gandcrab | ae2c6195bd01c093fd74dabd9df9ace3fc59a418fb3b4e386b1287fd204bbf47

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
15/10/2024, 02:30 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-10-15_e0aa5dad1156a7bf96c5d516e0e65e2e_gandcrab.exe
Size

167KB
MD5

e0aa5dad1156a7bf96c5d516e0e65e2e
SHA1

e28121899aecfad7406811a51a0c5bc8b359e29f
SHA256

ae2c6195bd01c093fd74dabd9df9ace3fc59a418fb3b4e386b1287fd204bbf47
SHA512

569694bb6fd48d96206ba9cd6e7442909780ef9a48fc2e00914fededc126bc36e051e4570b7ad67dff3f4381739826f9fd0a933fe7fcd4ada5d684e8192c60c1
SSDEEP

3072:DYHVHd2NFMqqDL2/mr3IdE8we0Avu5r++ygLIaa4jRv9OtNZped:DyZqqDL6oREzZpK

Score

10^/10

gandcrab backdoor discovery persistence ransomware upx

Malware Config

Signatures

GandCrab payload 2 IoCs

resource	yara_rule
behavioral2/memory/3700-0-0x0000000000400000-0x000000000042C000-memory.dmp	family_gandcrab
behavioral2/memory/3700-4-0x0000000000400000-0x000000000042C000-memory.dmp	family_gandcrab

Gandcrab
Gandcrab is a Trojan horse that encrypts files on a computer.
ransomware backdoor gandcrab

