2a6f0b0ceefcd0f292bcbbfd4fe6ad9c3ddd2dee37521b93086417f18102db1a

Analysis

max time kernel
150s
max time network
154s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
25/02/2024, 01:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

04aba3724c6090d8df501b86be52080f.exe
Size

69KB
MD5

04aba3724c6090d8df501b86be52080f
SHA1

0300fbdbdb9c4482ab85bf8e2dc1bea3954208e3
SHA256

2a6f0b0ceefcd0f292bcbbfd4fe6ad9c3ddd2dee37521b93086417f18102db1a
SHA512

95aa691fcbc605534b5be0455d3e25c6f07250f309203b03aa30aa7466b0c0582710864e756320b21ee305769b51256a167abce6999209094b48651ff536fba2
SSDEEP

1536:kZZZZZZZZZZZZpXzzzzzzzzzzzzV9rXounV98hbHnAwfMqqU+2bbbAV2/S2Lkvd9:6BounVyFHpfMqqDL2/Lkvd

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\nekhnidduwe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\04aba3724c6090d8df501b86be52080f.exe"	04aba3724c6090d8df501b86be52080f.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\I:	04aba3724c6090d8df501b86be52080f.exe
File opened (read-only)	\??\J:	04aba3724c6090d8df501b86be52080f.exe
File opened (read-only)	\??\L:	04aba3724c6090d8df501b86be52080f.exe
File opened (read-only)	\??\N:	04aba3724c6090d8df501b86be52080f.exe
File opened (read-only)	\??\O:	04aba3724c6090d8df501b86be52080f.exe
File opened (read-only)	\??\P:	04aba3724c6090d8df501b86be52080f.exe
File opened (read-only)	\??\E:	04aba3724c6090d8df501b86be52080f.exe
File opened (read-only)	\??\M:	04aba3724c6090d8df501b86be52080f.exe
File opened (read-only)	\??\T:	04aba3724c6090d8df501b86be52080f.exe
File opened (read-only)	\??\U:	04aba3724c6090d8df501b86be52080f.exe
File opened (read-only)	\??\V:	04aba3724c6090d8df501b86be52080f.exe
File opened (read-only)	\??\W:	04aba3724c6090d8df501b86be52080f.exe
File opened (read-only)	\??\X:	04aba3724c6090d8df501b86be52080f.exe
File opened (read-only)	\??\R:	04aba3724c6090d8df501b86be52080f.exe
File opened (read-only)	\??\S:	04aba3724c6090d8df501b86be52080f.exe
File opened (read-only)	\??\Z:	04aba3724c6090d8df501b86be52080f.exe
File opened (read-only)	\??\A:	04aba3724c6090d8df501b86be52080f.exe
File opened (read-only)	\??\B:	04aba3724c6090d8df501b86be52080f.exe
File opened (read-only)	\??\G:	04aba3724c6090d8df501b86be52080f.exe
File opened (read-only)	\??\H:	04aba3724c6090d8df501b86be52080f.exe
File opened (read-only)	\??\K:	04aba3724c6090d8df501b86be52080f.exe
File opened (read-only)	\??\Q:	04aba3724c6090d8df501b86be52080f.exe
