Windows Analysis Report
O8ZHhytWhn.exe

Overview

General Information

Sample Name: O8ZHhytWhn.exe
Analysis ID: 694558
MD5: b39febf7440b58a6cd15ae9f01916f98
SHA1: 66984e561fc5feead5ef9790f79bffd7778ac1e2
SHA256: 9c689986ca8e0b4fd93657ad9ed5c37994ccf591c90d5fba85684f2d0f49e1b9
Tags: exe
Infos:

Detection

Gandcrab, ReflectiveLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected Gandcrab
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected ReflectiveLoader
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Snort IDS alert for network traffic
Found evasive API chain (may stop execution after checking mutex)
Contains functionality to determine the online IP of the system
Found Tor onion address
Uses nslookup.exe to query domains
Machine Learning detection for sample
May check the online IP address of the machine
Performs many domain queries via nslookup
Machine Learning detection for dropped file
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Sample execution stops while process was sleeping (likely an evasion)
Too many similar processes found
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Queries information about the installed CPU (vendor, model number etc)
Drops PE files
Contains functionality to read the PEB
Found evaded block containing many API calls
Contains functionality to enumerate device drivers
Checks for available system drives (often done to infect USB drives)
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection

barindex
Source: O8ZHhytWhn.exe Virustotal: Detection: 87% Perma Link
Source: O8ZHhytWhn.exe Metadefender: Detection: 78% Perma Link
Source: O8ZHhytWhn.exe ReversingLabs: Detection: 92%
Source: O8ZHhytWhn.exe Avira: detected
Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe Avira: detection malicious, Label: TR/Dropper.Gen
Source: O8ZHhytWhn.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe Joe Sandbox ML: detected
Source: 0.0.O8ZHhytWhn.exe.f1d0000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 9.0.wjaoab.exe.fbc0000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 25.2.wjaoab.exe.fbc0000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 9.2.wjaoab.exe.fbc0000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 0.2.O8ZHhytWhn.exe.f1d0000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 25.0.wjaoab.exe.fbc0000.0.unpack Avira: Label: TR/Dropper.Gen
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Code function: 0_2_0F1D4950 Sleep,ExitProcess,CreateThread,WaitForSingleObject,TerminateThread,CloseHandle,VirtualAlloc,GetModuleFileNameW,VirtualFree,ExitProcess,Sleep,lstrlenA,VirtualAlloc,CryptStringToBinaryA,ExitProcess,InitializeCriticalSection,DeleteCriticalSection,VirtualAlloc,GetModuleFileNameW,VirtualFree,ShellExecuteW,ExitThread, 0_2_0F1D4950
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Code function: 0_2_0F1D8150 CryptAcquireContextW,VirtualAlloc,GetModuleHandleA,LoadLibraryA,GetProcAddress,CryptReleaseContext,VirtualFree,CryptReleaseContext,VirtualFree, 0_2_0F1D8150
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Code function: 0_2_0F1D5880 VirtualAlloc,CryptBinaryToStringA,CryptBinaryToStringA,CryptBinaryToStringA,lstrlenA,lstrlenA,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrcatW,lstrcatW,lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenA,lstrlenW,MultiByteToWideChar,lstrcatW,lstrlenW,lstrlenA,lstrlenW,MultiByteToWideChar,lstrcatW,lstrlenW,lstrlenW,VirtualAlloc,lstrlenW,lstrlenW,_memset,lstrlenA,lstrlenA,CryptBinaryToStringA,GetLastError,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,MultiByteToWideChar,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree, 0_2_0F1D5880
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Code function: 0_2_0F1D62B0 CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptGenKey,CryptExportKey,CryptExportKey,CryptDestroyKey,CryptReleaseContext,CryptAcquireContextW, 0_2_0F1D62B0
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Code function: 0_2_0F1D82A0 CryptAcquireContextW,VirtualAlloc,GetModuleHandleA,LoadLibraryA,GetProcAddress,CryptReleaseContext,VirtualFree,CryptReleaseContext,VirtualFree, 0_2_0F1D82A0
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Code function: 0_2_0F1D5210 lstrlenA,VirtualAlloc,CryptStringToBinaryA,_memset,lstrlenA,lstrlenA,lstrlenA,VirtualAlloc,lstrcpyA,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,VirtualFree,GetLastError, 0_2_0F1D5210
