Edit tour

Windows Analysis Report
O8ZHhytWhn.exe

Overview

General Information

Sample Name:	O8ZHhytWhn.exe
Analysis ID:	694558
MD5:	b39febf7440b58a6cd15ae9f01916f98
SHA1:	66984e561fc5feead5ef9790f79bffd7778ac1e2
SHA256:	9c689986ca8e0b4fd93657ad9ed5c37994ccf591c90d5fba85684f2d0f49e1b9
Tags:	exe
Infos:

Detection

Gandcrab, ReflectiveLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected Gandcrab

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Yara detected ReflectiveLoader

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Snort IDS alert for network traffic

Found evasive API chain (may stop execution after checking mutex)

Contains functionality to determine the online IP of the system

Found Tor onion address

Uses nslookup.exe to query domains

Machine Learning detection for sample

May check the online IP address of the machine

Performs many domain queries via nslookup

Machine Learning detection for dropped file

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Sample execution stops while process was sleeping (likely an evasion)

Too many similar processes found

Contains functionality to dynamically determine API calls

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Queries information about the installed CPU (vendor, model number etc)

Drops PE files

Contains functionality to read the PEB

Found evaded block containing many API calls

Contains functionality to enumerate device drivers

Checks for available system drives (often done to infect USB drives)

Uses Microsoft's Enhanced Cryptographic Provider

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

O8ZHhytWhn.exe (PID: 5900 cmdline: "C:\Users\user\Desktop\O8ZHhytWhn.exe" MD5: B39FEBF7440B58A6CD15AE9F01916F98)

nslookup.exe (PID: 3600 cmdline: nslookup nomoreransom.coin dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)

conhost.exe (PID: 3116 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

nslookup.exe (PID: 5496 cmdline: nslookup nomoreransom.bit dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)

conhost.exe (PID: 5928 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

nslookup.exe (PID: 3220 cmdline: nslookup gandcrab.bit dns2.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)

conhost.exe (PID: 5184 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

nslookup.exe (PID: 4404 cmdline: nslookup nomoreransom.coin dns2.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)

conhost.exe (PID: 5708 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

nslookup.exe (PID: 5224 cmdline: nslookup nomoreransom.bit dns2.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)

conhost.exe (PID: 5756 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

nslookup.exe (PID: 4508 cmdline: nslookup gandcrab.bit dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)

conhost.exe (PID: 1352 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

nslookup.exe (PID: 5732 cmdline: nslookup nomoreransom.coin dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)

conhost.exe (PID: 2980 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

nslookup.exe (PID: 4540 cmdline: nslookup nomoreransom.bit dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)

conhost.exe (PID: 5756 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

nslookup.exe (PID: 6132 cmdline: nslookup gandcrab.bit dns2.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)

conhost.exe (PID: 5376 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

nslookup.exe (PID: 5896 cmdline: nslookup nomoreransom.coin dns2.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)

conhost.exe (PID: 1840 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

nslookup.exe (PID: 1548 cmdline: nslookup nomoreransom.bit dns2.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)

conhost.exe (PID: 1836 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

nslookup.exe (PID: 5864 cmdline: nslookup gandcrab.bit dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)

conhost.exe (PID: 5588 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

nslookup.exe (PID: 3840 cmdline: nslookup nomoreransom.coin dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)

conhost.exe (PID: 588 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

nslookup.exe (PID: 4412 cmdline: nslookup nomoreransom.bit dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)

conhost.exe (PID: 160 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

nslookup.exe (PID: 4928 cmdline: nslookup gandcrab.bit dns2.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)

conhost.exe (PID: 4908 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

nslookup.exe (PID: 5972 cmdline: nslookup nomoreransom.coin dns2.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)

conhost.exe (PID: 6012 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

nslookup.exe (PID: 5164 cmdline: nslookup nomoreransom.bit dns2.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)

conhost.exe (PID: 4824 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

nslookup.exe (PID: 5644 cmdline: nslookup gandcrab.bit dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)

conhost.exe (PID: 2300 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

nslookup.exe (PID: 5860 cmdline: nslookup nomoreransom.coin dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)

conhost.exe (PID: 5944 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

nslookup.exe (PID: 6052 cmdline: nslookup nomoreransom.bit dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)

conhost.exe (PID: 4372 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

nslookup.exe (PID: 540 cmdline: nslookup gandcrab.bit dns2.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)

conhost.exe (PID: 2800 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

nslookup.exe (PID: 6072 cmdline: nslookup nomoreransom.coin dns2.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)

conhost.exe (PID: 3144 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

nslookup.exe (PID: 4324 cmdline: nslookup nomoreransom.bit dns2.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)

conhost.exe (PID: 4824 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

nslookup.exe (PID: 1252 cmdline: nslookup gandcrab.bit dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)

wjaoab.exe (PID: 5444 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe" MD5: A1E6F4D9E1AF5740E07B86A42C6C430B)

wjaoab.exe (PID: 2888 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe" MD5: A1E6F4D9E1AF5740E07B86A42C6C430B)

cleanup

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
O8ZHhytWhn.exe	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xed22:$x1: ReflectiveLoader
O8ZHhytWhn.exe	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe67e:$: DECRYPT.txt 0xe6e4:$: DECRYPT.txt
O8ZHhytWhn.exe	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
O8ZHhytWhn.exe	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
O8ZHhytWhn.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xed21:$s1: _ReflectiveLoader@ 0xed22:$s2: ReflectiveLoader@
O8ZHhytWhn.exe	Gandcrab	Gandcrab Payload	kevoreilly	0xe674:$string1: GDCB-DECRYPT.txt 0xe6da:$string1: GDCB-DECRYPT.txt 0xecb0:$string2: GandCrabGandCrabnomoreransom.coinomoreransom.bit 0xe3b0:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
Click to see the 1 entries

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xed22:$x1: ReflectiveLoader
C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe67e:$: DECRYPT.txt 0xe6e4:$: DECRYPT.txt
C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xed21:$s1: _ReflectiveLoader@ 0xed22:$s2: ReflectiveLoader@
C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe	Gandcrab	Gandcrab Payload	kevoreilly	0xe674:$string1: GDCB-DECRYPT.txt 0xe6da:$string1: GDCB-DECRYPT.txt 0xecb0:$string2: GandCrabGandCrabnomoreransom.coinomoreransom.bit 0xe3b0:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
Click to see the 1 entries

Memory Dumps

Source	Rule	Description	Author
00000019.00000002.311529128.000000000FBCA000.00000002.00000001.01000000.00000006.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000000.00000000.248593701.000000000F1E2000.00000008.00000001.01000000.00000003.sdmp	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
00000000.00000002.517623653.000000000F1DA000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000019.00000000.308682011.000000000FBD2000.00000008.00000001.01000000.00000006.sdmp	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
00000009.00000000.289875664.000000000FBD2000.00000008.00000001.01000000.00000006.sdmp	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
00000009.00000000.289867124.000000000FBCA000.00000002.00000001.01000000.00000006.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000009.00000002.293155621.000000000FBD2000.00000008.00000001.01000000.00000006.sdmp	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
00000000.00000002.517637468.000000000F1E2000.00000004.00000001.01000000.00000003.sdmp	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
00000009.00000002.293144665.000000000FBCA000.00000002.00000001.01000000.00000006.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000019.00000000.308674547.000000000FBCA000.00000002.00000001.01000000.00000006.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000019.00000002.311539070.000000000FBD2000.00000008.00000001.01000000.00000006.sdmp	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
00000000.00000000.248569401.000000000F1DA000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
Process Memory Space: O8ZHhytWhn.exe PID: 5900	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
Process Memory Space: O8ZHhytWhn.exe PID: 5900	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
Process Memory Space: wjaoab.exe PID: 5444	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
Process Memory Space: wjaoab.exe PID: 5444	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
Process Memory Space: wjaoab.exe PID: 2888	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
Process Memory Space: wjaoab.exe PID: 2888	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
Click to see the 13 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
9.0.wjaoab.exe.fbc0000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xed22:$x1: ReflectiveLoader
9.0.wjaoab.exe.fbc0000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe67e:$: DECRYPT.txt 0xe6e4:$: DECRYPT.txt
9.0.wjaoab.exe.fbc0000.0.unpack	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
9.0.wjaoab.exe.fbc0000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
9.0.wjaoab.exe.fbc0000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xed21:$s1: _ReflectiveLoader@ 0xed22:$s2: ReflectiveLoader@
9.0.wjaoab.exe.fbc0000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe674:$string1: GDCB-DECRYPT.txt 0xe6da:$string1: GDCB-DECRYPT.txt 0xecb0:$string2: GandCrabGandCrabnomoreransom.coinomoreransom.bit 0xe3b0:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
25.2.wjaoab.exe.fbc0000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xed22:$x1: ReflectiveLoader
25.2.wjaoab.exe.fbc0000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe67e:$: DECRYPT.txt 0xe6e4:$: DECRYPT.txt
25.2.wjaoab.exe.fbc0000.0.unpack	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
25.2.wjaoab.exe.fbc0000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
25.2.wjaoab.exe.fbc0000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xed21:$s1: _ReflectiveLoader@ 0xed22:$s2: ReflectiveLoader@
25.2.wjaoab.exe.fbc0000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe674:$string1: GDCB-DECRYPT.txt 0xe6da:$string1: GDCB-DECRYPT.txt 0xecb0:$string2: GandCrabGandCrabnomoreransom.coinomoreransom.bit 0xe3b0:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
25.0.wjaoab.exe.fbc0000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xed22:$x1: ReflectiveLoader
25.0.wjaoab.exe.fbc0000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe67e:$: DECRYPT.txt 0xe6e4:$: DECRYPT.txt
25.0.wjaoab.exe.fbc0000.0.unpack	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
25.0.wjaoab.exe.fbc0000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
25.0.wjaoab.exe.fbc0000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xed21:$s1: _ReflectiveLoader@ 0xed22:$s2: ReflectiveLoader@
25.0.wjaoab.exe.fbc0000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe674:$string1: GDCB-DECRYPT.txt 0xe6da:$string1: GDCB-DECRYPT.txt 0xecb0:$string2: GandCrabGandCrabnomoreransom.coinomoreransom.bit 0xe3b0:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
0.0.O8ZHhytWhn.exe.f1d0000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xed22:$x1: ReflectiveLoader
0.0.O8ZHhytWhn.exe.f1d0000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe67e:$: DECRYPT.txt 0xe6e4:$: DECRYPT.txt
0.2.O8ZHhytWhn.exe.f1d0000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xed22:$x1: ReflectiveLoader
0.2.O8ZHhytWhn.exe.f1d0000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe67e:$: DECRYPT.txt 0xe6e4:$: DECRYPT.txt
0.2.O8ZHhytWhn.exe.f1d0000.0.unpack	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
0.2.O8ZHhytWhn.exe.f1d0000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
0.2.O8ZHhytWhn.exe.f1d0000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xed21:$s1: _ReflectiveLoader@ 0xed22:$s2: ReflectiveLoader@
0.2.O8ZHhytWhn.exe.f1d0000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe674:$string1: GDCB-DECRYPT.txt 0xe6da:$string1: GDCB-DECRYPT.txt 0xecb0:$string2: GandCrabGandCrabnomoreransom.coinomoreransom.bit 0xe3b0:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
0.0.O8ZHhytWhn.exe.f1d0000.0.unpack	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
0.0.O8ZHhytWhn.exe.f1d0000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
0.0.O8ZHhytWhn.exe.f1d0000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xed21:$s1: _ReflectiveLoader@ 0xed22:$s2: ReflectiveLoader@
0.0.O8ZHhytWhn.exe.f1d0000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe674:$string1: GDCB-DECRYPT.txt 0xe6da:$string1: GDCB-DECRYPT.txt 0xecb0:$string2: GandCrabGandCrabnomoreransom.coinomoreransom.bit 0xe3b0:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
9.2.wjaoab.exe.fbc0000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xed22:$x1: ReflectiveLoader
9.2.wjaoab.exe.fbc0000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe67e:$: DECRYPT.txt 0xe6e4:$: DECRYPT.txt
9.2.wjaoab.exe.fbc0000.0.unpack	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
9.2.wjaoab.exe.fbc0000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
9.2.wjaoab.exe.fbc0000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xed21:$s1: _ReflectiveLoader@ 0xed22:$s2: ReflectiveLoader@
9.2.wjaoab.exe.fbc0000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe674:$string1: GDCB-DECRYPT.txt 0xe6da:$string1: GDCB-DECRYPT.txt 0xecb0:$string2: GandCrabGandCrabnomoreransom.coinomoreransom.bit 0xe3b0:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
Click to see the 31 entries

Snort Signatures

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.859550532026737 08/31/22-23:50:37.016810
SID:	2026737
Source Port:	59550
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.852106532026737 08/31/22-23:49:25.641298
SID:	2026737
Source Port:	52106
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.851142532829498 08/31/22-23:49:32.319799
SID:	2829498
Source Port:	51142
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.861174532829498 08/31/22-23:50:40.415440
SID:	2829498
Source Port:	61174
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.854194532829498 08/31/22-23:50:17.451854
SID:	2829498
Source Port:	54194
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.862910532026737 08/31/22-23:50:41.844460
SID:	2026737
Source Port:	62910
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.859114532829498 08/31/22-23:50:50.899719
SID:	2829498
Source Port:	59114
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.863192532829498 08/31/22-23:50:10.372925
SID:	2829498
Source Port:	63192
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.858786532026737 08/31/22-23:49:35.365431
SID:	2026737
Source Port:	58786
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.850026532026737 08/31/22-23:49:12.853058
SID:	2026737
Source Port:	50026
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.856776532829498 08/31/22-23:50:31.949356
SID:	2829498
Source Port:	56776
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.851012532026737 08/31/22-23:49:06.034483
SID:	2026737
Source Port:	51012
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.862438532026737 08/31/22-23:49:47.214941
SID:	2026737
Source Port:	62438
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.860840532829498 08/31/22-23:50:23.078640
SID:	2829498
Source Port:	60840
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.864080532829498 08/31/22-23:49:52.783908
SID:	2829498
Source Port:	64080
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.861175532829498 08/31/22-23:50:40.433841
SID:	2829498
Source Port:	61175
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.858288532829498 08/31/22-23:49:10.646822
SID:	2829498
Source Port:	58288
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.852107532026737 08/31/22-23:49:25.661867
SID:	2026737
Source Port:	52107
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.856775532829498 08/31/22-23:50:31.927813
SID:	2829498
Source Port:	56775
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.862020532026737 08/31/22-23:50:18.955251
SID:	2026737
Source Port:	62020
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.858751532829498 08/31/22-23:49:44.095609
SID:	2829498
Source Port:	58751
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.859548532026737 08/31/22-23:50:36.965761
SID:	2026737
Source Port:	59548
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.863191532829498 08/31/22-23:50:10.354216
SID:	2829498
Source Port:	63191
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.858750532829498 08/31/22-23:49:44.071935
SID:	2829498
Source Port:	58750
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.853340532829498 08/31/22-23:49:03.740944
SID:	2829498
Source Port:	53340
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.851141532829498 08/31/22-23:49:32.298424
SID:	2829498
Source Port:	51141
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.863296532026737 08/31/22-23:50:48.003146
SID:	2026737
Source Port:	63296
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.850233532026737 08/31/22-23:49:59.196489
SID:	2026737
Source Port:	50233
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.862684532829498 08/31/22-23:49:22.306534
SID:	2829498
Source Port:	62684
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.861183532026737 08/31/22-23:48:55.804714
SID:	2026737
Source Port:	61183
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.854195532829498 08/31/22-23:50:17.469831
SID:	2829498
Source Port:	54195
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.860841532829498 08/31/22-23:50:23.096845
SID:	2829498
Source Port:	60841
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.862021532026737 08/31/22-23:50:18.975380
SID:	2026737
Source Port:	62021
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.855836532026737 08/31/22-23:50:24.524842
SID:	2026737
Source Port:	55836
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.851143532829498 08/31/22-23:49:32.344159
SID:	2829498
Source Port:	51143
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.864083532829498 08/31/22-23:49:52.867185
SID:	2829498
Source Port:	64083
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.858788532026737 08/31/22-23:49:35.533597
SID:	2026737
Source Port:	58788
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.850509532829498 08/31/22-23:48:51.586247
SID:	2829498
Source Port:	50509
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.862436532026737 08/31/22-23:49:47.175608
SID:	2026737
Source Port:	62436
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.851440532829498 08/31/22-23:50:03.437869
SID:	2829498
Source Port:	51440
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.853640532026737 08/31/22-23:50:13.786207
SID:	2026737
Source Port:	53640
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.862911532026737 08/31/22-23:50:41.864871
SID:	2026737
Source Port:	62911
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.853339532829498 08/31/22-23:49:03.720004
SID:	2829498
Source Port:	53339
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.862023532026737 08/31/22-23:50:19.013875
SID:	2026737
Source Port:	62023
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.855834532026737 08/31/22-23:50:24.482691
SID:	2026737
Source Port:	55834
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.858749532829498 08/31/22-23:49:44.051138
SID:	2829498
Source Port:	58749
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.858286532829498 08/31/22-23:49:10.608212
SID:	2829498
Source Port:	58286
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.851011532026737 08/31/22-23:49:06.014113
SID:	2026737
Source Port:	51011
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.851439532829498 08/31/22-23:50:03.414505
SID:	2829498
Source Port:	51439
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.859849532829498 08/31/22-23:50:46.658424
SID:	2829498
Source Port:	59849
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.850027532026737 08/31/22-23:49:12.888248
SID:	2026737
Source Port:	50027
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.859850532829498 08/31/22-23:50:46.682797
SID:	2829498
Source Port:	59850
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.863294532026737 08/31/22-23:50:47.961479
SID:	2026737
Source Port:	63294
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.859115532829498 08/31/22-23:50:50.920149
SID:	2829498
Source Port:	59115
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.862682532829498 08/31/22-23:49:22.268041
SID:	2829498
Source Port:	62682
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.859551532026737 08/31/22-23:50:37.037427
SID:	2026737
Source Port:	59551
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.850235532026737 08/31/22-23:49:59.234950
SID:	2026737
Source Port:	50235
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.861181532026737 08/31/22-23:48:55.077736
SID:	2026737
Source Port:	61181
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.862022532026737 08/31/22-23:50:18.995399
SID:	2026737
Source Port:	62022
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.853642532026737 08/31/22-23:50:13.835822
SID:	2026737
Source Port:	53642
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.850507532829498 08/31/22-23:48:51.544537
SID:	2829498
Source Port:	50507
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.856773532829498 08/31/22-23:50:31.838450
SID:	2829498
Source Port:	56773
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.854197532829498 08/31/22-23:50:17.513889
SID:	2829498
Source Port:	54197
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.860839532829498 08/31/22-23:50:23.058563
SID:	2829498
Source Port:	60839
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.855835532026737 08/31/22-23:50:24.503509
SID:	2026737
Source Port:	55835
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.853338532829498 08/31/22-23:49:03.694333
SID:	2829498
Source Port:	53338
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.861177532829498 08/31/22-23:50:40.475632
SID:	2829498
Source Port:	61177
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.850510532829498 08/31/22-23:48:51.605938
SID:	2829498
Source Port:	50510
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.853639532026737 08/31/22-23:50:13.763933
SID:	2026737
Source Port:	53639
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.858789532026737 08/31/22-23:49:35.553154
SID:	2026737
Source Port:	58789
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.859057532026737 08/31/22-23:50:05.762357
SID:	2026737
Source Port:	59057
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.862913532026737 08/31/22-23:50:41.903498
SID:	2026737
Source Port:	62913
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.862435532026737 08/31/22-23:49:47.157448
SID:	2026737
Source Port:	62435
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.853341532829498 08/31/22-23:49:03.761474
SID:	2829498
Source Port:	53341
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.862683532829498 08/31/22-23:49:22.288385
SID:	2829498
Source Port:	62683
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.852109532026737 08/31/22-23:49:25.724789
SID:	2026737
Source Port:	52109
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.850029532026737 08/31/22-23:49:12.927716
SID:	2026737
Source Port:	50029
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.864082532829498 08/31/22-23:49:52.826347
SID:	2829498
Source Port:	64082
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.859056532026737 08/31/22-23:50:05.744186
SID:	2026737
Source Port:	59056
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.850508532829498 08/31/22-23:48:51.564977
SID:	2829498
Source Port:	50508
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.856774532829498 08/31/22-23:50:31.909568
SID:	2829498
Source Port:	56774
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.859117532829498 08/31/22-23:50:50.958695
SID:	2829498
Source Port:	59117
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.864081532829498 08/31/22-23:49:52.807469
SID:	2829498
Source Port:	64081
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.852108532026737 08/31/22-23:49:25.704474
SID:	2026737
Source Port:	52108
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.862437532026737 08/31/22-23:49:47.194217
SID:	2026737
Source Port:	62437
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.859116532829498 08/31/22-23:50:50.938342
SID:	2829498
Source Port:	59116
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.859058532026737 08/31/22-23:50:05.782380
SID:	2026737
Source Port:	59058
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.859851532829498 08/31/22-23:50:46.705234
SID:	2829498
Source Port:	59851
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.851010532026737 08/31/22-23:49:05.994077
SID:	2026737
Source Port:	51010
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.862681532829498 08/31/22-23:49:22.247182
SID:	2829498
Source Port:	62681
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.851438532829498 08/31/22-23:50:03.395466
SID:	2829498
Source Port:	51438
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.862912532026737 08/31/22-23:50:41.885084
SID:	2026737
Source Port:	62912
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.850028532026737 08/31/22-23:49:12.908519
SID:	2026737
Source Port:	50028
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.859055532026737 08/31/22-23:50:05.722794
SID:	2026737
Source Port:	59055
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.853641532026737 08/31/22-23:50:13.814014
SID:	2026737
Source Port:	53641
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.855833532026737 08/31/22-23:50:24.464562
SID:	2026737
Source Port:	55833
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.863293532026737 08/31/22-23:50:47.940116
SID:	2026737
Source Port:	63293
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.850236532026737 08/31/22-23:49:59.285144
SID:	2026737
Source Port:	50236
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.858287532829498 08/31/22-23:49:10.628422
SID:	2829498
Source Port:	58287
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.851144532829498 08/31/22-23:49:32.366090
SID:	2829498
Source Port:	51144
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.861176532829498 08/31/22-23:50:40.454136
SID:	2829498
Source Port:	61176
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.859848532829498 08/31/22-23:50:46.635471
SID:	2829498
Source Port:	59848
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.861180532026737 08/31/22-23:48:54.987434
SID:	2026737
Source Port:	61180
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.851441532829498 08/31/22-23:50:03.458729
SID:	2829498
Source Port:	51441
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.851009532026737 08/31/22-23:49:05.970413
SID:	2026737
Source Port:	51009
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.859549532026737 08/31/22-23:50:36.986127
SID:	2026737
Source Port:	59549
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.863295532026737 08/31/22-23:50:47.982626
SID:	2026737
Source Port:	63295
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.850234532026737 08/31/22-23:49:59.216727
SID:	2026737
Source Port:	50234
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.861182532026737 08/31/22-23:48:55.097916
SID:	2026737
Source Port:	61182
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.858285532829498 08/31/22-23:49:10.587711
SID:	2829498
Source Port:	58285
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.863189532829498 08/31/22-23:50:10.316381
SID:	2829498
Source Port:	63189
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.858748532829498 08/31/22-23:49:44.032896
SID:	2829498
Source Port:	58748
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.854196532829498 08/31/22-23:50:17.488065
SID:	2829498
Source Port:	54196
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.863190532829498 08/31/22-23:50:10.336236
SID:	2829498
Source Port:	63190
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.860842532829498 08/31/22-23:50:23.114941
SID:	2829498
Source Port:	60842
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.858787532026737 08/31/22-23:49:35.450533
SID:	2026737
Source Port:	58787
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: O8ZHhytWhn.exe	Virustotal: Detection: 87%	Perma Link
Source: O8ZHhytWhn.exe	Metadefender: Detection: 78%	Perma Link
Source: O8ZHhytWhn.exe	ReversingLabs: Detection: 92%