File opened (read-only)	\??\Y:	04aba3724c6090d8df501b86be52080f.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	04aba3724c6090d8df501b86be52080f.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	04aba3724c6090d8df501b86be52080f.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	04aba3724c6090d8df501b86be52080f.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1808	04aba3724c6090d8df501b86be52080f.exe
1808	04aba3724c6090d8df501b86be52080f.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1808 wrote to memory of 2852	1808	04aba3724c6090d8df501b86be52080f.exe	28
PID 1808 wrote to memory of 2852	1808	04aba3724c6090d8df501b86be52080f.exe	28
PID 1808 wrote to memory of 2852	1808	04aba3724c6090d8df501b86be52080f.exe	28
PID 1808 wrote to memory of 2852	1808	04aba3724c6090d8df501b86be52080f.exe	28
PID 1808 wrote to memory of 2492	1808	04aba3724c6090d8df501b86be52080f.exe	30
PID 1808 wrote to memory of 2492	1808	04aba3724c6090d8df501b86be52080f.exe	30
PID 1808 wrote to memory of 2492	1808	04aba3724c6090d8df501b86be52080f.exe	30
PID 1808 wrote to memory of 2492	1808	04aba3724c6090d8df501b86be52080f.exe	30
PID 1808 wrote to memory of 2496	1808	04aba3724c6090d8df501b86be52080f.exe	33
PID 1808 wrote to memory of 2496	1808	04aba3724c6090d8df501b86be52080f.exe	33
PID 1808 wrote to memory of 2496	1808	04aba3724c6090d8df501b86be52080f.exe	33
PID 1808 wrote to memory of 2496	1808	04aba3724c6090d8df501b86be52080f.exe	33
PID 1808 wrote to memory of 2480	1808	04aba3724c6090d8df501b86be52080f.exe	36
PID 1808 wrote to memory of 2480	1808	04aba3724c6090d8df501b86be52080f.exe	36
PID 1808 wrote to memory of 2480	1808	04aba3724c6090d8df501b86be52080f.exe	36
PID 1808 wrote to memory of 2480	1808	04aba3724c6090d8df501b86be52080f.exe	36
PID 1808 wrote to memory of 2592	1808	04aba3724c6090d8df501b86be52080f.exe	37
PID 1808 wrote to memory of 2592	1808	04aba3724c6090d8df501b86be52080f.exe	37
PID 1808 wrote to memory of 2592	1808	04aba3724c6090d8df501b86be52080f.exe	37
PID 1808 wrote to memory of 2592	1808	04aba3724c6090d8df501b86be52080f.exe	37
PID 1808 wrote to memory of 2976	1808	04aba3724c6090d8df501b86be52080f.exe	40
PID 1808 wrote to memory of 2976	1808	04aba3724c6090d8df501b86be52080f.exe	40
PID 1808 wrote to memory of 2976	1808	04aba3724c6090d8df501b86be52080f.exe	40
PID 1808 wrote to memory of 2976	1808	04aba3724c6090d8df501b86be52080f.exe	40
PID 1808 wrote to memory of 2476	1808	04aba3724c6090d8df501b86be52080f.exe	41
PID 1808 wrote to memory of 2476	1808	04aba3724c6090d8df501b86be52080f.exe	41
PID 1808 wrote to memory of 2476	1808	04aba3724c6090d8df501b86be52080f.exe	41
PID 1808 wrote to memory of 2476	1808	04aba3724c6090d8df501b86be52080f.exe	41
PID 1808 wrote to memory of 2404	1808	04aba3724c6090d8df501b86be52080f.exe	43