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Code function: 0_2_0F1D6530 EnterCriticalSection,CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptImportKey,CryptGetKeyParam,CryptEncrypt,GetLastError,CryptReleaseContext,LeaveCriticalSection, 0_2_0F1D6530
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Code function: 0_2_0F1D5670 VirtualAlloc,wsprintfW,lstrlenW,lstrlenW,lstrlenW,_memset,lstrlenA,lstrlenW,lstrlenW,CryptBinaryToStringA,GetLastError,lstrlenA,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,VirtualFree,VirtualFree,VirtualFree, 0_2_0F1D5670
Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe Code function: 9_2_0FBC4950 Sleep,ExitProcess,CreateThread,WaitForSingleObject,TerminateThread,CloseHandle,VirtualAlloc,GetModuleFileNameW,VirtualFree,ExitProcess,Sleep,lstrlenA,VirtualAlloc,CryptStringToBinaryA,ExitProcess,InitializeCriticalSection,DeleteCriticalSection,VirtualAlloc,GetModuleFileNameW,VirtualFree,ShellExecuteW,ExitThread, 9_2_0FBC4950
Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe Code function: 9_2_0FBC62B0 CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptGenKey,CryptExportKey,CryptExportKey,CryptDestroyKey,CryptReleaseContext,CryptAcquireContextW, 9_2_0FBC62B0
Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe Code function: 9_2_0FBC82A0 CryptAcquireContextW,VirtualAlloc,GetModuleHandleA,LoadLibraryA,GetProcAddress,CryptReleaseContext,VirtualFree,CryptReleaseContext,VirtualFree, 9_2_0FBC82A0
Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe Code function: 9_2_0FBC5880 VirtualAlloc,CryptBinaryToStringA,CryptBinaryToStringA,CryptBinaryToStringA,lstrlenA,lstrlenA,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrcatW,lstrcatW,lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenA,lstrlenW,MultiByteToWideChar,lstrcatW,lstrlenW,lstrlenA,lstrlenW,MultiByteToWideChar,lstrcatW,lstrlenW,lstrlenW,VirtualAlloc,lstrlenW,lstrlenW,_memset,lstrlenA,lstrlenA,CryptBinaryToStringA,GetLastError,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,MultiByteToWideChar,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree, 9_2_0FBC5880
Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe Code function: 9_2_0FBC6530 EnterCriticalSection,CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptImportKey,CryptGetKeyParam,CryptEncrypt,GetLastError,CryptReleaseContext,LeaveCriticalSection, 9_2_0FBC6530
Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe Code function: 9_2_0FBC5210 lstrlenA,VirtualAlloc,CryptStringToBinaryA,_memset,lstrlenA,lstrlenA,lstrlenA,VirtualAlloc,lstrcpyA,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,VirtualFree,GetLastError, 9_2_0FBC5210
Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe Code function: 9_2_0FBC5670 VirtualAlloc,wsprintfW,lstrlenW,lstrlenW,lstrlenW,_memset,lstrlenA,lstrlenW,lstrlenW,CryptBinaryToStringA,GetLastError,lstrlenA,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,VirtualFree,VirtualFree,VirtualFree, 9_2_0FBC5670
Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe Code function: 9_2_0FBC8150 CryptAcquireContextW,VirtualAlloc,GetModuleHandleA,LoadLibraryA,GetProcAddress,CryptReleaseContext,VirtualFree,CryptReleaseContext,VirtualFree, 9_2_0FBC8150
Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe Code function: 25_2_0FBC4950 Sleep,ExitProcess,CreateThread,WaitForSingleObject,TerminateThread,CloseHandle,VirtualAlloc,GetModuleFileNameW,VirtualFree,ExitProcess,Sleep,lstrlenA,VirtualAlloc,CryptStringToBinaryA,ExitProcess,InitializeCriticalSection,DeleteCriticalSection,VirtualAlloc,GetModuleFileNameW,VirtualFree,ShellExecuteW,ExitThread, 25_2_0FBC4950
Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe Code function: 25_2_0FBC62B0 CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptGenKey,CryptExportKey,CryptExportKey,CryptDestroyKey,CryptReleaseContext,CryptAcquireContextW, 25_2_0FBC62B0
Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe Code function: 25_2_0FBC82A0 CryptAcquireContextW,VirtualAlloc,GetModuleHandleA,LoadLibraryA,GetProcAddress,CryptReleaseContext,VirtualFree,CryptReleaseContext,VirtualFree, 25_2_0FBC82A0
Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe Code function: 25_2_0FBC5880 VirtualAlloc,CryptBinaryToStringA,CryptBinaryToStringA,CryptBinaryToStringA,lstrlenA,lstrlenA,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrcatW,lstrcatW,lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenA,lstrlenW,MultiByteToWideChar,lstrcatW,lstrlenW,lstrlenA,lstrlenW,MultiByteToWideChar,lstrcatW,lstrlenW,lstrlenW,VirtualAlloc,lstrlenW,lstrlenW,_memset,lstrlenA,lstrlenA,CryptBinaryToStringA,GetLastError,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,MultiByteToWideChar,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree, 25_2_0FBC5880
Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe Code function: 25_2_0FBC6530 EnterCriticalSection,CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptImportKey,CryptGetKeyParam,CryptEncrypt,GetLastError,CryptReleaseContext,LeaveCriticalSection, 25_2_0FBC6530
Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe Code function: 25_2_0FBC5210 lstrlenA,VirtualAlloc,CryptStringToBinaryA,_memset,lstrlenA,lstrlenA,lstrlenA,VirtualAlloc,lstrcpyA,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,VirtualFree,GetLastError, 25_2_0FBC5210
Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe Code function: 25_2_0FBC5670 VirtualAlloc,wsprintfW,lstrlenW,lstrlenW,lstrlenW,_memset,lstrlenA,lstrlenW,lstrlenW,CryptBinaryToStringA,GetLastError,lstrlenA,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,VirtualFree,VirtualFree,VirtualFree, 25_2_0FBC5670
Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe Code function: 25_2_0FBC8150 CryptAcquireContextW,VirtualAlloc,GetModuleHandleA,LoadLibraryA,GetProcAddress,CryptReleaseContext,VirtualFree,CryptReleaseContext,VirtualFree, 25_2_0FBC8150
Source: O8ZHhytWhn.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: O8ZHhytWhn.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe File opened: z: Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe File opened: x: Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe File opened: v: Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe File opened: t: Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe File opened: r: Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe File opened: p: Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe File opened: n: Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe File opened: l: Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe File opened: j: Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe File opened: h: Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe File opened: f: Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe File opened: b: Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe File opened: y: Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe File opened: w: Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe File opened: u: Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe File opened: s: Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe File opened: q: Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe File opened: o: Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe File opened: m: Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe File opened: k: Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe File opened: i: Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe File opened: g: Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe File opened: e: Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe File opened: a: Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Code function: 0_2_0F1D6A40 lstrlenW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcatW,lstrlenW,lstrcmpW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,lstrlenA,VirtualFree,CloseHandle,lstrcmpW,FindNextFileW,FindClose, 0_2_0F1D6A40
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Code function: 0_2_0F1D6C90 lstrlenW,lstrcatW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcatW,lstrcatW,lstrcatW,FindNextFileW,FindClose, 0_2_0F1D6C90
Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe Code function: 9_2_0FBC6C90 lstrlenW,lstrcatW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcatW,lstrcatW,lstrcatW,FindNextFileW,FindClose, 9_2_0FBC6C90
Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe Code function: 9_2_0FBC6A40 lstrlenW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcatW,lstrlenW,lstrcmpW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,lstrlenA,VirtualFree,CloseHandle,lstrcmpW,FindNextFileW,FindClose, 9_2_0FBC6A40
Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe Code function: 25_2_0FBC6C90 lstrlenW,lstrcatW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcatW,lstrcatW,lstrcatW,FindNextFileW,FindClose, 25_2_0FBC6C90
Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe Code function: 25_2_0FBC6A40 lstrlenW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcatW,lstrlenW,lstrcmpW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,lstrlenA,VirtualFree,CloseHandle,lstrcmpW,FindNextFileW,FindClose, 25_2_0FBC6A40

