2a6f0b0ceefcd0f292bcbbfd4fe6ad9c3ddd2dee37521b93086417f18102db1a

Analysis

max time kernel
149s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
25/02/2024, 01:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

04aba3724c6090d8df501b86be52080f.exe
Size

69KB
MD5

04aba3724c6090d8df501b86be52080f
SHA1

0300fbdbdb9c4482ab85bf8e2dc1bea3954208e3
SHA256

2a6f0b0ceefcd0f292bcbbfd4fe6ad9c3ddd2dee37521b93086417f18102db1a
SHA512

95aa691fcbc605534b5be0455d3e25c6f07250f309203b03aa30aa7466b0c0582710864e756320b21ee305769b51256a167abce6999209094b48651ff536fba2
SSDEEP

1536:kZZZZZZZZZZZZpXzzzzzzzzzzzzV9rXounV98hbHnAwfMqqU+2bbbAV2/S2Lkvd9:6BounVyFHpfMqqDL2/Lkvd

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bhzrgaqempt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\04aba3724c6090d8df501b86be52080f.exe"	04aba3724c6090d8df501b86be52080f.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\M:	04aba3724c6090d8df501b86be52080f.exe
File opened (read-only)	\??\O:	04aba3724c6090d8df501b86be52080f.exe
File opened (read-only)	\??\P:	04aba3724c6090d8df501b86be52080f.exe
File opened (read-only)	\??\S:	04aba3724c6090d8df501b86be52080f.exe
File opened (read-only)	\??\Y:	04aba3724c6090d8df501b86be52080f.exe
File opened (read-only)	\??\A:	04aba3724c6090d8df501b86be52080f.exe
File opened (read-only)	\??\E:	04aba3724c6090d8df501b86be52080f.exe
File opened (read-only)	\??\K:	04aba3724c6090d8df501b86be52080f.exe
File opened (read-only)	\??\V:	04aba3724c6090d8df501b86be52080f.exe
File opened (read-only)	\??\W:	04aba3724c6090d8df501b86be52080f.exe
File opened (read-only)	\??\B:	04aba3724c6090d8df501b86be52080f.exe
File opened (read-only)	\??\I:	04aba3724c6090d8df501b86be52080f.exe
File opened (read-only)	\??\R:	04aba3724c6090d8df501b86be52080f.exe
File opened (read-only)	\??\U:	04aba3724c6090d8df501b86be52080f.exe
File opened (read-only)	\??\H:	04aba3724c6090d8df501b86be52080f.exe
File opened (read-only)	\??\J:	04aba3724c6090d8df501b86be52080f.exe
File opened (read-only)	\??\T:	04aba3724c6090d8df501b86be52080f.exe
File opened (read-only)	\??\Q:	04aba3724c6090d8df501b86be52080f.exe
File opened (read-only)	\??\X:	04aba3724c6090d8df501b86be52080f.exe
File opened (read-only)	\??\Z:	04aba3724c6090d8df501b86be52080f.exe
File opened (read-only)	\??\G:	04aba3724c6090d8df501b86be52080f.exe
File opened (read-only)	\??\L:	04aba3724c6090d8df501b86be52080f.exe
File opened (read-only)	\??\N:	04aba3724c6090d8df501b86be52080f.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	04aba3724c6090d8df501b86be52080f.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	04aba3724c6090d8df501b86be52080f.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	04aba3724c6090d8df501b86be52080f.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2180	04aba3724c6090d8df501b86be52080f.exe