PID 1808 wrote to memory of 2404	1808	04aba3724c6090d8df501b86be52080f.exe	43
PID 1808 wrote to memory of 2404	1808	04aba3724c6090d8df501b86be52080f.exe	43
PID 1808 wrote to memory of 2404	1808	04aba3724c6090d8df501b86be52080f.exe	43
PID 1808 wrote to memory of 2784	1808	04aba3724c6090d8df501b86be52080f.exe	45
PID 1808 wrote to memory of 2784	1808	04aba3724c6090d8df501b86be52080f.exe	45
PID 1808 wrote to memory of 2784	1808	04aba3724c6090d8df501b86be52080f.exe	45
PID 1808 wrote to memory of 2784	1808	04aba3724c6090d8df501b86be52080f.exe	45
PID 1808 wrote to memory of 2020	1808	04aba3724c6090d8df501b86be52080f.exe	47
PID 1808 wrote to memory of 2020	1808	04aba3724c6090d8df501b86be52080f.exe	47
PID 1808 wrote to memory of 2020	1808	04aba3724c6090d8df501b86be52080f.exe	47
PID 1808 wrote to memory of 2020	1808	04aba3724c6090d8df501b86be52080f.exe	47
PID 1808 wrote to memory of 1204	1808	04aba3724c6090d8df501b86be52080f.exe	49
PID 1808 wrote to memory of 1204	1808	04aba3724c6090d8df501b86be52080f.exe	49
PID 1808 wrote to memory of 1204	1808	04aba3724c6090d8df501b86be52080f.exe	49
PID 1808 wrote to memory of 1204	1808	04aba3724c6090d8df501b86be52080f.exe	49
PID 1808 wrote to memory of 1508	1808	04aba3724c6090d8df501b86be52080f.exe	53
PID 1808 wrote to memory of 1508	1808	04aba3724c6090d8df501b86be52080f.exe	53
PID 1808 wrote to memory of 1508	1808	04aba3724c6090d8df501b86be52080f.exe	53
PID 1808 wrote to memory of 1508	1808	04aba3724c6090d8df501b86be52080f.exe	53
PID 1808 wrote to memory of 2664	1808	04aba3724c6090d8df501b86be52080f.exe	55
PID 1808 wrote to memory of 2664	1808	04aba3724c6090d8df501b86be52080f.exe	55
PID 1808 wrote to memory of 2664	1808	04aba3724c6090d8df501b86be52080f.exe	55
PID 1808 wrote to memory of 2664	1808	04aba3724c6090d8df501b86be52080f.exe	55
PID 1808 wrote to memory of 2980	1808	04aba3724c6090d8df501b86be52080f.exe	57
PID 1808 wrote to memory of 2980	1808	04aba3724c6090d8df501b86be52080f.exe	57
PID 1808 wrote to memory of 2980	1808	04aba3724c6090d8df501b86be52080f.exe	57
PID 1808 wrote to memory of 2980	1808	04aba3724c6090d8df501b86be52080f.exe	57
PID 1808 wrote to memory of 760	1808	04aba3724c6090d8df501b86be52080f.exe	59
PID 1808 wrote to memory of 760	1808	04aba3724c6090d8df501b86be52080f.exe	59
PID 1808 wrote to memory of 760	1808	04aba3724c6090d8df501b86be52080f.exe	59
PID 1808 wrote to memory of 760	1808	04aba3724c6090d8df501b86be52080f.exe	59
PID 1808 wrote to memory of 932	1808	04aba3724c6090d8df501b86be52080f.exe	61
PID 1808 wrote to memory of 932	1808	04aba3724c6090d8df501b86be52080f.exe	61
PID 1808 wrote to memory of 932	1808	04aba3724c6090d8df501b86be52080f.exe	61