Networking

barindex
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.7:50507 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.7:50508 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.7:50509 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.7:50510 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.7:61180 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.7:61181 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.7:61182 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.7:61183 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.7:53338 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.7:53339 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.7:53340 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.7:53341 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.7:51009 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.7:51010 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.7:51011 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.7:51012 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.7:58285 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.7:58286 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.7:58287 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.7:58288 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.7:50026 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.7:50027 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.7:50028 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.7:50029 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.7:62681 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.7:62682 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.7:62683 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.7:62684 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.7:52106 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.7:52107 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.7:52108 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.7:52109 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.7:51141 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.7:51142 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.7:51143 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.7:51144 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.7:58786 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.7:58787 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.7:58788 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.7:58789 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.7:58748 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.7:58749 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.7:58750 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.7:58751 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.7:62435 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.7:62436 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.7:62437 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.7:62438 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.7:64080 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.7:64081 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.7:64082 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.7:64083 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.7:50233 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.7:50234 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.7:50235 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.7:50236 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.7:51438 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.7:51439 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.7:51440 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.7:51441 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.7:59055 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.7:59056 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.7:59057 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.7:59058 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.7:63189 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.7:63190 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.7:63191 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.7:63192 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.7:53639 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.7:53640 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.7:53641 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.7:53642 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.7:54194 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.7:54195 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.7:54196 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.7:54197 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.7:62020 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.7:62021 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.7:62022 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.7:62023 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.7:60839 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.7:60840 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.7:60841 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.7:60842 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.7:55833 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.7:55834 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.7:55835 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.7:55836 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.7:56773 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.7:56774 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.7:56775 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.7:56776 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.7:59548 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.7:59549 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.7:59550 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.7:59551 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.7:61174 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.7:61175 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.7:61176 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.7:61177 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.7:62910 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.7:62911 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.7:62912 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.7:62913 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.7:59848 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.7:59849 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.7:59850 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.7:59851 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.7:63293 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.7:63294 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.7:63295 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.7:63296 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.7:59114 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.7:59115 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.7:59116 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.7:59117 -> 8.8.8.8:53
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Code function: 0_2_0F1D6E90 VirtualAlloc,VirtualAlloc,lstrlenW,lstrlenA,wsprintfW,VirtualFree,InternetCloseHandle, ipv4bot.whatismyipaddress.com 0_2_0F1D6E90
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Code function: 0_2_0F1D6E90 VirtualAlloc,VirtualAlloc,lstrlenW,lstrlenA,wsprintfW,VirtualFree,InternetCloseHandle, ipv4bot.whatismyipaddress.com 0_2_0F1D6E90
Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe Code function: 9_2_0FBC6E90 VirtualAlloc,VirtualAlloc,lstrlenW,lstrlenA,wsprintfW,VirtualFree,InternetCloseHandle, ipv4bot.whatismyipaddress.com 9_2_0FBC6E90
Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe Code function: 9_2_0FBC6E90 VirtualAlloc,VirtualAlloc,lstrlenW,lstrlenA,wsprintfW,VirtualFree,InternetCloseHandle, ipv4bot.whatismyipaddress.com 9_2_0FBC6E90
Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe Code function: 25_2_0FBC6E90 VirtualAlloc,VirtualAlloc,lstrlenW,lstrlenA,wsprintfW,VirtualFree,InternetCloseHandle, ipv4bot.whatismyipaddress.com 25_2_0FBC6E90
Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe Code function: 25_2_0FBC6E90 VirtualAlloc,VirtualAlloc,lstrlenW,lstrlenA,wsprintfW,VirtualFree,InternetCloseHandle, ipv4bot.whatismyipaddress.com 25_2_0FBC6E90
Source: O8ZHhytWhn.exe, 00000000.00000000.248593701.000000000F1E2000.00000008.00000001.01000000.00000003.sdmp String found in binary or memory: 4. Open link in tor browser: http://gdcbghvjyqy7jclk.onion/3a23db8448d3b2b
Source: O8ZHhytWhn.exe, 00000000.00000002.517637468.000000000F1E2000.00000004.00000001.01000000.00000003.sdmp String found in binary or memory: 4. Open link in tor browser: http://gdcbghvjyqy7jclk.onion/3a23db8448d3b2b
Source: wjaoab.exe, 00000009.00000000.289875664.000000000FBD2000.00000008.00000001.01000000.00000006.sdmp String found in binary or memory: 4. Open link in tor browser: http://gdcbghvjyqy7jclk.onion/3a23db8448d3b2b
Source: wjaoab.exe, 00000019.00000000.308682011.000000000FBD2000.00000008.00000001.01000000.00000006.sdmp String found in binary or memory: 4. Open link in tor browser: http://gdcbghvjyqy7jclk.onion/3a23db8448d3b2b
Source: O8ZHhytWhn.exe String found in binary or memory: 4. Open link in tor browser: http://gdcbghvjyqy7jclk.onion/3a23db8448d3b2b
Source: wjaoab.exe.0.dr String found in binary or memory: 4. Open link in tor browser: http://gdcbghvjyqy7jclk.onion/3a23db8448d3b2b
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns1.soprodns.ru
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns2.soprodns.ru
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns2.soprodns.ru
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns2.soprodns.ru
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns1.soprodns.ru
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns2.soprodns.ru
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns2.soprodns.ru
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns2.soprodns.ru
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns1.soprodns.ru
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns2.soprodns.ru
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns2.soprodns.ru
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns2.soprodns.ru
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns1.soprodns.ru
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns2.soprodns.ru
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns2.soprodns.ru
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns2.soprodns.ru
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns2.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns2.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns2.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns2.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns2.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns2.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns2.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns2.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns2.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns2.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns2.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns2.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns2.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns2.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns2.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru Jump to behavior
Source: O8ZHhytWhn.exe, wjaoab.exe.0.dr String found in binary or memory: http://gdcbghvjyqy7jclk.onion/3a23db8448d3b2b
Source: O8ZHhytWhn.exe, wjaoab.exe.0.dr String found in binary or memory: https://tox.chat/download.html
Source: O8ZHhytWhn.exe, wjaoab.exe.0.dr String found in binary or memory: https://www.torproject.org/
Source: unknown DNS traffic detected: queries for: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Code function: 0_2_0F1D7EF0 lstrcatW,InternetCloseHandle,InternetConnectW,VirtualAlloc,wsprintfW,HttpOpenRequestW,HttpAddRequestHeadersW,HttpSendRequestW,InternetReadFile,InternetReadFile,GetLastError,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,VirtualFree, 0_2_0F1D7EF0