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\iedskxlaesh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2024-10-15_e0aa5dad1156a7bf96c5d516e0e65e2e_gandcrab.exe"	2024-10-15_e0aa5dad1156a7bf96c5d516e0e65e2e_gandcrab.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\G:	2024-10-15_e0aa5dad1156a7bf96c5d516e0e65e2e_gandcrab.exe
File opened (read-only)	\??\N:	2024-10-15_e0aa5dad1156a7bf96c5d516e0e65e2e_gandcrab.exe
File opened (read-only)	\??\O:	2024-10-15_e0aa5dad1156a7bf96c5d516e0e65e2e_gandcrab.exe
File opened (read-only)	\??\R:	2024-10-15_e0aa5dad1156a7bf96c5d516e0e65e2e_gandcrab.exe
File opened (read-only)	\??\V:	2024-10-15_e0aa5dad1156a7bf96c5d516e0e65e2e_gandcrab.exe
File opened (read-only)	\??\Z:	2024-10-15_e0aa5dad1156a7bf96c5d516e0e65e2e_gandcrab.exe
File opened (read-only)	\??\A:	2024-10-15_e0aa5dad1156a7bf96c5d516e0e65e2e_gandcrab.exe
File opened (read-only)	\??\B:	2024-10-15_e0aa5dad1156a7bf96c5d516e0e65e2e_gandcrab.exe
File opened (read-only)	\??\J:	2024-10-15_e0aa5dad1156a7bf96c5d516e0e65e2e_gandcrab.exe
File opened (read-only)	\??\K:	2024-10-15_e0aa5dad1156a7bf96c5d516e0e65e2e_gandcrab.exe
File opened (read-only)	\??\L:	2024-10-15_e0aa5dad1156a7bf96c5d516e0e65e2e_gandcrab.exe
File opened (read-only)	\??\M:	2024-10-15_e0aa5dad1156a7bf96c5d516e0e65e2e_gandcrab.exe
File opened (read-only)	\??\Y:	2024-10-15_e0aa5dad1156a7bf96c5d516e0e65e2e_gandcrab.exe
File opened (read-only)	\??\E:	2024-10-15_e0aa5dad1156a7bf96c5d516e0e65e2e_gandcrab.exe
File opened (read-only)	\??\H:	2024-10-15_e0aa5dad1156a7bf96c5d516e0e65e2e_gandcrab.exe
File opened (read-only)	\??\S:	2024-10-15_e0aa5dad1156a7bf96c5d516e0e65e2e_gandcrab.exe
File opened (read-only)	\??\T:	2024-10-15_e0aa5dad1156a7bf96c5d516e0e65e2e_gandcrab.exe
File opened (read-only)	\??\I:	2024-10-15_e0aa5dad1156a7bf96c5d516e0e65e2e_gandcrab.exe
File opened (read-only)	\??\P:	2024-10-15_e0aa5dad1156a7bf96c5d516e0e65e2e_gandcrab.exe
File opened (read-only)	\??\W:	2024-10-15_e0aa5dad1156a7bf96c5d516e0e65e2e_gandcrab.exe
File opened (read-only)	\??\X:	2024-10-15_e0aa5dad1156a7bf96c5d516e0e65e2e_gandcrab.exe
File opened (read-only)	\??\Q:	2024-10-15_e0aa5dad1156a7bf96c5d516e0e65e2e_gandcrab.exe
File opened (read-only)	\??\U:	2024-10-15_e0aa5dad1156a7bf96c5d516e0e65e2e_gandcrab.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3700-0-0x0000000000400000-0x000000000042C000-memory.dmp	upx
behavioral2/memory/3700-4-0x0000000000400000-0x000000000042C000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-15_e0aa5dad1156a7bf96c5d516e0e65e2e_gandcrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	2024-10-15_e0aa5dad1156a7bf96c5d516e0e65e2e_gandcrab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	2024-10-15_e0aa5dad1156a7bf96c5d516e0e65e2e_gandcrab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	2024-10-15_e0aa5dad1156a7bf96c5d516e0e65e2e_gandcrab.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3700	2024-10-15_e0aa5dad1156a7bf96c5d516e0e65e2e_gandcrab.exe
3700	2024-10-15_e0aa5dad1156a7bf96c5d516e0e65e2e_gandcrab.exe
3700	2024-10-15_e0aa5dad1156a7bf96c5d516e0e65e2e_gandcrab.exe
3700	2024-10-15_e0aa5dad1156a7bf96c5d516e0e65e2e_gandcrab.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 3700 wrote to memory of 3448	3700	2024-10-15_e0aa5dad1156a7bf96c5d516e0e65e2e_gandcrab.exe	87
PID 3700 wrote to memory of 3448	3700	2024-10-15_e0aa5dad1156a7bf96c5d516e0e65e2e_gandcrab.exe	87
PID 3700 wrote to memory of 3448	3700	2024-10-15_e0aa5dad1156a7bf96c5d516e0e65e2e_gandcrab.exe	87
PID 3700 wrote to memory of 1636	3700	2024-10-15_e0aa5dad1156a7bf96c5d516e0e65e2e_gandcrab.exe	97
PID 3700 wrote to memory of 1636	3700	2024-10-15_e0aa5dad1156a7bf96c5d516e0e65e2e_gandcrab.exe	97
PID 3700 wrote to memory of 1636	3700	2024-10-15_e0aa5dad1156a7bf96c5d516e0e65e2e_gandcrab.exe	97
PID 3700 wrote to memory of 3192	3700	2024-10-15_e0aa5dad1156a7bf96c5d516e0e65e2e_gandcrab.exe	102
PID 3700 wrote to memory of 3192	3700	2024-10-15_e0aa5dad1156a7bf96c5d516e0e65e2e_gandcrab.exe	102
PID 3700 wrote to memory of 3192	3700	2024-10-15_e0aa5dad1156a7bf96c5d516e0e65e2e_gandcrab.exe	102
PID 3700 wrote to memory of 4348	3700	2024-10-15_e0aa5dad1156a7bf96c5d516e0e65e2e_gandcrab.exe	108
PID 3700 wrote to memory of 4348	3700	2024-10-15_e0aa5dad1156a7bf96c5d516e0e65e2e_gandcrab.exe	108
PID 3700 wrote to memory of 4348	3700	2024-10-15_e0aa5dad1156a7bf96c5d516e0e65e2e_gandcrab.exe	108
PID 3700 wrote to memory of 212	3700	2024-10-15_e0aa5dad1156a7bf96c5d516e0e65e2e_gandcrab.exe	114
PID 3700 wrote to memory of 212	3700	2024-10-15_e0aa5dad1156a7bf96c5d516e0e65e2e_gandcrab.exe	114
PID 3700 wrote to memory of 212	3700	2024-10-15_e0aa5dad1156a7bf96c5d516e0e65e2e_gandcrab.exe	114
PID 3700 wrote to memory of 1340	3700	2024-10-15_e0aa5dad1156a7bf96c5d516e0e65e2e_gandcrab.exe	118
PID 3700 wrote to memory of 1340	3700	2024-10-15_e0aa5dad1156a7bf96c5d516e0e65e2e_gandcrab.exe	118
PID 3700 wrote to memory of 1340	3700	2024-10-15_e0aa5dad1156a7bf96c5d516e0e65e2e_gandcrab.exe	118
PID 3700 wrote to memory of 3964	3700	2024-10-15_e0aa5dad1156a7bf96c5d516e0e65e2e_gandcrab.exe	123
PID 3700 wrote to memory of 3964	3700	2024-10-15_e0aa5dad1156a7bf96c5d516e0e65e2e_gandcrab.exe	123
PID 3700 wrote to memory of 3964	3700	2024-10-15_e0aa5dad1156a7bf96c5d516e0e65e2e_gandcrab.exe	123
PID 3700 wrote to memory of 2420	3700	2024-10-15_e0aa5dad1156a7bf96c5d516e0e65e2e_gandcrab.exe	127
PID 3700 wrote to memory of 2420	3700	2024-10-15_e0aa5dad1156a7bf96c5d516e0e65e2e_gandcrab.exe	127
PID 3700 wrote to memory of 2420	3700	2024-10-15_e0aa5dad1156a7bf96c5d516e0e65e2e_gandcrab.exe	127
PID 3700 wrote to memory of 1076	3700	2024-10-15_e0aa5dad1156a7bf96c5d516e0e65e2e_gandcrab.exe	131
PID 3700 wrote to memory of 1076	3700	2024-10-15_e0aa5dad1156a7bf96c5d516e0e65e2e_gandcrab.exe	131
PID 3700 wrote to memory of 1076	3700	2024-10-15_e0aa5dad1156a7bf96c5d516e0e65e2e_gandcrab.exe	131
PID 3700 wrote to memory of 3708	3700	2024-10-15_e0aa5dad1156a7bf96c5d516e0e65e2e_gandcrab.exe	140
PID 3700 wrote to memory of 3708	3700	2024-10-15_e0aa5dad1156a7bf96c5d516e0e65e2e_gandcrab.exe	140
PID 3700 wrote to memory of 3708	3700	2024-10-15_e0aa5dad1156a7bf96c5d516e0e65e2e_gandcrab.exe	140
PID 3700 wrote to memory of 1792	3700	2024-10-15_e0aa5dad1156a7bf96c5d516e0e65e2e_gandcrab.exe	147
PID 3700 wrote to memory of 1792	3700	2024-10-15_e0aa5dad1156a7bf96c5d516e0e65e2e_gandcrab.exe	147
PID 3700 wrote to memory of 1792	3700	2024-10-15_e0aa5dad1156a7bf96c5d516e0e65e2e_gandcrab.exe	147
PID 3700 wrote to memory of 1176	3700	2024-10-15_e0aa5dad1156a7bf96c5d516e0e65e2e_gandcrab.exe	151
PID 3700 wrote to memory of 1176	3700	2024-10-15_e0aa5dad1156a7bf96c5d516e0e65e2e_gandcrab.exe	151
PID 3700 wrote to memory of 1176	3700	2024-10-15_e0aa5dad1156a7bf96c5d516e0e65e2e_gandcrab.exe	151
PID 3700 wrote to memory of 3304	3700	2024-10-15_e0aa5dad1156a7bf96c5d516e0e65e2e_gandcrab.exe	155
PID 3700 wrote to memory of 3304	3700	2024-10-15_e0aa5dad1156a7bf96c5d516e0e65e2e_gandcrab.exe	155
PID 3700 wrote to memory of 3304	3700	2024-10-15_e0aa5dad1156a7bf96c5d516e0e65e2e_gandcrab.exe	155
PID 3700 wrote to memory of 5084	3700	2024-10-15_e0aa5dad1156a7bf96c5d516e0e65e2e_gandcrab.exe	162
PID 3700 wrote to memory of 5084	3700	2024-10-15_e0aa5dad1156a7bf96c5d516e0e65e2e_gandcrab.exe	162
PID 3700 wrote to memory of 5084	3700	2024-10-15_e0aa5dad1156a7bf96c5d516e0e65e2e_gandcrab.exe	162