Antivirus / Scanner detection for submitted sample

Source: O8ZHhytWhn.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe

Avira: detection malicious, Label: TR/Dropper.Gen

Machine Learning detection for sample

Source: O8ZHhytWhn.exe

Joe Sandbox ML: detected

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe

Joe Sandbox ML: detected

Source: 0.0.O8ZHhytWhn.exe.f1d0000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 9.0.wjaoab.exe.fbc0000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 25.2.wjaoab.exe.fbc0000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 9.2.wjaoab.exe.fbc0000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 0.2.O8ZHhytWhn.exe.f1d0000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 25.0.wjaoab.exe.fbc0000.0.unpack	Avira: Label: TR/Dropper.Gen

Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Code function: 0_2_0F1D4950 Sleep,ExitProcess,CreateThread,WaitForSingleObject,TerminateThread,CloseHandle,VirtualAlloc,GetModuleFileNameW,VirtualFree,ExitProcess,Sleep,lstrlenA,VirtualAlloc,CryptStringToBinaryA,ExitProcess,InitializeCriticalSection,DeleteCriticalSection,VirtualAlloc,GetModuleFileNameW,VirtualFree,ShellExecuteW,ExitThread,
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Code function: 0_2_0F1D8150 CryptAcquireContextW,VirtualAlloc,GetModuleHandleA,LoadLibraryA,GetProcAddress,CryptReleaseContext,VirtualFree,CryptReleaseContext,VirtualFree,
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Code function: 0_2_0F1D5880 VirtualAlloc,CryptBinaryToStringA,CryptBinaryToStringA,CryptBinaryToStringA,lstrlenA,lstrlenA,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrcatW,lstrcatW,lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenA,lstrlenW,MultiByteToWideChar,lstrcatW,lstrlenW,lstrlenA,lstrlenW,MultiByteToWideChar,lstrcatW,lstrlenW,lstrlenW,VirtualAlloc,lstrlenW,lstrlenW,_memset,lstrlenA,lstrlenA,CryptBinaryToStringA,GetLastError,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,MultiByteToWideChar,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Code function: 0_2_0F1D62B0 CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptGenKey,CryptExportKey,CryptExportKey,CryptDestroyKey,CryptReleaseContext,CryptAcquireContextW,
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Code function: 0_2_0F1D82A0 CryptAcquireContextW,VirtualAlloc,GetModuleHandleA,LoadLibraryA,GetProcAddress,CryptReleaseContext,VirtualFree,CryptReleaseContext,VirtualFree,
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Code function: 0_2_0F1D5210 lstrlenA,VirtualAlloc,CryptStringToBinaryA,_memset,lstrlenA,lstrlenA,lstrlenA,VirtualAlloc,lstrcpyA,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,VirtualFree,GetLastError,
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Code function: 0_2_0F1D6530 EnterCriticalSection,CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptImportKey,CryptGetKeyParam,CryptEncrypt,GetLastError,CryptReleaseContext,LeaveCriticalSection,
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Code function: 0_2_0F1D5670 VirtualAlloc,wsprintfW,lstrlenW,lstrlenW,lstrlenW,_memset,lstrlenA,lstrlenW,lstrlenW,CryptBinaryToStringA,GetLastError,lstrlenA,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,VirtualFree,VirtualFree,VirtualFree,
Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe	Code function: 9_2_0FBC4950 Sleep,ExitProcess,CreateThread,WaitForSingleObject,TerminateThread,CloseHandle,VirtualAlloc,GetModuleFileNameW,VirtualFree,ExitProcess,Sleep,lstrlenA,VirtualAlloc,CryptStringToBinaryA,ExitProcess,InitializeCriticalSection,DeleteCriticalSection,VirtualAlloc,GetModuleFileNameW,VirtualFree,ShellExecuteW,ExitThread,
Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe	Code function: 9_2_0FBC62B0 CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptGenKey,CryptExportKey,CryptExportKey,CryptDestroyKey,CryptReleaseContext,CryptAcquireContextW,
Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe	Code function: 9_2_0FBC82A0 CryptAcquireContextW,VirtualAlloc,GetModuleHandleA,LoadLibraryA,GetProcAddress,CryptReleaseContext,VirtualFree,CryptReleaseContext,VirtualFree,
Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe	Code function: 9_2_0FBC5880 VirtualAlloc,CryptBinaryToStringA,CryptBinaryToStringA,CryptBinaryToStringA,lstrlenA,lstrlenA,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrcatW,lstrcatW,lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenA,lstrlenW,MultiByteToWideChar,lstrcatW,lstrlenW,lstrlenA,lstrlenW,MultiByteToWideChar,lstrcatW,lstrlenW,lstrlenW,VirtualAlloc,lstrlenW,lstrlenW,_memset,lstrlenA,lstrlenA,CryptBinaryToStringA,GetLastError,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,MultiByteToWideChar,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,
Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe	Code function: 9_2_0FBC6530 EnterCriticalSection,CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptImportKey,CryptGetKeyParam,CryptEncrypt,GetLastError,CryptReleaseContext,LeaveCriticalSection,
Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe	Code function: 9_2_0FBC5210 lstrlenA,VirtualAlloc,CryptStringToBinaryA,_memset,lstrlenA,lstrlenA,lstrlenA,VirtualAlloc,lstrcpyA,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,VirtualFree,GetLastError,
Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe	Code function: 9_2_0FBC5670 VirtualAlloc,wsprintfW,lstrlenW,lstrlenW,lstrlenW,_memset,lstrlenA,lstrlenW,lstrlenW,CryptBinaryToStringA,GetLastError,lstrlenA,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,VirtualFree,VirtualFree,VirtualFree,
Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe	Code function: 9_2_0FBC8150 CryptAcquireContextW,VirtualAlloc,GetModuleHandleA,LoadLibraryA,GetProcAddress,CryptReleaseContext,VirtualFree,CryptReleaseContext,VirtualFree,
Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe	Code function: 25_2_0FBC4950 Sleep,ExitProcess,CreateThread,WaitForSingleObject,TerminateThread,CloseHandle,VirtualAlloc,GetModuleFileNameW,VirtualFree,ExitProcess,Sleep,lstrlenA,VirtualAlloc,CryptStringToBinaryA,ExitProcess,InitializeCriticalSection,DeleteCriticalSection,VirtualAlloc,GetModuleFileNameW,VirtualFree,ShellExecuteW,ExitThread,
Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe	Code function: 25_2_0FBC62B0 CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptGenKey,CryptExportKey,CryptExportKey,CryptDestroyKey,CryptReleaseContext,CryptAcquireContextW,
Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe	Code function: 25_2_0FBC82A0 CryptAcquireContextW,VirtualAlloc,GetModuleHandleA,LoadLibraryA,GetProcAddress,CryptReleaseContext,VirtualFree,CryptReleaseContext,VirtualFree,
Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe	Code function: 25_2_0FBC5880 VirtualAlloc,CryptBinaryToStringA,CryptBinaryToStringA,CryptBinaryToStringA,lstrlenA,lstrlenA,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrcatW,lstrcatW,lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenA,lstrlenW,MultiByteToWideChar,lstrcatW,lstrlenW,lstrlenA,lstrlenW,MultiByteToWideChar,lstrcatW,lstrlenW,lstrlenW,VirtualAlloc,lstrlenW,lstrlenW,_memset,lstrlenA,lstrlenA,CryptBinaryToStringA,GetLastError,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,MultiByteToWideChar,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,
Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe	Code function: 25_2_0FBC6530 EnterCriticalSection,CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptImportKey,CryptGetKeyParam,CryptEncrypt,GetLastError,CryptReleaseContext,LeaveCriticalSection,
Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe	Code function: 25_2_0FBC5210 lstrlenA,VirtualAlloc,CryptStringToBinaryA,_memset,lstrlenA,lstrlenA,lstrlenA,VirtualAlloc,lstrcpyA,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,VirtualFree,GetLastError,
Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe	Code function: 25_2_0FBC5670 VirtualAlloc,wsprintfW,lstrlenW,lstrlenW,lstrlenW,_memset,lstrlenA,lstrlenW,lstrlenW,CryptBinaryToStringA,GetLastError,lstrlenA,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,VirtualFree,VirtualFree,VirtualFree,
Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe	Code function: 25_2_0FBC8150 CryptAcquireContextW,VirtualAlloc,GetModuleHandleA,LoadLibraryA,GetProcAddress,CryptReleaseContext,VirtualFree,CryptReleaseContext,VirtualFree,

Source: O8ZHhytWhn.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: O8ZHhytWhn.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH

Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	File opened: z:
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	File opened: x:
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	File opened: v:
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	File opened: t:
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	File opened: r:
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	File opened: p:
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	File opened: n:
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	File opened: l:
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	File opened: j:
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	File opened: h:
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	File opened: f:
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	File opened: b:
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	File opened: y:
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	File opened: w:
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	File opened: u:
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	File opened: s:
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	File opened: q:
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	File opened: o:
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	File opened: m:
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	File opened: k:
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	File opened: i:
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	File opened: g:
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	File opened: e:
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	File opened: a:

Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Code function: 0_2_0F1D6A40 lstrlenW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcatW,lstrlenW,lstrcmpW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,lstrlenA,VirtualFree,CloseHandle,lstrcmpW,FindNextFileW,FindClose,
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Code function: 0_2_0F1D6C90 lstrlenW,lstrcatW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcatW,lstrcatW,lstrcatW,FindNextFileW,FindClose,
Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe	Code function: 9_2_0FBC6C90 lstrlenW,lstrcatW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcatW,lstrcatW,lstrcatW,FindNextFileW,FindClose,
Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe	Code function: 9_2_0FBC6A40 lstrlenW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcatW,lstrlenW,lstrcmpW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,lstrlenA,VirtualFree,CloseHandle,lstrcmpW,FindNextFileW,FindClose,
Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe	Code function: 25_2_0FBC6C90 lstrlenW,lstrcatW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcatW,lstrcatW,lstrcatW,FindNextFileW,FindClose,
Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe	Code function: 25_2_0FBC6A40 lstrlenW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcatW,lstrlenW,lstrcmpW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,lstrlenA,VirtualFree,CloseHandle,lstrcmpW,FindNextFileW,FindClose,

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.7:50507 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.7:50508 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.7:50509 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.7:50510 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.7:61180 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.7:61181 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.7:61182 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.7:61183 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.7:53338 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.7:53339 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.7:53340 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.7:53341 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.7:51009 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.7:51010 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.7:51011 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.7:51012 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.7:58285 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.7:58286 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.7:58287 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.7:58288 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.7:50026 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.7:50027 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.7:50028 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.7:50029 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.7:62681 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.7:62682 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.7:62683 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.7:62684 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.7:52106 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.7:52107 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.7:52108 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.7:52109 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.7:51141 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.7:51142 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.7:51143 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.7:51144 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.7:58786 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.7:58787 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.7:58788 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.7:58789 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.7:58748 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.7:58749 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.7:58750 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.7:58751 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.7:62435 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.7:62436 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.7:62437 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.7:62438 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.7:64080 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.7:64081 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.7:64082 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.7:64083 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.7:50233 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.7:50234 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.7:50235 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.7:50236 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.7:51438 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.7:51439 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.7:51440 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.7:51441 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.7:59055 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.7:59056 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.7:59057 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.7:59058 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.7:63189 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.7:63190 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.7:63191 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.7:63192 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.7:53639 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.7:53640 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.7:53641 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.7:53642 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.7:54194 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.7:54195 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.7:54196 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.7:54197 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.7:62020 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.7:62021 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.7:62022 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.7:62023 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.7:60839 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.7:60840 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.7:60841 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.7:60842 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.7:55833 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.7:55834 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.7:55835 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.7:55836 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.7:56773 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.7:56774 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.7:56775 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.7:56776 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.7:59548 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.7:59549 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.7:59550 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.7:59551 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.7:61174 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.7:61175 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.7:61176 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.7:61177 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.7:62910 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.7:62911 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.7:62912 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.7:62913 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.7:59848 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.7:59849 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.7:59850 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.7:59851 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.7:63293 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.7:63294 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.7:63295 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.7:63296 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.7:59114 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.7:59115 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.7:59116 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.7:59117 -> 8.8.8.8:53

Contains functionality to determine the online IP of the system

Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Code function: 0_2_0F1D6E90 VirtualAlloc,VirtualAlloc,lstrlenW,lstrlenA,wsprintfW,VirtualFree,InternetCloseHandle, ipv4bot.whatismyipaddress.com
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Code function: 0_2_0F1D6E90 VirtualAlloc,VirtualAlloc,lstrlenW,lstrlenA,wsprintfW,VirtualFree,InternetCloseHandle, ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe	Code function: 9_2_0FBC6E90 VirtualAlloc,VirtualAlloc,lstrlenW,lstrlenA,wsprintfW,VirtualFree,InternetCloseHandle, ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe	Code function: 9_2_0FBC6E90 VirtualAlloc,VirtualAlloc,lstrlenW,lstrlenA,wsprintfW,VirtualFree,InternetCloseHandle, ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe	Code function: 25_2_0FBC6E90 VirtualAlloc,VirtualAlloc,lstrlenW,lstrlenA,wsprintfW,VirtualFree,InternetCloseHandle, ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe	Code function: 25_2_0FBC6E90 VirtualAlloc,VirtualAlloc,lstrlenW,lstrlenA,wsprintfW,VirtualFree,InternetCloseHandle, ipv4bot.whatismyipaddress.com

Found Tor onion address

Source: O8ZHhytWhn.exe, 00000000.00000000.248593701.000000000F1E2000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: 4. Open link in tor browser: http://gdcbghvjyqy7jclk.onion/3a23db8448d3b2b
Source: O8ZHhytWhn.exe, 00000000.00000002.517637468.000000000F1E2000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: 4. Open link in tor browser: http://gdcbghvjyqy7jclk.onion/3a23db8448d3b2b
Source: wjaoab.exe, 00000009.00000000.289875664.000000000FBD2000.00000008.00000001.01000000.00000006.sdmp	String found in binary or memory: 4. Open link in tor browser: http://gdcbghvjyqy7jclk.onion/3a23db8448d3b2b
Source: wjaoab.exe, 00000019.00000000.308682011.000000000FBD2000.00000008.00000001.01000000.00000006.sdmp	String found in binary or memory: 4. Open link in tor browser: http://gdcbghvjyqy7jclk.onion/3a23db8448d3b2b
Source: O8ZHhytWhn.exe	String found in binary or memory: 4. Open link in tor browser: http://gdcbghvjyqy7jclk.onion/3a23db8448d3b2b
Source: wjaoab.exe.0.dr	String found in binary or memory: 4. Open link in tor browser: http://gdcbghvjyqy7jclk.onion/3a23db8448d3b2b

Uses nslookup.exe to query domains

Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns1.soprodns.ru
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns2.soprodns.ru
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns2.soprodns.ru
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns2.soprodns.ru
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns1.soprodns.ru
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns2.soprodns.ru
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns2.soprodns.ru
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns2.soprodns.ru
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns1.soprodns.ru
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns2.soprodns.ru
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns2.soprodns.ru
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns2.soprodns.ru
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns1.soprodns.ru
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns2.soprodns.ru
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns2.soprodns.ru
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns2.soprodns.ru
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns1.soprodns.ru
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns2.soprodns.ru
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns2.soprodns.ru
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns2.soprodns.ru
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns1.soprodns.ru
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns2.soprodns.ru
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns2.soprodns.ru
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns2.soprodns.ru
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns1.soprodns.ru
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns2.soprodns.ru
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns2.soprodns.ru
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns2.soprodns.ru
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns1.soprodns.ru
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns2.soprodns.ru
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns2.soprodns.ru
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns2.soprodns.ru
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru

May check the online IP address of the machine

Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	DNS query: name: ipv4bot.whatismyipaddress.com

Performs many domain queries via nslookup

Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns2.soprodns.ru
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns1.soprodns.ru
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns2.soprodns.ru
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns2.soprodns.ru
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru

Source: O8ZHhytWhn.exe, wjaoab.exe.0.dr	String found in binary or memory: http://gdcbghvjyqy7jclk.onion/3a23db8448d3b2b
Source: O8ZHhytWhn.exe, wjaoab.exe.0.dr	String found in binary or memory: https://tox.chat/download.html
Source: O8ZHhytWhn.exe, wjaoab.exe.0.dr	String found in binary or memory: https://www.torproject.org/

Source: unknown

DNS traffic detected: queries for: ipv4bot.whatismyipaddress.com

Source: C:\Users\user\Desktop\O8ZHhytWhn.exe

Code function: 0_2_0F1D7EF0 lstrcatW,InternetCloseHandle,InternetConnectW,VirtualAlloc,wsprintfW,HttpOpenRequestW,HttpAddRequestHeadersW,HttpSendRequestW,InternetReadFile,InternetReadFile,GetLastError,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,VirtualFree,

Spam, unwanted Advertisements and Ransom Demands

Yara detected Gandcrab

Source: Yara match	File source: O8ZHhytWhn.exe, type: SAMPLE
Source: Yara match	File source: 9.0.wjaoab.exe.fbc0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.wjaoab.exe.fbc0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.0.wjaoab.exe.fbc0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.O8ZHhytWhn.exe.f1d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.O8ZHhytWhn.exe.f1d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.wjaoab.exe.fbc0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.248593701.000000000F1E2000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000000.308682011.000000000FBD2000.00000008.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000000.289875664.000000000FBD2000.00000008.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.293155621.000000000FBD2000.00000008.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.517637468.000000000F1E2000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.311539070.000000000FBD2000.00000008.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: O8ZHhytWhn.exe PID: 5900, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: wjaoab.exe PID: 5444, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: wjaoab.exe PID: 2888, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe, type: DROPPED

Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Code function: 0_2_0F1D6530 EnterCriticalSection,CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptImportKey,CryptGetKeyParam,CryptEncrypt,GetLastError,CryptReleaseContext,LeaveCriticalSection,
Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe	Code function: 9_2_0FBC6530 EnterCriticalSection,CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptImportKey,CryptGetKeyParam,CryptEncrypt,GetLastError,CryptReleaseContext,LeaveCriticalSection,
Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe	Code function: 25_2_0FBC6530 EnterCriticalSection,CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptImportKey,CryptGetKeyParam,CryptEncrypt,GetLastError,CryptReleaseContext,LeaveCriticalSection,

Source: nslookup.exe

Process created: 48

System Summary

Malicious sample detected (through community Yara rule)

Source: O8ZHhytWhn.exe, type: SAMPLE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: O8ZHhytWhn.exe, type: SAMPLE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 9.0.wjaoab.exe.fbc0000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 9.0.wjaoab.exe.fbc0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 25.2.wjaoab.exe.fbc0000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 25.2.wjaoab.exe.fbc0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 25.0.wjaoab.exe.fbc0000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 25.0.wjaoab.exe.fbc0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0.2.O8ZHhytWhn.exe.f1d0000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0.2.O8ZHhytWhn.exe.f1d0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0.0.O8ZHhytWhn.exe.f1d0000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0.0.O8ZHhytWhn.exe.f1d0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 9.2.wjaoab.exe.fbc0000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 9.2.wjaoab.exe.fbc0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe, type: DROPPED	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe, type: DROPPED	Matched rule: Gandcrab Payload Author: kevoreilly

Source: O8ZHhytWhn.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: O8ZHhytWhn.exe, type: SAMPLE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: O8ZHhytWhn.exe, type: SAMPLE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: O8ZHhytWhn.exe, type: SAMPLE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: O8ZHhytWhn.exe, type: SAMPLE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 9.0.wjaoab.exe.fbc0000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 9.0.wjaoab.exe.fbc0000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 9.0.wjaoab.exe.fbc0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 9.0.wjaoab.exe.fbc0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 25.2.wjaoab.exe.fbc0000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 25.2.wjaoab.exe.fbc0000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 25.2.wjaoab.exe.fbc0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 25.2.wjaoab.exe.fbc0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 25.0.wjaoab.exe.fbc0000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 25.0.wjaoab.exe.fbc0000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 25.0.wjaoab.exe.fbc0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 25.0.wjaoab.exe.fbc0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0.0.O8ZHhytWhn.exe.f1d0000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 0.0.O8ZHhytWhn.exe.f1d0000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 0.2.O8ZHhytWhn.exe.f1d0000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 0.2.O8ZHhytWhn.exe.f1d0000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 0.2.O8ZHhytWhn.exe.f1d0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0.2.O8ZHhytWhn.exe.f1d0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0.0.O8ZHhytWhn.exe.f1d0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0.0.O8ZHhytWhn.exe.f1d0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 9.2.wjaoab.exe.fbc0000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 9.2.wjaoab.exe.fbc0000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 9.2.wjaoab.exe.fbc0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 9.2.wjaoab.exe.fbc0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe, type: DROPPED	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe, type: DROPPED	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe, type: DROPPED	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe, type: DROPPED	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload

Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Code function: 0_2_0F1D1C20
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Code function: 0_2_0F1D1020
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Code function: 0_2_0F1D83C0
Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe	Code function: 9_2_0FBC83C0
Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe	Code function: 9_2_0FBC1C20
Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe	Code function: 9_2_0FBC1020
Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe	Code function: 25_2_0FBC83C0
Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe	Code function: 25_2_0FBC1C20
Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe	Code function: 25_2_0FBC1020

Source: O8ZHhytWhn.exe	Virustotal: Detection: 87%
Source: O8ZHhytWhn.exe	Metadefender: Detection: 78%
Source: O8ZHhytWhn.exe	ReversingLabs: Detection: 92%

Source: O8ZHhytWhn.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\O8ZHhytWhn.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown	Process created: C:\Users\user\Desktop\O8ZHhytWhn.exe "C:\Users\user\Desktop\O8ZHhytWhn.exe"
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns1.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns2.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe "C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe"
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns2.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns2.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns1.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe "C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe"
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns2.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns2.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns2.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns1.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns2.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns2.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns2.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns1.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns2.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns2.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns2.soprodns.ru
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns1.soprodns.ru
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns2.soprodns.ru
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns2.soprodns.ru
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns2.soprodns.ru
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns1.soprodns.ru
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns2.soprodns.ru
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns2.soprodns.ru
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns2.soprodns.ru
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns1.soprodns.ru
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns2.soprodns.ru
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns2.soprodns.ru
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns2.soprodns.ru
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns1.soprodns.ru
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns2.soprodns.ru
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns2.soprodns.ru
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns2.soprodns.ru
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: unknown unknown