Spam, unwanted Advertisements and Ransom Demands

barindex
Source: Yara match File source: O8ZHhytWhn.exe, type: SAMPLE
Source: Yara match File source: 9.0.wjaoab.exe.fbc0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.2.wjaoab.exe.fbc0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.0.wjaoab.exe.fbc0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.O8ZHhytWhn.exe.f1d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.O8ZHhytWhn.exe.f1d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.wjaoab.exe.fbc0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.248593701.000000000F1E2000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000000.308682011.000000000FBD2000.00000008.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000000.289875664.000000000FBD2000.00000008.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.293155621.000000000FBD2000.00000008.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.517637468.000000000F1E2000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.311539070.000000000FBD2000.00000008.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: O8ZHhytWhn.exe PID: 5900, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: wjaoab.exe PID: 5444, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: wjaoab.exe PID: 2888, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe, type: DROPPED
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Code function: 0_2_0F1D6530 EnterCriticalSection,CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptImportKey,CryptGetKeyParam,CryptEncrypt,GetLastError,CryptReleaseContext,LeaveCriticalSection, 0_2_0F1D6530
Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe Code function: 9_2_0FBC6530 EnterCriticalSection,CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptImportKey,CryptGetKeyParam,CryptEncrypt,GetLastError,CryptReleaseContext,LeaveCriticalSection, 9_2_0FBC6530
Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe Code function: 25_2_0FBC6530 EnterCriticalSection,CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptImportKey,CryptGetKeyParam,CryptEncrypt,GetLastError,CryptReleaseContext,LeaveCriticalSection, 25_2_0FBC6530
Source: nslookup.exe Process created: 48

