|
C:\Users\user\Desktop\2fiDcmkaZY.exe
|
"C:\Users\user\Desktop\2fiDcmkaZY.exe"
|
 |
|
| Is windows: |
false
|
| Is dropped: |
false
|
| PID: |
6752
|
| Target ID: |
0
|
| Parent PID: |
4696
|
| Name: |
2fiDcmkaZY.exe
|
| Path: |
C:\Users\user\Desktop\2fiDcmkaZY.exe
|
| Commandline: |
"C:\Users\user\Desktop\2fiDcmkaZY.exe"
|
| Size: |
75264
|
| MD5: |
A8AC57500DE5DADF8C4DB19959DDF2EC
|
| Time: |
00:01:51
|
| Date: |
01/09/2022
|
| Reason: |
newprocess
|
| Reputation: |
low
|
| Is admin: |
true
|
| Is elevated: |
true
|
| Modulebase: |
0xa60000
|
| Modulesize: |
90112
|
| Wow64: |
true
|
| Signature Hits |
Behavior Group |
Mitre Attack |
|
| Antivirus / Scanner detection for submitted sample |
AV Detection |
|
| Multi AV Scanner detection for submitted file |
AV Detection |
|
| Yara detected Gandcrab |
Spam, unwanted Advertisements and Ransom Demands |
|
| Machine Learning detection for sample |
AV Detection |
|
| Uses 32bit PE files |
Compliance, System Summary |
|
| PE file has an executable .text section and no other executable section |
System Summary |
|
| Sample is known by Antivirus |
System Summary |
|
| Spawns processes |
System Summary |
|
| Contains modern PE file flags such as dynamic base (ASLR) or NX |
Compliance, System Summary |
|
|
|
C:\Windows\SysWOW64\nslookup.exe
|
nslookup nomoreransom.bit dns1.soprodns.ru
|
|
|
| Is windows: |
true
|
| Is dropped: |
false
|
| PID: |
6896
|
| Target ID: |
2
|
| Parent PID: |
6752
|
| Name: |
nslookup.exe
|
| Path: |
C:\Windows\SysWOW64\nslookup.exe
|
| Commandline: |
nslookup nomoreransom.bit dns1.soprodns.ru
|
| Size: |
78336
|
| MD5: |
8E82529D1475D67615ADCB4E1B8F4EEC
|
| Time: |
00:01:59
|
| Date: |
01/09/2022
|
| Reason: |
newprocess
|
| Reputation: |
moderate
|
| Is admin: |
true
|
| Is elevated: |
true
|
| Modulebase: |
0xcd0000
|
| Modulesize: |
98304
|
| Wow64: |
true
|
| Signature Hits |
Behavior Group |
Mitre Attack |
|
| Uses nslookup.exe to query domains |
Networking |
System Network Configuration Discovery
|
| Creates a process in suspended mode (likely to inject code) |
HIPS / PFW / Operating System Protection Evasion |
|
| Too many similar processes found |
DDoS |
|
| Spawns processes |
System Summary |
|
|
|
C:\Windows\SysWOW64\nslookup.exe
|
nslookup emsisoft.bit dns1.soprodns.ru
|
|
|
| Is windows: |
true
|
| Is dropped: |
false
|
| PID: |
6972
|
| Target ID: |
4
|
| Parent PID: |
6752
|
| Name: |
nslookup.exe
|
| Path: |
C:\Windows\SysWOW64\nslookup.exe
|
| Commandline: |
nslookup emsisoft.bit dns1.soprodns.ru
|
| Size: |
78336
|
| MD5: |
8E82529D1475D67615ADCB4E1B8F4EEC
|
| Time: |
00:02:00
|
| Date: |
01/09/2022
|
| Reason: |
newprocess
|
| Reputation: |
moderate
|
| Is admin: |
true
|
| Is elevated: |
true
|
| Modulebase: |
0xcd0000
|
| Modulesize: |
98304
|
| Wow64: |
true
|
| Signature Hits |
Behavior Group |
Mitre Attack |
|
| Uses nslookup.exe to query domains |
Networking |
System Network Configuration Discovery
|
| Creates a process in suspended mode (likely to inject code) |
HIPS / PFW / Operating System Protection Evasion |
|
| Too many similar processes found |
DDoS |
|
| Spawns processes |
System Summary |
|
|
|
C:\Windows\SysWOW64\nslookup.exe
|
nslookup gandcrab.bit dns1.soprodns.ru
|
|
|
| Is windows: |
true
|
| Is dropped: |
false
|
| PID: |
7032
|
| Target ID: |
6
|
| Parent PID: |
6752
|
| Name: |
nslookup.exe
|
| Path: |
C:\Windows\SysWOW64\nslookup.exe
|
| Commandline: |
nslookup gandcrab.bit dns1.soprodns.ru
|
| Size: |
78336
|
| MD5: |
8E82529D1475D67615ADCB4E1B8F4EEC
|
| Time: |
00:02:03
|
| Date: |
01/09/2022
|
| Reason: |
newprocess
|
| Reputation: |
moderate
|
| Is admin: |