C:\Users\Admin\AppData\Local\Temp\2024-10-15_e0aa5dad1156a7bf96c5d516e0e65e2e_gandcrab.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-15_e0aa5dad1156a7bf96c5d516e0e65e2e_gandcrab.exe"
1⤵
- Adds Run key to start application
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3700
- C:\Windows\SysWOW64\nslookup.exe
  nslookup nomoreransom.bit dns1.soprodns.ru
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3448
- C:\Windows\SysWOW64\nslookup.exe
  nslookup emsisoft.bit dns1.soprodns.ru
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1636
- C:\Windows\SysWOW64\nslookup.exe
  nslookup gandcrab.bit dns1.soprodns.ru
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3192
- C:\Windows\SysWOW64\nslookup.exe
  nslookup nomoreransom.bit dns1.soprodns.ru
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4348
- C:\Windows\SysWOW64\nslookup.exe
  nslookup emsisoft.bit dns1.soprodns.ru
  2⤵
  - System Location Discovery: System Language Discovery
  PID:212
- C:\Windows\SysWOW64\nslookup.exe
  nslookup gandcrab.bit dns1.soprodns.ru
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1340
- C:\Windows\SysWOW64\nslookup.exe
  nslookup nomoreransom.bit dns1.soprodns.ru
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3964
- C:\Windows\SysWOW64\nslookup.exe
  nslookup emsisoft.bit dns1.soprodns.ru
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2420
- C:\Windows\SysWOW64\nslookup.exe
  nslookup gandcrab.bit dns1.soprodns.ru
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1076
- C:\Windows\SysWOW64\nslookup.exe
  nslookup nomoreransom.bit dns1.soprodns.ru
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3708
- C:\Windows\SysWOW64\nslookup.exe
  nslookup emsisoft.bit dns1.soprodns.ru
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1792
- C:\Windows\SysWOW64\nslookup.exe
  nslookup gandcrab.bit dns1.soprodns.ru
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1176
- C:\Windows\SysWOW64\nslookup.exe
  nslookup nomoreransom.bit dns1.soprodns.ru
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3304
- C:\Windows\SysWOW64\nslookup.exe
  nslookup emsisoft.bit dns1.soprodns.ru
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5084

Network

DNS

133.211.185.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

133.211.185.52.in-addr.arpa

IN PTR

Response
DNS

20.160.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

20.160.190.20.in-addr.arpa

IN PTR

Response
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

ipv4bot.whatismyipaddress.com

2024-10-15_e0aa5dad1156a7bf96c5d516e0e65e2e_gandcrab.exe

Remote address:

8.8.8.8:53

Request

ipv4bot.whatismyipaddress.com

IN A

Response
DNS

dns1.soprodns.ru

nslookup.exe

Remote address:

8.8.8.8:53

Request

dns1.soprodns.ru

IN A

Response
DNS

8.8.8.8.in-addr.arpa

nslookup.exe

Remote address:

8.8.8.8:53

Request

8.8.8.8.in-addr.arpa

IN PTR

Response

8.8.8.8.in-addr.arpa

IN PTR

dnsgoogle
DNS

nomoreransom.bit

nslookup.exe

Remote address:

8.8.8.8:53

Request

nomoreransom.bit

IN A

Response
DNS

nomoreransom.bit

nslookup.exe

Remote address:

8.8.8.8:53

Request

nomoreransom.bit

IN AAAA

Response
DNS

nomoreransom.bit

nslookup.exe

Remote address:

8.8.8.8:53

Request

nomoreransom.bit

IN A

Response
DNS

nomoreransom.bit

nslookup.exe

Remote address:

8.8.8.8:53

Request

nomoreransom.bit

IN AAAA

Response
DNS

55.36.223.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

55.36.223.20.in-addr.arpa

IN PTR

Response
DNS

dns1.soprodns.ru

nslookup.exe

Remote address:

8.8.8.8:53

Request

dns1.soprodns.ru

IN A

Response
DNS

8.8.8.8.in-addr.arpa

nslookup.exe

Remote address:

8.8.8.8:53

Request

8.8.8.8.in-addr.arpa

IN PTR

Response

8.8.8.8.in-addr.arpa

IN PTR

dnsgoogle
DNS

emsisoft.bit

nslookup.exe

Remote address:

8.8.8.8:53

Request

emsisoft.bit

IN A

Response
DNS

emsisoft.bit

nslookup.exe

Remote address:

8.8.8.8:53

Request

emsisoft.bit

IN AAAA

Response
DNS

emsisoft.bit

nslookup.exe

Remote address:

8.8.8.8:53

Request

emsisoft.bit

IN A

Response
DNS

emsisoft.bit

nslookup.exe

Remote address:

8.8.8.8:53

Request

emsisoft.bit

IN AAAA

Response
DNS

154.239.44.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

154.239.44.20.in-addr.arpa

IN PTR

Response
DNS

dns1.soprodns.ru

nslookup.exe

Remote address:

8.8.8.8:53

Request

dns1.soprodns.ru

IN A

Response
DNS

8.8.8.8.in-addr.arpa

nslookup.exe

Remote address:

8.8.8.8:53

Request

8.8.8.8.in-addr.arpa

IN PTR

Response

8.8.8.8.in-addr.arpa

IN PTR

dnsgoogle
DNS

gandcrab.bit

nslookup.exe

Remote address:

8.8.8.8:53

Request

gandcrab.bit

IN A

Response
DNS

gandcrab.bit

nslookup.exe

Remote address:

8.8.8.8:53

Request

gandcrab.bit

IN AAAA

Response
DNS

gandcrab.bit

nslookup.exe

Remote address:

8.8.8.8:53

Request

gandcrab.bit

IN A

Response
DNS

gandcrab.bit

nslookup.exe

Remote address:

8.8.8.8:53

Request

gandcrab.bit

IN AAAA

Response
DNS

212.20.149.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

212.20.149.52.in-addr.arpa

IN PTR

Response
DNS

dns1.soprodns.ru

nslookup.exe

Remote address:

8.8.8.8:53

Request

dns1.soprodns.ru

IN A

Response
DNS

241.42.69.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

241.42.69.40.in-addr.arpa

IN PTR

Response
DNS

8.8.8.8.in-addr.arpa

nslookup.exe

Remote address:

8.8.8.8:53

Request

8.8.8.8.in-addr.arpa

IN PTR

Response

8.8.8.8.in-addr.arpa

IN PTR

dnsgoogle
DNS

nomoreransom.bit

nslookup.exe

Remote address:

8.8.8.8:53

Request

nomoreransom.bit

IN A

Response
DNS

nomoreransom.bit

nslookup.exe

Remote address:

8.8.8.8:53

Request

nomoreransom.bit

IN AAAA

Response
DNS

nomoreransom.bit

nslookup.exe

Remote address:

8.8.8.8:53

Request

nomoreransom.bit

IN A

Response
DNS

nomoreransom.bit

nslookup.exe

Remote address:

8.8.8.8:53

Request

nomoreransom.bit

IN AAAA

Response
DNS

75.117.19.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

75.117.19.2.in-addr.arpa

IN PTR

Response

75.117.19.2.in-addr.arpa

IN PTR

a2-19-117-75deploystaticakamaitechnologiescom
DNS

dns1.soprodns.ru

nslookup.exe

Remote address:

8.8.8.8:53

Request

dns1.soprodns.ru

IN A

Response
DNS

8.8.8.8.in-addr.arpa

nslookup.exe

Remote address:

8.8.8.8:53

Request

8.8.8.8.in-addr.arpa

IN PTR

Response

8.8.8.8.in-addr.arpa

IN PTR

dnsgoogle
DNS

emsisoft.bit

nslookup.exe

Remote address:

8.8.8.8:53

Request

emsisoft.bit

IN A

Response
DNS

emsisoft.bit

nslookup.exe

Remote address:

8.8.8.8:53

Request

emsisoft.bit

IN AAAA
DNS

emsisoft.bit

nslookup.exe

Remote address:

8.8.8.8:53

Request

emsisoft.bit

IN A

Response
DNS

emsisoft.bit

nslookup.exe

Remote address:

8.8.8.8:53

Request

emsisoft.bit

IN AAAA

Response
DNS

dns1.soprodns.ru

nslookup.exe

Remote address:

8.8.8.8:53

Request

dns1.soprodns.ru

IN A

Response
DNS

8.8.8.8.in-addr.arpa

nslookup.exe

Remote address:

8.8.8.8:53

Request

8.8.8.8.in-addr.arpa

IN PTR

Response

8.8.8.8.in-addr.arpa

IN PTR

dnsgoogle
DNS

gandcrab.bit

nslookup.exe

Remote address:

8.8.8.8:53

Request

gandcrab.bit

IN A

Response
DNS

gandcrab.bit

nslookup.exe

Remote address:

8.8.8.8:53

Request

gandcrab.bit

IN AAAA

Response
DNS

gandcrab.bit

nslookup.exe

Remote address:

8.8.8.8:53

Request

gandcrab.bit

IN A

Response
DNS

gandcrab.bit

nslookup.exe

Remote address:

8.8.8.8:53

Request

gandcrab.bit

IN AAAA

Response
DNS

83.210.23.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

83.210.23.2.in-addr.arpa

IN PTR

Response

83.210.23.2.in-addr.arpa

IN PTR

a2-23-210-83deploystaticakamaitechnologiescom
DNS

dns1.soprodns.ru

nslookup.exe

Remote address:

8.8.8.8:53

Request

dns1.soprodns.ru

IN A

Response
DNS

8.8.8.8.in-addr.arpa

nslookup.exe

Remote address:

8.8.8.8:53

Request

8.8.8.8.in-addr.arpa

IN PTR

Response

8.8.8.8.in-addr.arpa

IN PTR

dnsgoogle
DNS

nomoreransom.bit

nslookup.exe

Remote address:

8.8.8.8:53

Request

nomoreransom.bit

IN A

Response
DNS

nomoreransom.bit

nslookup.exe

Remote address:

8.8.8.8:53

Request

nomoreransom.bit

IN AAAA

Response
DNS

nomoreransom.bit

nslookup.exe

Remote address:

8.8.8.8:53

Request

nomoreransom.bit

IN A

Response
DNS

nomoreransom.bit

nslookup.exe

Remote address:

8.8.8.8:53

Request

nomoreransom.bit

IN AAAA

Response
DNS

dns1.soprodns.ru

nslookup.exe

Remote address:

8.8.8.8:53

Request

dns1.soprodns.ru

IN A

Response
DNS

dns1.soprodns.ru

nslookup.exe

Remote address:

8.8.8.8:53

Request

dns1.soprodns.ru

IN A
DNS

8.8.8.8.in-addr.arpa

nslookup.exe

Remote address:

8.8.8.8:53

Request

8.8.8.8.in-addr.arpa

IN PTR

Response

8.8.8.8.in-addr.arpa

IN PTR

dnsgoogle
DNS

emsisoft.bit

nslookup.exe

Remote address:

8.8.8.8:53

Request

emsisoft.bit

IN A

Response
DNS

emsisoft.bit

nslookup.exe

Remote address:

8.8.8.8:53

Request

emsisoft.bit

IN AAAA

Response
DNS

emsisoft.bit

nslookup.exe

Remote address:

8.8.8.8:53

Request

emsisoft.bit

IN A

Response
DNS

emsisoft.bit

nslookup.exe

Remote address:

8.8.8.8:53

Request

emsisoft.bit

IN AAAA

Response
DNS

dns1.soprodns.ru

nslookup.exe

Remote address:

8.8.8.8:53

Request

dns1.soprodns.ru

IN A

Response
DNS

8.8.8.8.in-addr.arpa

nslookup.exe

Remote address:

8.8.8.8:53

Request

8.8.8.8.in-addr.arpa

IN PTR

Response

8.8.8.8.in-addr.arpa

IN PTR

dnsgoogle
DNS

gandcrab.bit

nslookup.exe

Remote address:

8.8.8.8:53

Request

gandcrab.bit

IN A

Response
DNS

gandcrab.bit

nslookup.exe

Remote address:

8.8.8.8:53

Request

gandcrab.bit

IN AAAA
DNS

gandcrab.bit

nslookup.exe

Remote address:

8.8.8.8:53

Request

gandcrab.bit

IN A

Response
DNS

gandcrab.bit

nslookup.exe

Remote address:

8.8.8.8:53

Request

gandcrab.bit

IN AAAA

Response
DNS

43.229.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

43.229.111.52.in-addr.arpa

IN PTR

Response
DNS

43.58.199.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

43.58.199.20.in-addr.arpa

IN PTR

Response
DNS

tse1.mm.bing.net

Remote address:

8.8.8.8:53

Request

tse1.mm.bing.net

IN A

Response

tse1.mm.bing.net

IN CNAME

mm-mm.bing.net.trafficmanager.net

mm-mm.bing.net.trafficmanager.net

IN CNAME

ax-0001.ax-msedge.net

ax-0001.ax-msedge.net

IN A

150.171.27.10

ax-0001.ax-msedge.net

IN A

150.171.28.10
GET

https://tse1.mm.bing.net/th?id=OADD2.10239360264291_1OMXAE3VFGJI9A76K&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

Remote address:

150.171.27.10:443

Request

GET /th?id=OADD2.10239360264291_1OMXAE3VFGJI9A76K&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 401499
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: FDB701BD900F42D6BE48F66E4690BE6F Ref B: LON601060103062 Ref C: 2024-10-15T02:32:51Z
date: Tue, 15 Oct 2024 02:32:51 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239340418595_19TRV8HP5YIGTZD3I&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

Remote address:

150.171.27.10:443

Request

GET /th?id=OADD2.10239340418595_19TRV8HP5YIGTZD3I&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 787151
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 29846D36C57840A5A1785F47F99C11C9 Ref B: LON601060103062 Ref C: 2024-10-15T02:32:51Z
date: Tue, 15 Oct 2024 02:32:51 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239360264303_1FV8HLP8B8WOIRSCV&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

Remote address:

150.171.27.10:443

Request

GET /th?id=OADD2.10239360264303_1FV8HLP8B8WOIRSCV&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 585223
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 5BA86C51210D4E36BF450FE3537E5A5D Ref B: LON601060103062 Ref C: 2024-10-15T02:32:51Z
date: Tue, 15 Oct 2024 02:32:51 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239317301035_1FUDWJ8GFFIFDV49E&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

Remote address:

150.171.27.10:443

Request

GET /th?id=OADD2.10239317301035_1FUDWJ8GFFIFDV49E&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 1054100
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: EA2EC0D930BA42C7B36F20E7A697B6F7 Ref B: LON601060103062 Ref C: 2024-10-15T02:32:51Z
date: Tue, 15 Oct 2024 02:32:51 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239340418596_1ZW2YDLAK01V77NJD&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

Remote address:

150.171.27.10:443

Request

GET /th?id=OADD2.10239340418596_1ZW2YDLAK01V77NJD&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 604398
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: F1E97A202098462E9F96A95BB8D4D475 Ref B: LON601060103062 Ref C: 2024-10-15T02:32:51Z
date: Tue, 15 Oct 2024 02:32:51 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239317301468_1K7Q0DK1RQ5AV6436&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

Remote address:

150.171.27.10:443

Request

GET /th?id=OADD2.10239317301468_1K7Q0DK1RQ5AV6436&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 1020983
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 973FC4C021F64F8F96361F576DFD3845 Ref B: LON601060103062 Ref C: 2024-10-15T02:32:53Z
date: Tue, 15 Oct 2024 02:32:53 GMT
DNS

dns1.soprodns.ru

nslookup.exe

Remote address:

8.8.8.8:53

Request

dns1.soprodns.ru

IN A

Response
DNS

8.8.8.8.in-addr.arpa

nslookup.exe

Remote address:

8.8.8.8:53

Request

8.8.8.8.in-addr.arpa

IN PTR

Response

8.8.8.8.in-addr.arpa

IN PTR

dnsgoogle
DNS

nomoreransom.bit

nslookup.exe

Remote address:

8.8.8.8:53

Request

nomoreransom.bit

IN A

Response
DNS

nomoreransom.bit

nslookup.exe

Remote address:

8.8.8.8:53

Request

nomoreransom.bit

IN AAAA

Response
DNS

nomoreransom.bit

nslookup.exe

Remote address:

8.8.8.8:53

Request

nomoreransom.bit

IN A

Response
DNS

nomoreransom.bit

nslookup.exe

Remote address:

8.8.8.8:53

Request

nomoreransom.bit

IN AAAA

Response
DNS

dns1.soprodns.ru

nslookup.exe

Remote address:

8.8.8.8:53

Request

dns1.soprodns.ru

IN A

Response
DNS

8.8.8.8.in-addr.arpa

nslookup.exe

Remote address:

8.8.8.8:53

Request

8.8.8.8.in-addr.arpa

IN PTR

Response

8.8.8.8.in-addr.arpa

IN PTR

dnsgoogle
DNS

emsisoft.bit

nslookup.exe

Remote address:

8.8.8.8:53

Request

emsisoft.bit

IN A

Response
DNS

emsisoft.bit

nslookup.exe

Remote address:

8.8.8.8:53

Request

emsisoft.bit

IN AAAA

Response
DNS

emsisoft.bit

nslookup.exe

Remote address:

8.8.8.8:53

Request

emsisoft.bit

IN A

Response
DNS

emsisoft.bit

nslookup.exe

Remote address:

8.8.8.8:53

Request

emsisoft.bit

IN AAAA

Response
DNS

dns1.soprodns.ru

nslookup.exe

Remote address:

8.8.8.8:53

Request

dns1.soprodns.ru

IN A

Response
DNS

dns1.soprodns.ru

nslookup.exe

Remote address:

8.8.8.8:53

Request

dns1.soprodns.ru

IN A

Response
DNS

8.8.8.8.in-addr.arpa

nslookup.exe

Remote address:

8.8.8.8:53

Request

8.8.8.8.in-addr.arpa

IN PTR

Response

8.8.8.8.in-addr.arpa

IN PTR

dnsgoogle
DNS

gandcrab.bit

nslookup.exe

Remote address:

8.8.8.8:53

Request

gandcrab.bit

IN A

Response
DNS

gandcrab.bit

nslookup.exe

Remote address:

8.8.8.8:53

Request

gandcrab.bit

IN AAAA

Response
DNS

gandcrab.bit

nslookup.exe

Remote address:

8.8.8.8:53

Request

gandcrab.bit

IN A

Response
DNS

gandcrab.bit

nslookup.exe

Remote address:

8.8.8.8:53

Request

gandcrab.bit

IN AAAA

Response
DNS

dns1.soprodns.ru

nslookup.exe

Remote address:

8.8.8.8:53

Request

dns1.soprodns.ru

IN A

Response
DNS

8.8.8.8.in-addr.arpa

nslookup.exe

Remote address:

8.8.8.8:53

Request

8.8.8.8.in-addr.arpa

IN PTR

Response

8.8.8.8.in-addr.arpa

IN PTR

dnsgoogle
DNS

nomoreransom.bit

nslookup.exe

Remote address:

8.8.8.8:53

Request

nomoreransom.bit

IN A

Response
DNS

nomoreransom.bit

nslookup.exe

Remote address:

8.8.8.8:53

Request

nomoreransom.bit

IN AAAA

Response
DNS

nomoreransom.bit

nslookup.exe

Remote address:

8.8.8.8:53

Request

nomoreransom.bit

IN A

Response
DNS

nomoreransom.bit

nslookup.exe

Remote address:

8.8.8.8:53

Request

nomoreransom.bit

IN AAAA

Response
DNS

dns1.soprodns.ru

nslookup.exe

Remote address:

8.8.8.8:53

Request

dns1.soprodns.ru

IN A

Response
DNS

8.8.8.8.in-addr.arpa

nslookup.exe

Remote address:

8.8.8.8:53

Request

8.8.8.8.in-addr.arpa

IN PTR

Response

8.8.8.8.in-addr.arpa

IN PTR

dnsgoogle
DNS

emsisoft.bit

nslookup.exe

Remote address:

8.8.8.8:53

Request

emsisoft.bit

IN A

Response
DNS

emsisoft.bit

nslookup.exe

Remote address:

8.8.8.8:53

Request

emsisoft.bit

IN AAAA

Response
DNS

emsisoft.bit

nslookup.exe

Remote address:

8.8.8.8:53

Request

emsisoft.bit

IN A

Response
DNS

emsisoft.bit

nslookup.exe

Remote address:

8.8.8.8:53

Request

emsisoft.bit

IN AAAA

Response
DNS

10.173.189.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

10.173.189.20.in-addr.arpa

IN PTR

Response

150.171.27.10:443

tse1.mm.bing.net

tls, http2

1.4kB
6.8kB
15
10
150.171.27.10:443

tse1.mm.bing.net

tls, http2

1.3kB
6.8kB
14
10
150.171.27.10:443

https://tse1.mm.bing.net/th?id=OADD2.10239317301468_1K7Q0DK1RQ5AV6436&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

tls, http2

157.4kB
4.6MB
3371
3361

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239360264291_1OMXAE3VFGJI9A76K&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239340418595_19TRV8HP5YIGTZD3I&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239360264303_1FV8HLP8B8WOIRSCV&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239317301035_1FUDWJ8GFFIFDV49E&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239340418596_1ZW2YDLAK01V77NJD&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

HTTP Response

200

HTTP Response

200

HTTP Response

200

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239317301468_1K7Q0DK1RQ5AV6436&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

