Windows Analysis Report
gI5xZdIxUs.exe

Overview

General Information

Sample Name: gI5xZdIxUs.exe
Analysis ID: 694566
MD5: 98a12ec721c098842fbfd7384d5a72ae
SHA1: 9dfd7d1746c8ae943f3dced0f85f0e3c6f5084f3
SHA256: f83457d173841c7e944bc60b00c197ca93c864893c71902cf1b1a36decdd30a4
Tags: exe
Infos:

Detection

Gandcrab, ReflectiveLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected Gandcrab
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected ReflectiveLoader
Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for domain / URL
Antivirus detection for dropped file
Snort IDS alert for network traffic
Contains functionality to determine the online IP of the system
Found Tor onion address
Uses nslookup.exe to query domains
Machine Learning detection for sample
May check the online IP address of the machine
Performs many domain queries via nslookup
Machine Learning detection for dropped file
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Sample execution stops while process was sleeping (likely an evasion)
Too many similar processes found
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a DirectInput object (often for capturing keystrokes)
Queries information about the installed CPU (vendor, model number etc)
Drops PE files
Contains functionality to read the PEB
Found evaded block containing many API calls
Contains functionality to enumerate device drivers
Checks for available system drives (often done to infect USB drives)
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection
barindex
Multi AV Scanner detection for submitted file
Source: gI5xZdIxUs.exe Virustotal: Detection: 85% Perma Link
Source: gI5xZdIxUs.exe Metadefender: Detection: 74% Perma Link
Source: gI5xZdIxUs.exe ReversingLabs: Detection: 92%
Antivirus / Scanner detection for submitted sample
Source: gI5xZdIxUs.exe Avira: detected
Multi AV Scanner detection for domain / URL
Source: dns1.soprodns.ru Virustotal: Detection: 5% Perma Link
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe Avira: detection malicious, Label: TR/Dropper.Gen
Machine Learning detection for sample
Source: gI5xZdIxUs.exe Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 1.2.gI5xZdIxUs.exe.fc60000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 14.0.isqmkp.exe.f9d0000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 20.2.isqmkp.exe.f9d0000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 14.2.isqmkp.exe.f9d0000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 1.0.gI5xZdIxUs.exe.fc60000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 20.0.isqmkp.exe.f9d0000.0.unpack Avira: Label: TR/Dropper.Gen
Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe Code function: 1_2_0FC65880 VirtualAlloc,CryptBinaryToStringA,CryptBinaryToStringA,CryptBinaryToStringA,lstrlenA,lstrlenA,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrcatW,lstrcatW,lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenA,lstrlenW,MultiByteToWideChar,lstrcatW,lstrlenW,lstrlenA,lstrlenW,MultiByteToWideChar,lstrcatW,lstrlenW,lstrlenW,VirtualAlloc,lstrlenW,lstrlenW,_memset,lstrlenA,lstrlenA,CryptBinaryToStringA,GetLastError,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,MultiByteToWideChar,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree, 1_2_0FC65880
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe Code function: 1_2_0FC682A0 CryptAcquireContextW,VirtualAlloc,GetModuleHandleA,LoadLibraryA,GetProcAddress,CryptReleaseContext,VirtualFree,CryptReleaseContext,VirtualFree, 1_2_0FC682A0
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe Code function: 1_2_0FC662B0 CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptGenKey,CryptExportKey,CryptExportKey,CryptDestroyKey,CryptReleaseContext,CryptAcquireContextW, 1_2_0FC662B0
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe Code function: 1_2_0FC64950 Sleep,ExitProcess,CreateThread,WaitForSingleObject,TerminateThread,CloseHandle,VirtualAlloc,GetModuleFileNameW,VirtualFree,ExitProcess,Sleep,lstrlenA,VirtualAlloc,CryptStringToBinaryA,ExitProcess,InitializeCriticalSection,DeleteCriticalSection,VirtualAlloc,GetModuleFileNameW,VirtualFree,ShellExecuteW,ExitThread, 1_2_0FC64950
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe Code function: 1_2_0FC68150 CryptAcquireContextW,VirtualAlloc,GetModuleHandleA,LoadLibraryA,GetProcAddress,CryptReleaseContext,VirtualFree,CryptReleaseContext,VirtualFree, 1_2_0FC68150