Source: C:\Users\user\Desktop\O8ZHhytWhn.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Source: C:\Users\user\Desktop\O8ZHhytWhn.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe

Jump to behavior

Source: classification engine

Classification label: mal100.rans.troj.evad.winEXE@89/2@278/1

Source: C:\Users\user\Desktop\O8ZHhytWhn.exe

Code function: 0_2_0F1D7330 VirtualAlloc,VirtualAlloc,GetUserNameW,VirtualAlloc,GetComputerNameW,wsprintfW,VirtualAlloc,wsprintfW,VirtualAlloc,RegOpenKeyExW,RegQueryValueExW,GetLastError,RegCloseKey,VirtualFree,VirtualAlloc,VirtualAlloc,wsprintfW,RegOpenKeyExW,RegQueryValueExW,GetLastError,RegCloseKey,lstrcmpiW,wsprintfW,VirtualFree,VirtualAlloc,VirtualAlloc,wsprintfW,GetNativeSystemInfo,VirtualAlloc,wsprintfW,ExitProcess,wsprintfW,VirtualAlloc,VirtualAlloc,GetWindowsDirectoryW,GetVolumeInformationW,lstrlenW,wsprintfW,lstrcatW,lstrcatW,GetModuleHandleW,GetProcAddress,lstrlenW,VirtualFree,lstrcatW,VirtualAlloc,GetDriveTypeW,lstrcatW,lstrcatW,lstrcatW,GetDiskFreeSpaceW,lstrlenW,wsprintfW,wsprintfW,lstrlenW,lstrlenW,wsprintfW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,lstrlenW,VirtualAlloc,VirtualFree,

Source: C:\Users\user\Desktop\O8ZHhytWhn.exe

Code function: 0_2_0F1D7A10 wsprintfW,VirtualAlloc,VirtualAlloc,VirtualAlloc,VirtualAlloc,CreateToolhelp32Snapshot,VirtualFree,Process32FirstW,lstrcmpiW,lstrcpyW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,Process32NextW,GetLastError,lstrlenW,VirtualFree,VirtualFree,FindCloseChangeNotification,VirtualFree,

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3116:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1840:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5588:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6012:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5708:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2300:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5944:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5184:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5928:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5376:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:160:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2800:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3144:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:588:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4908:120:WilError_01
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\pc_group=WORKGROUP&ransom_id=4afbeea82d32d45
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5756:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2980:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1352:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4824:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4372:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1836:120:WilError_01

Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: O8ZHhytWhn.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH

Data Obfuscation

Yara detected ReflectiveLoader

Source: Yara match	File source: O8ZHhytWhn.exe, type: SAMPLE
Source: Yara match	File source: 9.0.wjaoab.exe.fbc0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.wjaoab.exe.fbc0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.0.wjaoab.exe.fbc0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.O8ZHhytWhn.exe.f1d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.O8ZHhytWhn.exe.f1d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.wjaoab.exe.fbc0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000019.00000002.311529128.000000000FBCA000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.517623653.000000000F1DA000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000000.289867124.000000000FBCA000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.293144665.000000000FBCA000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000000.308674547.000000000FBCA000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.248569401.000000000F1DA000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: O8ZHhytWhn.exe PID: 5900, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: wjaoab.exe PID: 5444, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: wjaoab.exe PID: 2888, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe, type: DROPPED

Source: C:\Users\user\Desktop\O8ZHhytWhn.exe

Code function: 0_2_0F1D8150 CryptAcquireContextW,VirtualAlloc,GetModuleHandleA,LoadLibraryA,GetProcAddress,CryptReleaseContext,VirtualFree,CryptReleaseContext,VirtualFree,

Source: C:\Users\user\Desktop\O8ZHhytWhn.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe

Jump to dropped file

Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce wzugsdsqebh	Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce wzugsdsqebh	Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce wzugsdsqebh	Jump to behavior
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce wzugsdsqebh	Jump to behavior

Malware Analysis System Evasion

Found evasive API chain (may stop execution after checking mutex)

Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe

Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess

Source: C:\Users\user\Desktop\O8ZHhytWhn.exe TID: 4528	Thread sleep count: 40 > 30
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe TID: 4528	Thread sleep time: -40000s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe	Evaded block: after key decision
Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe	Evaded block: after key decision

Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Code function: EnumDeviceDrivers,K32EnumDeviceDrivers,VirtualAlloc,K32EnumDeviceDrivers,K32GetDeviceDriverBaseNameW,lstrcmpiW,VirtualFree,VirtualFree,
Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe	Code function: EnumDeviceDrivers,EnumDeviceDrivers,VirtualAlloc,EnumDeviceDrivers,GetDeviceDriverBaseNameW,lstrcmpiW,VirtualFree,VirtualFree,
Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe	Code function: EnumDeviceDrivers,EnumDeviceDrivers,VirtualAlloc,EnumDeviceDrivers,GetDeviceDriverBaseNameW,lstrcmpiW,VirtualFree,VirtualFree,

Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Code function: 0_2_0F1D6A40 lstrlenW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcatW,lstrlenW,lstrcmpW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,lstrlenA,VirtualFree,CloseHandle,lstrcmpW,FindNextFileW,FindClose,
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Code function: 0_2_0F1D6C90 lstrlenW,lstrcatW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcatW,lstrcatW,lstrcatW,FindNextFileW,FindClose,
Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe	Code function: 9_2_0FBC6C90 lstrlenW,lstrcatW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcatW,lstrcatW,lstrcatW,FindNextFileW,FindClose,
Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe	Code function: 9_2_0FBC6A40 lstrlenW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcatW,lstrlenW,lstrcmpW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,lstrlenA,VirtualFree,CloseHandle,lstrcmpW,FindNextFileW,FindClose,
Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe	Code function: 25_2_0FBC6C90 lstrlenW,lstrcatW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcatW,lstrcatW,lstrcatW,FindNextFileW,FindClose,
Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe	Code function: 25_2_0FBC6A40 lstrlenW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcatW,lstrlenW,lstrcmpW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,lstrlenA,VirtualFree,CloseHandle,lstrcmpW,FindNextFileW,FindClose,

Source: C:\Users\user\Desktop\O8ZHhytWhn.exe

System information queried: ModuleInformation

Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe	API call chain: ExitProcess graph end node

Source: C:\Users\user\Desktop\O8ZHhytWhn.exe

Code function: 0_2_0F1D8150 CryptAcquireContextW,VirtualAlloc,GetModuleHandleA,LoadLibraryA,GetProcAddress,CryptReleaseContext,VirtualFree,CryptReleaseContext,VirtualFree,

Source: C:\Users\user\Desktop\O8ZHhytWhn.exe

Code function: 0_2_0F1D5210 lstrlenA,VirtualAlloc,CryptStringToBinaryA,_memset,lstrlenA,lstrlenA,lstrlenA,VirtualAlloc,lstrcpyA,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,VirtualFree,GetLastError,

Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Code function: 0_2_0F1D5EC0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe	Code function: 9_2_0FBC5EC0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe	Code function: 25_2_0FBC5EC0 mov eax, dword ptr fs:[00000030h]

Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns1.soprodns.ru
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns2.soprodns.ru
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns2.soprodns.ru
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns2.soprodns.ru
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns1.soprodns.ru
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns2.soprodns.ru
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns2.soprodns.ru
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns2.soprodns.ru
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns1.soprodns.ru
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns2.soprodns.ru
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns2.soprodns.ru
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns2.soprodns.ru
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns1.soprodns.ru
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns2.soprodns.ru
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns2.soprodns.ru
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns2.soprodns.ru
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Process created: unknown unknown

Source: C:\Users\user\Desktop\O8ZHhytWhn.exe

Code function: 0_2_0F1D3AA0 AllocateAndInitializeSid,GetModuleHandleA,GetProcAddress,FreeSid,

Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Users\user\Desktop\O8ZHhytWhn.exe

Code function: 0_2_0F1D90A0 cpuid

Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\Desktop\O8ZHhytWhn.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0

Source: C:\Users\user\Desktop\O8ZHhytWhn.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Source: C:\Users\user\Desktop\O8ZHhytWhn.exe

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
1 Replication Through Removable Media	12 Native API	1 Registry Run Keys / Startup Folder	11 Process Injection	1 Masquerading	OS Credential Dumping	1 Security Software Discovery	1 Replication Through Removable Media	11 Archive Collected Data	Exfiltration Over Other Network Medium	2 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	1 Data Encrypted for Impact
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Registry Run Keys / Startup Folder	1 Virtualization/Sandbox Evasion	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	1 Ingress Tool Transfer	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	11 Process Injection	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	1 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	1 Software Packing	NTDS	11 Peripheral Device Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	1 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	1 Account Discovery	SSH	Keylogging	Data Transfer Size Limits	1 Proxy	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	1 System Owner/User Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	1 Remote System Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	2 System Network Configuration Discovery	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Masquerading	/etc/passwd and /etc/shadow	1 System Network Connections Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	Invalid Code Signature	Network Sniffing	1 File and Directory Discovery	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact
Compromise Software Dependencies and Development Tools	Windows Command Shell	Cron	Cron	Right-to-Left Override	Input Capture	44 System Information Discovery	Replication Through Removable Media	Remote Data Staging	Exfiltration Over Physical Medium	Mail Protocols			Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
O8ZHhytWhn.exe	87%	Virustotal		Browse
O8ZHhytWhn.exe	78%	Metadefender		Browse
O8ZHhytWhn.exe	92%	ReversingLabs	Win32.Ransomware.GandCrab
O8ZHhytWhn.exe	100%	Avira	TR/Dropper.Gen
O8ZHhytWhn.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe	100%	Avira	TR/Dropper.Gen
C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe	100%	Joe Sandbox ML

Unpacked PE Files

Source	Detection	Scanner	Label	Download
0.0.O8ZHhytWhn.exe.f1d0000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
9.0.wjaoab.exe.fbc0000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
25.2.wjaoab.exe.fbc0000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
9.2.wjaoab.exe.fbc0000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
0.2.O8ZHhytWhn.exe.f1d0000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
25.0.wjaoab.exe.fbc0000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File

Domains

Source	Detection	Scanner	Label	Link
nomoreransom.coin	2%	Virustotal		Browse
nomoreransom.bit	1%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://gdcbghvjyqy7jclk.onion/3a23db8448d3b2b	0%	URL Reputation	safe
https://tox.chat/download.html	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
nomoreransom.coin	unknown	unknown	true	2%, Virustotal, Browse	unknown
ipv4bot.whatismyipaddress.com	unknown	unknown	false		high
nomoreransom.bit	unknown	unknown	true	1%, Virustotal, Browse	unknown
gandcrab.bit	unknown	unknown	true		unknown
dns1.soprodns.ru	unknown	unknown	true		unknown
dns2.soprodns.ru	unknown	unknown	true		unknown
8.8.8.8.in-addr.arpa	unknown	unknown	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.torproject.org/	O8ZHhytWhn.exe, wjaoab.exe.0.dr	false		high
http://gdcbghvjyqy7jclk.onion/3a23db8448d3b2b	O8ZHhytWhn.exe, wjaoab.exe.0.dr	true	URL Reputation: safe	unknown
https://tox.chat/download.html	O8ZHhytWhn.exe, wjaoab.exe.0.dr	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	35.0.0 Citrine
Analysis ID:	694558
Start date and time:	2022-08-31 23:47:38 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 8m 27s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	O8ZHhytWhn.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	63
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.rans.troj.evad.winEXE@89/2@278/1
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 100% (good quality ratio 96%) Quality average: 83.5% Quality standard deviation: 24.4%
HCA Information:	Successful, ratio: 99% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe Adjust boot time Enable AMSI

Warnings

Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, svchost.exe
Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, client.wns.windows.com, fs.microsoft.com, eudb.ris.api.iris.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
23:48:46	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce wzugsdsqebh "C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe"
23:48:58	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\RunOnce wzugsdsqebh "C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe"

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3853321935-2125563209-4053062332-1002\eb42b1a5c308fc11edf1ddbdd25c8486_d06ed635-68f6-4e9a-955c-4899f5f57b9a

Download File

Process:	C:\Users\user\Desktop\O8ZHhytWhn.exe
File Type:	data
Category:	dropped
Size (bytes):	2222
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	D450FF4604F32CB5D2F566F10B1FC222
SHA1:	51E30F18F2B90316F51899F09714CFC1B9676948
SHA-256:	1FE51B05C44F6C78BD31E501DF8A4D12D290CAB134663219CF3C713A604FCA35
SHA-512:	7B4BFAF3E1DAEFA0C140E904C67F4136951F3411BD6C8252CEAFF4F7A7B857817B03DEF803CAE00EDA7CD7DD8A1A0EC8415B9564C344FA1253ECCE1C4A5695AD
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe

Download File

Process:	C:\Users\user\Desktop\O8ZHhytWhn.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	71168
Entropy (8bit):	6.4214958624218355
Encrypted:	false
SSDEEP:	1536:KZZZZZZZZZZZZpXzzzzzzzzzzzzV9rXounV98hbHnAwfMqqU+2bbbAV2/S2Lkvd9:8BounVyFHpfMqqDL2/Lkvd
MD5:	A1E6F4D9E1AF5740E07B86A42C6C430B
SHA1:	0463905CBEC8B4BADCFBD2B05B8D6B8C5BE9A56C
SHA-256:	0F9F6928B16927DEB69C5128BF1C72F109C31B7478CE52A5A772FE4A62A7D9C8
SHA-512:	C4D84F7B77F99C02DC8EE82A01902F7B82A63D2E5F7AF33019D854066879FFEC91CBAB264EF04B24A23135721914D22EA863DA6C10D42A0D49BAD6F913F48769
Malicious:	true
Yara Hits:	Rule: ReflectiveLoader, Description: Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe, Author: Florian Roth Rule: SUSP_RANSOMWARE_Indicator_Jul20, Description: Detects ransomware indicator, Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe, Author: Florian Roth Rule: JoeSecurity_Gandcrab, Description: Yara detected Gandcrab, Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe, Author: Joe Security Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_ReflectiveLoader, Description: detects Reflective DLL injection artifacts, Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe, Author: ditekSHen Rule: Gandcrab, Description: Gandcrab Payload, Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe, Author: kevoreilly
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This .y.1..m cannot be run in DOS mode....$........Tg..:4..:4..:4..4..:4..4..:4...4..:4..:4..:4...4..:4..;42.:4...4..:4...4..:4...4..:4...4..:4Rich..:4........PE..L....Z.Z.............................K.......................................`............@.............................U...8........@.......................P.......................................................................................text.............................. ..`.rdata...p.......r..................@..@.data........ ......................@....CRT.........0......................@..@.rsrc........@......................@..@.reloc.......P......................@..B................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.421564704960313
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	O8ZHhytWhn.exe
File size:	71168
MD5:	b39febf7440b58a6cd15ae9f01916f98
SHA1:	66984e561fc5feead5ef9790f79bffd7778ac1e2
SHA256:	9c689986ca8e0b4fd93657ad9ed5c37994ccf591c90d5fba85684f2d0f49e1b9
SHA512:	3080283a04ddf66d59cf8309fb2fb1720a094fdfd408b74d8483e1e6f8712b236f8b6f62335e8bdab060ef993e4cdf92822c6cd83483a1876450ba0447e90796
SSDEEP:	1536:7ZZZZZZZZZZZZpXzzzzzzzzzzzzV9rXounV98hbHnAwfMqqU+2bbbAV2/S2Lkvd9:7BounVyFHpfMqqDL2/Lkvd
TLSH:	1D636A0EA2E1A193E1F357B9FA757E65446E3D203B289BDB099359852D630F0793B303
File Content Preview:	MZ......................@...............................................!..L.!This .j0.#.m cannot be run in DOS mode....$.........Tg..:4..:4..:4...4..:4...4..:4...4..:4..:4..:4...4..:4..;42.:4...4..:4...4..:4...4..:4...4..:4Rich..:4........PE..L....Z.Z...

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General

Entrypoint:	0x10004bf0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x10000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH
Time Stamp:	0x5A8C5AD9 [Tue Feb 20 17:28:57 2018 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	6b11af918234585a966ca8fab046dc6c

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
sub esp, 0Ch
mov dword ptr [ebp-0Ch], 00000001h
mov eax, dword ptr [ebp+0Ch]
mov dword ptr [ebp-08h], eax
cmp dword ptr [ebp-08h], 01h
jmp 00007F732C73A7B6h
jmp 00007F732C73A7DCh
jmp 00007F732C73A7DAh
push 00000000h
push 00000000h
push 00000000h
push 10004950h
push 00000000h
push 00000000h
call dword ptr [1000A108h]
mov dword ptr [ebp-04h], eax
cmp dword ptr [ebp-04h], 00000000h
je 00007F732C73A7BCh
mov ecx, dword ptr [ebp-04h]
push ecx
call dword ptr [1000A10Ch]
mov eax, dword ptr [ebp-0Ch]
mov esp, ebp
pop ebp
retn 000Ch
int3
int3
push ebp
mov ebp, esp
sub esp, 5Ch
push esi
push 00000044h
lea eax, dword ptr [ebp-58h]
xorps xmm0, xmm0
push 00000000h
push eax
mov esi, ecx
movdqu dqword ptr [ebp-10h], xmm0
call 00007F732C73EB67h
mov eax, dword ptr [10012A6Ch]
add esp, 0Ch
mov dword ptr [ebp-18h], eax
mov dword ptr [ebp-1Ch], eax
mov eax, dword ptr [10012A68h]
or dword ptr [ebp-2Ch], 00000101h
mov dword ptr [ebp-20h], eax
xor eax, eax
mov word ptr [ebp-28h], ax
lea eax, dword ptr [ebp-10h]
push eax
lea eax, dword ptr [ebp-58h]
mov dword ptr [ebp-58h], 00000044h
push eax
push 00000000h
push 00000000h
push 00000000h
push 00000001h
push 00000000h
push 00000000h
push esi
push 00000000h
call dword ptr [1000A164h]
test eax, eax
jne 00007F732C73A7BDh
call dword ptr [1000A064h]
pop esi
mov esp, ebp
pop ebp
ret
push dword ptr [ebp-10h]

Rich Headers

Programming Language:

[ C ] VS2013 build 21005
[IMP] VS2008 SP1 build 30729
[EXP] VS2013 build 21005
[RES] VS2013 build 21005
[LNK] VS2013 build 21005

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x104e0	0x55	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x10538	0xb4	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x14000	0x1e0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x15000	0xac4	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xa000	0x1fc	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x82e8	0x8400	False	0.4593690814393939	data	6.340223357377212	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0xa000	0x70a6	0x7200	False	0.4923245614035088	data	6.181274430024402	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x12000	0xa80	0xc00	False	0.3160807291666667	data	3.1174892908286225	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.CRT	0x13000	0x4	0x200	False	0.033203125	data	0.06116285224115448	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x14000	0x1e0	0x200	False	0.52734375	data	4.7176788329467545	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x15000	0xac4	0xc00	False	0.7802734375	data	6.4568381269501165	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_MANIFEST	0x14060	0x17d	XML 1.0 document text	English	United States

Imports

DLL	Import
KERNEL32.dll	SetFilePointer, GetFileAttributesW, ReadFile, GetLastError, MoveFileW, lstrcpyW, SetFileAttributesW, CreateMutexW, GetDriveTypeW, VerSetConditionMask, WaitForSingleObject, GetTickCount, InitializeCriticalSection, OpenProcess, GetSystemDirectoryW, TerminateThread, Sleep, TerminateProcess, VerifyVersionInfoW, WaitForMultipleObjects, DeleteCriticalSection, ExpandEnvironmentStringsW, lstrlenW, SetHandleInformation, lstrcatA, MultiByteToWideChar, CreatePipe, lstrcmpiA, Process32NextW, CreateToolhelp32Snapshot, LeaveCriticalSection, EnterCriticalSection, FindFirstFileW, lstrcmpW, FindClose, FindNextFileW, GetNativeSystemInfo, GetComputerNameW, GetDiskFreeSpaceW, GetWindowsDirectoryW, GetVolumeInformationW, LoadLibraryA, lstrcmpiW, VirtualFree, CreateThread, CloseHandle, lstrcatW, CreateFileMappingW, ExitThread, CreateFileW, GetModuleFileNameW, WriteFile, GetModuleHandleW, UnmapViewOfFile, MapViewOfFile, GetFileSize, GetEnvironmentVariableW, lstrcpyA, GetModuleHandleA, VirtualAlloc, GetProcAddress, Process32FirstW, GetTempPathW, GetProcessHeap, HeapFree, HeapAlloc, lstrlenA, CreateProcessW, ExitProcess, IsProcessorFeaturePresent
USER32.dll	BeginPaint, wsprintfW, TranslateMessage, LoadCursorW, LoadIconW, MessageBoxA, GetMessageW, EndPaint, DestroyWindow, RegisterClassExW, ShowWindow, CreateWindowExW, SendMessageW, DispatchMessageW, DefWindowProcW, UpdateWindow, GetForegroundWindow, SetWindowLongW
GDI32.dll	TextOutW
ADVAPI32.dll	FreeSid, RegSetValueExW, RegCreateKeyExW, RegCloseKey, CryptExportKey, CryptAcquireContextW, CryptGetKeyParam, CryptReleaseContext, CryptImportKey, CryptEncrypt, CryptGenKey, CryptDestroyKey, GetUserNameW, RegQueryValueExW, RegOpenKeyExW, AllocateAndInitializeSid
SHELL32.dll	ShellExecuteW, SHGetSpecialFolderPathW, ShellExecuteExW
CRYPT32.dll	CryptStringToBinaryA, CryptBinaryToStringA
WININET.dll	InternetCloseHandle, HttpAddRequestHeadersW, HttpSendRequestW, InternetConnectW, HttpOpenRequestW, InternetOpenW, InternetReadFile
PSAPI.DLL	EnumDeviceDrivers, GetDeviceDriverBaseNameW