true
|
| Is elevated: |
true
|
| Modulebase: |
0xcd0000
|
| Modulesize: |
98304
|
| Wow64: |
true
|
| Signature Hits |
Behavior Group |
Mitre Attack |
|
| Uses nslookup.exe to query domains |
Networking |
System Network Configuration Discovery
|
| Creates a process in suspended mode (likely to inject code) |
HIPS / PFW / Operating System Protection Evasion |
|
| Too many similar processes found |
DDoS |
|
| Spawns processes |
System Summary |
|
|
|
C:\Windows\SysWOW64\nslookup.exe
|
nslookup nomoreransom.bit dns1.soprodns.ru
|
|
|
| Is windows: |
true
|
| Is dropped: |
false
|
| PID: |
7084
|
| Target ID: |
8
|
| Parent PID: |
6752
|
| Name: |
nslookup.exe
|
| Path: |
C:\Windows\SysWOW64\nslookup.exe
|
| Commandline: |
nslookup nomoreransom.bit dns1.soprodns.ru
|
| Size: |
78336
|
| MD5: |
8E82529D1475D67615ADCB4E1B8F4EEC
|
| Time: |
00:02:04
|
| Date: |
01/09/2022
|
| Reason: |
newprocess
|
| Reputation: |
moderate
|
| Is admin: |
true
|
| Is elevated: |
true
|
| Modulebase: |
0xcd0000
|
| Modulesize: |
98304
|
| Wow64: |
true
|
| Signature Hits |
Behavior Group |
Mitre Attack |
|
| Uses nslookup.exe to query domains |
Networking |
System Network Configuration Discovery
|
| Creates a process in suspended mode (likely to inject code) |
HIPS / PFW / Operating System Protection Evasion |
|
| Too many similar processes found |
DDoS |
|
| Spawns processes |
System Summary |
|
|
|
C:\Windows\SysWOW64\nslookup.exe
|
nslookup emsisoft.bit dns1.soprodns.ru
|
|
|
| Is windows: |
true
|
| Is dropped: |
false
|
| PID: |
7144
|
| Target ID: |
10
|
| Parent PID: |
6752
|
| Name: |
nslookup.exe
|
| Path: |
C:\Windows\SysWOW64\nslookup.exe
|
| Commandline: |
nslookup emsisoft.bit dns1.soprodns.ru
|
| Size: |
78336
|
| MD5: |
8E82529D1475D67615ADCB4E1B8F4EEC
|
| Time: |
00:02:06
|
| Date: |
01/09/2022
|
| Reason: |
newprocess
|
| Reputation: |
moderate
|
| Is admin: |
true
|
| Is elevated: |
true
|
| Modulebase: |
0xcd0000
|
| Modulesize: |
98304
|
| Wow64: |
true
|
| Signature Hits |
Behavior Group |
Mitre Attack |
|
| Uses nslookup.exe to query domains |
Networking |
System Network Configuration Discovery
|
| Creates a process in suspended mode (likely to inject code) |
HIPS / PFW / Operating System Protection Evasion |
|
| Too many similar processes found |
DDoS |
|
| Spawns processes |
System Summary |
|
|
|
C:\Users\user\AppData\Roaming\Microsoft\tdicrr.exe
|
"C:\Users\user\AppData\Roaming\Microsoft\tdicrr.exe"
|
|
|
| Is windows: |
false
|
| Is dropped: |
true
|
| PID: |
1476
|
| Target ID: |
13
|
| Parent PID: |
3324
|
| Name: |
tdicrr.exe
|
| Path: |
C:\Users\user\AppData\Roaming\Microsoft\tdicrr.exe
|
| Commandline: |
"C:\Users\user\AppData\Roaming\Microsoft\tdicrr.exe"
|
| Size: |
75264
|
| MD5: |
D2E112FDFFC314778285E837BC0BED47
|
| Time: |
00:02:09
|
| Date: |
01/09/2022
|
| Reason: |
newprocess
|
| Reputation: |
timeout
|
| Is admin: |
false
|
| Is elevated: |
false
|
| Modulebase: |
0xc70000
|
| Modulesize: |
90112
|
| Wow64: |
true
|
| Signature Hits |
Behavior Group |
Mitre Attack |
|
| Yara detected Gandcrab |
Spam, unwanted Advertisements and Ransom Demands |
|
| Drops PE files |
Persistence and Installation Behavior |
|
| Creates files inside the user directory |
System Summary |
|
| Spawns processes |
System Summary |
|
|
|
C:\Windows\SysWOW64\nslookup.exe
|
nslookup gandcrab.bit dns1.soprodns.ru
|
|
|
| Is windows: |
true
|
| Is dropped: |
false
|
| PID: |
5388
|
| Target ID: |
14
|
| Parent PID: |
6752
|
| Name: |
nslookup.exe
|
| Path: |
C:\Windows\SysWOW64\nslookup.exe
|
| Commandline: |
nslookup gandcrab.bit dns1.soprodns.ru
|
| Size: |
78336
|
| MD5: |
