS ASK ra###mware.bit
- '%WINDIR%\syswow64\nslookup.exe' carder.bit ns1.wowservers.ru (with hidden window)
- '%WINDIR%\syswow64\nslookup.exe' ransomware.bit ns2.wowservers.ru (with hidden window)
- '%WINDIR%\syswow64\nslookup.exe' carder.bit ns2.wowservers.ru (with hidden window)
- '%WINDIR%\syswow64\nslookup.exe' ransomware.bit ns1.wowservers.ru (with hidden window)
- '%WINDIR%\syswow64\nslookup.exe' carder.bit ns1.wowservers.ru
- '%WINDIR%\syswow64\nslookup.exe' ransomware.bit ns2.wowservers.ru
- '%WINDIR%\syswow64\nslookup.exe' carder.bit ns2.wowservers.ru
- '%WINDIR%\syswow64\nslookup.exe' ransomware.bit ns1.wowservers.ru