PID 1808 wrote to memory of 932	1808	04aba3724c6090d8df501b86be52080f.exe	61

C:\Users\Admin\AppData\Local\Temp\04aba3724c6090d8df501b86be52080f.exe
"C:\Users\Admin\AppData\Local\Temp\04aba3724c6090d8df501b86be52080f.exe"
1⤵
- Adds Run key to start application
- Enumerates connected drives
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1808
- C:\Windows\SysWOW64\nslookup.exe
  nslookup nomoreransom.coin dns1.soprodns.ru
  2⤵
  PID:2852
- C:\Windows\SysWOW64\nslookup.exe
  nslookup nomoreransom.bit dns1.soprodns.ru
  2⤵
  PID:2492
- C:\Windows\SysWOW64\nslookup.exe
  nslookup gandcrab.bit dns2.soprodns.ru
  2⤵
  PID:2496
- C:\Windows\SysWOW64\nslookup.exe
  nslookup nomoreransom.coin dns2.soprodns.ru
  2⤵
  PID:2480
- C:\Windows\SysWOW64\nslookup.exe
  nslookup nomoreransom.bit dns2.soprodns.ru
  2⤵
  PID:2592
- C:\Windows\SysWOW64\nslookup.exe
  nslookup gandcrab.bit dns1.soprodns.ru
  2⤵
  PID:2976
- C:\Windows\SysWOW64\nslookup.exe
  nslookup nomoreransom.coin dns1.soprodns.ru
  2⤵
  PID:2476
- C:\Windows\SysWOW64\nslookup.exe
  nslookup nomoreransom.bit dns1.soprodns.ru
  2⤵
  PID:2404
- C:\Windows\SysWOW64\nslookup.exe
  nslookup gandcrab.bit dns2.soprodns.ru
  2⤵
  PID:2784
- C:\Windows\SysWOW64\nslookup.exe
  nslookup nomoreransom.coin dns2.soprodns.ru
  2⤵
  PID:2020
- C:\Windows\SysWOW64\nslookup.exe
  nslookup nomoreransom.bit dns2.soprodns.ru
  2⤵
  PID:1204
- C:\Windows\SysWOW64\nslookup.exe
  nslookup gandcrab.bit dns1.soprodns.ru
  2⤵
  PID:1508
- C:\Windows\SysWOW64\nslookup.exe
  nslookup nomoreransom.coin dns1.soprodns.ru
  2⤵
  PID:2664
- C:\Windows\SysWOW64\nslookup.exe
  nslookup nomoreransom.bit dns1.soprodns.ru
  2⤵
  PID:2980
- C:\Windows\SysWOW64\nslookup.exe
  nslookup gandcrab.bit dns2.soprodns.ru
  2⤵
  PID:760
- C:\Windows\SysWOW64\nslookup.exe
  nslookup nomoreransom.coin dns2.soprodns.ru
  2⤵
  PID:932
- C:\Windows\SysWOW64\nslookup.exe
  nslookup nomoreransom.bit dns2.soprodns.ru
  2⤵
  PID:940
- C:\Windows\SysWOW64\nslookup.exe
  nslookup gandcrab.bit dns1.soprodns.ru
  2⤵
  PID:1944
- C:\Windows\SysWOW64\nslookup.exe
  nslookup nomoreransom.coin dns1.soprodns.ru
  2⤵
  PID:1616
- C:\Windows\SysWOW64\nslookup.exe
  nslookup nomoreransom.bit dns1.soprodns.ru
  2⤵
  PID:1636
- C:\Windows\SysWOW64\nslookup.exe
  nslookup gandcrab.bit dns2.soprodns.ru
  2⤵
  PID:1412
- C:\Windows\SysWOW64\nslookup.exe
  nslookup nomoreransom.coin dns2.soprodns.ru
  2⤵
  PID:1148
- C:\Windows\SysWOW64\nslookup.exe
  nslookup nomoreransom.bit dns2.soprodns.ru
  2⤵
  PID:2076
- C:\Windows\SysWOW64\nslookup.exe
  nslookup gandcrab.bit dns1.soprodns.ru