8E82529D1475D67615ADCB4E1B8F4EEC
|
| Time: |
00:02:12
|
| Date: |
01/09/2022
|
| Reason: |
newprocess
|
| Reputation: |
timeout
|
| Is admin: |
true
|
| Is elevated: |
true
|
| Modulebase: |
0xcd0000
|
| Modulesize: |
98304
|
| Wow64: |
true
|
| Signature Hits |
Behavior Group |
Mitre Attack |
|
| Uses nslookup.exe to query domains |
Networking |
System Network Configuration Discovery
|
| Creates a process in suspended mode (likely to inject code) |
HIPS / PFW / Operating System Protection Evasion |
|
| Too many similar processes found |
DDoS |
|
| Spawns processes |
System Summary |
|
|
|
C:\Windows\SysWOW64\nslookup.exe
|
nslookup nomoreransom.bit dns1.soprodns.ru
|
|
|
| Is windows: |
true
|
| Is dropped: |
false
|
| PID: |
6392
|
| Target ID: |
16
|
| Parent PID: |
6752
|
| Name: |
nslookup.exe
|
| Path: |
C:\Windows\SysWOW64\nslookup.exe
|
| Commandline: |
nslookup nomoreransom.bit dns1.soprodns.ru
|
| Size: |
78336
|
| MD5: |
8E82529D1475D67615ADCB4E1B8F4EEC
|
| Time: |
00:02:14
|
| Date: |
01/09/2022
|
| Reason: |
newprocess
|
| Reputation: |
timeout
|
| Is admin: |
true
|
| Is elevated: |
true
|
| Modulebase: |
0xcd0000
|
| Modulesize: |
98304
|
| Wow64: |
true
|
| Signature Hits |
Behavior Group |
Mitre Attack |
|
| Uses nslookup.exe to query domains |
Networking |
System Network Configuration Discovery
|
| Creates a process in suspended mode (likely to inject code) |
HIPS / PFW / Operating System Protection Evasion |
|
| Too many similar processes found |
DDoS |
|
| Spawns processes |
System Summary |
|
|
|
C:\Windows\SysWOW64\nslookup.exe
|
nslookup emsisoft.bit dns1.soprodns.ru
|
|
|
| Is windows: |
true
|
| Is dropped: |
false
|
| PID: |
3096
|
| Target ID: |
18
|
| Parent PID: |
6752
|
| Name: |
nslookup.exe
|
| Path: |
C:\Windows\SysWOW64\nslookup.exe
|
| Commandline: |
nslookup emsisoft.bit dns1.soprodns.ru
|
| Size: |
78336
|
| MD5: |
8E82529D1475D67615ADCB4E1B8F4EEC
|
| Time: |
00:02:16
|
| Date: |
01/09/2022
|
| Reason: |
newprocess
|
| Reputation: |
timeout
|
| Is admin: |
true
|
| Is elevated: |
true
|
| Modulebase: |
0xcd0000
|
| Modulesize: |
98304
|
| Wow64: |
true
|
| Signature Hits |
Behavior Group |
Mitre Attack |
|
| Uses nslookup.exe to query domains |
Networking |
System Network Configuration Discovery
|
| Creates a process in suspended mode (likely to inject code) |
HIPS / PFW / Operating System Protection Evasion |
|
| Too many similar processes found |
DDoS |
|
| Spawns processes |
System Summary |
|
|
|
C:\Users\user\AppData\Roaming\Microsoft\tdicrr.exe
|
"C:\Users\user\AppData\Roaming\Microsoft\tdicrr.exe"
|
|
|
| Is windows: |
false
|
| Is dropped: |
true
|
| PID: |
5864
|
| Target ID: |
20
|
| Parent PID: |
3324
|
| Name: |
tdicrr.exe
|
| Path: |
C:\Users\user\AppData\Roaming\Microsoft\tdicrr.exe
|
| Commandline: |
"C:\Users\user\AppData\Roaming\Microsoft\tdicrr.exe"
|
| Size: |
75264
|
| MD5: |
D2E112FDFFC314778285E837BC0BED47
|
| Time: |
00:02:17
|
| Date: |
01/09/2022
|
| Reason: |
newprocess
|
| Reputation: |
timeout
|
| Is admin: |
false
|
| Is elevated: |
false
|
| Modulebase: |
0xc70000
|
| Modulesize: |
90112
|
| Wow64: |
true
|
| Signature Hits |
Behavior Group |
Mitre Attack |
|
| Yara detected Gandcrab |
Spam, unwanted Advertisements and Ransom Demands |
|
| Drops PE files |
Persistence and Installation Behavior |
|
| Creates files inside the user directory |
System Summary |
|
| Spawns processes |
System Summary |
|
|
|
C:\Windows\SysWOW64\nslookup.exe
|
nslookup gandcrab.bit dns1.soprodns.ru
|
|
|
| Is windows: |
true
|
| Is dropped: |
false
|
| PID: |
5940
|
| Target ID: |
21
|
| Parent PID: |
6752
|
| Name: |
nslookup.exe
|
| Path: |
