Malware Analysis Report

2024-09-23 06:19

Sample ID 240616-qwdgtsvfkd
Target b3c70a9d0c3fe47f89a0ed6a4d7ca9ac_JaffaCakes118
SHA256 c29c545819bf556787d920164c5ad6ae9da655c62fa6b9ac2614bea4823e208e
Tags
gandcrab persistence
score
10/10

Analysis Overview

score
10/10

SHA256

c29c545819bf556787d920164c5ad6ae9da655c62fa6b9ac2614bea4823e208e

Threat Level: Known bad

The file b3c70a9d0c3fe47f89a0ed6a4d7ca9ac_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

gandcrab persistence

GandCrab payload

Gandcrab family

Adds Run key to start application

Enumerates connected drives

Unsigned PE

Suspicious use of WriteProcessMemory

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-16 13:36

Signatures

GandCrab payload

Description Indicator Process Target
N/A N/A N/A N/A

Gandcrab family

gandcrab

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-16 13:36

Reported

2024-06-16 13:38

Platform

win7-20240611-en

Max time kernel

146s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b3c70a9d0c3fe47f89a0ed6a4d7ca9ac_JaffaCakes118.exe"

Signatures

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\cgnckskubid = "C:\\Users\\Admin\\AppData\\Local\\Temp\\b3c70a9d0c3fe47f89a0ed6a4d7ca9ac_JaffaCakes118.exe" C:\Users\Admin\AppData\Local\Temp\b3c70a9d0c3fe47f89a0ed6a4d7ca9ac_JaffaCakes118.exe N/A

Enumerates connected drives

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Users\Admin\AppData\Local\Temp\b3c70a9d0c3fe47f89a0ed6a4d7ca9ac_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\b3c70a9d0c3fe47f89a0ed6a4d7ca9ac_JaffaCakes118.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\b3c70a9d0c3fe47f89a0ed6a4d7ca9ac_JaffaCakes118.exe N/A

Suspicious use of WriteProcessMemory

Processes

C:\Users\Admin\AppData\Local\Temp\b3c70a9d0c3fe47f89a0ed6a4d7ca9ac_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\b3c70a9d0c3fe47f89a0ed6a4d7ca9ac_JaffaCakes118.exe"

C:\Windows\SysWOW64\nslookup.exe

nslookup nomoreransom.bit dns1.soprodns.ru

C:\Windows\SysWOW64\nslookup.exe

nslookup emsisoft.bit dns1.soprodns.ru

C:\Windows\SysWOW64\nslookup.exe

nslookup gandcrab.bit dns1.soprodns.ru

Network

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-16 13:36

Reported

2024-06-16 13:38

Platform

win10v2004-20240611-en

Max time kernel

149s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b3c70a9d0c3fe47f89a0ed6a4d7ca9ac_JaffaCakes118.exe"

Signatures

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\juzbrjkxcez = "C:\\Users\\Admin\\AppData\\Local\\Temp\\b3c70a9d0c3fe47f89a0ed6a4d7ca9ac_JaffaCakes118.exe" C:\Users\Admin\AppData\Local\Temp\b3c70a9d0c3fe47f89a0ed6a4d7ca9ac_JaffaCakes118.exe N/A

Enumerates connected drives

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\b3c70a9d0c3fe47f89a0ed6a4d7ca9ac_JaffaCakes118.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\b3c70a9d0c3fe47f89a0ed6a4d7ca9ac_JaffaCakes118.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Users\Admin\AppData\Local\Temp\b3c70a9d0c3fe47f89a0ed6a4d7ca9ac_JaffaCakes118.exe N/A

Suspicious use of WriteProcessMemory

Processes

C:\Users\Admin\AppData\Local\Temp\b3c70a9d0c3fe47f89a0ed6a4d7ca9ac_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\b3c70a9d0c3fe47f89a0ed6a4d7ca9ac_JaffaCakes118.exe"

C:\Windows\SysWOW64\nslookup.exe

nslookup nomoreransom.bit dns1.soprodns.ru

C:\Windows\SysWOW64\nslookup.exe

nslookup emsisoft.bit dns1.soprodns.ru

C:\Windows\SysWOW64\nslookup.exe

nslookup gandcrab.bit dns1.soprodns.ru

Network

Files

N/A