HTTP Response

200

HTTP Response

200

HTTP Response

200
150.171.27.10:443

tse1.mm.bing.net

tls, http2

1.2kB
6.9kB
15
11
150.171.27.10:443

tse1.mm.bing.net

tls, http2

1.2kB
6.9kB
15
11

8.8.8.8:53

133.211.185.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

133.211.185.52.in-addr.arpa
8.8.8.8:53

20.160.190.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

20.160.190.20.in-addr.arpa
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

ipv4bot.whatismyipaddress.com

dns

2024-10-15_e0aa5dad1156a7bf96c5d516e0e65e2e_gandcrab.exe

75 B
134 B
1
1

DNS Request

ipv4bot.whatismyipaddress.com
8.8.8.8:53

dns1.soprodns.ru

dns

nslookup.exe

62 B
123 B
1
1

DNS Request

dns1.soprodns.ru
8.8.8.8:53

8.8.8.8.in-addr.arpa

dns

nslookup.exe

66 B
90 B
1
1

DNS Request

8.8.8.8.in-addr.arpa
8.8.8.8:53

nomoreransom.bit

dns

nslookup.exe

62 B
137 B
1
1

DNS Request

nomoreransom.bit
8.8.8.8:53

nomoreransom.bit

dns

nslookup.exe

62 B
137 B
1
1

DNS Request

nomoreransom.bit
8.8.8.8:53

nomoreransom.bit

dns

nslookup.exe

62 B
137 B
1
1

DNS Request

nomoreransom.bit
8.8.8.8:53

nomoreransom.bit

dns

nslookup.exe

62 B
137 B
1
1

DNS Request

nomoreransom.bit
8.8.8.8:53

55.36.223.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

55.36.223.20.in-addr.arpa
8.8.8.8:53

dns1.soprodns.ru

dns

nslookup.exe

62 B
123 B
1
1

DNS Request

dns1.soprodns.ru
8.8.8.8:53

8.8.8.8.in-addr.arpa

dns

nslookup.exe

66 B
90 B
1
1

DNS Request

8.8.8.8.in-addr.arpa
8.8.8.8:53

emsisoft.bit

dns

nslookup.exe

58 B
133 B
1
1

DNS Request

emsisoft.bit
8.8.8.8:53

emsisoft.bit

dns

nslookup.exe

58 B
133 B
1
1

DNS Request

emsisoft.bit
8.8.8.8:53

emsisoft.bit

dns

nslookup.exe

58 B
133 B
1
1

DNS Request

emsisoft.bit
8.8.8.8:53

emsisoft.bit

dns

nslookup.exe

58 B
133 B
1
1

DNS Request

emsisoft.bit
8.8.8.8:53

154.239.44.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

154.239.44.20.in-addr.arpa
8.8.8.8:53

dns1.soprodns.ru

dns

nslookup.exe

62 B
123 B
1
1

DNS Request

dns1.soprodns.ru
8.8.8.8:53

8.8.8.8.in-addr.arpa

dns

nslookup.exe

66 B
90 B
1
1

DNS Request

8.8.8.8.in-addr.arpa
8.8.8.8:53

gandcrab.bit

dns

nslookup.exe

58 B
133 B
1
1

DNS Request

gandcrab.bit
8.8.8.8:53

gandcrab.bit

dns

nslookup.exe

58 B
133 B
1
1

DNS Request

gandcrab.bit
8.8.8.8:53

gandcrab.bit

dns

nslookup.exe

58 B
133 B
1
1

DNS Request

gandcrab.bit
8.8.8.8:53

gandcrab.bit

dns

nslookup.exe

58 B
133 B
1
1

DNS Request

gandcrab.bit
8.8.8.8:53

212.20.149.52.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

212.20.149.52.in-addr.arpa
8.8.8.8:53

dns1.soprodns.ru

dns

nslookup.exe

62 B
123 B
1
1

DNS Request

dns1.soprodns.ru
8.8.8.8:53

241.42.69.40.in-addr.arpa

dns

71 B
145 B
1
1

DNS Request

241.42.69.40.in-addr.arpa
8.8.8.8:53

8.8.8.8.in-addr.arpa

dns

nslookup.exe

66 B
90 B
1
1

DNS Request

8.8.8.8.in-addr.arpa
8.8.8.8:53

nomoreransom.bit

dns

nslookup.exe

62 B
137 B
1
1

DNS Request

nomoreransom.bit
8.8.8.8:53

nomoreransom.bit

dns

nslookup.exe

62 B
137 B
1
1

DNS Request

nomoreransom.bit
8.8.8.8:53

nomoreransom.bit

dns

nslookup.exe

62 B
137 B
1
1

DNS Request

nomoreransom.bit
8.8.8.8:53

nomoreransom.bit

dns

nslookup.exe

62 B
137 B
1
1

DNS Request

nomoreransom.bit
8.8.8.8:53

75.117.19.2.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

75.117.19.2.in-addr.arpa
8.8.8.8:53

dns1.soprodns.ru

dns

nslookup.exe

62 B
123 B
1
1

DNS Request

dns1.soprodns.ru
8.8.8.8:53

8.8.8.8.in-addr.arpa

dns

nslookup.exe

66 B
90 B
1
1

DNS Request

8.8.8.8.in-addr.arpa
8.8.8.8:53

emsisoft.bit

dns

nslookup.exe

58 B
133 B
1
1

DNS Request

emsisoft.bit
8.8.8.8:53

emsisoft.bit

dns

nslookup.exe

58 B
1

DNS Request

emsisoft.bit
8.8.8.8:53

emsisoft.bit

dns

nslookup.exe

58 B
133 B
1
1

DNS Request

emsisoft.bit
8.8.8.8:53

emsisoft.bit

dns

nslookup.exe

58 B
133 B
1
1

DNS Request

emsisoft.bit
8.8.8.8:53

dns1.soprodns.ru

dns

nslookup.exe

62 B
123 B
1
1

DNS Request

dns1.soprodns.ru
8.8.8.8:53

8.8.8.8.in-addr.arpa

dns

nslookup.exe

66 B
90 B
1
1

DNS Request

8.8.8.8.in-addr.arpa
8.8.8.8:53

gandcrab.bit

dns

nslookup.exe

58 B
133 B
1
1

DNS Request

gandcrab.bit
8.8.8.8:53

gandcrab.bit

dns

nslookup.exe

58 B
133 B
1
1

DNS Request

gandcrab.bit
8.8.8.8:53

gandcrab.bit

dns

nslookup.exe

58 B
133 B
1
1

DNS Request

gandcrab.bit
8.8.8.8:53

gandcrab.bit

dns

nslookup.exe

58 B
133 B
1
1

DNS Request

gandcrab.bit
8.8.8.8:53

83.210.23.2.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

83.210.23.2.in-addr.arpa
8.8.8.8:53

dns1.soprodns.ru

dns

nslookup.exe

62 B
123 B
1
1

DNS Request

dns1.soprodns.ru
8.8.8.8:53

8.8.8.8.in-addr.arpa

dns

nslookup.exe

66 B
90 B
1
1

DNS Request

8.8.8.8.in-addr.arpa
8.8.8.8:53

nomoreransom.bit

dns

nslookup.exe

62 B
137 B
1
1

DNS Request

nomoreransom.bit
8.8.8.8:53

nomoreransom.bit

dns

nslookup.exe

62 B