C:\Windows\SysWOW64\nslookup.exe
|
| Commandline: |
nslookup gandcrab.bit dns1.soprodns.ru
|
| Size: |
78336
|
| MD5: |
8E82529D1475D67615ADCB4E1B8F4EEC
|
| Time: |
00:02:18
|
| Date: |
01/09/2022
|
| Reason: |
newprocess
|
| Reputation: |
timeout
|
| Is admin: |
true
|
| Is elevated: |
true
|
| Modulebase: |
0xcd0000
|
| Modulesize: |
98304
|
| Wow64: |
true
|
| Signature Hits |
Behavior Group |
Mitre Attack |
|
| Uses nslookup.exe to query domains |
Networking |
System Network Configuration Discovery
|
| Creates a process in suspended mode (likely to inject code) |
HIPS / PFW / Operating System Protection Evasion |
|
| Too many similar processes found |
DDoS |
|
| Spawns processes |
System Summary |
|
|
|
C:\Windows\SysWOW64\nslookup.exe
|
nslookup nomoreransom.bit dns1.soprodns.ru
|
|
|
| Is windows: |
true
|
| Is dropped: |
false
|
| PID: |
6024
|
| Target ID: |
23
|
| Parent PID: |
6752
|
| Name: |
nslookup.exe
|
| Path: |
C:\Windows\SysWOW64\nslookup.exe
|
| Commandline: |
nslookup nomoreransom.bit dns1.soprodns.ru
|
| Size: |
78336
|
| MD5: |
8E82529D1475D67615ADCB4E1B8F4EEC
|
| Time: |
00:02:19
|
| Date: |
01/09/2022
|
| Reason: |
newprocess
|
| Reputation: |
timeout
|
| Is admin: |
true
|
| Is elevated: |
true
|
| Modulebase: |
0xcd0000
|
| Modulesize: |
98304
|
| Wow64: |
true
|
| Signature Hits |
Behavior Group |
Mitre Attack |
|
| Uses nslookup.exe to query domains |
Networking |
System Network Configuration Discovery
|
| Creates a process in suspended mode (likely to inject code) |
HIPS / PFW / Operating System Protection Evasion |
|
| Too many similar processes found |
DDoS |
|
| Spawns processes |
System Summary |
|
|
|
C:\Windows\SysWOW64\nslookup.exe
|
nslookup emsisoft.bit dns1.soprodns.ru
|
|
|
| Is windows: |
true
|
| Is dropped: |
false
|
| PID: |
5872
|
| Target ID: |
26
|
| Parent PID: |
6752
|
| Name: |
nslookup.exe
|
| Path: |
C:\Windows\SysWOW64\nslookup.exe
|
| Commandline: |
nslookup emsisoft.bit dns1.soprodns.ru
|
| Size: |
78336
|
| MD5: |
8E82529D1475D67615ADCB4E1B8F4EEC
|
| Time: |
00:02:21
|
| Date: |
01/09/2022
|
| Reason: |
newprocess
|
| Reputation: |
timeout
|
| Is admin: |
true
|
| Is elevated: |
true
|
| Modulebase: |
0xcd0000
|
| Modulesize: |
98304
|
| Wow64: |
true
|
| Signature Hits |
Behavior Group |
Mitre Attack |
|
| Uses nslookup.exe to query domains |
Networking |
System Network Configuration Discovery
|
| Creates a process in suspended mode (likely to inject code) |
HIPS / PFW / Operating System Protection Evasion |
|
| Too many similar processes found |
DDoS |
|
| Spawns processes |
System Summary |
|
|
|
C:\Windows\SysWOW64\nslookup.exe
|
nslookup gandcrab.bit dns1.soprodns.ru
|
|
|
| Is windows: |
true
|
| Is dropped: |
false
|
| PID: |
6632
|
| Target ID: |
28
|
| Parent PID: |
6752
|
| Name: |
nslookup.exe
|
| Path: |
C:\Windows\SysWOW64\nslookup.exe
|
| Commandline: |
nslookup gandcrab.bit dns1.soprodns.ru
|
| Size: |
78336
|
| MD5: |
8E82529D1475D67615ADCB4E1B8F4EEC
|
| Time: |
00:02:22
|
| Date: |
01/09/2022
|
| Reason: |
newprocess
|
| Reputation: |
timeout
|
| Is admin: |
true
|
| Is elevated: |
true
|
| Modulebase: |
0xcd0000
|
| Modulesize: |
98304
|
| Wow64: |
true
|
| Signature Hits |
Behavior Group |
Mitre Attack |
|
| Uses nslookup.exe to query domains |
Networking |
System Network Configuration Discovery
|
| Creates a process in suspended mode (likely to inject code) |
HIPS / PFW / Operating System Protection Evasion |
|
| Too many similar processes found |
DDoS |
|
| Spawns processes |
System Summary |
|
|
|
C:\Windows\SysWOW64\nslookup.exe
|
nslookup nomoreransom.bit dns1.soprodns.ru
|
|
|
| Is windows: |