Exports

Name	Ordinal	Address
_ReflectiveLoader@0	1	0x10005ec0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
192.168.2.78.8.8.859550532026737 08/31/22-23:50:37.016810	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	59550	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.852106532026737 08/31/22-23:49:25.641298	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	52106	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.851142532829498 08/31/22-23:49:32.319799	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	51142	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.861174532829498 08/31/22-23:50:40.415440	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	61174	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.854194532829498 08/31/22-23:50:17.451854	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	54194	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.862910532026737 08/31/22-23:50:41.844460	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	62910	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.859114532829498 08/31/22-23:50:50.899719	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	59114	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.863192532829498 08/31/22-23:50:10.372925	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	63192	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.858786532026737 08/31/22-23:49:35.365431	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	58786	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.850026532026737 08/31/22-23:49:12.853058	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	50026	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.856776532829498 08/31/22-23:50:31.949356	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	56776	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.851012532026737 08/31/22-23:49:06.034483	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	51012	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.862438532026737 08/31/22-23:49:47.214941	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	62438	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.860840532829498 08/31/22-23:50:23.078640	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	60840	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.864080532829498 08/31/22-23:49:52.783908	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	64080	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.861175532829498 08/31/22-23:50:40.433841	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	61175	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.858288532829498 08/31/22-23:49:10.646822	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	58288	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.852107532026737 08/31/22-23:49:25.661867	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	52107	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.856775532829498 08/31/22-23:50:31.927813	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	56775	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.862020532026737 08/31/22-23:50:18.955251	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	62020	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.858751532829498 08/31/22-23:49:44.095609	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	58751	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.859548532026737 08/31/22-23:50:36.965761	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	59548	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.863191532829498 08/31/22-23:50:10.354216	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	63191	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.858750532829498 08/31/22-23:49:44.071935	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	58750	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.853340532829498 08/31/22-23:49:03.740944	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	53340	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.851141532829498 08/31/22-23:49:32.298424	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	51141	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.863296532026737 08/31/22-23:50:48.003146	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	63296	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.850233532026737 08/31/22-23:49:59.196489	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	50233	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.862684532829498 08/31/22-23:49:22.306534	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	62684	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.861183532026737 08/31/22-23:48:55.804714	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	61183	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.854195532829498 08/31/22-23:50:17.469831	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	54195	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.860841532829498 08/31/22-23:50:23.096845	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	60841	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.862021532026737 08/31/22-23:50:18.975380	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	62021	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.855836532026737 08/31/22-23:50:24.524842	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	55836	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.851143532829498 08/31/22-23:49:32.344159	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	51143	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.864083532829498 08/31/22-23:49:52.867185	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	64083	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.858788532026737 08/31/22-23:49:35.533597	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	58788	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.850509532829498 08/31/22-23:48:51.586247	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	50509	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.862436532026737 08/31/22-23:49:47.175608	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	62436	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.851440532829498 08/31/22-23:50:03.437869	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	51440	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.853640532026737 08/31/22-23:50:13.786207	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	53640	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.862911532026737 08/31/22-23:50:41.864871	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	62911	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.853339532829498 08/31/22-23:49:03.720004	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	53339	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.862023532026737 08/31/22-23:50:19.013875	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	62023	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.855834532026737 08/31/22-23:50:24.482691	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	55834	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.858749532829498 08/31/22-23:49:44.051138	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	58749	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.858286532829498 08/31/22-23:49:10.608212	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	58286	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.851011532026737 08/31/22-23:49:06.014113	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	51011	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.851439532829498 08/31/22-23:50:03.414505	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	51439	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.859849532829498 08/31/22-23:50:46.658424	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	59849	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.850027532026737 08/31/22-23:49:12.888248	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	50027	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.859850532829498 08/31/22-23:50:46.682797	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	59850	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.863294532026737 08/31/22-23:50:47.961479	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	63294	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.859115532829498 08/31/22-23:50:50.920149	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	59115	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.862682532829498 08/31/22-23:49:22.268041	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	62682	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.859551532026737 08/31/22-23:50:37.037427	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	59551	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.850235532026737 08/31/22-23:49:59.234950	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	50235	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.861181532026737 08/31/22-23:48:55.077736	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	61181	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.862022532026737 08/31/22-23:50:18.995399	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	62022	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.853642532026737 08/31/22-23:50:13.835822	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	53642	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.850507532829498 08/31/22-23:48:51.544537	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	50507	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.856773532829498 08/31/22-23:50:31.838450	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	56773	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.854197532829498 08/31/22-23:50:17.513889	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	54197	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.860839532829498 08/31/22-23:50:23.058563	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	60839	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.855835532026737 08/31/22-23:50:24.503509	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	55835	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.853338532829498 08/31/22-23:49:03.694333	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	53338	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.861177532829498 08/31/22-23:50:40.475632	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	61177	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.850510532829498 08/31/22-23:48:51.605938	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	50510	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.853639532026737 08/31/22-23:50:13.763933	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	53639	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.858789532026737 08/31/22-23:49:35.553154	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	58789	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.859057532026737 08/31/22-23:50:05.762357	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	59057	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.862913532026737 08/31/22-23:50:41.903498	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	62913	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.862435532026737 08/31/22-23:49:47.157448	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	62435	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.853341532829498 08/31/22-23:49:03.761474	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	53341	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.862683532829498 08/31/22-23:49:22.288385	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	62683	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.852109532026737 08/31/22-23:49:25.724789	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	52109	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.850029532026737 08/31/22-23:49:12.927716	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	50029	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.864082532829498 08/31/22-23:49:52.826347	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	64082	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.859056532026737 08/31/22-23:50:05.744186	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	59056	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.850508532829498 08/31/22-23:48:51.564977	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	50508	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.856774532829498 08/31/22-23:50:31.909568	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	56774	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.859117532829498 08/31/22-23:50:50.958695	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	59117	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.864081532829498 08/31/22-23:49:52.807469	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	64081	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.852108532026737 08/31/22-23:49:25.704474	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	52108	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.862437532026737 08/31/22-23:49:47.194217	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	62437	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.859116532829498 08/31/22-23:50:50.938342	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	59116	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.859058532026737 08/31/22-23:50:05.782380	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	59058	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.859851532829498 08/31/22-23:50:46.705234	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	59851	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.851010532026737 08/31/22-23:49:05.994077	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	51010	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.862681532829498 08/31/22-23:49:22.247182	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	62681	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.851438532829498 08/31/22-23:50:03.395466	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	51438	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.862912532026737 08/31/22-23:50:41.885084	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	62912	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.850028532026737 08/31/22-23:49:12.908519	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	50028	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.859055532026737 08/31/22-23:50:05.722794	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	59055	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.853641532026737 08/31/22-23:50:13.814014	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	53641	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.855833532026737 08/31/22-23:50:24.464562	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	55833	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.863293532026737 08/31/22-23:50:47.940116	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	63293	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.850236532026737 08/31/22-23:49:59.285144	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	50236	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.858287532829498 08/31/22-23:49:10.628422	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	58287	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.851144532829498 08/31/22-23:49:32.366090	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	51144	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.861176532829498 08/31/22-23:50:40.454136	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	61176	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.859848532829498 08/31/22-23:50:46.635471	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	59848	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.861180532026737 08/31/22-23:48:54.987434	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	61180	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.851441532829498 08/31/22-23:50:03.458729	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	51441	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.851009532026737 08/31/22-23:49:05.970413	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	51009	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.859549532026737 08/31/22-23:50:36.986127	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	59549	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.863295532026737 08/31/22-23:50:47.982626	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	63295	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.850234532026737 08/31/22-23:49:59.216727	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	50234	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.861182532026737 08/31/22-23:48:55.097916	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	61182	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.858285532829498 08/31/22-23:49:10.587711	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	58285	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.863189532829498 08/31/22-23:50:10.316381	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	63189	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.858748532829498 08/31/22-23:49:44.032896	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	58748	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.854196532829498 08/31/22-23:50:17.488065	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	54196	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.863190532829498 08/31/22-23:50:10.336236	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	63190	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.860842532829498 08/31/22-23:50:23.114941	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	60842	53	192.168.2.7	8.8.8.8
192.168.2.78.8.8.858787532026737 08/31/22-23:49:35.450533	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	58787	53	192.168.2.7	8.8.8.8

Network Port Distribution

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 31, 2022 23:48:48.162317038 CEST	56588	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:48:48.180012941 CEST	53	56588	8.8.8.8	192.168.2.7
Aug 31, 2022 23:48:49.311268091 CEST	50835	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:48:49.340321064 CEST	53	50835	8.8.8.8	192.168.2.7
Aug 31, 2022 23:48:49.449572086 CEST	50836	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:48:49.466823101 CEST	53	50836	8.8.8.8	192.168.2.7
Aug 31, 2022 23:48:49.516789913 CEST	50837	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:48:49.536530972 CEST	53	50837	8.8.8.8	192.168.2.7
Aug 31, 2022 23:48:49.537214041 CEST	50838	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:48:49.556749105 CEST	53	50838	8.8.8.8	192.168.2.7
Aug 31, 2022 23:48:49.557590008 CEST	50839	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:48:49.575861931 CEST	53	50839	8.8.8.8	192.168.2.7
Aug 31, 2022 23:48:49.576618910 CEST	50840	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:48:49.594223022 CEST	53	50840	8.8.8.8	192.168.2.7
Aug 31, 2022 23:48:51.461322069 CEST	50505	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:48:51.490272999 CEST	53	50505	8.8.8.8	192.168.2.7
Aug 31, 2022 23:48:51.524420977 CEST	50506	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:48:51.543720007 CEST	53	50506	8.8.8.8	192.168.2.7
Aug 31, 2022 23:48:51.544537067 CEST	50507	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:48:51.564177990 CEST	53	50507	8.8.8.8	192.168.2.7
Aug 31, 2022 23:48:51.564976931 CEST	50508	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:48:51.584604979 CEST	53	50508	8.8.8.8	192.168.2.7
Aug 31, 2022 23:48:51.586246967 CEST	50509	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:48:51.604727030 CEST	53	50509	8.8.8.8	192.168.2.7
Aug 31, 2022 23:48:51.605937958 CEST	50510	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:48:51.625611067 CEST	53	50510	8.8.8.8	192.168.2.7
Aug 31, 2022 23:48:53.572961092 CEST	61178	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:48:54.615896940 CEST	61178	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:48:54.773407936 CEST	53	61178	8.8.8.8	192.168.2.7
Aug 31, 2022 23:48:54.869833946 CEST	61179	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:48:54.889055014 CEST	53	61179	8.8.8.8	192.168.2.7
Aug 31, 2022 23:48:54.987433910 CEST	61180	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:48:55.006886005 CEST	53	61180	8.8.8.8	192.168.2.7
Aug 31, 2022 23:48:55.077735901 CEST	61181	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:48:55.097297907 CEST	53	61181	8.8.8.8	192.168.2.7
Aug 31, 2022 23:48:55.097915888 CEST	61182	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:48:55.117695093 CEST	53	61182	8.8.8.8	192.168.2.7
Aug 31, 2022 23:48:55.747175932 CEST	53	61178	8.8.8.8	192.168.2.7
Aug 31, 2022 23:48:55.804713964 CEST	61183	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:48:55.824616909 CEST	53	61183	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:00.319737911 CEST	63926	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:01.169933081 CEST	53	63926	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:01.353461027 CEST	63927	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:01.372771025 CEST	53	63927	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:01.374028921 CEST	63928	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:01.391752958 CEST	53	63928	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:01.392597914 CEST	63929	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:01.412412882 CEST	53	63929	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:01.422482967 CEST	63930	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:01.442105055 CEST	53	63930	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:01.442715883 CEST	63931	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:01.462238073 CEST	53	63931	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:03.618457079 CEST	53336	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:03.646867990 CEST	53	53336	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:03.674020052 CEST	53337	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:03.693329096 CEST	53	53337	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:03.694333076 CEST	53338	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:03.714029074 CEST	53	53338	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:03.720004082 CEST	53339	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:03.739958048 CEST	53	53339	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:03.740943909 CEST	53340	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:03.760740042 CEST	53	53340	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:03.761473894 CEST	53341	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:03.780883074 CEST	53	53341	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:05.851566076 CEST	51007	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:05.927884102 CEST	53	51007	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:05.950356960 CEST	51008	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:05.969724894 CEST	53	51008	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:05.970412970 CEST	51009	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:05.988084078 CEST	53	51009	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:05.994076967 CEST	51010	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:06.013634920 CEST	53	51010	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:06.014112949 CEST	51011	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:06.033843040 CEST	53	51011	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:06.034482956 CEST	51012	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:06.052124023 CEST	53	51012	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:08.298588037 CEST	60765	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:08.332787037 CEST	53	60765	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:08.379491091 CEST	60766	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:08.396629095 CEST	53	60766	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:08.401062012 CEST	60767	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:08.420532942 CEST	53	60767	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:08.421091080 CEST	60768	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:08.438788891 CEST	53	60768	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:08.439529896 CEST	60769	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:08.459163904 CEST	53	60769	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:08.460036039 CEST	60770	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:08.479747057 CEST	53	60770	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:10.506968975 CEST	58283	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:10.541820049 CEST	53	58283	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:10.567323923 CEST	58284	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:10.586430073 CEST	53	58284	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:10.587711096 CEST	58285	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:10.607192039 CEST	53	58285	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:10.608211994 CEST	58286	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:10.627860069 CEST	53	58286	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:10.628422022 CEST	58287	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:10.646167040 CEST	53	58287	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:10.646821976 CEST	58288	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:10.664554119 CEST	53	58288	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:12.772886038 CEST	50024	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:12.801616907 CEST	53	50024	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:12.835031033 CEST	50025	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:12.852170944 CEST	53	50025	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:12.853058100 CEST	50026	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:12.872845888 CEST	53	50026	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:12.888247967 CEST	50027	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:12.907861948 CEST	53	50027	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:12.908519030 CEST	50028	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:12.926351070 CEST	53	50028	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:12.927716017 CEST	50029	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:12.945725918 CEST	53	50029	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:19.245435953 CEST	49516	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:19.313703060 CEST	53	49516	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:19.400525093 CEST	49517	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:19.419850111 CEST	53	49517	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:19.420770884 CEST	49518	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:19.440718889 CEST	53	49518	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:19.441392899 CEST	49519	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:19.460870028 CEST	53	49519	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:19.466649055 CEST	49520	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:19.487466097 CEST	53	49520	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:19.488183022 CEST	49521	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:19.506371021 CEST	53	49521	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:21.671026945 CEST	62679	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:22.201103926 CEST	53	62679	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:22.227818012 CEST	62680	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:22.246304989 CEST	53	62680	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:22.247181892 CEST	62681	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:22.266834021 CEST	53	62681	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:22.268040895 CEST	62682	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:22.287790060 CEST	53	62682	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:22.288384914 CEST	62683	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:22.305758953 CEST	53	62683	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:22.306534052 CEST	62684	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:22.324302912 CEST	53	62684	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:24.462853909 CEST	61392	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:25.454030037 CEST	61392	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:25.577943087 CEST	53	61392	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:25.622845888 CEST	52105	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:25.640170097 CEST	53	52105	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:25.641298056 CEST	52106	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:25.661083937 CEST	53	52106	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:25.661866903 CEST	52107	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:25.681529045 CEST	53	52107	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:25.704473972 CEST	52108	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:25.724030018 CEST	53	52108	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:25.724788904 CEST	52109	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:25.744210958 CEST	53	52109	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:25.991184950 CEST	53	61392	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:28.680964947 CEST	59006	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:28.717668056 CEST	53	59006	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:28.837111950 CEST	59007	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:28.856168985 CEST	53	59007	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:28.857135057 CEST	59008	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:28.877022028 CEST	53	59008	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:28.877621889 CEST	59009	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:28.895523071 CEST	53	59009	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:28.896074057 CEST	59010	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:28.913804054 CEST	53	59010	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:28.914361000 CEST	59011	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:28.934406996 CEST	53	59011	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:31.635144949 CEST	51139	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:32.217390060 CEST	53	51139	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:32.279234886 CEST	51140	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:32.296617031 CEST	53	51140	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:32.298424006 CEST	51141	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:32.318643093 CEST	53	51141	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:32.319798946 CEST	51142	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:32.339747906 CEST	53	51142	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:32.344158888 CEST	51143	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:32.364142895 CEST	53	51143	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:32.366090059 CEST	51144	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:32.385826111 CEST	53	51144	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:35.170795918 CEST	58784	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:35.200468063 CEST	53	58784	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:35.292376995 CEST	58785	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:35.311513901 CEST	53	58785	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:35.365431070 CEST	58786	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:35.384989977 CEST	53	58786	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:35.450532913 CEST	58787	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:35.468177080 CEST	53	58787	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:35.533596992 CEST	58788	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:35.551315069 CEST	53	58788	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:35.553153992 CEST	58789	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:35.570811987 CEST	53	58789	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:40.191965103 CEST	64608	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:41.208512068 CEST	64608	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:41.316941023 CEST	53	64608	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:41.362494946 CEST	64609	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:41.379674911 CEST	53	64609	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:41.382796049 CEST	64610	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:41.400392056 CEST	53	64610	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:41.401937962 CEST	64611	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:41.419595003 CEST	53	64611	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:41.420692921 CEST	64612	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:41.440679073 CEST	53	64612	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:41.441375971 CEST	64613	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:41.461257935 CEST	53	64613	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:42.919545889 CEST	53	64608	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:43.427385092 CEST	58746	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:43.962893009 CEST	53	58746	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:44.012053967 CEST	58747	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:44.031344891 CEST	53	58747	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:44.032896042 CEST	58748	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:44.050631046 CEST	53	58748	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:44.051137924 CEST	58749	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:44.070837975 CEST	53	58749	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:44.071934938 CEST	58750	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:44.091598988 CEST	53	58750	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:44.095608950 CEST	58751	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:44.115334988 CEST	53	58751	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:45.971837044 CEST	62433	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:47.004626036 CEST	62433	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:47.099487066 CEST	53	62433	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:47.139636993 CEST	62434	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:47.156781912 CEST	53	62434	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:47.157448053 CEST	62435	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:47.175007105 CEST	53	62435	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:47.175607920 CEST	62436	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:47.193625927 CEST	53	62436	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:47.194216967 CEST	62437	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:47.214102030 CEST	53	62437	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:47.214941025 CEST	62438	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:47.232800007 CEST	53	62438	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:47.542625904 CEST	53	62433	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:49.229926109 CEST	61248	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:49.484189034 CEST	53	61248	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:49.510601044 CEST	61249	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:49.529911995 CEST	53	61249	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:49.533186913 CEST	61250	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:49.551467896 CEST	53	61250	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:49.552383900 CEST	61251	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:49.572386980 CEST	53	61251	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:49.573700905 CEST	61252	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:49.593506098 CEST	53	61252	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:49.595768929 CEST	61253	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:49.613496065 CEST	53	61253	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:51.551908016 CEST	52750	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:52.563982010 CEST	52750	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:52.714204073 CEST	53	52750	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:52.762547016 CEST	64079	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:52.781574011 CEST	53	64079	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:52.783907890 CEST	64080	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:52.804019928 CEST	53	64080	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:52.807468891 CEST	64081	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:52.825433969 CEST	53	64081	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:52.826347113 CEST	64082	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:52.846256018 CEST	53	64082	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:52.867185116 CEST	64083	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:52.887599945 CEST	53	64083	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:53.688219070 CEST	53	52750	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:56.650087118 CEST	50231	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:58.274665117 CEST	53	50231	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:59.062505960 CEST	50231	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:59.107537985 CEST	50232	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:59.124644041 CEST	53	50232	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:59.147748947 CEST	53	50231	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:59.196489096 CEST	50233	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:59.216067076 CEST	53	50233	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:59.216727018 CEST	50234	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:59.234318972 CEST	53	50234	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:59.234950066 CEST	50235	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:59.252429962 CEST	53	50235	8.8.8.8	192.168.2.7
Aug 31, 2022 23:49:59.285144091 CEST	50236	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:49:59.305018902 CEST	53	50236	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:01.274703979 CEST	58514	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:01.393326044 CEST	53	58514	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:01.419277906 CEST	58515	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:01.436784029 CEST	53	58515	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:01.437741041 CEST	58516	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:01.455447912 CEST	53	58516	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:01.457930088 CEST	58517	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:01.476432085 CEST	53	58517	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:01.476938963 CEST	58518	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:01.494363070 CEST	53	58518	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:01.495297909 CEST	58519	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:01.515038967 CEST	53	58519	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:03.328814983 CEST	51436	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:03.356900930 CEST	53	51436	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:03.377331972 CEST	51437	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:03.394578934 CEST	53	51437	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:03.395466089 CEST	51438	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:03.413331032 CEST	53	51438	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:03.414505005 CEST	51439	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:03.434359074 CEST	53	51439	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:03.437869072 CEST	51440	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:03.457411051 CEST	53	51440	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:03.458729029 CEST	51441	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:03.476334095 CEST	53	51441	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:05.108340025 CEST	59053	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:05.684484959 CEST	53	59053	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:05.702292919 CEST	59054	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:05.721307993 CEST	53	59054	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:05.722794056 CEST	59055	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:05.742141962 CEST	53	59055	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:05.744185925 CEST	59056	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:05.761802912 CEST	53	59056	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:05.762356997 CEST	59057	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:05.781910896 CEST	53	59057	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:05.782380104 CEST	59058	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:05.799871922 CEST	53	59058	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:07.031923056 CEST	51945	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:08.021806955 CEST	51945	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:08.151724100 CEST	53	51945	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:08.167407990 CEST	51946	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:08.186973095 CEST	53	51946	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:08.189280033 CEST	51947	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:08.220877886 CEST	53	51947	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:08.221313000 CEST	51948	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:08.249907017 CEST	53	51948	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:08.251476049 CEST	51949	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:08.271193981 CEST	53	51949	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:08.274797916 CEST	51950	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:08.294326067 CEST	53	51950	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:09.698939085 CEST	53	51945	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:09.751842022 CEST	63187	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:10.289400101 CEST	53	63187	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:10.296859980 CEST	63188	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:10.315807104 CEST	53	63188	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:10.316380978 CEST	63189	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:10.335757971 CEST	53	63189	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:10.336236000 CEST	63190	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:10.353692055 CEST	53	63190	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:10.354216099 CEST	63191	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:10.371742964 CEST	53	63191	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:10.372925043 CEST	63192	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:10.390542984 CEST	53	63192	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:11.642780066 CEST	64760	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:12.630454063 CEST	64760	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:13.644061089 CEST	64760	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:13.730717897 CEST	53	64760	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:13.744646072 CEST	53638	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:13.763123989 CEST	53	53638	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:13.763932943 CEST	53639	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:13.783987999 CEST	53	53639	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:13.786206961 CEST	53640	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:13.806222916 CEST	53	53640	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:13.814013958 CEST	53641	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:13.831871986 CEST	53	53641	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:13.835822105 CEST	53642	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:13.855473995 CEST	53	53642	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:14.389233112 CEST	53	64760	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:14.867403984 CEST	53	64760	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:15.356404066 CEST	58343	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:15.432742119 CEST	53	58343	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:15.441741943 CEST	58344	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:15.458967924 CEST	53	58344	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:15.459965944 CEST	58345	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:15.479576111 CEST	53	58345	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:15.480093002 CEST	58346	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:15.500281096 CEST	53	58346	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:15.500714064 CEST	58347	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:15.520478964 CEST	53	58347	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:15.520885944 CEST	58348	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:15.540834904 CEST	53	58348	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:16.850531101 CEST	54192	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:17.425961018 CEST	53	54192	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:17.434011936 CEST	54193	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:17.451142073 CEST	53	54193	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:17.451853991 CEST	54194	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:17.469491005 CEST	53	54194	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:17.469830990 CEST	54195	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:17.487525940 CEST	53	54195	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:17.488065004 CEST	54196	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:17.507570982 CEST	53	54196	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:17.513889074 CEST	54197	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:17.533308029 CEST	53	54197	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:18.887698889 CEST	62018	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:18.916414976 CEST	53	62018	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:18.937438965 CEST	62019	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:18.954654932 CEST	53	62019	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:18.955250978 CEST	62020	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:18.974977016 CEST	53	62020	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:18.975379944 CEST	62021	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:18.994760036 CEST	53	62021	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:18.995398998 CEST	62022	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:19.012873888 CEST	53	62022	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:19.013875008 CEST	62023	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:19.031758070 CEST	53	62023	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:20.492069006 CEST	50155	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:20.563419104 CEST	53	50155	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:20.578113079 CEST	50156	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:20.595380068 CEST	53	50156	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:20.595863104 CEST	50157	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:20.615622997 CEST	53	50157	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:20.616091013 CEST	50158	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:20.633987904 CEST	53	50158	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:20.634430885 CEST	64323	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:20.654202938 CEST	53	64323	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:20.654583931 CEST	64324	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:20.672302961 CEST	53	64324	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:22.412148952 CEST	59695	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:23.034744024 CEST	53	59695	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:23.040985107 CEST	60838	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:23.058167934 CEST	53	60838	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:23.058562994 CEST	60839	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:23.078299999 CEST	53	60839	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:23.078639984 CEST	60840	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:23.096414089 CEST	53	60840	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:23.096844912 CEST	60841	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:23.114574909 CEST	53	60841	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:23.114940882 CEST	60842	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:23.134742975 CEST	53	60842	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:24.405147076 CEST	65478	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:24.436777115 CEST	53	65478	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:24.446861982 CEST	55832	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:24.464018106 CEST	53	55832	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:24.464561939 CEST	55833	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:24.482281923 CEST	53	55833	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:24.482691050 CEST	55834	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:24.502979040 CEST	53	55834	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:24.503509045 CEST	55835	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:24.521646976 CEST	53	55835	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:24.524842024 CEST	55836	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:24.544363976 CEST	53	55836	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:25.783303976 CEST	60079	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:26.785877943 CEST	60079	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:26.947271109 CEST	53	60079	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:26.957772017 CEST	60080	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:26.987024069 CEST	53	60080	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:26.987798929 CEST	60081	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:27.015486002 CEST	53	60081	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:27.025521994 CEST	60082	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:29.035577059 CEST	60083	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:29.053275108 CEST	53	60083	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:29.053632975 CEST	60084	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:29.071413040 CEST	53	60084	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:30.635474920 CEST	56771	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:31.172678947 CEST	53	56771	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:31.817447901 CEST	56772	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:31.836168051 CEST	53	56772	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:31.838449955 CEST	56773	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:31.860229969 CEST	53	56773	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:31.909568071 CEST	56774	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:31.927282095 CEST	53	56774	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:31.927813053 CEST	56775	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:31.948879957 CEST	53	56775	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:31.949356079 CEST	56776	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:31.968821049 CEST	53	56776	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:34.855798960 CEST	59546	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:35.849972963 CEST	59546	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:36.850053072 CEST	59546	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:36.938282013 CEST	53	59546	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:36.947161913 CEST	59547	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:36.964608908 CEST	53	59547	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:36.965760946 CEST	59548	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:36.973332882 CEST	53	59546	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:36.985584021 CEST	53	59548	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:36.986126900 CEST	59549	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:37.003935099 CEST	53	59549	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:37.016809940 CEST	59550	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:37.036745071 CEST	53	59550	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:37.037426949 CEST	59551	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:37.055305004 CEST	53	59551	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:38.372488022 CEST	57555	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:38.477780104 CEST	53	59546	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:38.951469898 CEST	53	57555	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:38.961877108 CEST	57556	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:38.980972052 CEST	53	57556	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:38.982656956 CEST	57557	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:39.002156019 CEST	53	57557	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:39.002620935 CEST	57558	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:39.022454023 CEST	53	57558	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:39.022998095 CEST	57559	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:39.042603016 CEST	53	57559	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:39.043083906 CEST	57560	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:39.062616110 CEST	53	57560	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:40.316248894 CEST	61172	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:40.345277071 CEST	53	61172	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:40.395659924 CEST	61173	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:40.414843082 CEST	53	61173	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:40.415440083 CEST	61174	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:40.433434963 CEST	53	61174	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:40.433840990 CEST	61175	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:40.453635931 CEST	53	61175	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:40.454135895 CEST	61176	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:40.473654032 CEST	53	61176	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:40.475631952 CEST	61177	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:40.493432045 CEST	53	61177	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:41.741760969 CEST	62908	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:41.813671112 CEST	53	62908	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:41.824610949 CEST	62909	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:41.843774080 CEST	53	62909	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:41.844460011 CEST	62910	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:41.863992929 CEST	53	62910	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:41.864871025 CEST	62911	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:41.884527922 CEST	53	62911	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:41.885083914 CEST	62912	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:41.903028011 CEST	53	62912	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:41.903497934 CEST	62913	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:41.922991037 CEST	53	62913	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:43.153091908 CEST	52838	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:43.720691919 CEST	53	52838	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:43.728780031 CEST	52839	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:43.746124983 CEST	53	52839	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:43.746818066 CEST	52840	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:43.766308069 CEST	53	52840	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:43.766763926 CEST	52841	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:43.786328077 CEST	53	52841	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:43.786806107 CEST	52842	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:43.804389954 CEST	53	52842	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:43.804909945 CEST	52843	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:43.824862003 CEST	53	52843	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:44.889817953 CEST	59846	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:45.880757093 CEST	59846	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:46.606601000 CEST	53	59846	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:46.613910913 CEST	59847	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:46.633125067 CEST	53	59847	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:46.635471106 CEST	59848	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:46.655035973 CEST	53	59848	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:46.658423901 CEST	59849	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:46.676173925 CEST	53	59849	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:46.682796955 CEST	59850	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:46.702325106 CEST	53	59850	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:46.705234051 CEST	59851	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:46.724997044 CEST	53	59851	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:47.795392036 CEST	63291	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:47.913981915 CEST	53	63291	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:47.921678066 CEST	63292	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:47.938807011 CEST	53	63292	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:47.940115929 CEST	63293	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:47.961014032 CEST	53	63293	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:47.961478949 CEST	63294	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:47.982100964 CEST	53	63294	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:47.982625961 CEST	63295	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:48.002609015 CEST	53	63295	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:48.003145933 CEST	63296	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:48.020875931 CEST	53	63296	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:48.598846912 CEST	53	59846	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:49.092647076 CEST	56345	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:49.658869028 CEST	53	56345	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:49.665900946 CEST	56346	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:49.685262918 CEST	53	56346	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:49.685766935 CEST	56347	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:49.703661919 CEST	53	56347	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:49.704097033 CEST	56348	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:49.723515987 CEST	53	56348	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:49.724236012 CEST	56349	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:49.746051073 CEST	53	56349	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:49.746964931 CEST	56350	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:49.766846895 CEST	53	56350	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:50.837404013 CEST	59112	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:50.874103069 CEST	53	59112	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:50.881997108 CEST	59113	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:50.899250031 CEST	53	59113	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:50.899719000 CEST	59114	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:50.919481993 CEST	53	59114	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:50.920149088 CEST	59115	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:50.937942982 CEST	53	59115	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:50.938342094 CEST	59116	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:50.958199978 CEST	53	59116	8.8.8.8	192.168.2.7
Aug 31, 2022 23:50:50.958694935 CEST	59117	53	192.168.2.7	8.8.8.8
Aug 31, 2022 23:50:50.978470087 CEST	53	59117	8.8.8.8	192.168.2.7