  2⤵
  PID:1208
- C:\Windows\SysWOW64\nslookup.exe
  nslookup nomoreransom.coin dns1.soprodns.ru
  2⤵
  PID:584
- C:\Windows\SysWOW64\nslookup.exe
  nslookup nomoreransom.bit dns1.soprodns.ru
  2⤵
  PID:2156
- C:\Windows\SysWOW64\nslookup.exe
  nslookup gandcrab.bit dns2.soprodns.ru
  2⤵
  PID:2056
- C:\Windows\SysWOW64\nslookup.exe
  nslookup nomoreransom.coin dns2.soprodns.ru
  2⤵
  PID:696
- C:\Windows\SysWOW64\nslookup.exe
  nslookup nomoreransom.bit dns2.soprodns.ru
  2⤵
  PID:2916
- C:\Windows\SysWOW64\nslookup.exe
  nslookup gandcrab.bit dns1.soprodns.ru
  2⤵
  PID:1960
- C:\Windows\SysWOW64\nslookup.exe
  nslookup nomoreransom.coin dns1.soprodns.ru
  2⤵
  PID:708
- C:\Windows\SysWOW64\nslookup.exe
  nslookup nomoreransom.bit dns1.soprodns.ru
  2⤵
  PID:1608
- C:\Windows\SysWOW64\nslookup.exe
  nslookup gandcrab.bit dns2.soprodns.ru
  2⤵
  PID:1684
- C:\Windows\SysWOW64\nslookup.exe
  nslookup nomoreransom.coin dns2.soprodns.ru
  2⤵
  PID:1104
- C:\Windows\SysWOW64\nslookup.exe
  nslookup nomoreransom.bit dns2.soprodns.ru
  2⤵
  PID:456
- C:\Windows\SysWOW64\nslookup.exe
  nslookup gandcrab.bit dns1.soprodns.ru
  2⤵
  PID:1748
- C:\Windows\SysWOW64\nslookup.exe
  nslookup nomoreransom.coin dns1.soprodns.ru
  2⤵
  PID:1760
- C:\Windows\SysWOW64\nslookup.exe
  nslookup nomoreransom.bit dns1.soprodns.ru
  2⤵
  PID:1984
- C:\Windows\SysWOW64\nslookup.exe
  nslookup gandcrab.bit dns2.soprodns.ru
  2⤵
  PID:1916
- C:\Windows\SysWOW64\nslookup.exe
  nslookup nomoreransom.coin dns2.soprodns.ru
  2⤵
  PID:2184
- C:\Windows\SysWOW64\nslookup.exe
  nslookup nomoreransom.bit dns2.soprodns.ru
  2⤵
  PID:1372
- C:\Windows\SysWOW64\nslookup.exe
  nslookup gandcrab.bit dns1.soprodns.ru
  2⤵
  PID:1724
- C:\Windows\SysWOW64\nslookup.exe
  nslookup nomoreransom.coin dns1.soprodns.ru
  2⤵
  PID:2100
- C:\Windows\SysWOW64\nslookup.exe
  nslookup nomoreransom.bit dns1.soprodns.ru
  2⤵
  PID:2576
- C:\Windows\SysWOW64\nslookup.exe
  nslookup gandcrab.bit dns2.soprodns.ru
  2⤵
  PID:2604
- C:\Windows\SysWOW64\nslookup.exe
  nslookup nomoreransom.coin dns2.soprodns.ru
  2⤵
  PID:2640
- C:\Windows\SysWOW64\nslookup.exe
  nslookup nomoreransom.bit dns2.soprodns.ru
  2⤵
  PID:2448
- C:\Windows\SysWOW64\nslookup.exe
  nslookup gandcrab.bit dns1.soprodns.ru
  2⤵
  PID:2504
- C:\Windows\SysWOW64\nslookup.exe
  nslookup nomoreransom.coin dns1.soprodns.ru
  2⤵
  PID:2704
- C:\Windows\SysWOW64\nslookup.exe
  nslookup nomoreransom.bit dns1.soprodns.ru
  2⤵
  PID:2360
- C:\Windows\SysWOW64\nslookup.exe
  nslookup gandcrab.bit dns2.soprodns.ru
  2⤵
  PID:2444