2180	04aba3724c6090d8df501b86be52080f.exe
2180	04aba3724c6090d8df501b86be52080f.exe
2180	04aba3724c6090d8df501b86be52080f.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2180 wrote to memory of 2560	2180	04aba3724c6090d8df501b86be52080f.exe	88
PID 2180 wrote to memory of 2560	2180	04aba3724c6090d8df501b86be52080f.exe	88
PID 2180 wrote to memory of 2560	2180	04aba3724c6090d8df501b86be52080f.exe	88
PID 2180 wrote to memory of 4016	2180	04aba3724c6090d8df501b86be52080f.exe	92
PID 2180 wrote to memory of 4016	2180	04aba3724c6090d8df501b86be52080f.exe	92
PID 2180 wrote to memory of 4016	2180	04aba3724c6090d8df501b86be52080f.exe	92
PID 2180 wrote to memory of 544	2180	04aba3724c6090d8df501b86be52080f.exe	94
PID 2180 wrote to memory of 544	2180	04aba3724c6090d8df501b86be52080f.exe	94
PID 2180 wrote to memory of 544	2180	04aba3724c6090d8df501b86be52080f.exe	94
PID 2180 wrote to memory of 2124	2180	04aba3724c6090d8df501b86be52080f.exe	96
PID 2180 wrote to memory of 2124	2180	04aba3724c6090d8df501b86be52080f.exe	96
PID 2180 wrote to memory of 2124	2180	04aba3724c6090d8df501b86be52080f.exe	96
PID 2180 wrote to memory of 2884	2180	04aba3724c6090d8df501b86be52080f.exe	98
PID 2180 wrote to memory of 2884	2180	04aba3724c6090d8df501b86be52080f.exe	98
PID 2180 wrote to memory of 2884	2180	04aba3724c6090d8df501b86be52080f.exe	98
PID 2180 wrote to memory of 1828	2180	04aba3724c6090d8df501b86be52080f.exe	100
PID 2180 wrote to memory of 1828	2180	04aba3724c6090d8df501b86be52080f.exe	100
PID 2180 wrote to memory of 1828	2180	04aba3724c6090d8df501b86be52080f.exe	100
PID 2180 wrote to memory of 708	2180	04aba3724c6090d8df501b86be52080f.exe	102
PID 2180 wrote to memory of 708	2180	04aba3724c6090d8df501b86be52080f.exe	102
PID 2180 wrote to memory of 708	2180	04aba3724c6090d8df501b86be52080f.exe	102
PID 2180 wrote to memory of 904	2180	04aba3724c6090d8df501b86be52080f.exe	104
PID 2180 wrote to memory of 904	2180	04aba3724c6090d8df501b86be52080f.exe	104
PID 2180 wrote to memory of 904	2180	04aba3724c6090d8df501b86be52080f.exe	104
PID 2180 wrote to memory of 2244	2180	04aba3724c6090d8df501b86be52080f.exe	106
PID 2180 wrote to memory of 2244	2180	04aba3724c6090d8df501b86be52080f.exe	106
PID 2180 wrote to memory of 2244	2180	04aba3724c6090d8df501b86be52080f.exe	106
PID 2180 wrote to memory of 2960	2180	04aba3724c6090d8df501b86be52080f.exe	108
PID 2180 wrote to memory of 2960	2180	04aba3724c6090d8df501b86be52080f.exe	108