ICMP Packets

Timestamp	Source IP	Dest IP	Checksum	Code	Type
Aug 31, 2022 23:48:55.747387886 CEST	192.168.2.7	8.8.8.8	d034	(Port unreachable)	Destination Unreachable
Aug 31, 2022 23:49:25.991276979 CEST	192.168.2.7	8.8.8.8	d034	(Port unreachable)	Destination Unreachable
Aug 31, 2022 23:49:42.919677973 CEST	192.168.2.7	8.8.8.8	d034	(Port unreachable)	Destination Unreachable
Aug 31, 2022 23:49:47.542829037 CEST	192.168.2.7	8.8.8.8	d034	(Port unreachable)	Destination Unreachable
Aug 31, 2022 23:49:53.688399076 CEST	192.168.2.7	8.8.8.8	d034	(Port unreachable)	Destination Unreachable
Aug 31, 2022 23:49:59.147907972 CEST	192.168.2.7	8.8.8.8	d034	(Port unreachable)	Destination Unreachable
Aug 31, 2022 23:50:09.702483892 CEST	192.168.2.7	8.8.8.8	d034	(Port unreachable)	Destination Unreachable
Aug 31, 2022 23:50:14.389380932 CEST	192.168.2.7	8.8.8.8	d034	(Port unreachable)	Destination Unreachable
Aug 31, 2022 23:50:36.973524094 CEST	192.168.2.7	8.8.8.8	d034	(Port unreachable)	Destination Unreachable
Aug 31, 2022 23:50:38.478975058 CEST	192.168.2.7	8.8.8.8	d034	(Port unreachable)	Destination Unreachable
Aug 31, 2022 23:50:48.599447966 CEST	192.168.2.7	8.8.8.8	d034	(Port unreachable)	Destination Unreachable

