Technical Information
- [<HKLM>\System\CurrentControlSet\Services\nnbesdnzs] 'Start' = '00000002' (service start type 2 = automatic, i.e. the service is started at every boot)
- [<HKLM>\System\CurrentControlSet\Services\nnbesdnzs] 'ImagePath' = '%WINDIR%\tqqsfthu\ritzsry.exe'
- %WINDIR%\tqqsfthu\ritzsry.exe
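- File relocated from <Full path to file> to %TEMP%\1102234\....\temporaryfile (the section heading for this entry is missing, so the report does not say whether this is a move or a copy)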
- Connects to 'bk.###gminer.club':63145 (host and port; the transport protocol is not stated)
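- DNS ASK aj.###x0x0x0.best ('#' characters in this list are masking applied by the report; the unmasked names appear in the nslookup command lines further down, e.g. aj.0x0x0x0x0.best)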
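- DNS ASK 1.#.#.#.in-addr.arpa (this and the next three in-addr.arpa entries are reverse lookups; their visible octets are consistent with the resolver addresses passed to nslookup below)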
- DNS ASK 11.##.##.117.in-addr.arpa
- DNS ASK 22.##.##.117.in-addr.arpa
- DNS ASK 22#.###.67.208.in-addr.arpa
- DNS ASK xs.###x0x0x0.club
- DNS ASK ui.###x0x0x0.xyz
- DNS ASK qb.###c1c1c.best
- DNS ASK ce.###c1c1c.club
- DNS ASK jz.##1c1c1c.xyz
- DNS ASK bk.####herohero.info
- DNS ASK bk.###gminer.club
- '%WINDIR%\tqqsfthu\ritzsry.exe'
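- '%WINDIR%\syswow64\cmd.exe' /c nslookup -qt=A qb.1c1c1c1c.best 208.67.220.220' (with hidden window; in this and the following nslookup entries the last argument is the resolver to query, so these lookups bypass the host's configured DNS server and any logging or filtering done there)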
- '%WINDIR%\syswow64\cmd.exe' /c nslookup -qt=A ce.1c1c1c1c.club 8.8.8.8' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c nslookup -qt=A ce.1c1c1c1c.club 1.1.1.1' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c nslookup -qt=A ce.1c1c1c1c.club 117.50.11.11' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c nslookup -qt=A ce.1c1c1c1c.club 117.50.22.22' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c nslookup -qt=A ce.1c1c1c1c.club 208.67.222.222' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c nslookup -qt=A ce.1c1c1c1c.club 208.67.220.220' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c nslookup -qt=A jz.1c1c1c1c.xyz 8.8.8.8' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c nslookup -qt=A bk.kingminer.club 8.8.8.8' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c nslookup -qt=A jz.1c1c1c1c.xyz 1.1.1.1' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c nslookup -qt=A jz.1c1c1c1c.xyz 117.50.22.22' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c nslookup -qt=A jz.1c1c1c1c.xyz 208.67.222.222' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c nslookup -qt=A jz.1c1c1c1c.xyz 208.67.220.220' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c nslookup -qt=A bk.heroherohero.info 8.8.8.8' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c nslookup -qt=A bk.heroherohero.info 1.1.1.1' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c nslookup -qt=A bk.heroherohero.info 117.50.11.11' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c nslookup -qt=A bk.heroherohero.info 117.50.22.22' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c nslookup -qt=A bk.heroherohero.info 208.67.222.222' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c nslookup -qt=A bk.heroherohero.info 208.67.220.220' (with hidden window)
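- '%WINDIR%\syswow64\cmd.exe' /c ping 127.0.0.1 -n 5 & Start %WINDIR%\tqqsfthu\ritzsry.exe' (with hidden window; the loopback ping acts as a delay of a few seconds before %WINDIR%\tqqsfthu\ritzsry.exe is started)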
- '%WINDIR%\syswow64\cmd.exe' /c nslookup -qt=A qb.1c1c1c1c.best 208.67.222.222' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c nslookup -qt=A qb.1c1c1c1c.best 117.50.22.22' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c nslookup -qt=A qb.1c1c1c1c.best 117.50.11.11' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c nslookup -qt=A aj.0x0x0x0x0.best 8.8.8.8' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c nslookup -qt=A aj.0x0x0x0x0.best 1.1.1.1' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c nslookup -qt=A aj.0x0x0x0x0.best 117.50.11.11' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c nslookup -qt=A aj.0x0x0x0x0.best 117.50.22.22' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c nslookup -qt=A aj.0x0x0x0x0.best 208.67.222.222' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c nslookup -qt=A aj.0x0x0x0x0.best 208.67.220.220' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c nslookup -qt=A xs.0x0x0x0x0.club 8.8.8.8' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c nslookup -qt=A xs.0x0x0x0x0.club 1.1.1.1' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c nslookup -qt=A xs.0x0x0x0x0.club 117.50.11.11' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c nslookup -qt=A jz.1c1c1c1c.xyz 117.50.11.11' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c nslookup -qt=A xs.0x0x0x0x0.club 117.50.22.22' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c nslookup -qt=A xs.0x0x0x0x0.club 208.67.220.220' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c nslookup -qt=A ui.0x0x0x0x0.xyz 8.8.8.8' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c nslookup -qt=A ui.0x0x0x0x0.xyz 1.1.1.1' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c nslookup -qt=A ui.0x0x0x0x0.xyz 117.50.11.11' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c nslookup -qt=A ui.0x0x0x0x0.xyz 117.50.22.22' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c nslookup -qt=A ui.0x0x0x0x0.xyz 208.67.222.222' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c nslookup -qt=A ui.0x0x0x0x0.xyz 208.67.220.220' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c nslookup -qt=A qb.1c1c1c1c.best 8.8.8.8' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c nslookup -qt=A qb.1c1c1c1c.best 1.1.1.1' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c nslookup -qt=A xs.0x0x0x0x0.club 208.67.222.222' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c nslookup -qt=A bk.kingminer.club 1.1.1.1' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c ping 127.0.0.1 -n 5 & Start %WINDIR%\tqqsfthu\ritzsry.exe
- '%WINDIR%\syswow64\cmd.exe' /c nslookup -qt=A jz.1c1c1c1c.xyz 1.1.1.1
- '%WINDIR%\syswow64\nslookup.exe' -qt=A jz.1c1c1c1c.xyz 8.8.8.8
- '%WINDIR%\syswow64\cmd.exe' /c nslookup -qt=A jz.1c1c1c1c.xyz 8.8.8.8
- '%WINDIR%\syswow64\nslookup.exe' -qt=A ce.1c1c1c1c.club 208.67.220.220
- '%WINDIR%\syswow64\cmd.exe' /c nslookup -qt=A ce.1c1c1c1c.club 208.67.220.220
- '%WINDIR%\syswow64\nslookup.exe' -qt=A ce.1c1c1c1c.club 208.67.222.222
- '%WINDIR%\syswow64\cmd.exe' /c nslookup -qt=A ce.1c1c1c1c.club 208.67.222.222
- '%WINDIR%\syswow64\nslookup.exe' -qt=A ce.1c1c1c1c.club 117.50.22.22
- '%WINDIR%\syswow64\cmd.exe' /c nslookup -qt=A jz.1c1c1c1c.xyz 117.50.11.11
- '%WINDIR%\syswow64\nslookup.exe' -qt=A jz.1c1c1c1c.xyz 1.1.1.1
- '%WINDIR%\syswow64\cmd.exe' /c nslookup -qt=A ce.1c1c1c1c.club 117.50.11.11
- '%WINDIR%\syswow64\nslookup.exe' -qt=A ce.1c1c1c1c.club 1.1.1.1
- '%WINDIR%\syswow64\cmd.exe' /c nslookup -qt=A ce.1c1c1c1c.club 1.1.1.1
- '%WINDIR%\syswow64\nslookup.exe' -qt=A ce.1c1c1c1c.club 8.8.8.8
- '%WINDIR%\syswow64\cmd.exe' /c nslookup -qt=A ce.1c1c1c1c.club 8.8.8.8
- '%WINDIR%\syswow64\nslookup.exe' -qt=A qb.1c1c1c1c.best 208.67.220.220
- '%WINDIR%\syswow64\cmd.exe' /c nslookup -qt=A qb.1c1c1c1c.best 208.67.220.220
- '%WINDIR%\syswow64\nslookup.exe' -qt=A qb.1c1c1c1c.best 208.67.222.222
- '%WINDIR%\syswow64\cmd.exe' /c nslookup -qt=A ce.1c1c1c1c.club 117.50.22.22
- '%WINDIR%\syswow64\cmd.exe' /c nslookup -qt=A xs.0x0x0x0x0.club 208.67.222.222
- '%WINDIR%\syswow64\nslookup.exe' -qt=A jz.1c1c1c1c.xyz 117.50.11.11
- '%WINDIR%\syswow64\nslookup.exe' -qt=A bk.kingminer.club 8.8.8.8
- '%WINDIR%\syswow64\cmd.exe' /c nslookup -qt=A bk.kingminer.club 8.8.8.8
- '%WINDIR%\syswow64\nslookup.exe' -qt=A bk.heroherohero.info 208.67.220.220
- '%WINDIR%\syswow64\cmd.exe' /c nslookup -qt=A bk.heroherohero.info 208.67.220.220
- '%WINDIR%\syswow64\nslookup.exe' -qt=A bk.heroherohero.info 208.67.222.222
- '%WINDIR%\syswow64\cmd.exe' /c nslookup -qt=A bk.heroherohero.info 208.67.222.222
- '%WINDIR%\syswow64\nslookup.exe' -qt=A bk.heroherohero.info 117.50.22.22
- '%WINDIR%\syswow64\cmd.exe' /c nslookup -qt=A bk.heroherohero.info 117.50.22.22
- '%WINDIR%\syswow64\nslookup.exe' -qt=A bk.heroherohero.info 117.50.11.11
- '%WINDIR%\syswow64\cmd.exe' /c nslookup -qt=A bk.heroherohero.info 117.50.11.11
- '%WINDIR%\syswow64\nslookup.exe' -qt=A bk.heroherohero.info 1.1.1.1
- '%WINDIR%\syswow64\cmd.exe' /c nslookup -qt=A bk.heroherohero.info 1.1.1.1
- '%WINDIR%\syswow64\nslookup.exe' -qt=A bk.heroherohero.info 8.8.8.8
- '%WINDIR%\syswow64\cmd.exe' /c nslookup -qt=A bk.heroherohero.info 8.8.8.8
- '%WINDIR%\syswow64\nslookup.exe' -qt=A jz.1c1c1c1c.xyz 208.67.220.220
- '%WINDIR%\syswow64\cmd.exe' /c nslookup -qt=A jz.1c1c1c1c.xyz 208.67.220.220
- '%WINDIR%\syswow64\nslookup.exe' -qt=A jz.1c1c1c1c.xyz 208.67.222.222
- '%WINDIR%\syswow64\cmd.exe' /c nslookup -qt=A jz.1c1c1c1c.xyz 208.67.222.222
- '%WINDIR%\syswow64\nslookup.exe' -qt=A jz.1c1c1c1c.xyz 117.50.22.22
- '%WINDIR%\syswow64\cmd.exe' /c nslookup -qt=A qb.1c1c1c1c.best 208.67.222.222
- '%WINDIR%\syswow64\nslookup.exe' -qt=A ce.1c1c1c1c.club 117.50.11.11
- '%WINDIR%\syswow64\nslookup.exe' -qt=A qb.1c1c1c1c.best 117.50.22.22
- '%WINDIR%\syswow64\cmd.exe' /c nslookup -qt=A qb.1c1c1c1c.best 117.50.22.22
- '%WINDIR%\syswow64\nslookup.exe' -qt=A qb.1c1c1c1c.best 117.50.11.11
- '%WINDIR%\syswow64\cmd.exe' /c nslookup -qt=A aj.0x0x0x0x0.best 208.67.222.222
- '%WINDIR%\syswow64\cmd.exe' /c nslookup -qt=A xs.0x0x0x0x0.club 117.50.11.11
- '%WINDIR%\syswow64\nslookup.exe' -qt=A xs.0x0x0x0x0.club 1.1.1.1
- '%WINDIR%\syswow64\cmd.exe' /c nslookup -qt=A xs.0x0x0x0x0.club 1.1.1.1
- '%WINDIR%\syswow64\nslookup.exe' -qt=A xs.0x0x0x0x0.club 8.8.8.8
- '%WINDIR%\syswow64\cmd.exe' /c nslookup -qt=A xs.0x0x0x0x0.club 8.8.8.8
- '%WINDIR%\syswow64\nslookup.exe' -qt=A aj.0x0x0x0x0.best 208.67.220.220
- '%WINDIR%\syswow64\cmd.exe' /c nslookup -qt=A aj.0x0x0x0x0.best 208.67.220.220
- '%WINDIR%\syswow64\nslookup.exe' -qt=A aj.0x0x0x0x0.best 208.67.222.222
- '%WINDIR%\syswow64\nslookup.exe' -qt=A aj.0x0x0x0x0.best 117.50.22.22
- '%WINDIR%\syswow64\cmd.exe' /c nslookup -qt=A xs.0x0x0x0x0.club 117.50.22.22
- '%WINDIR%\syswow64\cmd.exe' /c nslookup -qt=A aj.0x0x0x0x0.best 117.50.22.22
- '%WINDIR%\syswow64\nslookup.exe' -qt=A aj.0x0x0x0x0.best 117.50.11.11
- '%WINDIR%\syswow64\cmd.exe' /c nslookup -qt=A aj.0x0x0x0x0.best 117.50.11.11
- '%WINDIR%\syswow64\nslookup.exe' -qt=A aj.0x0x0x0x0.best 1.1.1.1
- '%WINDIR%\syswow64\cmd.exe' /c nslookup -qt=A aj.0x0x0x0x0.best 1.1.1.1
- '%WINDIR%\syswow64\nslookup.exe' -qt=A aj.0x0x0x0x0.best 8.8.8.8
- '%WINDIR%\syswow64\cmd.exe' /c nslookup -qt=A aj.0x0x0x0x0.best 8.8.8.8
- '%WINDIR%\syswow64\ping.exe' 127.0.0.1 -n 5
- '%WINDIR%\syswow64\cmd.exe' /c nslookup -qt=A bk.kingminer.club 1.1.1.1
- '%WINDIR%\syswow64\cmd.exe' /c nslookup -qt=A jz.1c1c1c1c.xyz 117.50.22.22
- '%WINDIR%\syswow64\nslookup.exe' -qt=A xs.0x0x0x0x0.club 117.50.22.22
- '%WINDIR%\syswow64\cmd.exe' /c nslookup -qt=A xs.0x0x0x0x0.club 208.67.220.220
- '%WINDIR%\syswow64\nslookup.exe' -qt=A xs.0x0x0x0x0.club 117.50.11.11
- '%WINDIR%\syswow64\cmd.exe' /c nslookup -qt=A qb.1c1c1c1c.best 117.50.11.11
- '%WINDIR%\syswow64\nslookup.exe' -qt=A qb.1c1c1c1c.best 1.1.1.1
- '%WINDIR%\syswow64\cmd.exe' /c nslookup -qt=A qb.1c1c1c1c.best 1.1.1.1
- '%WINDIR%\syswow64\nslookup.exe' -qt=A qb.1c1c1c1c.best 8.8.8.8
- '%WINDIR%\syswow64\cmd.exe' /c nslookup -qt=A qb.1c1c1c1c.best 8.8.8.8
- '%WINDIR%\syswow64\nslookup.exe' -qt=A ui.0x0x0x0x0.xyz 208.67.220.220
- '%WINDIR%\syswow64\cmd.exe' /c nslookup -qt=A ui.0x0x0x0x0.xyz 208.67.220.220
- '%WINDIR%\syswow64\nslookup.exe' -qt=A ui.0x0x0x0x0.xyz 208.67.222.222
- '%WINDIR%\syswow64\cmd.exe' /c nslookup -qt=A ui.0x0x0x0x0.xyz 208.67.222.222
- '%WINDIR%\syswow64\nslookup.exe' -qt=A ui.0x0x0x0x0.xyz 117.50.22.22
- '%WINDIR%\syswow64\cmd.exe' /c nslookup -qt=A ui.0x0x0x0x0.xyz 117.50.22.22
- '%WINDIR%\syswow64\nslookup.exe' -qt=A ui.0x0x0x0x0.xyz 117.50.11.11
- '%WINDIR%\syswow64\cmd.exe' /c nslookup -qt=A ui.0x0x0x0x0.xyz 117.50.11.11
- '%WINDIR%\syswow64\nslookup.exe' -qt=A ui.0x0x0x0x0.xyz 1.1.1.1
- '%WINDIR%\syswow64\cmd.exe' /c nslookup -qt=A ui.0x0x0x0x0.xyz 1.1.1.1
- '%WINDIR%\syswow64\nslookup.exe' -qt=A ui.0x0x0x0x0.xyz 8.8.8.8
- '%WINDIR%\syswow64\cmd.exe' /c nslookup -qt=A ui.0x0x0x0x0.xyz 8.8.8.8
- '%WINDIR%\syswow64\nslookup.exe' -qt=A xs.0x0x0x0x0.club 208.67.220.220
- '%WINDIR%\syswow64\nslookup.exe' -qt=A xs.0x0x0x0x0.club 208.67.222.222
- '%WINDIR%\syswow64\nslookup.exe' -qt=A bk.kingminer.club 1.1.1.1