Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24/03/2024, 03:52
Behavioral task: behavioral1
Sample: d721976d1cda5b317fd29d178ec24e55.exe
Resource: win7-20240221-en
Behavioral task: behavioral2
Sample: d721976d1cda5b317fd29d178ec24e55.exe
Resource: win10v2004-20240226-en
General
Target: d721976d1cda5b317fd29d178ec24e55.exe
Size: 69KB
MD5: d721976d1cda5b317fd29d178ec24e55
SHA1: 2f9988f7f4ac6f482bd4fb1203ebd5257be719c1
SHA256: 376d1f424ec2944ab983f78cf50ec55d0acf56b5e7074ce1d1a2639569c83eeb
SHA512: f928a28c582cbac9abf9211c53209d9d2a956eee852a99030fef60b54d09a46dff3277ec7b6c0787b35a3b19f62c5d5195f66133349e9a17095615a07e547683
SSDEEP: 1536:HZZZZZZZZZZZZpXzzzzzzzzzzzzV9rXounV98hbHnAwfMqqU+2bbbAV2/S2Lkvd9:PBounVyFHpfMqqDL2/Lkvd
Malware Config
Signatures
-
Adds Run key to start application 2 TTPs 1 IoCs
description: Set value (str)
ioc: \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\qtjimveyxsg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\d721976d1cda5b317fd29d178ec24e55.exe"
Process: d721976d1cda5b317fd29d178ec24e55.exe
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description              ioc     Process
File opened (read-only)  \??\Z:  d721976d1cda5b317fd29d178ec24e55.exe
File opened (read-only)  \??\H:  d721976d1cda5b317fd29d178ec24e55.exe
File opened (read-only)  \??\I:  d721976d1cda5b317fd29d178ec24e55.exe
File opened (read-only)  \??\N:  d721976d1cda5b317fd29d178ec24e55.exe
File opened (read-only)  \??\T:  d721976d1cda5b317fd29d178ec24e55.exe
File opened (read-only)  \??\L:  d721976d1cda5b317fd29d178ec24e55.exe
File opened (read-only)  \??\M:  d721976d1cda5b317fd29d178ec24e55.exe
File opened (read-only)  \??\O:  d721976d1cda5b317fd29d178ec24e55.exe
File opened (read-only)  \??\Q:  d721976d1cda5b317fd29d178ec24e55.exe
File opened (read-only)  \??\A:  d721976d1cda5b317fd29d178ec24e55.exe
File opened (read-only)  \??\E:  d721976d1cda5b317fd29d178ec24e55.exe
File opened (read-only)  \??\G:  d721976d1cda5b317fd29d178ec24e55.exe
File opened (read-only)  \??\K:  d721976d1cda5b317fd29d178ec24e55.exe
File opened (read-only)  \??\S:  d721976d1cda5b317fd29d178ec24e55.exe
File opened (read-only)  \??\X:  d721976d1cda5b317fd29d178ec24e55.exe
File opened (read-only)  \??\U:  d721976d1cda5b317fd29d178ec24e55.exe
File opened (read-only)  \??\B:  d721976d1cda5b317fd29d178ec24e55.exe
File opened (read-only)  \??\J:  d721976d1cda5b317fd29d178ec24e55.exe
File opened (read-only)  \??\P:  d721976d1cda5b317fd29d178ec24e55.exe
File opened (read-only)  \??\R:  d721976d1cda5b317fd29d178ec24e55.exe
File opened (read-only)  \??\V:  d721976d1cda5b317fd29d178ec24e55.exe
File opened (read-only)  \??\W:  d721976d1cda5b317fd29d178ec24e55.exe
File opened (read-only)  \??\Y:  d721976d1cda5b317fd29d178ec24e55.exe
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description        ioc                                                                                     Process
Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                        d721976d1cda5b317fd29d178ec24e55.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString    d721976d1cda5b317fd29d178ec24e55.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier             d721976d1cda5b317fd29d178ec24e55.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid   Process
4508  d721976d1cda5b317fd29d178ec24e55.exe
4508  d721976d1cda5b317fd29d178ec24e55.exe
4508  d721976d1cda5b317fd29d178ec24e55.exe
4508  d721976d1cda5b317fd29d178ec24e55.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes
C:\Users\Admin\AppData\Local\Temp\d721976d1cda5b317fd29d178ec24e55.exe (PID: 4508)
Command line: "C:\Users\Admin\AppData\Local\Temp\d721976d1cda5b317fd29d178ec24e55.exe"
- Adds Run key to start application
- Enumerates connected drives
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\nslookup.exe (PID: 1636)
  Command line: nslookup nomoreransom.coin dns1.soprodns.ru
  C:\Windows\SysWOW64\nslookup.exe (PID: 3260)
  Command line: nslookup nomoreransom.bit dns1.soprodns.ru
  C:\Windows\SysWOW64\nslookup.exe (PID: 3016)
  Command line: nslookup gandcrab.bit dns2.soprodns.ru
  C:\Windows\SysWOW64\nslookup.exe (PID: 5016)
  Command line: nslookup nomoreransom.coin dns2.soprodns.ru
  C:\Windows\SysWOW64\nslookup.exe (PID: 3112)
  Command line: nslookup nomoreransom.bit dns2.soprodns.ru
  C:\Windows\SysWOW64\nslookup.exe (PID: 3740)
  Command line: nslookup gandcrab.bit dns1.soprodns.ru