true
|
| Is dropped: |
false
|
| PID: |
5964
|
| Target ID: |
31
|
| Parent PID: |
6752
|
| Name: |
nslookup.exe
|
| Path: |
C:\Windows\SysWOW64\nslookup.exe
|
| Commandline: |
nslookup nomoreransom.bit dns1.soprodns.ru
|
| Size: |
78336
|
| MD5: |
8E82529D1475D67615ADCB4E1B8F4EEC
|
| Time: |
00:02:25
|
| Date: |
01/09/2022
|
| Reason: |
newprocess
|
| Reputation: |
timeout
|
| Is admin: |
true
|
| Is elevated: |
true
|
| Modulebase: |
0xcd0000
|
| Modulesize: |
98304
|
| Wow64: |
true
|
| Signature Hits |
Behavior Group |
Mitre Attack |
|
| Uses nslookup.exe to query domains |
Networking |
System Network Configuration Discovery
|
| Creates a process in suspended mode (likely to inject code) |
HIPS / PFW / Operating System Protection Evasion |
|
| Too many similar processes found |
DDoS |
|
| Spawns processes |
System Summary |
|
|
|
C:\Windows\SysWOW64\nslookup.exe
|
nslookup emsisoft.bit dns1.soprodns.ru
|
|
|
| Is windows: |
true
|
| Is dropped: |
false
|
| PID: |
6308
|
| Target ID: |
33
|
| Parent PID: |
6752
|
| Name: |
nslookup.exe
|
| Path: |
C:\Windows\SysWOW64\nslookup.exe
|
| Commandline: |
nslookup emsisoft.bit dns1.soprodns.ru
|
| Size: |
78336
|
| MD5: |
8E82529D1475D67615ADCB4E1B8F4EEC
|
| Time: |
00:02:30
|
| Date: |
01/09/2022
|
| Reason: |
newprocess
|
| Reputation: |
timeout
|
| Is admin: |
true
|
| Is elevated: |
true
|
| Modulebase: |
0xcd0000
|
| Modulesize: |
98304
|
| Wow64: |
true
|
| Signature Hits |
Behavior Group |
Mitre Attack |
|
| Uses nslookup.exe to query domains |
Networking |
System Network Configuration Discovery
|
| Creates a process in suspended mode (likely to inject code) |
HIPS / PFW / Operating System Protection Evasion |
|
| Too many similar processes found |
DDoS |
|
| Spawns processes |
System Summary |
|
|
|
C:\Windows\SysWOW64\nslookup.exe
|
nslookup gandcrab.bit dns1.soprodns.ru
|
|
|
| Is windows: |
true
|
| Is dropped: |
false
|
| PID: |
6952
|
| Target ID: |
35
|
| Parent PID: |
6752
|
| Name: |
nslookup.exe
|
| Path: |
C:\Windows\SysWOW64\nslookup.exe
|
| Commandline: |
nslookup gandcrab.bit dns1.soprodns.ru
|
| Size: |
78336
|
| MD5: |
8E82529D1475D67615ADCB4E1B8F4EEC
|
| Time: |
00:02:32
|
| Date: |
01/09/2022
|
| Reason: |
newprocess
|
| Reputation: |
timeout
|
| Is admin: |
true
|
| Is elevated: |
true
|
| Modulebase: |
0xcd0000
|
| Modulesize: |
98304
|
| Wow64: |
true
|
| Signature Hits |
Behavior Group |
Mitre Attack |
|
| Uses nslookup.exe to query domains |
Networking |
System Network Configuration Discovery
|
| Creates a process in suspended mode (likely to inject code) |
HIPS / PFW / Operating System Protection Evasion |
|
| Too many similar processes found |
DDoS |
|
| Spawns processes |
System Summary |
|
|
|
C:\Windows\SysWOW64\nslookup.exe
|
nslookup nomoreransom.bit dns1.soprodns.ru
|
|
|
| Is windows: |
true
|
| Is dropped: |
false
|
| PID: |
6848
|
| Target ID: |
37
|
| Parent PID: |
6752
|
| Name: |
nslookup.exe
|
| Path: |
C:\Windows\SysWOW64\nslookup.exe
|
| Commandline: |
nslookup nomoreransom.bit dns1.soprodns.ru
|
| Size: |
78336
|
| MD5: |
8E82529D1475D67615ADCB4E1B8F4EEC
|
| Time: |
00:02:34
|
| Date: |
01/09/2022
|
| Reason: |
newprocess
|
| Reputation: |
timeout
|
| Is admin: |
true
|
| Is elevated: |
true
|
| Modulebase: |
0xcd0000
|
| Modulesize: |
98304
|
| Wow64: |
true
|
| Signature Hits |
Behavior Group |
Mitre Attack |
|
| Uses nslookup.exe to query domains |
Networking |
System Network Configuration Discovery
|
| Creates a process in suspended mode (likely to inject code) |
HIPS / PFW / Operating System Protection Evasion |
|
| Too many similar processes found |
DDoS |
|
| Spawns processes |