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Aug 31, 2022 23:48:48.162317038 CEST	192.168.2.7	8.8.8.8	0xa44c	Standard query (0)	ipv4bot.whatismyipaddress.com	A (IP address)	IN (0x0001)
Aug 31, 2022 23:48:49.311268091 CEST	192.168.2.7	8.8.8.8	0xe9db	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:48:49.449572086 CEST	192.168.2.7	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:48:49.516789913 CEST	192.168.2.7	8.8.8.8	0x2	Standard query (0)	nomoreransom.coin	A (IP address)	IN (0x0001)
Aug 31, 2022 23:48:49.537214041 CEST	192.168.2.7	8.8.8.8	0x3	Standard query (0)	nomoreransom.coin	28	IN (0x0001)
Aug 31, 2022 23:48:49.557590008 CEST	192.168.2.7	8.8.8.8	0x4	Standard query (0)	nomoreransom.coin	A (IP address)	IN (0x0001)
Aug 31, 2022 23:48:49.576618910 CEST	192.168.2.7	8.8.8.8	0x5	Standard query (0)	nomoreransom.coin	28	IN (0x0001)
Aug 31, 2022 23:48:51.461322069 CEST	192.168.2.7	8.8.8.8	0xc607	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:48:51.524420977 CEST	192.168.2.7	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:48:51.544537067 CEST	192.168.2.7	8.8.8.8	0x2	Standard query (0)	nomoreransom.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:48:51.564976931 CEST	192.168.2.7	8.8.8.8	0x3	Standard query (0)	nomoreransom.bit	28	IN (0x0001)
Aug 31, 2022 23:48:51.586246967 CEST	192.168.2.7	8.8.8.8	0x4	Standard query (0)	nomoreransom.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:48:51.605937958 CEST	192.168.2.7	8.8.8.8	0x5	Standard query (0)	nomoreransom.bit	28	IN (0x0001)
Aug 31, 2022 23:48:53.572961092 CEST	192.168.2.7	8.8.8.8	0x9c52	Standard query (0)	dns2.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:48:54.615896940 CEST	192.168.2.7	8.8.8.8	0x9c52	Standard query (0)	dns2.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:48:54.869833946 CEST	192.168.2.7	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:48:54.987433910 CEST	192.168.2.7	8.8.8.8	0x2	Standard query (0)	gandcrab.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:48:55.077735901 CEST	192.168.2.7	8.8.8.8	0x3	Standard query (0)	gandcrab.bit	28	IN (0x0001)
Aug 31, 2022 23:48:55.097915888 CEST	192.168.2.7	8.8.8.8	0x4	Standard query (0)	gandcrab.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:48:55.804713964 CEST	192.168.2.7	8.8.8.8	0x5	Standard query (0)	gandcrab.bit	28	IN (0x0001)
Aug 31, 2022 23:49:00.319737911 CEST	192.168.2.7	8.8.8.8	0x58a8	Standard query (0)	dns2.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:01.353461027 CEST	192.168.2.7	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:49:01.374028921 CEST	192.168.2.7	8.8.8.8	0x2	Standard query (0)	nomoreransom.coin	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:01.392597914 CEST	192.168.2.7	8.8.8.8	0x3	Standard query (0)	nomoreransom.coin	28	IN (0x0001)
Aug 31, 2022 23:49:01.422482967 CEST	192.168.2.7	8.8.8.8	0x4	Standard query (0)	nomoreransom.coin	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:01.442715883 CEST	192.168.2.7	8.8.8.8	0x5	Standard query (0)	nomoreransom.coin	28	IN (0x0001)
Aug 31, 2022 23:49:03.618457079 CEST	192.168.2.7	8.8.8.8	0xda7c	Standard query (0)	dns2.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:03.674020052 CEST	192.168.2.7	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:49:03.694333076 CEST	192.168.2.7	8.8.8.8	0x2	Standard query (0)	nomoreransom.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:03.720004082 CEST	192.168.2.7	8.8.8.8	0x3	Standard query (0)	nomoreransom.bit	28	IN (0x0001)
Aug 31, 2022 23:49:03.740943909 CEST	192.168.2.7	8.8.8.8	0x4	Standard query (0)	nomoreransom.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:03.761473894 CEST	192.168.2.7	8.8.8.8	0x5	Standard query (0)	nomoreransom.bit	28	IN (0x0001)
Aug 31, 2022 23:49:05.851566076 CEST	192.168.2.7	8.8.8.8	0x4d2c	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:05.950356960 CEST	192.168.2.7	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:49:05.970412970 CEST	192.168.2.7	8.8.8.8	0x2	Standard query (0)	gandcrab.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:05.994076967 CEST	192.168.2.7	8.8.8.8	0x3	Standard query (0)	gandcrab.bit	28	IN (0x0001)
Aug 31, 2022 23:49:06.014112949 CEST	192.168.2.7	8.8.8.8	0x4	Standard query (0)	gandcrab.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:06.034482956 CEST	192.168.2.7	8.8.8.8	0x5	Standard query (0)	gandcrab.bit	28	IN (0x0001)
Aug 31, 2022 23:49:08.298588037 CEST	192.168.2.7	8.8.8.8	0xece3	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:08.379491091 CEST	192.168.2.7	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:49:08.401062012 CEST	192.168.2.7	8.8.8.8	0x2	Standard query (0)	nomoreransom.coin	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:08.421091080 CEST	192.168.2.7	8.8.8.8	0x3	Standard query (0)	nomoreransom.coin	28	IN (0x0001)
Aug 31, 2022 23:49:08.439529896 CEST	192.168.2.7	8.8.8.8	0x4	Standard query (0)	nomoreransom.coin	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:08.460036039 CEST	192.168.2.7	8.8.8.8	0x5	Standard query (0)	nomoreransom.coin	28	IN (0x0001)
Aug 31, 2022 23:49:10.506968975 CEST	192.168.2.7	8.8.8.8	0xeb6b	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:10.567323923 CEST	192.168.2.7	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:49:10.587711096 CEST	192.168.2.7	8.8.8.8	0x2	Standard query (0)	nomoreransom.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:10.608211994 CEST	192.168.2.7	8.8.8.8	0x3	Standard query (0)	nomoreransom.bit	28	IN (0x0001)
Aug 31, 2022 23:49:10.628422022 CEST	192.168.2.7	8.8.8.8	0x4	Standard query (0)	nomoreransom.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:10.646821976 CEST	192.168.2.7	8.8.8.8	0x5	Standard query (0)	nomoreransom.bit	28	IN (0x0001)
Aug 31, 2022 23:49:12.772886038 CEST	192.168.2.7	8.8.8.8	0xaf5b	Standard query (0)	dns2.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:12.835031033 CEST	192.168.2.7	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:49:12.853058100 CEST	192.168.2.7	8.8.8.8	0x2	Standard query (0)	gandcrab.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:12.888247967 CEST	192.168.2.7	8.8.8.8	0x3	Standard query (0)	gandcrab.bit	28	IN (0x0001)
Aug 31, 2022 23:49:12.908519030 CEST	192.168.2.7	8.8.8.8	0x4	Standard query (0)	gandcrab.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:12.927716017 CEST	192.168.2.7	8.8.8.8	0x5	Standard query (0)	gandcrab.bit	28	IN (0x0001)
Aug 31, 2022 23:49:19.245435953 CEST	192.168.2.7	8.8.8.8	0x67b9	Standard query (0)	dns2.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:19.400525093 CEST	192.168.2.7	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:49:19.420770884 CEST	192.168.2.7	8.8.8.8	0x2	Standard query (0)	nomoreransom.coin	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:19.441392899 CEST	192.168.2.7	8.8.8.8	0x3	Standard query (0)	nomoreransom.coin	28	IN (0x0001)
Aug 31, 2022 23:49:19.466649055 CEST	192.168.2.7	8.8.8.8	0x4	Standard query (0)	nomoreransom.coin	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:19.488183022 CEST	192.168.2.7	8.8.8.8	0x5	Standard query (0)	nomoreransom.coin	28	IN (0x0001)
Aug 31, 2022 23:49:21.671026945 CEST	192.168.2.7	8.8.8.8	0xcf65	Standard query (0)	dns2.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:22.227818012 CEST	192.168.2.7	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:49:22.247181892 CEST	192.168.2.7	8.8.8.8	0x2	Standard query (0)	nomoreransom.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:22.268040895 CEST	192.168.2.7	8.8.8.8	0x3	Standard query (0)	nomoreransom.bit	28	IN (0x0001)
Aug 31, 2022 23:49:22.288384914 CEST	192.168.2.7	8.8.8.8	0x4	Standard query (0)	nomoreransom.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:22.306534052 CEST	192.168.2.7	8.8.8.8	0x5	Standard query (0)	nomoreransom.bit	28	IN (0x0001)
Aug 31, 2022 23:49:24.462853909 CEST	192.168.2.7	8.8.8.8	0x5f58	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:25.454030037 CEST	192.168.2.7	8.8.8.8	0x5f58	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:25.622845888 CEST	192.168.2.7	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:49:25.641298056 CEST	192.168.2.7	8.8.8.8	0x2	Standard query (0)	gandcrab.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:25.661866903 CEST	192.168.2.7	8.8.8.8	0x3	Standard query (0)	gandcrab.bit	28	IN (0x0001)
Aug 31, 2022 23:49:25.704473972 CEST	192.168.2.7	8.8.8.8	0x4	Standard query (0)	gandcrab.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:25.724788904 CEST	192.168.2.7	8.8.8.8	0x5	Standard query (0)	gandcrab.bit	28	IN (0x0001)
Aug 31, 2022 23:49:28.680964947 CEST	192.168.2.7	8.8.8.8	0xfd78	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:28.837111950 CEST	192.168.2.7	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:49:28.857135057 CEST	192.168.2.7	8.8.8.8	0x2	Standard query (0)	nomoreransom.coin	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:28.877621889 CEST	192.168.2.7	8.8.8.8	0x3	Standard query (0)	nomoreransom.coin	28	IN (0x0001)
Aug 31, 2022 23:49:28.896074057 CEST	192.168.2.7	8.8.8.8	0x4	Standard query (0)	nomoreransom.coin	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:28.914361000 CEST	192.168.2.7	8.8.8.8	0x5	Standard query (0)	nomoreransom.coin	28	IN (0x0001)
Aug 31, 2022 23:49:31.635144949 CEST	192.168.2.7	8.8.8.8	0x7b4f	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:32.279234886 CEST	192.168.2.7	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:49:32.298424006 CEST	192.168.2.7	8.8.8.8	0x2	Standard query (0)	nomoreransom.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:32.319798946 CEST	192.168.2.7	8.8.8.8	0x3	Standard query (0)	nomoreransom.bit	28	IN (0x0001)
Aug 31, 2022 23:49:32.344158888 CEST	192.168.2.7	8.8.8.8	0x4	Standard query (0)	nomoreransom.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:32.366090059 CEST	192.168.2.7	8.8.8.8	0x5	Standard query (0)	nomoreransom.bit	28	IN (0x0001)
Aug 31, 2022 23:49:35.170795918 CEST	192.168.2.7	8.8.8.8	0xff42	Standard query (0)	dns2.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:35.292376995 CEST	192.168.2.7	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:49:35.365431070 CEST	192.168.2.7	8.8.8.8	0x2	Standard query (0)	gandcrab.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:35.450532913 CEST	192.168.2.7	8.8.8.8	0x3	Standard query (0)	gandcrab.bit	28	IN (0x0001)
Aug 31, 2022 23:49:35.533596992 CEST	192.168.2.7	8.8.8.8	0x4	Standard query (0)	gandcrab.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:35.553153992 CEST	192.168.2.7	8.8.8.8	0x5	Standard query (0)	gandcrab.bit	28	IN (0x0001)
Aug 31, 2022 23:49:40.191965103 CEST	192.168.2.7	8.8.8.8	0x6fa1	Standard query (0)	dns2.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:41.208512068 CEST	192.168.2.7	8.8.8.8	0x6fa1	Standard query (0)	dns2.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:41.362494946 CEST	192.168.2.7	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:49:41.382796049 CEST	192.168.2.7	8.8.8.8	0x2	Standard query (0)	nomoreransom.coin	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:41.401937962 CEST	192.168.2.7	8.8.8.8	0x3	Standard query (0)	nomoreransom.coin	28	IN (0x0001)
Aug 31, 2022 23:49:41.420692921 CEST	192.168.2.7	8.8.8.8	0x4	Standard query (0)	nomoreransom.coin	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:41.441375971 CEST	192.168.2.7	8.8.8.8	0x5	Standard query (0)	nomoreransom.coin	28	IN (0x0001)
Aug 31, 2022 23:49:43.427385092 CEST	192.168.2.7	8.8.8.8	0x174	Standard query (0)	dns2.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:44.012053967 CEST	192.168.2.7	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:49:44.032896042 CEST	192.168.2.7	8.8.8.8	0x2	Standard query (0)	nomoreransom.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:44.051137924 CEST	192.168.2.7	8.8.8.8	0x3	Standard query (0)	nomoreransom.bit	28	IN (0x0001)
Aug 31, 2022 23:49:44.071934938 CEST	192.168.2.7	8.8.8.8	0x4	Standard query (0)	nomoreransom.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:44.095608950 CEST	192.168.2.7	8.8.8.8	0x5	Standard query (0)	nomoreransom.bit	28	IN (0x0001)
Aug 31, 2022 23:49:45.971837044 CEST	192.168.2.7	8.8.8.8	0xa5fe	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:47.004626036 CEST	192.168.2.7	8.8.8.8	0xa5fe	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:47.139636993 CEST	192.168.2.7	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:49:47.157448053 CEST	192.168.2.7	8.8.8.8	0x2	Standard query (0)	gandcrab.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:47.175607920 CEST	192.168.2.7	8.8.8.8	0x3	Standard query (0)	gandcrab.bit	28	IN (0x0001)
Aug 31, 2022 23:49:47.194216967 CEST	192.168.2.7	8.8.8.8	0x4	Standard query (0)	gandcrab.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:47.214941025 CEST	192.168.2.7	8.8.8.8	0x5	Standard query (0)	gandcrab.bit	28	IN (0x0001)
Aug 31, 2022 23:49:49.229926109 CEST	192.168.2.7	8.8.8.8	0xb1d1	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:49.510601044 CEST	192.168.2.7	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:49:49.533186913 CEST	192.168.2.7	8.8.8.8	0x2	Standard query (0)	nomoreransom.coin	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:49.552383900 CEST	192.168.2.7	8.8.8.8	0x3	Standard query (0)	nomoreransom.coin	28	IN (0x0001)
Aug 31, 2022 23:49:49.573700905 CEST	192.168.2.7	8.8.8.8	0x4	Standard query (0)	nomoreransom.coin	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:49.595768929 CEST	192.168.2.7	8.8.8.8	0x5	Standard query (0)	nomoreransom.coin	28	IN (0x0001)
Aug 31, 2022 23:49:51.551908016 CEST	192.168.2.7	8.8.8.8	0x8ef7	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:52.563982010 CEST	192.168.2.7	8.8.8.8	0x8ef7	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:52.762547016 CEST	192.168.2.7	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:49:52.783907890 CEST	192.168.2.7	8.8.8.8	0x2	Standard query (0)	nomoreransom.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:52.807468891 CEST	192.168.2.7	8.8.8.8	0x3	Standard query (0)	nomoreransom.bit	28	IN (0x0001)
Aug 31, 2022 23:49:52.826347113 CEST	192.168.2.7	8.8.8.8	0x4	Standard query (0)	nomoreransom.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:52.867185116 CEST	192.168.2.7	8.8.8.8	0x5	Standard query (0)	nomoreransom.bit	28	IN (0x0001)
Aug 31, 2022 23:49:56.650087118 CEST	192.168.2.7	8.8.8.8	0x960e	Standard query (0)	dns2.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:59.062505960 CEST	192.168.2.7	8.8.8.8	0x960e	Standard query (0)	dns2.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:59.107537985 CEST	192.168.2.7	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:49:59.196489096 CEST	192.168.2.7	8.8.8.8	0x2	Standard query (0)	gandcrab.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:59.216727018 CEST	192.168.2.7	8.8.8.8	0x3	Standard query (0)	gandcrab.bit	28	IN (0x0001)
Aug 31, 2022 23:49:59.234950066 CEST	192.168.2.7	8.8.8.8	0x4	Standard query (0)	gandcrab.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:59.285144091 CEST	192.168.2.7	8.8.8.8	0x5	Standard query (0)	gandcrab.bit	28	IN (0x0001)
Aug 31, 2022 23:50:01.274703979 CEST	192.168.2.7	8.8.8.8	0x6e5a	Standard query (0)	dns2.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:01.419277906 CEST	192.168.2.7	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:50:01.437741041 CEST	192.168.2.7	8.8.8.8	0x2	Standard query (0)	nomoreransom.coin	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:01.457930088 CEST	192.168.2.7	8.8.8.8	0x3	Standard query (0)	nomoreransom.coin	28	IN (0x0001)
Aug 31, 2022 23:50:01.476938963 CEST	192.168.2.7	8.8.8.8	0x4	Standard query (0)	nomoreransom.coin	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:01.495297909 CEST	192.168.2.7	8.8.8.8	0x5	Standard query (0)	nomoreransom.coin	28	IN (0x0001)
Aug 31, 2022 23:50:03.328814983 CEST	192.168.2.7	8.8.8.8	0xabf0	Standard query (0)	dns2.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:03.377331972 CEST	192.168.2.7	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:50:03.395466089 CEST	192.168.2.7	8.8.8.8	0x2	Standard query (0)	nomoreransom.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:03.414505005 CEST	192.168.2.7	8.8.8.8	0x3	Standard query (0)	nomoreransom.bit	28	IN (0x0001)
Aug 31, 2022 23:50:03.437869072 CEST	192.168.2.7	8.8.8.8	0x4	Standard query (0)	nomoreransom.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:03.458729029 CEST	192.168.2.7	8.8.8.8	0x5	Standard query (0)	nomoreransom.bit	28	IN (0x0001)
Aug 31, 2022 23:50:05.108340025 CEST	192.168.2.7	8.8.8.8	0x5057	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:05.702292919 CEST	192.168.2.7	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:50:05.722794056 CEST	192.168.2.7	8.8.8.8	0x2	Standard query (0)	gandcrab.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:05.744185925 CEST	192.168.2.7	8.8.8.8	0x3	Standard query (0)	gandcrab.bit	28	IN (0x0001)
Aug 31, 2022 23:50:05.762356997 CEST	192.168.2.7	8.8.8.8	0x4	Standard query (0)	gandcrab.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:05.782380104 CEST	192.168.2.7	8.8.8.8	0x5	Standard query (0)	gandcrab.bit	28	IN (0x0001)
Aug 31, 2022 23:50:07.031923056 CEST	192.168.2.7	8.8.8.8	0x7000	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:08.021806955 CEST	192.168.2.7	8.8.8.8	0x7000	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:08.167407990 CEST	192.168.2.7	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:50:08.189280033 CEST	192.168.2.7	8.8.8.8	0x2	Standard query (0)	nomoreransom.coin	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:08.221313000 CEST	192.168.2.7	8.8.8.8	0x3	Standard query (0)	nomoreransom.coin	28	IN (0x0001)
Aug 31, 2022 23:50:08.251476049 CEST	192.168.2.7	8.8.8.8	0x4	Standard query (0)	nomoreransom.coin	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:08.274797916 CEST	192.168.2.7	8.8.8.8	0x5	Standard query (0)	nomoreransom.coin	28	IN (0x0001)
Aug 31, 2022 23:50:09.751842022 CEST	192.168.2.7	8.8.8.8	0x5e4a	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:10.296859980 CEST	192.168.2.7	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:50:10.316380978 CEST	192.168.2.7	8.8.8.8	0x2	Standard query (0)	nomoreransom.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:10.336236000 CEST	192.168.2.7	8.8.8.8	0x3	Standard query (0)	nomoreransom.bit	28	IN (0x0001)
Aug 31, 2022 23:50:10.354216099 CEST	192.168.2.7	8.8.8.8	0x4	Standard query (0)	nomoreransom.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:10.372925043 CEST	192.168.2.7	8.8.8.8	0x5	Standard query (0)	nomoreransom.bit	28	IN (0x0001)
Aug 31, 2022 23:50:11.642780066 CEST	192.168.2.7	8.8.8.8	0xdda6	Standard query (0)	dns2.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:12.630454063 CEST	192.168.2.7	8.8.8.8	0xdda6	Standard query (0)	dns2.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:13.644061089 CEST	192.168.2.7	8.8.8.8	0xdda6	Standard query (0)	dns2.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:13.744646072 CEST	192.168.2.7	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:50:13.763932943 CEST	192.168.2.7	8.8.8.8	0x2	Standard query (0)	gandcrab.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:13.786206961 CEST	192.168.2.7	8.8.8.8	0x3	Standard query (0)	gandcrab.bit	28	IN (0x0001)
Aug 31, 2022 23:50:13.814013958 CEST	192.168.2.7	8.8.8.8	0x4	Standard query (0)	gandcrab.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:13.835822105 CEST	192.168.2.7	8.8.8.8	0x5	Standard query (0)	gandcrab.bit	28	IN (0x0001)
Aug 31, 2022 23:50:15.356404066 CEST	192.168.2.7	8.8.8.8	0x4a85	Standard query (0)	dns2.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:15.441741943 CEST	192.168.2.7	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:50:15.459965944 CEST	192.168.2.7	8.8.8.8	0x2	Standard query (0)	nomoreransom.coin	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:15.480093002 CEST	192.168.2.7	8.8.8.8	0x3	Standard query (0)	nomoreransom.coin	28	IN (0x0001)
Aug 31, 2022 23:50:15.500714064 CEST	192.168.2.7	8.8.8.8	0x4	Standard query (0)	nomoreransom.coin	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:15.520885944 CEST	192.168.2.7	8.8.8.8	0x5	Standard query (0)	nomoreransom.coin	28	IN (0x0001)
Aug 31, 2022 23:50:16.850531101 CEST	192.168.2.7	8.8.8.8	0xc285	Standard query (0)	dns2.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:17.434011936 CEST	192.168.2.7	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:50:17.451853991 CEST	192.168.2.7	8.8.8.8	0x2	Standard query (0)	nomoreransom.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:17.469830990 CEST	192.168.2.7	8.8.8.8	0x3	Standard query (0)	nomoreransom.bit	28	IN (0x0001)
Aug 31, 2022 23:50:17.488065004 CEST	192.168.2.7	8.8.8.8	0x4	Standard query (0)	nomoreransom.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:17.513889074 CEST	192.168.2.7	8.8.8.8	0x5	Standard query (0)	nomoreransom.bit	28	IN (0x0001)
Aug 31, 2022 23:50:18.887698889 CEST	192.168.2.7	8.8.8.8	0x5a96	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:18.937438965 CEST	192.168.2.7	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:50:18.955250978 CEST	192.168.2.7	8.8.8.8	0x2	Standard query (0)	gandcrab.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:18.975379944 CEST	192.168.2.7	8.8.8.8	0x3	Standard query (0)	gandcrab.bit	28	IN (0x0001)
Aug 31, 2022 23:50:18.995398998 CEST	192.168.2.7	8.8.8.8	0x4	Standard query (0)	gandcrab.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:19.013875008 CEST	192.168.2.7	8.8.8.8	0x5	Standard query (0)	gandcrab.bit	28	IN (0x0001)
Aug 31, 2022 23:50:20.492069006 CEST	192.168.2.7	8.8.8.8	0x654d	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:20.578113079 CEST	192.168.2.7	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:50:20.595863104 CEST	192.168.2.7	8.8.8.8	0x2	Standard query (0)	nomoreransom.coin	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:20.616091013 CEST	192.168.2.7	8.8.8.8	0x3	Standard query (0)	nomoreransom.coin	28	IN (0x0001)
Aug 31, 2022 23:50:20.634430885 CEST	192.168.2.7	8.8.8.8	0x4	Standard query (0)	nomoreransom.coin	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:20.654583931 CEST	192.168.2.7	8.8.8.8	0x5	Standard query (0)	nomoreransom.coin	28	IN (0x0001)
Aug 31, 2022 23:50:22.412148952 CEST	192.168.2.7	8.8.8.8	0xb093	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:23.040985107 CEST	192.168.2.7	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:50:23.058562994 CEST	192.168.2.7	8.8.8.8	0x2	Standard query (0)	nomoreransom.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:23.078639984 CEST	192.168.2.7	8.8.8.8	0x3	Standard query (0)	nomoreransom.bit	28	IN (0x0001)
Aug 31, 2022 23:50:23.096844912 CEST	192.168.2.7	8.8.8.8	0x4	Standard query (0)	nomoreransom.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:23.114940882 CEST	192.168.2.7	8.8.8.8	0x5	Standard query (0)	nomoreransom.bit	28	IN (0x0001)
Aug 31, 2022 23:50:24.405147076 CEST	192.168.2.7	8.8.8.8	0x3993	Standard query (0)	dns2.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:24.446861982 CEST	192.168.2.7	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:50:24.464561939 CEST	192.168.2.7	8.8.8.8	0x2	Standard query (0)	gandcrab.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:24.482691050 CEST	192.168.2.7	8.8.8.8	0x3	Standard query (0)	gandcrab.bit	28	IN (0x0001)
Aug 31, 2022 23:50:24.503509045 CEST	192.168.2.7	8.8.8.8	0x4	Standard query (0)	gandcrab.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:24.524842024 CEST	192.168.2.7	8.8.8.8	0x5	Standard query (0)	gandcrab.bit	28	IN (0x0001)
Aug 31, 2022 23:50:25.783303976 CEST	192.168.2.7	8.8.8.8	0x6f26	Standard query (0)	dns2.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:26.785877943 CEST	192.168.2.7	8.8.8.8	0x6f26	Standard query (0)	dns2.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:26.957772017 CEST	192.168.2.7	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:50:26.987798929 CEST	192.168.2.7	8.8.8.8	0x2	Standard query (0)	nomoreransom.coin	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:27.025521994 CEST	192.168.2.7	8.8.8.8	0x3	Standard query (0)	nomoreransom.coin	28	IN (0x0001)
Aug 31, 2022 23:50:29.035577059 CEST	192.168.2.7	8.8.8.8	0x4	Standard query (0)	nomoreransom.coin	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:29.053632975 CEST	192.168.2.7	8.8.8.8	0x5	Standard query (0)	nomoreransom.coin	28	IN (0x0001)
Aug 31, 2022 23:50:30.635474920 CEST	192.168.2.7	8.8.8.8	0xc2cb	Standard query (0)	dns2.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:31.817447901 CEST	192.168.2.7	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:50:31.838449955 CEST	192.168.2.7	8.8.8.8	0x2	Standard query (0)	nomoreransom.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:31.909568071 CEST	192.168.2.7	8.8.8.8	0x3	Standard query (0)	nomoreransom.bit	28	IN (0x0001)
Aug 31, 2022 23:50:31.927813053 CEST	192.168.2.7	8.8.8.8	0x4	Standard query (0)	nomoreransom.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:31.949356079 CEST	192.168.2.7	8.8.8.8	0x5	Standard query (0)	nomoreransom.bit	28	IN (0x0001)
Aug 31, 2022 23:50:34.855798960 CEST	192.168.2.7	8.8.8.8	0x4ac2	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:35.849972963 CEST	192.168.2.7	8.8.8.8	0x4ac2	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:36.850053072 CEST	192.168.2.7	8.8.8.8	0x4ac2	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:36.947161913 CEST	192.168.2.7	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:50:36.965760946 CEST	192.168.2.7	8.8.8.8	0x2	Standard query (0)	gandcrab.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:36.986126900 CEST	192.168.2.7	8.8.8.8	0x3	Standard query (0)	gandcrab.bit	28	IN (0x0001)
Aug 31, 2022 23:50:37.016809940 CEST	192.168.2.7	8.8.8.8	0x4	Standard query (0)	gandcrab.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:37.037426949 CEST	192.168.2.7	8.8.8.8	0x5	Standard query (0)	gandcrab.bit	28	IN (0x0001)
Aug 31, 2022 23:50:38.372488022 CEST	192.168.2.7	8.8.8.8	0x386b	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:38.961877108 CEST	192.168.2.7	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:50:38.982656956 CEST	192.168.2.7	8.8.8.8	0x2	Standard query (0)	nomoreransom.coin	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:39.002620935 CEST	192.168.2.7	8.8.8.8	0x3	Standard query (0)	nomoreransom.coin	28	IN (0x0001)
Aug 31, 2022 23:50:39.022998095 CEST	192.168.2.7	8.8.8.8	0x4	Standard query (0)	nomoreransom.coin	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:39.043083906 CEST	192.168.2.7	8.8.8.8	0x5	Standard query (0)	nomoreransom.coin	28	IN (0x0001)
Aug 31, 2022 23:50:40.316248894 CEST	192.168.2.7	8.8.8.8	0x325b	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:40.395659924 CEST	192.168.2.7	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:50:40.415440083 CEST	192.168.2.7	8.8.8.8	0x2	Standard query (0)	nomoreransom.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:40.433840990 CEST	192.168.2.7	8.8.8.8	0x3	Standard query (0)	nomoreransom.bit	28	IN (0x0001)
Aug 31, 2022 23:50:40.454135895 CEST	192.168.2.7	8.8.8.8	0x4	Standard query (0)	nomoreransom.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:40.475631952 CEST	192.168.2.7	8.8.8.8	0x5	Standard query (0)	nomoreransom.bit	28	IN (0x0001)
Aug 31, 2022 23:50:41.741760969 CEST	192.168.2.7	8.8.8.8	0xb5	Standard query (0)	dns2.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:41.824610949 CEST	192.168.2.7	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:50:41.844460011 CEST	192.168.2.7	8.8.8.8	0x2	Standard query (0)	gandcrab.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:41.864871025 CEST	192.168.2.7	8.8.8.8	0x3	Standard query (0)	gandcrab.bit	28	IN (0x0001)
Aug 31, 2022 23:50:41.885083914 CEST	192.168.2.7	8.8.8.8	0x4	Standard query (0)	gandcrab.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:41.903497934 CEST	192.168.2.7	8.8.8.8	0x5	Standard query (0)	gandcrab.bit	28	IN (0x0001)
Aug 31, 2022 23:50:43.153091908 CEST	192.168.2.7	8.8.8.8	0xaf65	Standard query (0)	dns2.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:43.728780031 CEST	192.168.2.7	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:50:43.746818066 CEST	192.168.2.7	8.8.8.8	0x2	Standard query (0)	nomoreransom.coin	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:43.766763926 CEST	192.168.2.7	8.8.8.8	0x3	Standard query (0)	nomoreransom.coin	28	IN (0x0001)
Aug 31, 2022 23:50:43.786806107 CEST	192.168.2.7	8.8.8.8	0x4	Standard query (0)	nomoreransom.coin	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:43.804909945 CEST	192.168.2.7	8.8.8.8	0x5	Standard query (0)	nomoreransom.coin	28	IN (0x0001)
Aug 31, 2022 23:50:44.889817953 CEST	192.168.2.7	8.8.8.8	0x79c7	Standard query (0)	dns2.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:45.880757093 CEST	192.168.2.7	8.8.8.8	0x79c7	Standard query (0)	dns2.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:46.613910913 CEST	192.168.2.7	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:50:46.635471106 CEST	192.168.2.7	8.8.8.8	0x2	Standard query (0)	nomoreransom.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:46.658423901 CEST	192.168.2.7	8.8.8.8	0x3	Standard query (0)	nomoreransom.bit	28	IN (0x0001)
Aug 31, 2022 23:50:46.682796955 CEST	192.168.2.7	8.8.8.8	0x4	Standard query (0)	nomoreransom.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:46.705234051 CEST	192.168.2.7	8.8.8.8	0x5	Standard query (0)	nomoreransom.bit	28	IN (0x0001)
Aug 31, 2022 23:50:47.795392036 CEST	192.168.2.7	8.8.8.8	0xfa2	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:47.921678066 CEST	192.168.2.7	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:50:47.940115929 CEST	192.168.2.7	8.8.8.8	0x2	Standard query (0)	gandcrab.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:47.961478949 CEST	192.168.2.7	8.8.8.8	0x3	Standard query (0)	gandcrab.bit	28	IN (0x0001)
Aug 31, 2022 23:50:47.982625961 CEST	192.168.2.7	8.8.8.8	0x4	Standard query (0)	gandcrab.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:48.003145933 CEST	192.168.2.7	8.8.8.8	0x5	Standard query (0)	gandcrab.bit	28	IN (0x0001)
Aug 31, 2022 23:50:49.092647076 CEST	192.168.2.7	8.8.8.8	0xe83	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:49.665900946 CEST	192.168.2.7	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:50:49.685766935 CEST	192.168.2.7	8.8.8.8	0x2	Standard query (0)	nomoreransom.coin	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:49.704097033 CEST	192.168.2.7	8.8.8.8	0x3	Standard query (0)	nomoreransom.coin	28	IN (0x0001)
Aug 31, 2022 23:50:49.724236012 CEST	192.168.2.7	8.8.8.8	0x4	Standard query (0)	nomoreransom.coin	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:49.746964931 CEST	192.168.2.7	8.8.8.8	0x5	Standard query (0)	nomoreransom.coin	28	IN (0x0001)
Aug 31, 2022 23:50:50.837404013 CEST	192.168.2.7	8.8.8.8	0x3be0	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:50.881997108 CEST	192.168.2.7	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:50:50.899719000 CEST	192.168.2.7	8.8.8.8	0x2	Standard query (0)	nomoreransom.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:50.920149088 CEST	192.168.2.7	8.8.8.8	0x3	Standard query (0)	nomoreransom.bit	28	IN (0x0001)
Aug 31, 2022 23:50:50.938342094 CEST	192.168.2.7	8.8.8.8	0x4	Standard query (0)	nomoreransom.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:50.958694935 CEST	192.168.2.7	8.8.8.8	0x5	Standard query (0)	nomoreransom.bit	28	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Aug 31, 2022 23:48:49.340321064 CEST	8.8.8.8	192.168.2.7	0xe9db	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:48:49.466823101 CEST	8.8.8.8	192.168.2.7	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:48:49.536530972 CEST	8.8.8.8	192.168.2.7	0x2	Name error (3)	nomoreransom.coin	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:48:49.556749105 CEST	8.8.8.8	192.168.2.7	0x3	Name error (3)	nomoreransom.coin	none	none	28	IN (0x0001)