PID 2180 wrote to memory of 2960	2180	04aba3724c6090d8df501b86be52080f.exe	108
PID 2180 wrote to memory of 744	2180	04aba3724c6090d8df501b86be52080f.exe	110
PID 2180 wrote to memory of 744	2180	04aba3724c6090d8df501b86be52080f.exe	110
PID 2180 wrote to memory of 744	2180	04aba3724c6090d8df501b86be52080f.exe	110
PID 2180 wrote to memory of 1608	2180	04aba3724c6090d8df501b86be52080f.exe	112
PID 2180 wrote to memory of 1608	2180	04aba3724c6090d8df501b86be52080f.exe	112
PID 2180 wrote to memory of 1608	2180	04aba3724c6090d8df501b86be52080f.exe	112
PID 2180 wrote to memory of 2344	2180	04aba3724c6090d8df501b86be52080f.exe	114
PID 2180 wrote to memory of 2344	2180	04aba3724c6090d8df501b86be52080f.exe	114
PID 2180 wrote to memory of 2344	2180	04aba3724c6090d8df501b86be52080f.exe	114
PID 2180 wrote to memory of 320	2180	04aba3724c6090d8df501b86be52080f.exe	116
PID 2180 wrote to memory of 320	2180	04aba3724c6090d8df501b86be52080f.exe	116
PID 2180 wrote to memory of 320	2180	04aba3724c6090d8df501b86be52080f.exe	116
PID 2180 wrote to memory of 4380	2180	04aba3724c6090d8df501b86be52080f.exe	118
PID 2180 wrote to memory of 4380	2180	04aba3724c6090d8df501b86be52080f.exe	118
PID 2180 wrote to memory of 4380	2180	04aba3724c6090d8df501b86be52080f.exe	118
PID 2180 wrote to memory of 5108	2180	04aba3724c6090d8df501b86be52080f.exe	120
PID 2180 wrote to memory of 5108	2180	04aba3724c6090d8df501b86be52080f.exe	120
PID 2180 wrote to memory of 5108	2180	04aba3724c6090d8df501b86be52080f.exe	120
PID 2180 wrote to memory of 3500	2180	04aba3724c6090d8df501b86be52080f.exe	122
PID 2180 wrote to memory of 3500	2180	04aba3724c6090d8df501b86be52080f.exe	122
PID 2180 wrote to memory of 3500	2180	04aba3724c6090d8df501b86be52080f.exe	122
PID 2180 wrote to memory of 228	2180	04aba3724c6090d8df501b86be52080f.exe	124
PID 2180 wrote to memory of 228	2180	04aba3724c6090d8df501b86be52080f.exe	124
PID 2180 wrote to memory of 228	2180	04aba3724c6090d8df501b86be52080f.exe	124
PID 2180 wrote to memory of 4740	2180	04aba3724c6090d8df501b86be52080f.exe	126
PID 2180 wrote to memory of 4740	2180	04aba3724c6090d8df501b86be52080f.exe	126
PID 2180 wrote to memory of 4740	2180	04aba3724c6090d8df501b86be52080f.exe	126
PID 2180 wrote to memory of 4552	2180	04aba3724c6090d8df501b86be52080f.exe	130
PID 2180 wrote to memory of 4552	2180	04aba3724c6090d8df501b86be52080f.exe	130
PID 2180 wrote to memory of 4552	2180	04aba3724c6090d8df501b86be52080f.exe	130
PID 2180 wrote to memory of 4576	2180	04aba3724c6090d8df501b86be52080f.exe	132
PID 2180 wrote to memory of 4576	2180	04aba3724c6090d8df501b86be52080f.exe	132
PID 2180 wrote to memory of 4576	2180	04aba3724c6090d8df501b86be52080f.exe	132