System Summary |
|
|
|
C:\Windows\SysWOW64\nslookup.exe
|
nslookup emsisoft.bit dns1.soprodns.ru
|
|
|
| Is windows: |
true
|
| Is dropped: |
false
|
| PID: |
7044
|
| Target ID: |
39
|
| Parent PID: |
6752
|
| Name: |
nslookup.exe
|
| Path: |
C:\Windows\SysWOW64\nslookup.exe
|
| Commandline: |
nslookup emsisoft.bit dns1.soprodns.ru
|
| Size: |
78336
|
| MD5: |
8E82529D1475D67615ADCB4E1B8F4EEC
|
| Time: |
00:02:37
|
| Date: |
01/09/2022
|
| Reason: |
newprocess
|
| Reputation: |
timeout
|
| Is admin: |
true
|
| Is elevated: |
true
|
| Modulebase: |
0xcd0000
|
| Modulesize: |
98304
|
| Wow64: |
true
|
| Signature Hits |
Behavior Group |
Mitre Attack |
|
| Uses nslookup.exe to query domains |
Networking |
System Network Configuration Discovery
|
| Creates a process in suspended mode (likely to inject code) |
HIPS / PFW / Operating System Protection Evasion |
|
| Too many similar processes found |
DDoS |
|
| Spawns processes |
System Summary |
|
|
|
C:\Windows\SysWOW64\nslookup.exe
|
nslookup gandcrab.bit dns1.soprodns.ru
|
|
|
| Is windows: |
true
|
| Is dropped: |
false
|
| PID: |
7040
|
| Target ID: |
41
|
| Parent PID: |
6752
|
| Name: |
nslookup.exe
|
| Path: |
C:\Windows\SysWOW64\nslookup.exe
|
| Commandline: |
nslookup gandcrab.bit dns1.soprodns.ru
|
| Size: |
78336
|
| MD5: |
8E82529D1475D67615ADCB4E1B8F4EEC
|
| Time: |
00:02:39
|
| Date: |
01/09/2022
|
| Reason: |
newprocess
|
| Reputation: |
timeout
|
| Is admin: |
true
|
| Is elevated: |
true
|
| Modulebase: |
0xcd0000
|
| Modulesize: |
98304
|
| Wow64: |
true
|
| Signature Hits |
Behavior Group |
Mitre Attack |
|
| Uses nslookup.exe to query domains |
Networking |
System Network Configuration Discovery
|
| Creates a process in suspended mode (likely to inject code) |
HIPS / PFW / Operating System Protection Evasion |
|
| Too many similar processes found |
DDoS |
|
| Spawns processes |
System Summary |
|
|
|
C:\Windows\SysWOW64\nslookup.exe
|
nslookup nomoreransom.bit dns1.soprodns.ru
|
|
|
| Is windows: |
true
|
| Is dropped: |
false
|
| PID: |
7104
|
| Target ID: |
43
|
| Parent PID: |
6752
|
| Name: |
nslookup.exe
|
| Path: |
C:\Windows\SysWOW64\nslookup.exe
|
| Commandline: |
nslookup nomoreransom.bit dns1.soprodns.ru
|
| Size: |
78336
|
| MD5: |
8E82529D1475D67615ADCB4E1B8F4EEC
|
| Time: |
00:02:41
|
| Date: |
01/09/2022
|
| Reason: |
newprocess
|
| Reputation: |
timeout
|
| Is admin: |
true
|
| Is elevated: |
true
|
| Modulebase: |
0xcd0000
|
| Modulesize: |
98304
|
| Wow64: |
true
|
| Signature Hits |
Behavior Group |
Mitre Attack |
|
| Uses nslookup.exe to query domains |
Networking |
System Network Configuration Discovery
|
| Creates a process in suspended mode (likely to inject code) |
HIPS / PFW / Operating System Protection Evasion |
|
| Too many similar processes found |
DDoS |
|
| Spawns processes |
System Summary |
|
|
|
C:\Windows\SysWOW64\nslookup.exe
|
nslookup emsisoft.bit dns1.soprodns.ru
|
|
|
| Is windows: |
true
|
| Is dropped: |
false
|
| PID: |
7148
|
| Target ID: |
49
|
| Parent PID: |
6752
|
| Name: |
nslookup.exe
|
| Path: |
C:\Windows\SysWOW64\nslookup.exe
|
| Commandline: |
nslookup emsisoft.bit dns1.soprodns.ru
|
| Size: |
78336
|
| MD5: |
8E82529D1475D67615ADCB4E1B8F4EEC
|
| Time: |
00:02:45
|
| Date: |
01/09/2022
|
| Reason: |
newprocess
|
| Reputation: |
timeout
|
| Is admin: |
true
|
| Is elevated: |
true
|
| Modulebase: |
0xcd0000
|
| Modulesize: |
98304
|
| Wow64: |
true
|
| Signature Hits |
Behavior Group |
Mitre Attack |
|
| Uses nslookup.exe to query domains |
Networking |
System Network Configuration Discovery
|
| Creates a process in suspended mode (likely to inject code) |