Aug 31, 2022 23:48:49.575861931 CEST	8.8.8.8	192.168.2.7	0x4	Name error (3)	nomoreransom.coin	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:48:49.594223022 CEST	8.8.8.8	192.168.2.7	0x5	Name error (3)	nomoreransom.coin	none	none	28	IN (0x0001)
Aug 31, 2022 23:48:51.490272999 CEST	8.8.8.8	192.168.2.7	0xc607	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:48:51.543720007 CEST	8.8.8.8	192.168.2.7	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:48:51.564177990 CEST	8.8.8.8	192.168.2.7	0x2	Name error (3)	nomoreransom.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:48:51.584604979 CEST	8.8.8.8	192.168.2.7	0x3	Name error (3)	nomoreransom.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:48:51.604727030 CEST	8.8.8.8	192.168.2.7	0x4	Name error (3)	nomoreransom.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:48:51.625611067 CEST	8.8.8.8	192.168.2.7	0x5	Name error (3)	nomoreransom.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:48:54.773407936 CEST	8.8.8.8	192.168.2.7	0x9c52	Name error (3)	dns2.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:48:54.889055014 CEST	8.8.8.8	192.168.2.7	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:48:55.006886005 CEST	8.8.8.8	192.168.2.7	0x2	Name error (3)	gandcrab.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:48:55.097297907 CEST	8.8.8.8	192.168.2.7	0x3	Name error (3)	gandcrab.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:48:55.117695093 CEST	8.8.8.8	192.168.2.7	0x4	Name error (3)	gandcrab.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:48:55.747175932 CEST	8.8.8.8	192.168.2.7	0x9c52	Name error (3)	dns2.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:48:55.824616909 CEST	8.8.8.8	192.168.2.7	0x5	Name error (3)	gandcrab.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:49:01.169933081 CEST	8.8.8.8	192.168.2.7	0x58a8	Name error (3)	dns2.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:01.372771025 CEST	8.8.8.8	192.168.2.7	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:49:01.391752958 CEST	8.8.8.8	192.168.2.7	0x2	Name error (3)	nomoreransom.coin	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:01.412412882 CEST	8.8.8.8	192.168.2.7	0x3	Name error (3)	nomoreransom.coin	none	none	28	IN (0x0001)
Aug 31, 2022 23:49:01.442105055 CEST	8.8.8.8	192.168.2.7	0x4	Name error (3)	nomoreransom.coin	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:01.462238073 CEST	8.8.8.8	192.168.2.7	0x5	Name error (3)	nomoreransom.coin	none	none	28	IN (0x0001)
Aug 31, 2022 23:49:03.646867990 CEST	8.8.8.8	192.168.2.7	0xda7c	Name error (3)	dns2.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:03.693329096 CEST	8.8.8.8	192.168.2.7	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:49:03.714029074 CEST	8.8.8.8	192.168.2.7	0x2	Name error (3)	nomoreransom.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:03.739958048 CEST	8.8.8.8	192.168.2.7	0x3	Name error (3)	nomoreransom.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:49:03.760740042 CEST	8.8.8.8	192.168.2.7	0x4	Name error (3)	nomoreransom.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:03.780883074 CEST	8.8.8.8	192.168.2.7	0x5	Name error (3)	nomoreransom.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:49:05.927884102 CEST	8.8.8.8	192.168.2.7	0x4d2c	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:05.969724894 CEST	8.8.8.8	192.168.2.7	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:49:05.988084078 CEST	8.8.8.8	192.168.2.7	0x2	Name error (3)	gandcrab.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:06.013634920 CEST	8.8.8.8	192.168.2.7	0x3	Name error (3)	gandcrab.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:49:06.033843040 CEST	8.8.8.8	192.168.2.7	0x4	Name error (3)	gandcrab.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:06.052124023 CEST	8.8.8.8	192.168.2.7	0x5	Name error (3)	gandcrab.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:49:08.332787037 CEST	8.8.8.8	192.168.2.7	0xece3	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:08.396629095 CEST	8.8.8.8	192.168.2.7	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:49:08.420532942 CEST	8.8.8.8	192.168.2.7	0x2	Name error (3)	nomoreransom.coin	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:08.438788891 CEST	8.8.8.8	192.168.2.7	0x3	Name error (3)	nomoreransom.coin	none	none	28	IN (0x0001)
Aug 31, 2022 23:49:08.459163904 CEST	8.8.8.8	192.168.2.7	0x4	Name error (3)	nomoreransom.coin	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:08.479747057 CEST	8.8.8.8	192.168.2.7	0x5	Name error (3)	nomoreransom.coin	none	none	28	IN (0x0001)
Aug 31, 2022 23:49:10.541820049 CEST	8.8.8.8	192.168.2.7	0xeb6b	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:10.586430073 CEST	8.8.8.8	192.168.2.7	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:49:10.607192039 CEST	8.8.8.8	192.168.2.7	0x2	Name error (3)	nomoreransom.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:10.627860069 CEST	8.8.8.8	192.168.2.7	0x3	Name error (3)	nomoreransom.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:49:10.646167040 CEST	8.8.8.8	192.168.2.7	0x4	Name error (3)	nomoreransom.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:10.664554119 CEST	8.8.8.8	192.168.2.7	0x5	Name error (3)	nomoreransom.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:49:12.801616907 CEST	8.8.8.8	192.168.2.7	0xaf5b	Name error (3)	dns2.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:12.852170944 CEST	8.8.8.8	192.168.2.7	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:49:12.872845888 CEST	8.8.8.8	192.168.2.7	0x2	Name error (3)	gandcrab.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:12.907861948 CEST	8.8.8.8	192.168.2.7	0x3	Name error (3)	gandcrab.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:49:12.926351070 CEST	8.8.8.8	192.168.2.7	0x4	Name error (3)	gandcrab.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:12.945725918 CEST	8.8.8.8	192.168.2.7	0x5	Name error (3)	gandcrab.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:49:19.313703060 CEST	8.8.8.8	192.168.2.7	0x67b9	Name error (3)	dns2.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:19.419850111 CEST	8.8.8.8	192.168.2.7	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:49:19.440718889 CEST	8.8.8.8	192.168.2.7	0x2	Name error (3)	nomoreransom.coin	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:19.460870028 CEST	8.8.8.8	192.168.2.7	0x3	Name error (3)	nomoreransom.coin	none	none	28	IN (0x0001)
Aug 31, 2022 23:49:19.487466097 CEST	8.8.8.8	192.168.2.7	0x4	Name error (3)	nomoreransom.coin	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:19.506371021 CEST	8.8.8.8	192.168.2.7	0x5	Name error (3)	nomoreransom.coin	none	none	28	IN (0x0001)
Aug 31, 2022 23:49:22.201103926 CEST	8.8.8.8	192.168.2.7	0xcf65	Name error (3)	dns2.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:22.246304989 CEST	8.8.8.8	192.168.2.7	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:49:22.266834021 CEST	8.8.8.8	192.168.2.7	0x2	Name error (3)	nomoreransom.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:22.287790060 CEST	8.8.8.8	192.168.2.7	0x3	Name error (3)	nomoreransom.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:49:22.305758953 CEST	8.8.8.8	192.168.2.7	0x4	Name error (3)	nomoreransom.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:22.324302912 CEST	8.8.8.8	192.168.2.7	0x5	Name error (3)	nomoreransom.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:49:25.577943087 CEST	8.8.8.8	192.168.2.7	0x5f58	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:25.640170097 CEST	8.8.8.8	192.168.2.7	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:49:25.661083937 CEST	8.8.8.8	192.168.2.7	0x2	Name error (3)	gandcrab.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:25.681529045 CEST	8.8.8.8	192.168.2.7	0x3	Name error (3)	gandcrab.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:49:25.724030018 CEST	8.8.8.8	192.168.2.7	0x4	Name error (3)	gandcrab.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:25.744210958 CEST	8.8.8.8	192.168.2.7	0x5	Name error (3)	gandcrab.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:49:25.991184950 CEST	8.8.8.8	192.168.2.7	0x5f58	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:28.717668056 CEST	8.8.8.8	192.168.2.7	0xfd78	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:28.856168985 CEST	8.8.8.8	192.168.2.7	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:49:28.877022028 CEST	8.8.8.8	192.168.2.7	0x2	Name error (3)	nomoreransom.coin	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:28.895523071 CEST	8.8.8.8	192.168.2.7	0x3	Name error (3)	nomoreransom.coin	none	none	28	IN (0x0001)
Aug 31, 2022 23:49:28.913804054 CEST	8.8.8.8	192.168.2.7	0x4	Name error (3)	nomoreransom.coin	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:28.934406996 CEST	8.8.8.8	192.168.2.7	0x5	Name error (3)	nomoreransom.coin	none	none	28	IN (0x0001)
Aug 31, 2022 23:49:32.217390060 CEST	8.8.8.8	192.168.2.7	0x7b4f	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:32.296617031 CEST	8.8.8.8	192.168.2.7	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:49:32.318643093 CEST	8.8.8.8	192.168.2.7	0x2	Name error (3)	nomoreransom.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:32.339747906 CEST	8.8.8.8	192.168.2.7	0x3	Name error (3)	nomoreransom.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:49:32.364142895 CEST	8.8.8.8	192.168.2.7	0x4	Name error (3)	nomoreransom.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:32.385826111 CEST	8.8.8.8	192.168.2.7	0x5	Name error (3)	nomoreransom.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:49:35.200468063 CEST	8.8.8.8	192.168.2.7	0xff42	Name error (3)	dns2.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:35.311513901 CEST	8.8.8.8	192.168.2.7	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:49:35.384989977 CEST	8.8.8.8	192.168.2.7	0x2	Name error (3)	gandcrab.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:35.468177080 CEST	8.8.8.8	192.168.2.7	0x3	Name error (3)	gandcrab.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:49:35.551315069 CEST	8.8.8.8	192.168.2.7	0x4	Name error (3)	gandcrab.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:35.570811987 CEST	8.8.8.8	192.168.2.7	0x5	Name error (3)	gandcrab.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:49:41.316941023 CEST	8.8.8.8	192.168.2.7	0x6fa1	Name error (3)	dns2.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:41.379674911 CEST	8.8.8.8	192.168.2.7	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:49:41.400392056 CEST	8.8.8.8	192.168.2.7	0x2	Name error (3)	nomoreransom.coin	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:41.419595003 CEST	8.8.8.8	192.168.2.7	0x3	Name error (3)	nomoreransom.coin	none	none	28	IN (0x0001)
Aug 31, 2022 23:49:41.440679073 CEST	8.8.8.8	192.168.2.7	0x4	Name error (3)	nomoreransom.coin	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:41.461257935 CEST	8.8.8.8	192.168.2.7	0x5	Name error (3)	nomoreransom.coin	none	none	28	IN (0x0001)
Aug 31, 2022 23:49:42.919545889 CEST	8.8.8.8	192.168.2.7	0x6fa1	Name error (3)	dns2.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:43.962893009 CEST	8.8.8.8	192.168.2.7	0x174	Name error (3)	dns2.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:44.031344891 CEST	8.8.8.8	192.168.2.7	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:49:44.050631046 CEST	8.8.8.8	192.168.2.7	0x2	Name error (3)	nomoreransom.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:44.070837975 CEST	8.8.8.8	192.168.2.7	0x3	Name error (3)	nomoreransom.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:49:44.091598988 CEST	8.8.8.8	192.168.2.7	0x4	Name error (3)	nomoreransom.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:44.115334988 CEST	8.8.8.8	192.168.2.7	0x5	Name error (3)	nomoreransom.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:49:47.099487066 CEST	8.8.8.8	192.168.2.7	0xa5fe	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:47.156781912 CEST	8.8.8.8	192.168.2.7	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:49:47.175007105 CEST	8.8.8.8	192.168.2.7	0x2	Name error (3)	gandcrab.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:47.193625927 CEST	8.8.8.8	192.168.2.7	0x3	Name error (3)	gandcrab.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:49:47.214102030 CEST	8.8.8.8	192.168.2.7	0x4	Name error (3)	gandcrab.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:47.232800007 CEST	8.8.8.8	192.168.2.7	0x5	Name error (3)	gandcrab.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:49:47.542625904 CEST	8.8.8.8	192.168.2.7	0xa5fe	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:49.484189034 CEST	8.8.8.8	192.168.2.7	0xb1d1	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:49.529911995 CEST	8.8.8.8	192.168.2.7	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:49:49.551467896 CEST	8.8.8.8	192.168.2.7	0x2	Name error (3)	nomoreransom.coin	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:49.572386980 CEST	8.8.8.8	192.168.2.7	0x3	Name error (3)	nomoreransom.coin	none	none	28	IN (0x0001)
Aug 31, 2022 23:49:49.593506098 CEST	8.8.8.8	192.168.2.7	0x4	Name error (3)	nomoreransom.coin	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:49.613496065 CEST	8.8.8.8	192.168.2.7	0x5	Name error (3)	nomoreransom.coin	none	none	28	IN (0x0001)
Aug 31, 2022 23:49:52.714204073 CEST	8.8.8.8	192.168.2.7	0x8ef7	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:52.781574011 CEST	8.8.8.8	192.168.2.7	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:49:52.804019928 CEST	8.8.8.8	192.168.2.7	0x2	Name error (3)	nomoreransom.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:52.825433969 CEST	8.8.8.8	192.168.2.7	0x3	Name error (3)	nomoreransom.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:49:52.846256018 CEST	8.8.8.8	192.168.2.7	0x4	Name error (3)	nomoreransom.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:52.887599945 CEST	8.8.8.8	192.168.2.7	0x5	Name error (3)	nomoreransom.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:49:53.688219070 CEST	8.8.8.8	192.168.2.7	0x8ef7	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:58.274665117 CEST	8.8.8.8	192.168.2.7	0x960e	Name error (3)	dns2.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:59.124644041 CEST	8.8.8.8	192.168.2.7	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:49:59.147748947 CEST	8.8.8.8	192.168.2.7	0x960e	Name error (3)	dns2.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:59.216067076 CEST	8.8.8.8	192.168.2.7	0x2	Name error (3)	gandcrab.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:59.234318972 CEST	8.8.8.8	192.168.2.7	0x3	Name error (3)	gandcrab.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:49:59.252429962 CEST	8.8.8.8	192.168.2.7	0x4	Name error (3)	gandcrab.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:59.305018902 CEST	8.8.8.8	192.168.2.7	0x5	Name error (3)	gandcrab.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:50:01.393326044 CEST	8.8.8.8	192.168.2.7	0x6e5a	Name error (3)	dns2.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:01.436784029 CEST	8.8.8.8	192.168.2.7	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:50:01.455447912 CEST	8.8.8.8	192.168.2.7	0x2	Name error (3)	nomoreransom.coin	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:01.476432085 CEST	8.8.8.8	192.168.2.7	0x3	Name error (3)	nomoreransom.coin	none	none	28	IN (0x0001)
Aug 31, 2022 23:50:01.494363070 CEST	8.8.8.8	192.168.2.7	0x4	Name error (3)	nomoreransom.coin	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:01.515038967 CEST	8.8.8.8	192.168.2.7	0x5	Name error (3)	nomoreransom.coin	none	none	28	IN (0x0001)
Aug 31, 2022 23:50:03.356900930 CEST	8.8.8.8	192.168.2.7	0xabf0	Name error (3)	dns2.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:03.394578934 CEST	8.8.8.8	192.168.2.7	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:50:03.413331032 CEST	8.8.8.8	192.168.2.7	0x2	Name error (3)	nomoreransom.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:03.434359074 CEST	8.8.8.8	192.168.2.7	0x3	Name error (3)	nomoreransom.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:50:03.457411051 CEST	8.8.8.8	192.168.2.7	0x4	Name error (3)	nomoreransom.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:03.476334095 CEST	8.8.8.8	192.168.2.7	0x5	Name error (3)	nomoreransom.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:50:05.684484959 CEST	8.8.8.8	192.168.2.7	0x5057	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:05.721307993 CEST	8.8.8.8	192.168.2.7	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:50:05.742141962 CEST	8.8.8.8	192.168.2.7	0x2	Name error (3)	gandcrab.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:05.761802912 CEST	8.8.8.8	192.168.2.7	0x3	Name error (3)	gandcrab.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:50:05.781910896 CEST	8.8.8.8	192.168.2.7	0x4	Name error (3)	gandcrab.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:05.799871922 CEST	8.8.8.8	192.168.2.7	0x5	Name error (3)	gandcrab.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:50:08.151724100 CEST	8.8.8.8	192.168.2.7	0x7000	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:08.186973095 CEST	8.8.8.8	192.168.2.7	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:50:08.220877886 CEST	8.8.8.8	192.168.2.7	0x2	Name error (3)	nomoreransom.coin	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:08.249907017 CEST	8.8.8.8	192.168.2.7	0x3	Name error (3)	nomoreransom.coin	none	none	28	IN (0x0001)
Aug 31, 2022 23:50:08.271193981 CEST	8.8.8.8	192.168.2.7	0x4	Name error (3)	nomoreransom.coin	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:08.294326067 CEST	8.8.8.8	192.168.2.7	0x5	Name error (3)	nomoreransom.coin	none	none	28	IN (0x0001)
Aug 31, 2022 23:50:09.698939085 CEST	8.8.8.8	192.168.2.7	0x7000	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:10.289400101 CEST	8.8.8.8	192.168.2.7	0x5e4a	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:10.315807104 CEST	8.8.8.8	192.168.2.7	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:50:10.335757971 CEST	8.8.8.8	192.168.2.7	0x2	Name error (3)	nomoreransom.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:10.353692055 CEST	8.8.8.8	192.168.2.7	0x3	Name error (3)	nomoreransom.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:50:10.371742964 CEST	8.8.8.8	192.168.2.7	0x4	Name error (3)	nomoreransom.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:10.390542984 CEST	8.8.8.8	192.168.2.7	0x5	Name error (3)	nomoreransom.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:50:13.730717897 CEST	8.8.8.8	192.168.2.7	0xdda6	Name error (3)	dns2.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:13.763123989 CEST	8.8.8.8	192.168.2.7	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:50:13.783987999 CEST	8.8.8.8	192.168.2.7	0x2	Name error (3)	gandcrab.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:13.806222916 CEST	8.8.8.8	192.168.2.7	0x3	Name error (3)	gandcrab.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:50:13.831871986 CEST	8.8.8.8	192.168.2.7	0x4	Name error (3)	gandcrab.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:13.855473995 CEST	8.8.8.8	192.168.2.7	0x5	Name error (3)	gandcrab.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:50:14.389233112 CEST	8.8.8.8	192.168.2.7	0xdda6	Name error (3)	dns2.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:14.867403984 CEST	8.8.8.8	192.168.2.7	0xdda6	Name error (3)	dns2.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:15.432742119 CEST	8.8.8.8	192.168.2.7	0x4a85	Name error (3)	dns2.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:15.458967924 CEST	8.8.8.8	192.168.2.7	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:50:15.479576111 CEST	8.8.8.8	192.168.2.7	0x2	Name error (3)	nomoreransom.coin	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:15.500281096 CEST	8.8.8.8	192.168.2.7	0x3	Name error (3)	nomoreransom.coin	none	none	28	IN (0x0001)
Aug 31, 2022 23:50:15.520478964 CEST	8.8.8.8	192.168.2.7	0x4	Name error (3)	nomoreransom.coin	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:15.540834904 CEST	8.8.8.8	192.168.2.7	0x5	Name error (3)	nomoreransom.coin	none	none	28	IN (0x0001)
Aug 31, 2022 23:50:17.425961018 CEST	8.8.8.8	192.168.2.7	0xc285	Name error (3)	dns2.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:17.451142073 CEST	8.8.8.8	192.168.2.7	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:50:17.469491005 CEST	8.8.8.8	192.168.2.7	0x2	Name error (3)	nomoreransom.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:17.487525940 CEST	8.8.8.8	192.168.2.7	0x3	Name error (3)	nomoreransom.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:50:17.507570982 CEST	8.8.8.8	192.168.2.7	0x4	Name error (3)	nomoreransom.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:17.533308029 CEST	8.8.8.8	192.168.2.7	0x5	Name error (3)	nomoreransom.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:50:18.916414976 CEST	8.8.8.8	192.168.2.7	0x5a96	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:18.954654932 CEST	8.8.8.8	192.168.2.7	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:50:18.974977016 CEST	8.8.8.8	192.168.2.7	0x2	Name error (3)	gandcrab.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:18.994760036 CEST	8.8.8.8	192.168.2.7	0x3	Name error (3)	gandcrab.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:50:19.012873888 CEST	8.8.8.8	192.168.2.7	0x4	Name error (3)	gandcrab.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:19.031758070 CEST	8.8.8.8	192.168.2.7	0x5	Name error (3)	gandcrab.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:50:20.563419104 CEST	8.8.8.8	192.168.2.7	0x654d	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:20.595380068 CEST	8.8.8.8	192.168.2.7	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:50:20.615622997 CEST	8.8.8.8	192.168.2.7	0x2	Name error (3)	nomoreransom.coin	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:20.633987904 CEST	8.8.8.8	192.168.2.7	0x3	Name error (3)	nomoreransom.coin	none	none	28	IN (0x0001)
Aug 31, 2022 23:50:20.654202938 CEST	8.8.8.8	192.168.2.7	0x4	Name error (3)	nomoreransom.coin	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:20.672302961 CEST	8.8.8.8	192.168.2.7	0x5	Name error (3)	nomoreransom.coin	none	none	28	IN (0x0001)
Aug 31, 2022 23:50:23.034744024 CEST	8.8.8.8	192.168.2.7	0xb093	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:23.058167934 CEST	8.8.8.8	192.168.2.7	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:50:23.078299999 CEST	8.8.8.8	192.168.2.7	0x2	Name error (3)	nomoreransom.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:23.096414089 CEST	8.8.8.8	192.168.2.7	0x3	Name error (3)	nomoreransom.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:50:23.114574909 CEST	8.8.8.8	192.168.2.7	0x4	Name error (3)	nomoreransom.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:23.134742975 CEST	8.8.8.8	192.168.2.7	0x5	Name error (3)	nomoreransom.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:50:24.436777115 CEST	8.8.8.8	192.168.2.7	0x3993	Name error (3)	dns2.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:24.464018106 CEST	8.8.8.8	192.168.2.7	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:50:24.482281923 CEST	8.8.8.8	192.168.2.7	0x2	Name error (3)	gandcrab.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:24.502979040 CEST	8.8.8.8	192.168.2.7	0x3	Name error (3)	gandcrab.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:50:24.521646976 CEST	8.8.8.8	192.168.2.7	0x4	Name error (3)	gandcrab.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:24.544363976 CEST	8.8.8.8	192.168.2.7	0x5	Name error (3)	gandcrab.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:50:26.947271109 CEST	8.8.8.8	192.168.2.7	0x6f26	Name error (3)	dns2.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:26.987024069 CEST	8.8.8.8	192.168.2.7	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:50:27.015486002 CEST	8.8.8.8	192.168.2.7	0x2	Name error (3)	nomoreransom.coin	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:29.053275108 CEST	8.8.8.8	192.168.2.7	0x4	Name error (3)	nomoreransom.coin	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:29.071413040 CEST	8.8.8.8	192.168.2.7	0x5	Name error (3)	nomoreransom.coin	none	none	28	IN (0x0001)
Aug 31, 2022 23:50:31.172678947 CEST	8.8.8.8	192.168.2.7	0xc2cb	Name error (3)	dns2.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:31.836168051 CEST	8.8.8.8	192.168.2.7	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:50:31.860229969 CEST	8.8.8.8	192.168.2.7	0x2	Name error (3)	nomoreransom.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:31.927282095 CEST	8.8.8.8	192.168.2.7	0x3	Name error (3)	nomoreransom.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:50:31.948879957 CEST	8.8.8.8	192.168.2.7	0x4	Name error (3)	nomoreransom.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:31.968821049 CEST	8.8.8.8	192.168.2.7	0x5	Name error (3)	nomoreransom.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:50:36.938282013 CEST	8.8.8.8	192.168.2.7	0x4ac2	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:36.964608908 CEST	8.8.8.8	192.168.2.7	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:50:36.973332882 CEST	8.8.8.8	192.168.2.7	0x4ac2	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:36.985584021 CEST	8.8.8.8	192.168.2.7	0x2	Name error (3)	gandcrab.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:37.003935099 CEST	8.8.8.8	192.168.2.7	0x3	Name error (3)	gandcrab.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:50:37.036745071 CEST	8.8.8.8	192.168.2.7	0x4	Name error (3)	gandcrab.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:37.055305004 CEST	8.8.8.8	192.168.2.7	0x5	Name error (3)	gandcrab.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:50:38.477780104 CEST	8.8.8.8	192.168.2.7	0x4ac2	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:38.951469898 CEST	8.8.8.8	192.168.2.7	0x386b	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:38.980972052 CEST	8.8.8.8	192.168.2.7	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:50:39.002156019 CEST	8.8.8.8	192.168.2.7	0x2	Name error (3)	nomoreransom.coin	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:39.022454023 CEST	8.8.8.8	192.168.2.7	0x3	Name error (3)	nomoreransom.coin	none	none	28	IN (0x0001)
Aug 31, 2022 23:50:39.042603016 CEST	8.8.8.8	192.168.2.7	0x4	Name error (3)	nomoreransom.coin	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:39.062616110 CEST	8.8.8.8	192.168.2.7	0x5	Name error (3)	nomoreransom.coin	none	none	28	IN (0x0001)
Aug 31, 2022 23:50:40.345277071 CEST	8.8.8.8	192.168.2.7	0x325b	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:40.414843082 CEST	8.8.8.8	192.168.2.7	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:50:40.433434963 CEST	8.8.8.8	192.168.2.7	0x2	Name error (3)	nomoreransom.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:40.453635931 CEST	8.8.8.8	192.168.2.7	0x3	Name error (3)	nomoreransom.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:50:40.473654032 CEST	8.8.8.8	192.168.2.7	0x4	Name error (3)	nomoreransom.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:40.493432045 CEST	8.8.8.8	192.168.2.7	0x5	Name error (3)	nomoreransom.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:50:41.813671112 CEST	8.8.8.8	192.168.2.7	0xb5	Name error (3)	dns2.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:41.843774080 CEST	8.8.8.8	192.168.2.7	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:50:41.863992929 CEST	8.8.8.8	192.168.2.7	0x2	Name error (3)	gandcrab.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:41.884527922 CEST	8.8.8.8	192.168.2.7	0x3	Name error (3)	gandcrab.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:50:41.903028011 CEST	8.8.8.8	192.168.2.7	0x4	Name error (3)	gandcrab.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:41.922991037 CEST	8.8.8.8	192.168.2.7	0x5	Name error (3)	gandcrab.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:50:43.720691919 CEST	8.8.8.8	192.168.2.7	0xaf65	Name error (3)	dns2.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:43.746124983 CEST	8.8.8.8	192.168.2.7	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:50:43.766308069 CEST	8.8.8.8	192.168.2.7	0x2	Name error (3)	nomoreransom.coin	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:43.786328077 CEST	8.8.8.8	192.168.2.7	0x3	Name error (3)	nomoreransom.coin	none	none	28	IN (0x0001)
Aug 31, 2022 23:50:43.804389954 CEST	8.8.8.8	192.168.2.7	0x4	Name error (3)	nomoreransom.coin	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:43.824862003 CEST	8.8.8.8	192.168.2.7	0x5	Name error (3)	nomoreransom.coin	none	none	28	IN (0x0001)
Aug 31, 2022 23:50:46.606601000 CEST	8.8.8.8	192.168.2.7	0x79c7	Name error (3)	dns2.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:46.633125067 CEST	8.8.8.8	192.168.2.7	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:50:46.655035973 CEST	8.8.8.8	192.168.2.7	0x2	Name error (3)	nomoreransom.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:46.676173925 CEST	8.8.8.8	192.168.2.7	0x3	Name error (3)	nomoreransom.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:50:46.702325106 CEST	8.8.8.8	192.168.2.7	0x4	Name error (3)	nomoreransom.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:46.724997044 CEST	8.8.8.8	192.168.2.7	0x5	Name error (3)	nomoreransom.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:50:47.913981915 CEST	8.8.8.8	192.168.2.7	0xfa2	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:47.938807011 CEST	8.8.8.8	192.168.2.7	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:50:47.961014032 CEST	8.8.8.8	192.168.2.7	0x2	Name error (3)	gandcrab.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:47.982100964 CEST	8.8.8.8	192.168.2.7	0x3	Name error (3)	gandcrab.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:50:48.002609015 CEST	8.8.8.8	192.168.2.7	0x4	Name error (3)	gandcrab.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:48.020875931 CEST	8.8.8.8	192.168.2.7	0x5	Name error (3)	gandcrab.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:50:48.598846912 CEST	8.8.8.8	192.168.2.7	0x79c7	Name error (3)	dns2.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:49.658869028 CEST	8.8.8.8	192.168.2.7	0xe83	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:49.685262918 CEST	8.8.8.8	192.168.2.7	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:50:49.703661919 CEST	8.8.8.8	192.168.2.7	0x2	Name error (3)	nomoreransom.coin	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:49.723515987 CEST	8.8.8.8	192.168.2.7	0x3	Name error (3)	nomoreransom.coin	none	none	28	IN (0x0001)
Aug 31, 2022 23:50:49.746051073 CEST	8.8.8.8	192.168.2.7	0x4	Name error (3)	nomoreransom.coin	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:49.766846895 CEST	8.8.8.8	192.168.2.7	0x5	Name error (3)	nomoreransom.coin	none	none	28	IN (0x0001)
Aug 31, 2022 23:50:50.874103069 CEST	8.8.8.8	192.168.2.7	0x3be0	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:50.899250031 CEST	8.8.8.8	192.168.2.7	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:50:50.919481993 CEST	8.8.8.8	192.168.2.7	0x2	Name error (3)	nomoreransom.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:50.937942982 CEST	8.8.8.8	192.168.2.7	0x3	Name error (3)	nomoreransom.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:50:50.958199978 CEST	8.8.8.8	192.168.2.7	0x4	Name error (3)	nomoreransom.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:50.978470087 CEST	8.8.8.8	192.168.2.7	0x5	Name error (3)	nomoreransom.bit	none	none	28	IN (0x0001)