PID 2180 wrote to memory of 4600	2180	04aba3724c6090d8df501b86be52080f.exe	134

C:\Users\Admin\AppData\Local\Temp\04aba3724c6090d8df501b86be52080f.exe
"C:\Users\Admin\AppData\Local\Temp\04aba3724c6090d8df501b86be52080f.exe"
1⤵
- Adds Run key to start application
- Enumerates connected drives
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2180
- C:\Windows\SysWOW64\nslookup.exe
  nslookup nomoreransom.coin dns1.soprodns.ru
  2⤵
  PID:2560
- C:\Windows\SysWOW64\nslookup.exe
  nslookup nomoreransom.bit dns1.soprodns.ru
  2⤵
  PID:4016
- C:\Windows\SysWOW64\nslookup.exe
  nslookup gandcrab.bit dns2.soprodns.ru
  2⤵
  PID:544
- C:\Windows\SysWOW64\nslookup.exe
  nslookup nomoreransom.coin dns2.soprodns.ru
  2⤵
  PID:2124
- C:\Windows\SysWOW64\nslookup.exe
  nslookup nomoreransom.bit dns2.soprodns.ru
  2⤵
  PID:2884
- C:\Windows\SysWOW64\nslookup.exe
  nslookup gandcrab.bit dns1.soprodns.ru
  2⤵
  PID:1828
- C:\Windows\SysWOW64\nslookup.exe
  nslookup nomoreransom.coin dns1.soprodns.ru
  2⤵
  PID:708
- C:\Windows\SysWOW64\nslookup.exe
  nslookup nomoreransom.bit dns1.soprodns.ru
  2⤵
  PID:904
- C:\Windows\SysWOW64\nslookup.exe
  nslookup gandcrab.bit dns2.soprodns.ru
  2⤵
  PID:2244
- C:\Windows\SysWOW64\nslookup.exe
  nslookup nomoreransom.coin dns2.soprodns.ru
  2⤵
  PID:2960
- C:\Windows\SysWOW64\nslookup.exe
  nslookup nomoreransom.bit dns2.soprodns.ru
  2⤵
  PID:744
- C:\Windows\SysWOW64\nslookup.exe
  nslookup gandcrab.bit dns1.soprodns.ru
  2⤵
  PID:1608
- C:\Windows\SysWOW64\nslookup.exe
  nslookup nomoreransom.coin dns1.soprodns.ru
  2⤵
  PID:2344
- C:\Windows\SysWOW64\nslookup.exe
  nslookup nomoreransom.bit dns1.soprodns.ru
  2⤵
  PID:320
- C:\Windows\SysWOW64\nslookup.exe
  nslookup gandcrab.bit dns2.soprodns.ru
  2⤵
  PID:4380
- C:\Windows\SysWOW64\nslookup.exe
  nslookup nomoreransom.coin dns2.soprodns.ru
  2⤵
  PID:5108
- C:\Windows\SysWOW64\nslookup.exe
  nslookup nomoreransom.bit dns2.soprodns.ru
  2⤵
  PID:3500
- C:\Windows\SysWOW64\nslookup.exe
  nslookup gandcrab.bit dns1.soprodns.ru
  2⤵
  PID:228
- C:\Windows\SysWOW64\nslookup.exe
  nslookup nomoreransom.coin dns1.soprodns.ru
  2⤵
  PID:4740
- C:\Windows\SysWOW64\nslookup.exe
  nslookup nomoreransom.bit dns1.soprodns.ru
  2⤵
  PID:4552
- C:\Windows\SysWOW64\nslookup.exe
  nslookup gandcrab.bit dns2.soprodns.ru
  2⤵
  PID:4576
- C:\Windows\SysWOW64\nslookup.exe
  nslookup nomoreransom.coin dns2.soprodns.ru
  2⤵
  PID:4600
- C:\Windows\SysWOW64\nslookup.exe
  nslookup nomoreransom.bit dns2.soprodns.ru
  2⤵
  PID:1096
- C:\Windows\SysWOW64\nslookup.exe
  nslookup gandcrab.bit dns1.soprodns.ru
  2⤵
  PID:3184
- C:\Windows\SysWOW64\nslookup.exe
  nslookup nomoreransom.coin dns1.soprodns.ru
  2⤵
  PID:2740
- C:\Windows\SysWOW64\nslookup.exe
  nslookup nomoreransom.bit dns1.soprodns.ru
  2⤵
  PID:3804
- C:\Windows\SysWOW64\nslookup.exe
  nslookup gandcrab.bit dns2.soprodns.ru
  2⤵
  PID:4168
- C:\Windows\SysWOW64\nslookup.exe
  nslookup nomoreransom.coin dns2.soprodns.ru
  2⤵
  PID:3956
- C:\Windows\SysWOW64\nslookup.exe
  nslookup nomoreransom.bit dns2.soprodns.ru
  2⤵
  PID:3088
- C:\Windows\SysWOW64\nslookup.exe
  nslookup gandcrab.bit dns1.soprodns.ru
  2⤵
  PID:4164
- C:\Windows\SysWOW64\nslookup.exe
  nslookup nomoreransom.coin dns1.soprodns.ru
  2⤵
  PID:936
- C:\Windows\SysWOW64\nslookup.exe
  nslookup nomoreransom.bit dns1.soprodns.ru
  2⤵
  PID:2156
- C:\Windows\SysWOW64\nslookup.exe
  nslookup gandcrab.bit dns2.soprodns.ru
  2⤵
  PID:2596
- C:\Windows\SysWOW64\nslookup.exe
  nslookup nomoreransom.coin dns2.soprodns.ru
  2⤵
  PID:2632
- C:\Windows\SysWOW64\nslookup.exe
  nslookup nomoreransom.bit dns2.soprodns.ru
  2⤵
  PID:2352
- C:\Windows\SysWOW64\nslookup.exe
  nslookup gandcrab.bit dns1.soprodns.ru
  2⤵
  PID:3724
- C:\Windows\SysWOW64\nslookup.exe
  nslookup nomoreransom.coin dns1.soprodns.ru
  2⤵
  PID:1380
- C:\Windows\SysWOW64\nslookup.exe
  nslookup nomoreransom.bit dns1.soprodns.ru
  2⤵
  PID:2756
- C:\Windows\SysWOW64\nslookup.exe
  nslookup gandcrab.bit dns2.soprodns.ru
  2⤵
  PID:3780
- C:\Windows\SysWOW64\nslookup.exe
  nslookup nomoreransom.coin dns2.soprodns.ru
  2⤵
  PID:3692
- C:\Windows\SysWOW64\nslookup.exe
  nslookup nomoreransom.bit dns2.soprodns.ru
  2⤵
  PID:3888
- C:\Windows\SysWOW64\nslookup.exe
  nslookup gandcrab.bit dns1.soprodns.ru
  2⤵
  PID:920
- C:\Windows\SysWOW64\nslookup.exe
  nslookup nomoreransom.coin dns1.soprodns.ru
  2⤵
  PID:4540
- C:\Windows\SysWOW64\nslookup.exe
  nslookup nomoreransom.bit dns1.soprodns.ru
  2⤵
  PID:2856
- C:\Windows\SysWOW64\nslookup.exe
  nslookup gandcrab.bit dns2.soprodns.ru
  2⤵
  PID:1012
- C:\Windows\SysWOW64\nslookup.exe
  nslookup nomoreransom.coin dns2.soprodns.ru
  2⤵
  PID:2368
- C:\Windows\SysWOW64\nslookup.exe
  nslookup nomoreransom.bit dns2.soprodns.ru
  2⤵
  PID:456
- C:\Windows\SysWOW64\nslookup.exe
  nslookup gandcrab.bit dns1.soprodns.ru
  2⤵
  PID:3784
- C:\Windows\SysWOW64\nslookup.exe
  nslookup nomoreransom.coin dns1.soprodns.ru
  2⤵
  PID:1768
- C:\Windows\SysWOW64\nslookup.exe
  nslookup nomoreransom.bit dns1.soprodns.ru
  2⤵
  PID:2092
- C:\Windows\SysWOW64\nslookup.exe
  nslookup gandcrab.bit dns2.soprodns.ru
  2⤵
  PID:924
- C:\Windows\SysWOW64\nslookup.exe
  nslookup nomoreransom.coin dns2.soprodns.ru
  2⤵
  PID:3764
- C:\Windows\SysWOW64\nslookup.exe
  nslookup nomoreransom.bit dns2.soprodns.ru
  2⤵
  PID:4028
- C:\Windows\SysWOW64\nslookup.exe
  nslookup gandcrab.bit dns1.soprodns.ru
  2⤵
  PID:4316
- C:\Windows\SysWOW64\nslookup.exe
  nslookup nomoreransom.coin dns1.soprodns.ru
  2⤵
  PID:788
- C:\Windows\SysWOW64\nslookup.exe
  nslookup nomoreransom.bit dns1.soprodns.ru
  2⤵
  PID:4060
- C:\Windows\SysWOW64\nslookup.exe
  nslookup gandcrab.bit dns2.soprodns.ru
  2⤵
  PID:4968
- C:\Windows\SysWOW64\nslookup.exe
  nslookup nomoreransom.coin dns2.soprodns.ru
  2⤵
  PID:4416
- C:\Windows\SysWOW64\nslookup.exe
  nslookup nomoreransom.bit dns2.soprodns.ru
  2⤵
  PID:1040
- C:\Windows\SysWOW64\nslookup.exe
  nslookup gandcrab.bit dns1.soprodns.ru
  2⤵
  PID:3400
- C:\Windows\SysWOW64\nslookup.exe
  nslookup nomoreransom.coin dns1.soprodns.ru
  2⤵
  PID:3996
- C:\Windows\SysWOW64\nslookup.exe
  nslookup nomoreransom.bit dns1.soprodns.ru
  2⤵
  PID:2348
- C:\Windows\SysWOW64\nslookup.exe
  nslookup gandcrab.bit dns2.soprodns.ru
  2⤵
  PID:3976
- C:\Windows\SysWOW64\nslookup.exe
  nslookup nomoreransom.coin dns2.soprodns.ru
  2⤵
  PID:2028
- C:\Windows\SysWOW64\nslookup.exe
  nslookup nomoreransom.bit dns2.soprodns.ru
  2⤵
  PID:3392
- C:\Windows\SysWOW64\nslookup.exe
  nslookup gandcrab.bit dns1.soprodns.ru
  2⤵
  PID:3480
- C:\Windows\SysWOW64\nslookup.exe
  nslookup nomoreransom.coin dns1.soprodns.ru
  2⤵
  PID:724
- C:\Windows\SysWOW64\nslookup.exe
  nslookup nomoreransom.bit dns1.soprodns.ru
  2⤵
  PID:1112
- C:\Windows\SysWOW64\nslookup.exe
  nslookup gandcrab.bit dns2.soprodns.ru
  2⤵
  PID:2916
- C:\Windows\SysWOW64\nslookup.exe
  nslookup nomoreransom.coin dns2.soprodns.ru
  2⤵
  PID:4528
- C:\Windows\SysWOW64\nslookup.exe
  nslookup nomoreransom.bit dns2.soprodns.ru
  2⤵
  PID:4184
- C:\Windows\SysWOW64\nslookup.exe
  nslookup gandcrab.bit dns1.soprodns.ru
  2⤵
  PID:3568
- C:\Windows\SysWOW64\nslookup.exe
  nslookup nomoreransom.coin dns1.soprodns.ru
  2⤵
  PID:1288
- C:\Windows\SysWOW64\nslookup.exe
  nslookup nomoreransom.bit dns1.soprodns.ru
  2⤵
  PID:4280
- C:\Windows\SysWOW64\nslookup.exe
  nslookup gandcrab.bit dns2.soprodns.ru
  2⤵
  PID:1808
- C:\Windows\SysWOW64\nslookup.exe
  nslookup nomoreransom.coin dns2.soprodns.ru
  2⤵
  PID:1632
- C:\Windows\SysWOW64\nslookup.exe
  nslookup nomoreransom.bit dns2.soprodns.ru
  2⤵
  PID:3276
- C:\Windows\SysWOW64\nslookup.exe
  nslookup gandcrab.bit dns1.soprodns.ru
  2⤵
  PID:3308
- C:\Windows\SysWOW64\nslookup.exe
  nslookup nomoreransom.coin dns1.soprodns.ru
  2⤵
  PID:232
- C:\Windows\SysWOW64\nslookup.exe
  nslookup nomoreransom.bit dns1.soprodns.ru
  2⤵
  PID:2360
- C:\Windows\SysWOW64\nslookup.exe
  nslookup gandcrab.bit dns2.soprodns.ru
  2⤵
  PID:1680
- C:\Windows\SysWOW64\nslookup.exe
  nslookup nomoreransom.coin dns2.soprodns.ru
  2⤵
  PID:1700
- C:\Windows\SysWOW64\nslookup.exe
  nslookup nomoreransom.bit dns2.soprodns.ru
  2⤵
  PID:2376
- C:\Windows\SysWOW64\nslookup.exe
  nslookup gandcrab.bit dns1.soprodns.ru
  2⤵
  PID:4424
- C:\Windows\SysWOW64\nslookup.exe
  nslookup nomoreransom.coin dns1.soprodns.ru
  2⤵
  PID:984
- C:\Windows\SysWOW64\nslookup.exe
  nslookup nomoreransom.bit dns1.soprodns.ru
  2⤵
  PID:2556
- C:\Windows\SysWOW64\nslookup.exe
  nslookup gandcrab.bit dns2.soprodns.ru
  2⤵
  PID:4980
- C:\Windows\SysWOW64\nslookup.exe
  nslookup nomoreransom.coin dns2.soprodns.ru
  2⤵
  PID:3968
- C:\Windows\SysWOW64\nslookup.exe
  nslookup nomoreransom.bit dns2.soprodns.ru
  2⤵
  PID:3972
- C:\Windows\SysWOW64\nslookup.exe
  nslookup gandcrab.bit dns1.soprodns.ru
  2⤵
  PID:4012
- C:\Windows\SysWOW64\nslookup.exe
  nslookup nomoreransom.coin dns1.soprodns.ru
  2⤵
  PID:1760
- C:\Windows\SysWOW64\nslookup.exe
  nslookup nomoreransom.bit dns1.soprodns.ru
  2⤵
  PID:3140
- C:\Windows\SysWOW64\nslookup.exe
  nslookup gandcrab.bit dns2.soprodns.ru
  2⤵
  PID:5016
- C:\Windows\SysWOW64\nslookup.exe
  nslookup nomoreransom.coin dns2.soprodns.ru
  2⤵
  PID:3120
- C:\Windows\SysWOW64\nslookup.exe
  nslookup nomoreransom.bit dns2.soprodns.ru
  2⤵
  PID:4588
- C:\Windows\SysWOW64\nslookup.exe
  nslookup gandcrab.bit dns1.soprodns.ru
  2⤵
  PID:4720
- C:\Windows\SysWOW64\nslookup.exe
  nslookup nomoreransom.coin dns1.soprodns.ru
  2⤵
  PID:4840
- C:\Windows\SysWOW64\nslookup.exe
  nslookup nomoreransom.bit dns1.soprodns.ru
  2⤵
  PID:5036
- C:\Windows\SysWOW64\nslookup.exe
  nslookup gandcrab.bit dns2.soprodns.ru
  2⤵
  PID:4320
- C:\Windows\SysWOW64\nslookup.exe
  nslookup nomoreransom.coin dns2.soprodns.ru
  2⤵
  PID:3776
- C:\Windows\SysWOW64\nslookup.exe
  nslookup nomoreransom.bit dns2.soprodns.ru
  2⤵
  PID:1832
- C:\Windows\SysWOW64\nslookup.exe
  nslookup gandcrab.bit dns1.soprodns.ru
  2⤵
  PID:424
- C:\Windows\SysWOW64\nslookup.exe
  nslookup nomoreransom.coin dns1.soprodns.ru
  2⤵
  PID:3100
- C:\Windows\SysWOW64\nslookup.exe
  nslookup nomoreransom.bit dns1.soprodns.ru
  2⤵
  PID:1588
- C:\Windows\SysWOW64\nslookup.exe
  nslookup gandcrab.bit dns2.soprodns.ru
  2⤵
  PID:2976
- C:\Windows\SysWOW64\nslookup.exe
  nslookup nomoreransom.coin dns2.soprodns.ru
  2⤵
  PID:3796
- C:\Windows\SysWOW64\nslookup.exe
  nslookup nomoreransom.bit dns2.soprodns.ru
  2⤵
  PID:5032