137 B
1
1

DNS Request

nomoreransom.bit
8.8.8.8:53

nomoreransom.bit

dns

nslookup.exe

62 B
137 B
1
1

DNS Request

nomoreransom.bit
8.8.8.8:53

nomoreransom.bit

dns

nslookup.exe

62 B
137 B
1
1

DNS Request

nomoreransom.bit
8.8.8.8:53

dns1.soprodns.ru

dns

nslookup.exe

124 B
123 B
2
1

DNS Request

dns1.soprodns.ru

DNS Request

dns1.soprodns.ru
8.8.8.8:53

8.8.8.8.in-addr.arpa

dns

nslookup.exe

66 B
90 B
1
1

DNS Request

8.8.8.8.in-addr.arpa
8.8.8.8:53

emsisoft.bit

dns

nslookup.exe

58 B
133 B
1
1

DNS Request

emsisoft.bit
8.8.8.8:53

emsisoft.bit

dns

nslookup.exe

58 B
133 B
1
1

DNS Request

emsisoft.bit
8.8.8.8:53

emsisoft.bit

dns

nslookup.exe

58 B
133 B
1
1

DNS Request

emsisoft.bit
8.8.8.8:53

emsisoft.bit

dns

nslookup.exe

58 B
133 B
1
1

DNS Request

emsisoft.bit
8.8.8.8:53

dns1.soprodns.ru

dns

nslookup.exe

62 B
123 B
1
1

DNS Request

dns1.soprodns.ru
8.8.8.8:53

8.8.8.8.in-addr.arpa

dns

nslookup.exe

66 B
90 B
1
1

DNS Request

8.8.8.8.in-addr.arpa
8.8.8.8:53

gandcrab.bit

dns

nslookup.exe

58 B
133 B
1
1

DNS Request

gandcrab.bit
8.8.8.8:53

gandcrab.bit

dns

nslookup.exe

58 B
1

DNS Request

gandcrab.bit
8.8.8.8:53

gandcrab.bit

dns

nslookup.exe

58 B
133 B
1
1

DNS Request

gandcrab.bit
8.8.8.8:53

gandcrab.bit

dns

nslookup.exe

58 B
133 B
1
1

DNS Request

gandcrab.bit
8.8.8.8:53

43.229.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

43.229.111.52.in-addr.arpa
8.8.8.8:53

43.58.199.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

43.58.199.20.in-addr.arpa
8.8.8.8:53

tse1.mm.bing.net

dns

62 B
170 B
1
1

DNS Request

tse1.mm.bing.net

DNS Response

150.171.27.10

150.171.28.10
8.8.8.8:53

dns1.soprodns.ru

dns

nslookup.exe

62 B
123 B
1
1

DNS Request

dns1.soprodns.ru
8.8.8.8:53

8.8.8.8.in-addr.arpa

dns

nslookup.exe

66 B
90 B
1
1

DNS Request

8.8.8.8.in-addr.arpa
8.8.8.8:53

nomoreransom.bit

dns

nslookup.exe

62 B
137 B
1
1

DNS Request

nomoreransom.bit
8.8.8.8:53

nomoreransom.bit

dns

nslookup.exe

62 B
137 B
1
1

DNS Request

nomoreransom.bit
8.8.8.8:53

nomoreransom.bit

dns

nslookup.exe

62 B
137 B
1
1

DNS Request

nomoreransom.bit
8.8.8.8:53

nomoreransom.bit

dns

nslookup.exe

62 B
137 B
1
1

DNS Request

nomoreransom.bit
8.8.8.8:53

dns1.soprodns.ru

dns

nslookup.exe

62 B
123 B
1
1

DNS Request

dns1.soprodns.ru
8.8.8.8:53

8.8.8.8.in-addr.arpa

dns

nslookup.exe

66 B
90 B
1
1

DNS Request

8.8.8.8.in-addr.arpa
8.8.8.8:53

emsisoft.bit

dns

nslookup.exe

58 B
133 B
1
1

DNS Request

emsisoft.bit
8.8.8.8:53

emsisoft.bit

dns

nslookup.exe

58 B
133 B
1
1

DNS Request

emsisoft.bit
8.8.8.8:53

emsisoft.bit

dns

nslookup.exe

58 B
133 B
1
1

DNS Request

emsisoft.bit
8.8.8.8:53

emsisoft.bit

dns

nslookup.exe

58 B
133 B
1
1

DNS Request

emsisoft.bit
8.8.8.8:53

dns1.soprodns.ru

dns

nslookup.exe

124 B
246 B
2
2

DNS Request

dns1.soprodns.ru

DNS Request

dns1.soprodns.ru
8.8.8.8:53

8.8.8.8.in-addr.arpa

dns

nslookup.exe

66 B
90 B
1
1

DNS Request

8.8.8.8.in-addr.arpa
8.8.8.8:53

gandcrab.bit

dns

nslookup.exe

58 B
133 B
1
1

DNS Request

gandcrab.bit
8.8.8.8:53

gandcrab.bit

dns

nslookup.exe

58 B
133 B
1
1

DNS Request

gandcrab.bit
8.8.8.8:53

gandcrab.bit

dns

nslookup.exe

58 B
133 B
1
1

DNS Request

gandcrab.bit
8.8.8.8:53

gandcrab.bit

dns

nslookup.exe

58 B
133 B
1
1

DNS Request

gandcrab.bit
8.8.8.8:53

dns1.soprodns.ru

dns

nslookup.exe

62 B
123 B
1
1

DNS Request

dns1.soprodns.ru
8.8.8.8:53

8.8.8.8.in-addr.arpa

dns

nslookup.exe

66 B
90 B
1
1

DNS Request

8.8.8.8.in-addr.arpa
8.8.8.8:53

nomoreransom.bit

dns

nslookup.exe

62 B
137 B
1
1

DNS Request

nomoreransom.bit
8.8.8.8:53

nomoreransom.bit

dns

nslookup.exe

62 B
137 B
1
1

DNS Request

nomoreransom.bit
8.8.8.8:53

nomoreransom.bit

dns

nslookup.exe

62 B
137 B
1
1

DNS Request

nomoreransom.bit
8.8.8.8:53

nomoreransom.bit

dns

nslookup.exe

62 B
137 B
1
1

DNS Request

nomoreransom.bit
8.8.8.8:53

dns1.soprodns.ru

dns

nslookup.exe

62 B
123 B
1
1

DNS Request

dns1.soprodns.ru
8.8.8.8:53

8.8.8.8.in-addr.arpa

dns

nslookup.exe

66 B
90 B
1
1

DNS Request

8.8.8.8.in-addr.arpa
8.8.8.8:53

emsisoft.bit

dns

nslookup.exe

58 B
133 B
1
1

DNS Request

emsisoft.bit
8.8.8.8:53

emsisoft.bit

dns

nslookup.exe

58 B
133 B
1
1

DNS Request

emsisoft.bit
8.8.8.8:53

emsisoft.bit

dns

nslookup.exe

58 B
133 B
1
1

DNS Request

emsisoft.bit
8.8.8.8:53

emsisoft.bit

dns

nslookup.exe

58 B
133 B
1
1

DNS Request

emsisoft.bit
8.8.8.8:53

10.173.189.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

10.173.189.20.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3700-0-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3700-4-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Response

HTTP Response

HTTP Response

HTTP Request

HTTP Response

HTTP Response

HTTP Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request