- C:\Windows\SysWOW64\nslookup.exe
  nslookup nomoreransom.coin dns2.soprodns.ru
  2⤵
  PID:2780
- C:\Windows\SysWOW64\nslookup.exe
  nslookup nomoreransom.bit dns2.soprodns.ru
  2⤵
  PID:1076
- C:\Windows\SysWOW64\nslookup.exe
  nslookup gandcrab.bit dns1.soprodns.ru
  2⤵
  PID:1276
- C:\Windows\SysWOW64\nslookup.exe
  nslookup nomoreransom.coin dns1.soprodns.ru
  2⤵
  PID:2348
- C:\Windows\SysWOW64\nslookup.exe
  nslookup nomoreransom.bit dns1.soprodns.ru
  2⤵
  PID:2116
- C:\Windows\SysWOW64\nslookup.exe
  nslookup gandcrab.bit dns2.soprodns.ru
  2⤵
  PID:2900
- C:\Windows\SysWOW64\nslookup.exe
  nslookup nomoreransom.coin dns2.soprodns.ru
  2⤵
  PID:1976
- C:\Windows\SysWOW64\nslookup.exe
  nslookup nomoreransom.bit dns2.soprodns.ru
  2⤵
  PID:928
- C:\Windows\SysWOW64\nslookup.exe
  nslookup gandcrab.bit dns1.soprodns.ru
  2⤵
  PID:108
- C:\Windows\SysWOW64\nslookup.exe
  nslookup nomoreransom.coin dns1.soprodns.ru
  2⤵
  PID:1972
- C:\Windows\SysWOW64\nslookup.exe
  nslookup nomoreransom.bit dns1.soprodns.ru
  2⤵
  PID:2332
- C:\Windows\SysWOW64\nslookup.exe
  nslookup gandcrab.bit dns2.soprodns.ru
  2⤵
  PID:844
- C:\Windows\SysWOW64\nslookup.exe
  nslookup nomoreransom.coin dns2.soprodns.ru
  2⤵
  PID:572
- C:\Windows\SysWOW64\nslookup.exe
  nslookup nomoreransom.bit dns2.soprodns.ru
  2⤵
  PID:2220
- C:\Windows\SysWOW64\nslookup.exe
  nslookup gandcrab.bit dns1.soprodns.ru
  2⤵
  PID:592
- C:\Windows\SysWOW64\nslookup.exe
  nslookup nomoreransom.coin dns1.soprodns.ru
  2⤵
  PID:524
- C:\Windows\SysWOW64\nslookup.exe
  nslookup nomoreransom.bit dns1.soprodns.ru
  2⤵
  PID:2712
- C:\Windows\SysWOW64\nslookup.exe
  nslookup gandcrab.bit dns2.soprodns.ru
  2⤵
  PID:896
- C:\Windows\SysWOW64\nslookup.exe
  nslookup nomoreransom.coin dns2.soprodns.ru
  2⤵
  PID:2936
- C:\Windows\SysWOW64\nslookup.exe
  nslookup nomoreransom.bit dns2.soprodns.ru
  2⤵
  PID:2120
- C:\Windows\SysWOW64\nslookup.exe
  nslookup gandcrab.bit dns1.soprodns.ru
  2⤵
  PID:332
- C:\Windows\SysWOW64\nslookup.exe
  nslookup nomoreransom.coin dns1.soprodns.ru
  2⤵
  PID:1084
- C:\Windows\SysWOW64\nslookup.exe
  nslookup nomoreransom.bit dns1.soprodns.ru
  2⤵
  PID:3036
- C:\Windows\SysWOW64\nslookup.exe
  nslookup gandcrab.bit dns2.soprodns.ru
  2⤵
  PID:1212
- C:\Windows\SysWOW64\nslookup.exe
  nslookup nomoreransom.coin dns2.soprodns.ru
  2⤵
  PID:288
- C:\Windows\SysWOW64\nslookup.exe
  nslookup nomoreransom.bit dns2.soprodns.ru
  2⤵
  PID:2204
- C:\Windows\SysWOW64\nslookup.exe
  nslookup gandcrab.bit dns1.soprodns.ru
  2⤵
  PID:1644
- C:\Windows\SysWOW64\nslookup.exe