Target ID:	0
Start time:	23:48:39
Start date:	31/08/2022
Path:	C:\Users\user\Desktop\O8ZHhytWhn.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\O8ZHhytWhn.exe"
Imagebase:	0xf1d0000
File size:	71168 bytes
MD5 hash:	B39FEBF7440B58A6CD15AE9F01916F98
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Gandcrab, Description: Yara detected Gandcrab, Source: 00000000.00000000.248593701.000000000F1E2000.00000008.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 00000000.00000002.517623653.000000000F1DA000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Gandcrab, Description: Yara detected Gandcrab, Source: 00000000.00000002.517637468.000000000F1E2000.00000004.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 00000000.00000000.248569401.000000000F1DA000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	low

Analysis Process: nslookup.exePID: 3600, Parent PID: 5900

General

Target ID:	3
Start time:	23:48:48
Start date:	31/08/2022
Path:	C:\Windows\SysWOW64\nslookup.exe
Wow64 process (32bit):	true
Commandline:	nslookup nomoreransom.coin dns1.soprodns.ru
Imagebase:	0x10000
File size:	78336 bytes
MD5 hash:	8E82529D1475D67615ADCB4E1B8F4EEC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Analysis Process: conhost.exePID: 3116, Parent PID: 3600

General

Target ID:	4
Start time:	23:48:48
Start date:	31/08/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6edaf0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: nslookup.exePID: 5496, Parent PID: 5900

General

Target ID:	5
Start time:	23:48:50
Start date:	31/08/2022
Path:	C:\Windows\SysWOW64\nslookup.exe
Wow64 process (32bit):	true
Commandline:	nslookup nomoreransom.bit dns1.soprodns.ru
Imagebase:	0x10000
File size:	78336 bytes
MD5 hash:	8E82529D1475D67615ADCB4E1B8F4EEC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Analysis Process: conhost.exePID: 5928, Parent PID: 5496

General

Target ID:	6
Start time:	23:48:50
Start date:	31/08/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6edaf0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: nslookup.exePID: 3220, Parent PID: 5900

General

Target ID:	7
Start time:	23:48:52
Start date:	31/08/2022
Path:	C:\Windows\SysWOW64\nslookup.exe
Wow64 process (32bit):	true
Commandline:	nslookup gandcrab.bit dns2.soprodns.ru
Imagebase:	0x10000
File size:	78336 bytes
MD5 hash:	8E82529D1475D67615ADCB4E1B8F4EEC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Analysis Process: conhost.exePID: 5184, Parent PID: 3220

General

Target ID:	8
Start time:	23:48:52
Start date:	31/08/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6edaf0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: wjaoab.exePID: 5444, Parent PID: 3320

General

Target ID:	9
Start time:	23:48:56
Start date:	31/08/2022
Path:	C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe"
Imagebase:	0xfbc0000
File size:	71168 bytes
MD5 hash:	A1E6F4D9E1AF5740E07B86A42C6C430B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Gandcrab, Description: Yara detected Gandcrab, Source: 00000009.00000000.289875664.000000000FBD2000.00000008.00000001.01000000.00000006.sdmp, Author: Joe Security Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 00000009.00000000.289867124.000000000FBCA000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security Rule: JoeSecurity_Gandcrab, Description: Yara detected Gandcrab, Source: 00000009.00000002.293155621.000000000FBD2000.00000008.00000001.01000000.00000006.sdmp, Author: Joe Security Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 00000009.00000002.293144665.000000000FBCA000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security Rule: ReflectiveLoader, Description: Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe, Author: Florian Roth Rule: SUSP_RANSOMWARE_Indicator_Jul20, Description: Detects ransomware indicator, Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe, Author: Florian Roth Rule: JoeSecurity_Gandcrab, Description: Yara detected Gandcrab, Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe, Author: Joe Security Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_ReflectiveLoader, Description: detects Reflective DLL injection artifacts, Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe, Author: ditekSHen Rule: Gandcrab, Description: Gandcrab Payload, Source: C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe, Author: kevoreilly
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Reputation:	low

Analysis Process: nslookup.exePID: 4404, Parent PID: 5900

General

Target ID:	10
Start time:	23:48:58
Start date:	31/08/2022
Path:	C:\Windows\SysWOW64\nslookup.exe
Wow64 process (32bit):	true
Commandline:	nslookup nomoreransom.coin dns2.soprodns.ru
Imagebase:	0x10000
File size:	78336 bytes
MD5 hash:	8E82529D1475D67615ADCB4E1B8F4EEC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Analysis Process: conhost.exePID: 5708, Parent PID: 4404

General

Target ID:	13
Start time:	23:48:59
Start date:	31/08/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6edaf0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: nslookup.exePID: 5224, Parent PID: 5900

General

Target ID:	16
Start time:	23:49:02
Start date:	31/08/2022
Path:	C:\Windows\SysWOW64\nslookup.exe
Wow64 process (32bit):	true
Commandline:	nslookup nomoreransom.bit dns2.soprodns.ru
Imagebase:	0x10000
File size:	78336 bytes
MD5 hash:	8E82529D1475D67615ADCB4E1B8F4EEC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: conhost.exePID: 5756, Parent PID: 5224

General

Target ID:	18
Start time:	23:49:02
Start date:	31/08/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6edaf0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: nslookup.exePID: 4508, Parent PID: 5900

General

Target ID:	21
Start time:	23:49:04
Start date:	31/08/2022
Path:	C:\Windows\SysWOW64\nslookup.exe
Wow64 process (32bit):	true
Commandline:	nslookup gandcrab.bit dns1.soprodns.ru
Imagebase:	0x10000
File size:	78336 bytes
MD5 hash:	8E82529D1475D67615ADCB4E1B8F4EEC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: conhost.exePID: 1352, Parent PID: 4508

General

Target ID:	22
Start time:	23:49:05
Start date:	31/08/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6edaf0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: nslookup.exePID: 5732, Parent PID: 5900

General

Target ID:	23
Start time:	23:49:06
Start date:	31/08/2022
Path:	C:\Windows\SysWOW64\nslookup.exe
Wow64 process (32bit):	true
Commandline:	nslookup nomoreransom.coin dns1.soprodns.ru
Imagebase:	0x10000
File size:	78336 bytes
MD5 hash:	8E82529D1475D67615ADCB4E1B8F4EEC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: conhost.exePID: 2980, Parent PID: 5732

General

Target ID:	24
Start time:	23:49:07
Start date:	31/08/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6edaf0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: wjaoab.exePID: 2888, Parent PID: 3320

General

Target ID:	25
Start time:	23:49:07
Start date:	31/08/2022
Path:	C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe"
Imagebase:	0xfbc0000
File size:	71168 bytes
MD5 hash:	A1E6F4D9E1AF5740E07B86A42C6C430B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 00000019.00000002.311529128.000000000FBCA000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security Rule: JoeSecurity_Gandcrab, Description: Yara detected Gandcrab, Source: 00000019.00000000.308682011.000000000FBD2000.00000008.00000001.01000000.00000006.sdmp, Author: Joe Security Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 00000019.00000000.308674547.000000000FBCA000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security Rule: JoeSecurity_Gandcrab, Description: Yara detected Gandcrab, Source: 00000019.00000002.311539070.000000000FBD2000.00000008.00000001.01000000.00000006.sdmp, Author: Joe Security

Analysis Process: nslookup.exePID: 4540, Parent PID: 5900

General

Target ID:	26
Start time:	23:49:09
Start date:	31/08/2022
Path:	C:\Windows\SysWOW64\nslookup.exe
Wow64 process (32bit):	true
Commandline:	nslookup nomoreransom.bit dns1.soprodns.ru
Imagebase:	0x10000
File size:	78336 bytes
MD5 hash:	8E82529D1475D67615ADCB4E1B8F4EEC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: conhost.exePID: 5756, Parent PID: 4540

General

Target ID:	27
Start time:	23:49:09
Start date:	31/08/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6edaf0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: nslookup.exePID: 6132, Parent PID: 5900

General

Target ID:	28
Start time:	23:49:11
Start date:	31/08/2022
Path:	C:\Windows\SysWOW64\nslookup.exe
Wow64 process (32bit):	true
Commandline:	nslookup gandcrab.bit dns2.soprodns.ru
Imagebase:	0x7ff6ef7a0000
File size:	78336 bytes
MD5 hash:	8E82529D1475D67615ADCB4E1B8F4EEC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: conhost.exePID: 5376, Parent PID: 6132

General

Target ID:	30
Start time:	23:49:12
Start date:	31/08/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6edaf0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: nslookup.exePID: 5896, Parent PID: 5900

General

Target ID:	31
Start time:	23:49:14
Start date:	31/08/2022
Path:	C:\Windows\SysWOW64\nslookup.exe
Wow64 process (32bit):	true
Commandline:	nslookup nomoreransom.coin dns2.soprodns.ru
Imagebase:	0x10000
File size:	78336 bytes
MD5 hash:	8E82529D1475D67615ADCB4E1B8F4EEC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: conhost.exePID: 1840, Parent PID: 5896

General

Target ID:	32
Start time:	23:49:16
Start date:	31/08/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6edaf0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: nslookup.exePID: 1548, Parent PID: 5900

General

Target ID:	33
Start time:	23:49:20
Start date:	31/08/2022
Path:	C:\Windows\SysWOW64\nslookup.exe
Wow64 process (32bit):	true
Commandline:	nslookup nomoreransom.bit dns2.soprodns.ru
Imagebase:	0x10000
File size:	78336 bytes
MD5 hash:	8E82529D1475D67615ADCB4E1B8F4EEC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: conhost.exePID: 1836, Parent PID: 1548

General

Target ID:	34
Start time:	23:49:20
Start date:	31/08/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6edaf0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: nslookup.exePID: 5864, Parent PID: 5900

General

Target ID:	36
Start time:	23:49:23
Start date:	31/08/2022
Path:	C:\Windows\SysWOW64\nslookup.exe
Wow64 process (32bit):	true
Commandline:	nslookup gandcrab.bit dns1.soprodns.ru
Imagebase:	0x10000
File size:	78336 bytes
MD5 hash:	8E82529D1475D67615ADCB4E1B8F4EEC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: conhost.exePID: 5588, Parent PID: 5864

General

Target ID:	37
Start time:	23:49:23
Start date:	31/08/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6edaf0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: nslookup.exePID: 3840, Parent PID: 5900

General

Target ID:	38
Start time:	23:49:26
Start date:	31/08/2022
Path:	C:\Windows\SysWOW64\nslookup.exe
Wow64 process (32bit):	true
Commandline:	nslookup nomoreransom.coin dns1.soprodns.ru
Imagebase:	0x10000
File size:	78336 bytes
MD5 hash:	8E82529D1475D67615ADCB4E1B8F4EEC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: conhost.exePID: 588, Parent PID: 3840

General

Target ID:	39
Start time:	23:49:27
Start date:	31/08/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6edaf0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: nslookup.exePID: 4412, Parent PID: 5900

General

Target ID:	40
Start time:	23:49:29
Start date:	31/08/2022
Path:	C:\Windows\SysWOW64\nslookup.exe
Wow64 process (32bit):	true
Commandline:	nslookup nomoreransom.bit dns1.soprodns.ru
Imagebase:	0x10000
File size:	78336 bytes
MD5 hash:	8E82529D1475D67615ADCB4E1B8F4EEC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: conhost.exePID: 160, Parent PID: 4412

General

Target ID:	41
Start time:	23:49:30
Start date:	31/08/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6edaf0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: nslookup.exePID: 4928, Parent PID: 5900

General

Target ID:	42
Start time:	23:49:33
Start date:	31/08/2022
Path:	C:\Windows\SysWOW64\nslookup.exe
Wow64 process (32bit):	true
Commandline:	nslookup gandcrab.bit dns2.soprodns.ru
Imagebase:	0x10000
File size:	78336 bytes
MD5 hash:	8E82529D1475D67615ADCB4E1B8F4EEC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: conhost.exePID: 4908, Parent PID: 4928

General

Target ID:	43
Start time:	23:49:33
Start date:	31/08/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6edaf0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: nslookup.exePID: 5972, Parent PID: 5900

General

Target ID:	44
Start time:	23:49:36
Start date:	31/08/2022
Path:	C:\Windows\SysWOW64\nslookup.exe
Wow64 process (32bit):	true
Commandline:	nslookup nomoreransom.coin dns2.soprodns.ru
Imagebase:	0x10000
File size:	78336 bytes
MD5 hash:	8E82529D1475D67615ADCB4E1B8F4EEC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: conhost.exePID: 6012, Parent PID: 5972

General

Target ID:	45
Start time:	23:49:39
Start date:	31/08/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6edaf0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: nslookup.exePID: 5164, Parent PID: 5900

General

Target ID:	47
Start time:	23:49:42
Start date:	31/08/2022
Path:	C:\Windows\SysWOW64\nslookup.exe
Wow64 process (32bit):	true
Commandline:	nslookup nomoreransom.bit dns2.soprodns.ru
Imagebase:	0x10000
File size:	78336 bytes
MD5 hash:	8E82529D1475D67615ADCB4E1B8F4EEC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: conhost.exePID: 4824, Parent PID: 5164

General

Target ID:	48
Start time:	23:49:42
Start date:	31/08/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6edaf0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: nslookup.exePID: 5644, Parent PID: 5900

General

Target ID:	50
Start time:	23:49:45
Start date:	31/08/2022
Path:	C:\Windows\SysWOW64\nslookup.exe
Wow64 process (32bit):	true
Commandline:	nslookup gandcrab.bit dns1.soprodns.ru
Imagebase:	0x10000
File size:	78336 bytes
MD5 hash:	8E82529D1475D67615ADCB4E1B8F4EEC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: conhost.exePID: 2300, Parent PID: 5644

General

Target ID:	51
Start time:	23:49:45
Start date:	31/08/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6edaf0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: nslookup.exePID: 5860, Parent PID: 5900

General

Target ID:	52
Start time:	23:49:48
Start date:	31/08/2022
Path:	C:\Windows\SysWOW64\nslookup.exe
Wow64 process (32bit):	true
Commandline:	nslookup nomoreransom.coin dns1.soprodns.ru
Imagebase:	0x10000
File size:	78336 bytes
MD5 hash:	8E82529D1475D67615ADCB4E1B8F4EEC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: conhost.exePID: 5944, Parent PID: 5860

General

Target ID:	53
Start time:	23:49:48
Start date:	31/08/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6edaf0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: nslookup.exePID: 6052, Parent PID: 5900

General

Target ID:	54
Start time:	23:49:50
Start date:	31/08/2022
Path:	C:\Windows\SysWOW64\nslookup.exe
Wow64 process (32bit):	true
Commandline:	nslookup nomoreransom.bit dns1.soprodns.ru
Imagebase:	0x10000
File size:	78336 bytes
MD5 hash:	8E82529D1475D67615ADCB4E1B8F4EEC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: conhost.exePID: 4372, Parent PID: 6052

General

Target ID:	55
Start time:	23:49:50
Start date:	31/08/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6edaf0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: nslookup.exePID: 540, Parent PID: 5900

General

Target ID:	56
Start time:	23:49:53
Start date:	31/08/2022
Path:	C:\Windows\SysWOW64\nslookup.exe
Wow64 process (32bit):	true
Commandline:	nslookup gandcrab.bit dns2.soprodns.ru
Imagebase:	0x10000
File size:	78336 bytes
MD5 hash:	8E82529D1475D67615ADCB4E1B8F4EEC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: conhost.exePID: 2800, Parent PID: 540

General

Target ID:	57
Start time:	23:49:54
Start date:	31/08/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6edaf0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: nslookup.exePID: 6072, Parent PID: 5900

General

Target ID:	58
Start time:	23:50:00
Start date:	31/08/2022
Path:	C:\Windows\SysWOW64\nslookup.exe
Wow64 process (32bit):	true
Commandline:	nslookup nomoreransom.coin dns2.soprodns.ru
Imagebase:	0x10000
File size:	78336 bytes
MD5 hash:	8E82529D1475D67615ADCB4E1B8F4EEC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: conhost.exePID: 3144, Parent PID: 6072

General

Target ID:	59
Start time:	23:50:00
Start date:	31/08/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6edaf0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: nslookup.exePID: 4324, Parent PID: 5900

General

Target ID:	60
Start time:	23:50:02
Start date:	31/08/2022
Path:	C:\Windows\SysWOW64\nslookup.exe
Wow64 process (32bit):	true
Commandline:	nslookup nomoreransom.bit dns2.soprodns.ru
Imagebase:	0x2f0000
File size:	78336 bytes
MD5 hash:	8E82529D1475D67615ADCB4E1B8F4EEC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: conhost.exePID: 4824, Parent PID: 4324

General

Target ID:	61
Start time:	23:50:02
Start date:	31/08/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6edaf0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: nslookup.exePID: 1252, Parent PID: 5900

General

Target ID:	62
Start time:	23:50:04
Start date:	31/08/2022
Path:	C:\Windows\SysWOW64\nslookup.exe
Wow64 process (32bit):	true
Commandline:	nslookup gandcrab.bit dns1.soprodns.ru
Imagebase:	0x10000
File size:	78336 bytes
MD5 hash:	8E82529D1475D67615ADCB4E1B8F4EEC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Disassembly

⊘No disassembly

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Data loss prevention, File monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system. Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure. Many tools exist that enable traffic redirection through proxies or port redirection, including HTRAN , ZXProxy, and ZXPortMap. Adversaries use these types of proxies to manage command and control communications, reduce the number of simultaneous outbound network connections, provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between victims to avoid suspicion. Adversaries may chain together multiple proxies to further disguise the source of malicious traffic.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report O8ZHhytWhn.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Spam, unwanted Advertisements and Ransom Demands

DDoS

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3853321935-2125563209-4053062332-1002\eb42b1a5c308fc11edf1ddbdd25c8486_d06ed635-68f6-4e9a-955c-4899f5f57b9a

C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Exports

Possible Origin

Windows Analysis Report
O8ZHhytWhn.exe

Description:	Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.In the case of ransomware, it is typical that common user files like Office documents, PDFs, images, videos, audio, text, and source code files will be encrypted. In some cases, adversaries may encrypt critical system files, disk partitions, and the MBR.
Tactics:	Impact
Data Sources:	File monitoring, Kernel drivers, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre