Analysis
- max time kernel: 150s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20240419-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 05-05-2024 16:22
Behavioral task behavioral1
- Sample: 1873c05ebf79bf8392d184e579094ac8_JaffaCakes118.exe
- Resource: win7-20240221-en
Behavioral task behavioral2
- Sample: 1873c05ebf79bf8392d184e579094ac8_JaffaCakes118.exe
- Resource: win10v2004-20240419-en
General
- Target: 1873c05ebf79bf8392d184e579094ac8_JaffaCakes118.exe
- Size: 69KB
- MD5: 1873c05ebf79bf8392d184e579094ac8
- SHA1: 53a2e7bab6484a197b54b8db20647bda90b0ab29
- SHA256: 9a2565629a171a9bd2903d6df4ada42fb6613ae85be66c8b54b58cd4569c87f3
- SHA512: 633af5f513074897aaada4892176b7243fa3e835b64b18710ad96d1e0674adc1aee101ff1a7c8aa508b9834136e1757d825151442c13c5fd67a3f07809ea1f7e
- SSDEEP: 1536:5ZZZZZZZZZZZZpXzzzzzzzzzzzzV9rXounV98hbHnAwfMqqU+2bbbAV2/S2Lkvd9:lBounVyFHpfMqqDL2/Lkvd
Malware Config
Signatures
Adds Run key to start application (2 TTPs, 1 IoCs)
- Description: Set value (str)
- IoC: \REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\yeeqmhcugsi = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1873c05ebf79bf8392d184e579094ac8_JaffaCakes118.exe"
- Process: 1873c05ebf79bf8392d184e579094ac8_JaffaCakes118.exe
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
- Description: File opened (read-only)
- Process: 1873c05ebf79bf8392d184e579094ac8_JaffaCakes118.exe
- IoCs: \??\H:, \??\J:, \??\L:, \??\T:, \??\X:, \??\B:, \??\N:, \??\P:, \??\S:, \??\W:, \??\Z:, \??\G:, \??\E:, \??\I:, \??\O:, \??\A:, \??\M:, \??\Q:, \??\R:, \??\U:, \??\V:, \??\Y:, \??\K:
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (process: 1873c05ebf79bf8392d184e579094ac8_JaffaCakes118.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (process: 1873c05ebf79bf8392d184e579094ac8_JaffaCakes118.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier (process: 1873c05ebf79bf8392d184e579094ac8_JaffaCakes118.exe)
Suspicious behavior: EnumeratesProcesses 4 IoCs
- pid 4448, process 1873c05ebf79bf8392d184e579094ac8_JaffaCakes118.exe
- pid 4448, process 1873c05ebf79bf8392d184e579094ac8_JaffaCakes118.exe
- pid 4448, process 1873c05ebf79bf8392d184e579094ac8_JaffaCakes118.exe
- pid 4448, process 1873c05ebf79bf8392d184e579094ac8_JaffaCakes118.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes
C:\Users\Admin\AppData\Local\Temp\1873c05ebf79bf8392d184e579094ac8_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\1873c05ebf79bf8392d184e579094ac8_JaffaCakes118.exe"
PID:4448
- Adds Run key to start application
- Enumerates connected drives
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
Child processes:
- C:\Windows\SysWOW64\nslookup.exe: nslookup nomoreransom.coin dns1.soprodns.ru (PID:1996)
- C:\Windows\SysWOW64\nslookup.exe: nslookup nomoreransom.bit dns1.soprodns.ru (PID:216)
- C:\Windows\SysWOW64\nslookup.exe: nslookup gandcrab.bit dns2.soprodns.ru (PID:220)
- C:\Windows\SysWOW64\nslookup.exe: nslookup nomoreransom.coin dns2.soprodns.ru (PID:4108)
- C:\Windows\SysWOW64\nslookup.exe: nslookup nomoreransom.bit dns2.soprodns.ru (PID:3980)
- C:\Windows\SysWOW64\nslookup.exe: nslookup gandcrab.bit dns1.soprodns.ru (PID:2276)