  nslookup nomoreransom.coin dns1.soprodns.ru
  2⤵
  PID:2188
- C:\Windows\SysWOW64\nslookup.exe
  nslookup nomoreransom.bit dns1.soprodns.ru
  2⤵
  PID:2696
- C:\Windows\SysWOW64\nslookup.exe
  nslookup gandcrab.bit dns2.soprodns.ru
  2⤵
  PID:2328
- C:\Windows\SysWOW64\nslookup.exe
  nslookup nomoreransom.coin dns2.soprodns.ru
  2⤵
  PID:2896
- C:\Windows\SysWOW64\nslookup.exe
  nslookup nomoreransom.bit dns2.soprodns.ru
  2⤵
  PID:2860
- C:\Windows\SysWOW64\nslookup.exe
  nslookup gandcrab.bit dns1.soprodns.ru
  2⤵
  PID:2556
- C:\Windows\SysWOW64\nslookup.exe
  nslookup nomoreransom.coin dns1.soprodns.ru
  2⤵
  PID:2868
- C:\Windows\SysWOW64\nslookup.exe
  nslookup nomoreransom.bit dns1.soprodns.ru
  2⤵
  PID:2748
- C:\Windows\SysWOW64\nslookup.exe
  nslookup gandcrab.bit dns2.soprodns.ru
  2⤵
  PID:2676
- C:\Windows\SysWOW64\nslookup.exe
  nslookup nomoreransom.coin dns2.soprodns.ru
  2⤵
  PID:2828
- C:\Windows\SysWOW64\nslookup.exe
  nslookup nomoreransom.bit dns2.soprodns.ru
  2⤵
  PID:2560
- C:\Windows\SysWOW64\nslookup.exe
  nslookup gandcrab.bit dns1.soprodns.ru
  2⤵
  PID:2356
- C:\Windows\SysWOW64\nslookup.exe
  nslookup nomoreransom.coin dns1.soprodns.ru
  2⤵
  PID:2484
- C:\Windows\SysWOW64\nslookup.exe
  nslookup nomoreransom.bit dns1.soprodns.ru
  2⤵
  PID:2776
- C:\Windows\SysWOW64\nslookup.exe
  nslookup gandcrab.bit dns2.soprodns.ru
  2⤵
  PID:2160
- C:\Windows\SysWOW64\nslookup.exe
  nslookup nomoreransom.coin dns2.soprodns.ru
  2⤵
  PID:956
- C:\Windows\SysWOW64\nslookup.exe
  nslookup nomoreransom.bit dns2.soprodns.ru
  2⤵
  PID:2464
- C:\Windows\SysWOW64\nslookup.exe
  nslookup gandcrab.bit dns1.soprodns.ru
  2⤵
  PID:1580
- C:\Windows\SysWOW64\nslookup.exe
  nslookup nomoreransom.coin dns1.soprodns.ru
  2⤵
  PID:1768
- C:\Windows\SysWOW64\nslookup.exe
  nslookup nomoreransom.bit dns1.soprodns.ru
  2⤵
  PID:944
- C:\Windows\SysWOW64\nslookup.exe
  nslookup gandcrab.bit dns2.soprodns.ru
  2⤵
  PID:948
- C:\Windows\SysWOW64\nslookup.exe
  nslookup nomoreransom.coin dns2.soprodns.ru
  2⤵
  PID:1712
- C:\Windows\SysWOW64\nslookup.exe
  nslookup nomoreransom.bit dns2.soprodns.ru
  2⤵
  PID:3012
- C:\Windows\SysWOW64\nslookup.exe
  nslookup gandcrab.bit dns1.soprodns.ru
  2⤵
  PID:1488
- C:\Windows\SysWOW64\nslookup.exe
  nslookup nomoreransom.coin dns1.soprodns.ru
  2⤵
  PID:2312
- C:\Windows\SysWOW64\nslookup.exe
  nslookup nomoreransom.bit dns1.soprodns.ru
  2⤵
  PID:1368
- C:\Windows\SysWOW64\nslookup.exe
  nslookup gandcrab.bit dns2.soprodns.ru
  2⤵
  PID:676
- C:\Windows\SysWOW64\nslookup.exe
  nslookup nomoreransom.coin dns2.soprodns.ru
  2⤵
  PID:2096