HIPS / PFW / Operating System Protection Evasion |
|
| Too many similar processes found |
DDoS |
|
| Spawns processes |
System Summary |
|
|
|
C:\Windows\SysWOW64\nslookup.exe
|
nslookup gandcrab.bit dns1.soprodns.ru
|
|
|
| Is windows: |
true
|
| Is dropped: |
false
|
| PID: |
4556
|
| Target ID: |
51
|
| Parent PID: |
6752
|
| Name: |
nslookup.exe
|
| Path: |
C:\Windows\SysWOW64\nslookup.exe
|
| Commandline: |
nslookup gandcrab.bit dns1.soprodns.ru
|
| Size: |
78336
|
| MD5: |
8E82529D1475D67615ADCB4E1B8F4EEC
|
| Time: |
00:02:49
|
| Date: |
01/09/2022
|
| Reason: |
newprocess
|
| Reputation: |
timeout
|
| Is admin: |
true
|
| Is elevated: |
true
|
| Modulebase: |
0xcd0000
|
| Modulesize: |
98304
|
| Wow64: |
true
|
| Signature Hits |
Behavior Group |
Mitre Attack |
|
| Uses nslookup.exe to query domains |
Networking |
System Network Configuration Discovery
|
| Creates a process in suspended mode (likely to inject code) |
HIPS / PFW / Operating System Protection Evasion |
|
| Too many similar processes found |
DDoS |
|
| Spawns processes |
System Summary |
|
|
|
C:\Windows\SysWOW64\nslookup.exe
|
nslookup nomoreransom.bit dns1.soprodns.ru
|
|
|
| Is windows: |
true
|
| Is dropped: |
false
|
| PID: |
5844
|
| Target ID: |
53
|
| Parent PID: |
6752
|
| Name: |
nslookup.exe
|
| Path: |
C:\Windows\SysWOW64\nslookup.exe
|
| Commandline: |
nslookup nomoreransom.bit dns1.soprodns.ru
|
| Size: |
78336
|
| MD5: |
8E82529D1475D67615ADCB4E1B8F4EEC
|
| Time: |
00:02:52
|
| Date: |
01/09/2022
|
| Reason: |
newprocess
|
| Reputation: |
timeout
|
| Is admin: |
true
|
| Is elevated: |
true
|
| Modulebase: |
0xcd0000
|
| Modulesize: |
98304
|
| Wow64: |
true
|
| Signature Hits |
Behavior Group |
Mitre Attack |
|
| Uses nslookup.exe to query domains |
Networking |
System Network Configuration Discovery
|
| Creates a process in suspended mode (likely to inject code) |
HIPS / PFW / Operating System Protection Evasion |
|
| Too many similar processes found |
DDoS |
|
| Spawns processes |
System Summary |
|
|
|
C:\Windows\SysWOW64\nslookup.exe
|
nslookup emsisoft.bit dns1.soprodns.ru
|
|
|
| Is windows: |
true
|
| Is dropped: |
false
|
| PID: |
5976
|
| Target ID: |
55
|
| Parent PID: |
6752
|
| Name: |
nslookup.exe
|
| Path: |
C:\Windows\SysWOW64\nslookup.exe
|
| Commandline: |
nslookup emsisoft.bit dns1.soprodns.ru
|
| Size: |
78336
|
| MD5: |
8E82529D1475D67615ADCB4E1B8F4EEC
|
| Time: |
00:02:54
|
| Date: |
01/09/2022
|
| Reason: |
newprocess
|
| Reputation: |
timeout
|
| Is admin: |
true
|
| Is elevated: |
true
|
| Modulebase: |
0xcd0000
|
| Modulesize: |
98304
|
| Wow64: |
true
|
| Signature Hits |
Behavior Group |
Mitre Attack |
|
| Uses nslookup.exe to query domains |
Networking |
System Network Configuration Discovery
|
| Creates a process in suspended mode (likely to inject code) |
HIPS / PFW / Operating System Protection Evasion |
|
| Too many similar processes found |
DDoS |
|
| Spawns processes |
System Summary |
|
|
|
C:\Windows\SysWOW64\nslookup.exe
|
nslookup gandcrab.bit dns1.soprodns.ru
|
|
|
| Is windows: |
true
|
| Is dropped: |
false
|
| PID: |
6564
|
| Target ID: |
58
|
| Parent PID: |
6752
|
| Name: |
nslookup.exe
|
| Path: |
C:\Windows\SysWOW64\nslookup.exe
|
| Commandline: |
nslookup gandcrab.bit dns1.soprodns.ru
|
| Size: |
78336
|
| MD5: |
8E82529D1475D67615ADCB4E1B8F4EEC
|
| Time: |
00:02:57
|
| Date: |
01/09/2022
|
| Reason: |
newprocess
|
| Reputation: |
timeout
|
| Is admin: |
true
|
| Is elevated: |
true
|
| Modulebase: |
0xcd0000
|
| Modulesize: |
98304
|
| Wow64: |
true
|
| Signature Hits |
Behavior Group |
Mitre Attack |
|
| Uses nslookup.exe to query domains |