System Summary

barindex
Source: O8ZHhytWhn.exe, type: SAMPLE Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: O8ZHhytWhn.exe, type: SAMPLE Matched rule: Gandcrab Payload Author: kevoreilly
Source: 9.0.wjaoab.exe.fbc0000.0.unpack, type: UNPACKEDPE Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 9.0.wjaoab.exe.fbc0000.0.unpack, type: UNPACKEDPE Matched rule: Gandcrab Payload Author: kevoreilly
Source: 25.2.wjaoab.exe.fbc0000.0.unpack, type: UNPACKEDPE Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 25.2.wjaoab.exe.fbc0000.0.unpack, type: UNPACKEDPE Matched rule: Gandcrab Payload Author: kevoreilly
Source: 25.0.wjaoab.exe.fbc0000.0.unpack, type: UNPACKEDPE Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 25.0.wjaoab.exe.fbc0000.0.unpack, type: UNPACKEDPE Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0.2.O8ZHhytWhn.exe.f1d0000.0.unpack, type: UNPACKEDPE Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0.2.O8ZHhytWhn.exe.f1d0000.0.unpack, type: UNPACKEDPE Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0.0.O8ZHhytWhn.exe.f1d0000.0.unpack, type: UNPACKEDPE Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0.0.O8ZHhytWhn.exe.f1d0000.0.unpack, type: UNPACKEDPE Matched rule: Gandcrab Payload Author: kevoreilly
Source: 9.2.wjaoab.exe.fbc0000.0.unpack, type: UNPACKEDPE Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 9.2.wjaoab.exe.fbc0000.0.unpack, type: UNPACKEDPE Matched rule: Gandcrab Payload Author: kevoreilly
Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe, type: DROPPED Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe, type: DROPPED Matched rule: Gandcrab Payload Author: kevoreilly
Source: O8ZHhytWhn.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: O8ZHhytWhn.exe, type: SAMPLE Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: O8ZHhytWhn.exe, type: SAMPLE Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: O8ZHhytWhn.exe, type: SAMPLE Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: O8ZHhytWhn.exe, type: SAMPLE Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 9.0.wjaoab.exe.fbc0000.0.unpack, type: UNPACKEDPE Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 9.0.wjaoab.exe.fbc0000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 9.0.wjaoab.exe.fbc0000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 9.0.wjaoab.exe.fbc0000.0.unpack, type: UNPACKEDPE Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 25.2.wjaoab.exe.fbc0000.0.unpack, type: UNPACKEDPE Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 25.2.wjaoab.exe.fbc0000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 25.2.wjaoab.exe.fbc0000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 25.2.wjaoab.exe.fbc0000.0.unpack, type: UNPACKEDPE Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 25.0.wjaoab.exe.fbc0000.0.unpack, type: UNPACKEDPE Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 25.0.wjaoab.exe.fbc0000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 25.0.wjaoab.exe.fbc0000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 25.0.wjaoab.exe.fbc0000.0.unpack, type: UNPACKEDPE Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0.0.O8ZHhytWhn.exe.f1d0000.0.unpack, type: UNPACKEDPE Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 0.0.O8ZHhytWhn.exe.f1d0000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 0.2.O8ZHhytWhn.exe.f1d0000.0.unpack, type: UNPACKEDPE Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 0.2.O8ZHhytWhn.exe.f1d0000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 0.2.O8ZHhytWhn.exe.f1d0000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0.2.O8ZHhytWhn.exe.f1d0000.0.unpack, type: UNPACKEDPE Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0.0.O8ZHhytWhn.exe.f1d0000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0.0.O8ZHhytWhn.exe.f1d0000.0.unpack, type: UNPACKEDPE Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 9.2.wjaoab.exe.fbc0000.0.unpack, type: UNPACKEDPE Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 9.2.wjaoab.exe.fbc0000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 9.2.wjaoab.exe.fbc0000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 9.2.wjaoab.exe.fbc0000.0.unpack, type: UNPACKEDPE Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe, type: DROPPED Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe, type: DROPPED Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe, type: DROPPED Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe, type: DROPPED Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Code function: 0_2_0F1D1C20 0_2_0F1D1C20
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Code function: 0_2_0F1D1020 0_2_0F1D1020
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Code function: 0_2_0F1D83C0 0_2_0F1D83C0
Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe Code function: 9_2_0FBC83C0 9_2_0FBC83C0
Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe Code function: 9_2_0FBC1C20 9_2_0FBC1C20
Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe Code function: 9_2_0FBC1020 9_2_0FBC1020
Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe Code function: 25_2_0FBC83C0 25_2_0FBC83C0
Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe Code function: 25_2_0FBC1C20 25_2_0FBC1C20
Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe Code function: 25_2_0FBC1020 25_2_0FBC1020
Source: O8ZHhytWhn.exe Virustotal: Detection: 87%
Source: O8ZHhytWhn.exe Metadefender: Detection: 78%
Source: O8ZHhytWhn.exe ReversingLabs: Detection: 92%
Source: O8ZHhytWhn.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\O8ZHhytWhn.exe "C:\Users\user\Desktop\O8ZHhytWhn.exe"
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns1.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns2.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe "C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe"
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns2.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns2.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns1.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe "C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe"
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns2.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns2.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns2.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns1.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns2.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns2.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns2.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns1.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns2.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns2.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns2.soprodns.ru
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns2.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns2.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns2.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns2.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns2.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns2.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns2.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns2.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns2.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns2.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns2.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns2.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32 Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe File created: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe Jump to behavior
Source: classification engine Classification label: mal100.rans.troj.evad.winEXE@89/2@278/1
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Code function: 0_2_0F1D7330 VirtualAlloc,VirtualAlloc,GetUserNameW,VirtualAlloc,GetComputerNameW,wsprintfW,VirtualAlloc,wsprintfW,VirtualAlloc,RegOpenKeyExW,RegQueryValueExW,GetLastError,RegCloseKey,VirtualFree,VirtualAlloc,VirtualAlloc,wsprintfW,RegOpenKeyExW,RegQueryValueExW,GetLastError,RegCloseKey,lstrcmpiW,wsprintfW,VirtualFree,VirtualAlloc,VirtualAlloc,wsprintfW,GetNativeSystemInfo,VirtualAlloc,wsprintfW,ExitProcess,wsprintfW,VirtualAlloc,VirtualAlloc,GetWindowsDirectoryW,GetVolumeInformationW,lstrlenW,wsprintfW,lstrcatW,lstrcatW,GetModuleHandleW,GetProcAddress,lstrlenW,VirtualFree,lstrcatW,VirtualAlloc,GetDriveTypeW,lstrcatW,lstrcatW,lstrcatW,GetDiskFreeSpaceW,lstrlenW,wsprintfW,wsprintfW,lstrlenW,lstrlenW,wsprintfW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,lstrlenW,VirtualAlloc,VirtualFree, 0_2_0F1D7330
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Code function: 0_2_0F1D7A10 wsprintfW,VirtualAlloc,VirtualAlloc,VirtualAlloc,VirtualAlloc,CreateToolhelp32Snapshot,VirtualFree,Process32FirstW,lstrcmpiW,lstrcpyW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,Process32NextW,GetLastError,lstrlenW,VirtualFree,VirtualFree,FindCloseChangeNotification,VirtualFree, 0_2_0F1D7A10
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3116:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1840:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5588:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6012:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5708:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2300:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5944:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5184:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5928:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5376:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:160:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2800:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3144:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:588:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4908:120:WilError_01
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\pc_group=WORKGROUP&ransom_id=4afbeea82d32d45
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5756:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2980:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1352:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4824:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4372:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1836:120:WilError_01
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: Window Recorder Window detected: More than 3 window changes detected
Source: O8ZHhytWhn.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH

Data Obfuscation

barindex
Source: Yara match File source: O8ZHhytWhn.exe, type: SAMPLE
Source: Yara match File source: 9.0.wjaoab.exe.fbc0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.2.wjaoab.exe.fbc0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.0.wjaoab.exe.fbc0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.O8ZHhytWhn.exe.f1d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.O8ZHhytWhn.exe.f1d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.wjaoab.exe.fbc0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000019.00000002.311529128.000000000FBCA000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.517623653.000000000F1DA000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000000.289867124.000000000FBCA000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.293144665.000000000FBCA000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000000.308674547.000000000FBCA000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.248569401.000000000F1DA000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: O8ZHhytWhn.exe PID: 5900, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: wjaoab.exe PID: 5444, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: wjaoab.exe PID: 2888, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe, type: DROPPED
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Code function: 0_2_0F1D8150 CryptAcquireContextW,VirtualAlloc,GetModuleHandleA,LoadLibraryA,GetProcAddress,CryptReleaseContext,VirtualFree,CryptReleaseContext,VirtualFree, 0_2_0F1D8150
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe File created: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe Jump to dropped file
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce wzugsdsqebh Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce wzugsdsqebh Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce wzugsdsqebh Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce wzugsdsqebh Jump to behavior

Malware Analysis System Evasion

barindex
Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe TID: 4528 Thread sleep count: 40 > 30 Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe TID: 4528 Thread sleep time: -40000s >= -30000s Jump to behavior
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe Evaded block: after key decision
Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe Evaded block: after key decision
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Code function: EnumDeviceDrivers,K32EnumDeviceDrivers,VirtualAlloc,K32EnumDeviceDrivers,K32GetDeviceDriverBaseNameW,lstrcmpiW,VirtualFree,VirtualFree, 0_2_0F1D2F50
Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe Code function: EnumDeviceDrivers,EnumDeviceDrivers,VirtualAlloc,EnumDeviceDrivers,GetDeviceDriverBaseNameW,lstrcmpiW,VirtualFree,VirtualFree, 9_2_0FBC2F50
Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe Code function: EnumDeviceDrivers,EnumDeviceDrivers,VirtualAlloc,EnumDeviceDrivers,GetDeviceDriverBaseNameW,lstrcmpiW,VirtualFree,VirtualFree, 25_2_0FBC2F50
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Code function: 0_2_0F1D6A40 lstrlenW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcatW,lstrlenW,lstrcmpW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,lstrlenA,VirtualFree,CloseHandle,lstrcmpW,FindNextFileW,FindClose, 0_2_0F1D6A40
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Code function: 0_2_0F1D6C90 lstrlenW,lstrcatW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcatW,lstrcatW,lstrcatW,FindNextFileW,FindClose, 0_2_0F1D6C90
Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe Code function: 9_2_0FBC6C90 lstrlenW,lstrcatW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcatW,lstrcatW,lstrcatW,FindNextFileW,FindClose, 9_2_0FBC6C90
Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe Code function: 9_2_0FBC6A40 lstrlenW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcatW,lstrlenW,lstrcmpW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,lstrlenA,VirtualFree,CloseHandle,lstrcmpW,FindNextFileW,FindClose, 9_2_0FBC6A40
Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe Code function: 25_2_0FBC6C90 lstrlenW,lstrcatW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcatW,lstrcatW,lstrcatW,FindNextFileW,FindClose, 25_2_0FBC6C90
Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe Code function: 25_2_0FBC6A40 lstrlenW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcatW,lstrlenW,lstrcmpW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,lstrlenA,VirtualFree,CloseHandle,lstrcmpW,FindNextFileW,FindClose, 25_2_0FBC6A40
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe System information queried: ModuleInformation Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Code function: 0_2_0F1D8150 CryptAcquireContextW,VirtualAlloc,GetModuleHandleA,LoadLibraryA,GetProcAddress,CryptReleaseContext,VirtualFree,CryptReleaseContext,VirtualFree, 0_2_0F1D8150
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Code function: 0_2_0F1D5210 lstrlenA,VirtualAlloc,CryptStringToBinaryA,_memset,lstrlenA,lstrlenA,lstrlenA,VirtualAlloc,lstrcpyA,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,VirtualFree,GetLastError, 0_2_0F1D5210
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Code function: 0_2_0F1D5EC0 mov eax, dword ptr fs:[00000030h] 0_2_0F1D5EC0
Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe Code function: 9_2_0FBC5EC0 mov eax, dword ptr fs:[00000030h] 9_2_0FBC5EC0
Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe Code function: 25_2_0FBC5EC0 mov eax, dword ptr fs:[00000030h] 25_2_0FBC5EC0
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns2.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns2.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns2.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns2.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns2.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns2.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns2.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns2.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns2.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns2.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns2.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns2.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Code function: 0_2_0F1D3AA0 AllocateAndInitializeSid,GetModuleHandleA,GetProcAddress,FreeSid, 0_2_0F1D3AA0
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Code function: 0_2_0F1D90A0 cpuid 0_2_0F1D90A0
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe Code function: 0_2_0F1D7330 VirtualAlloc,VirtualAlloc,GetUserNameW,VirtualAlloc,GetComputerNameW,wsprintfW,VirtualAlloc,wsprintfW,VirtualAlloc,RegOpenKeyExW,RegQueryValueExW,GetLastError,RegCloseKey,VirtualFree,VirtualAlloc,VirtualAlloc,wsprintfW,RegOpenKeyExW,RegQueryValueExW,GetLastError,RegCloseKey,lstrcmpiW,wsprintfW,VirtualFree,VirtualAlloc,VirtualAlloc,wsprintfW,GetNativeSystemInfo,VirtualAlloc,wsprintfW,ExitProcess,wsprintfW,VirtualAlloc,VirtualAlloc,GetWindowsDirectoryW,GetVolumeInformationW,lstrlenW,wsprintfW,lstrcatW,lstrcatW,GetModuleHandleW,GetProcAddress,lstrlenW,VirtualFree,lstrcatW,VirtualAlloc,GetDriveTypeW,lstrcatW,lstrcatW,lstrcatW,GetDiskFreeSpaceW,lstrlenW,wsprintfW,wsprintfW,lstrlenW,lstrlenW,wsprintfW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,lstrlenW,VirtualAlloc,VirtualFree, 0_2_0F1D7330