Networking |
System Network Configuration Discovery
|
| Creates a process in suspended mode (likely to inject code) |
HIPS / PFW / Operating System Protection Evasion |
|
| Too many similar processes found |
DDoS |
|
| Spawns processes |
System Summary |
|
|
|
C:\Windows\SysWOW64\nslookup.exe
|
nslookup nomoreransom.bit dns1.soprodns.ru
|
|
|
| Is windows: |
true
|
| Is dropped: |
false
|
| PID: |
5860
|
| Target ID: |
60
|
| Parent PID: |
6752
|
| Name: |
nslookup.exe
|
| Path: |
C:\Windows\SysWOW64\nslookup.exe
|
| Commandline: |
nslookup nomoreransom.bit dns1.soprodns.ru
|
| Size: |
78336
|
| MD5: |
8E82529D1475D67615ADCB4E1B8F4EEC
|
| Time: |
00:03:02
|
| Date: |
01/09/2022
|
| Reason: |
newprocess
|
| Reputation: |
timeout
|
| Is admin: |
true
|
| Is elevated: |
true
|
| Modulebase: |
0xcd0000
|
| Modulesize: |
98304
|
| Wow64: |
true
|
| Signature Hits |
Behavior Group |
Mitre Attack |
|
| Uses nslookup.exe to query domains |
Networking |
System Network Configuration Discovery
|
| Creates a process in suspended mode (likely to inject code) |
HIPS / PFW / Operating System Protection Evasion |
|
| Too many similar processes found |
DDoS |
|
| Spawns processes |
System Summary |
|
|
|
C:\Windows\SysWOW64\nslookup.exe
|
nslookup emsisoft.bit dns1.soprodns.ru
|
|
|
| Is windows: |
true
|
| Is dropped: |
false
|
| PID: |
6608
|
| Target ID: |
62
|
| Parent PID: |
6752
|
| Name: |
nslookup.exe
|
| Path: |
C:\Windows\SysWOW64\nslookup.exe
|
| Commandline: |
nslookup emsisoft.bit dns1.soprodns.ru
|
| Size: |
78336
|
| MD5: |
8E82529D1475D67615ADCB4E1B8F4EEC
|
| Time: |
00:03:05
|
| Date: |
01/09/2022
|
| Reason: |
newprocess
|
| Reputation: |
timeout
|
| Is admin: |
true
|
| Is elevated: |
true
|
| Modulebase: |
0xcd0000
|
| Modulesize: |
98304
|
| Wow64: |
true
|
| Signature Hits |
Behavior Group |
Mitre Attack |
|
| Uses nslookup.exe to query domains |
Networking |
System Network Configuration Discovery
|
| Creates a process in suspended mode (likely to inject code) |
HIPS / PFW / Operating System Protection Evasion |
|
| Too many similar processes found |
DDoS |
|
| Spawns processes |
System Summary |
|
|
|
C:\Windows\SysWOW64\nslookup.exe
|
nslookup gandcrab.bit dns1.soprodns.ru
|
|
|
| Is windows: |
true
|
| Is dropped: |
false
|
| PID: |
6032
|
| Target ID: |
64
|
| Parent PID: |
6752
|
| Name: |
nslookup.exe
|
| Path: |
C:\Windows\SysWOW64\nslookup.exe
|
| Commandline: |
nslookup gandcrab.bit dns1.soprodns.ru
|
| Size: |
78336
|
| MD5: |
8E82529D1475D67615ADCB4E1B8F4EEC
|
| Time: |
00:03:10
|
| Date: |
01/09/2022
|
| Reason: |
newprocess
|
| Reputation: |
timeout
|
| Is admin: |
true
|
| Is elevated: |
true
|
| Modulebase: |
0xcd0000
|
| Modulesize: |
98304
|
| Wow64: |
true
|
| Signature Hits |
Behavior Group |
Mitre Attack |
|
| Uses nslookup.exe to query domains |
Networking |
System Network Configuration Discovery
|
| Creates a process in suspended mode (likely to inject code) |
HIPS / PFW / Operating System Protection Evasion |
|
| Too many similar processes found |
DDoS |
|
| Spawns processes |
System Summary |
|
|
|
C:\Windows\SysWOW64\nslookup.exe
|
nslookup nomoreransom.bit dns1.soprodns.ru
|
|
|
| Is windows: |
true
|
| Is dropped: |
false
|
| PID: |
6440
|
| Target ID: |
66
|
| Parent PID: |
6752
|
| Name: |
nslookup.exe
|
| Path: |
C:\Windows\SysWOW64\nslookup.exe
|
| Commandline: |
nslookup nomoreransom.bit dns1.soprodns.ru
|
| Size: |
78336
|
| MD5: |
8E82529D1475D67615ADCB4E1B8F4EEC
|
| Time: |
00:03:12
|
| Date: |
01/09/2022
|
| Reason: |
newprocess
|
| Reputation: |
timeout
|
| Is admin: |
true
|
| Is elevated: |
true
|
| Modulebase: |
0xcd0000
| |