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe Code function: 1_2_0FC65670 VirtualAlloc,wsprintfW,lstrlenW,lstrlenW,lstrlenW,_memset,lstrlenA,lstrlenW,lstrlenW,CryptBinaryToStringA,GetLastError,lstrlenA,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,VirtualFree,VirtualFree,VirtualFree, 1_2_0FC65670
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe Code function: 1_2_0FC65210 lstrlenA,VirtualAlloc,CryptStringToBinaryA,_memset,lstrlenA,lstrlenA,lstrlenA,VirtualAlloc,lstrcpyA,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,VirtualFree,GetLastError, 1_2_0FC65210
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe Code function: 1_2_0FC66530 EnterCriticalSection,CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptImportKey,CryptGetKeyParam,CryptEncrypt,GetLastError,CryptReleaseContext,LeaveCriticalSection, 1_2_0FC66530
Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe Code function: 14_2_0F9D4950 Sleep,ExitProcess,CreateThread,WaitForSingleObject,TerminateThread,CloseHandle,VirtualAlloc,GetModuleFileNameW,VirtualFree,ExitProcess,Sleep,lstrlenA,VirtualAlloc,CryptStringToBinaryA,ExitProcess,InitializeCriticalSection,DeleteCriticalSection,VirtualAlloc,GetModuleFileNameW,VirtualFree,ShellExecuteW,ExitThread, 14_2_0F9D4950
Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe Code function: 14_2_0F9D5880 VirtualAlloc,CryptBinaryToStringA,CryptBinaryToStringA,CryptBinaryToStringA,lstrlenA,lstrlenA,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrcatW,lstrcatW,lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenA,lstrlenW,MultiByteToWideChar,lstrcatW,lstrlenW,lstrlenA,lstrlenW,MultiByteToWideChar,lstrcatW,lstrlenW,lstrlenW,VirtualAlloc,lstrlenW,lstrlenW,_memset,lstrlenA,lstrlenA,CryptBinaryToStringA,GetLastError,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,MultiByteToWideChar,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree, 14_2_0F9D5880
Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe Code function: 14_2_0F9D62B0 CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptGenKey,CryptExportKey,CryptExportKey,CryptDestroyKey,CryptReleaseContext,CryptAcquireContextW, 14_2_0F9D62B0
Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe Code function: 14_2_0F9D82A0 CryptAcquireContextW,VirtualAlloc,GetModuleHandleA,LoadLibraryA,GetProcAddress,CryptReleaseContext,VirtualFree,CryptReleaseContext,VirtualFree, 14_2_0F9D82A0
Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe Code function: 14_2_0F9D5210 lstrlenA,VirtualAlloc,CryptStringToBinaryA,_memset,lstrlenA,lstrlenA,lstrlenA,VirtualAlloc,lstrcpyA,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,VirtualFree,GetLastError, 14_2_0F9D5210
Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe Code function: 14_2_0F9D6530 EnterCriticalSection,CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptImportKey,CryptGetKeyParam,CryptEncrypt,GetLastError,CryptReleaseContext,LeaveCriticalSection, 14_2_0F9D6530
Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe Code function: 14_2_0F9D8150 CryptAcquireContextW,VirtualAlloc,GetModuleHandleA,LoadLibraryA,GetProcAddress,CryptReleaseContext,VirtualFree,CryptReleaseContext,VirtualFree, 14_2_0F9D8150
Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe Code function: 14_2_0F9D5670 VirtualAlloc,wsprintfW,lstrlenW,lstrlenW,lstrlenW,_memset,lstrlenA,lstrlenW,lstrlenW,CryptBinaryToStringA,GetLastError,lstrlenA,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,VirtualFree,VirtualFree,VirtualFree, 14_2_0F9D5670
Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe Code function: 20_2_0F9D4950 Sleep,ExitProcess,CreateThread,WaitForSingleObject,TerminateThread,CloseHandle,VirtualAlloc,GetModuleFileNameW,VirtualFree,ExitProcess,Sleep,lstrlenA,VirtualAlloc,CryptStringToBinaryA,ExitProcess,InitializeCriticalSection,DeleteCriticalSection,VirtualAlloc,GetModuleFileNameW,VirtualFree,ShellExecuteW,ExitThread, 20_2_0F9D4950
Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe Code function: 20_2_0F9D5880 VirtualAlloc,CryptBinaryToStringA,CryptBinaryToStringA,CryptBinaryToStringA,lstrlenA,lstrlenA,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrcatW,lstrcatW,lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenA,lstrlenW,MultiByteToWideChar,lstrcatW,lstrlenW,lstrlenA,lstrlenW,MultiByteToWideChar,lstrcatW,lstrlenW,lstrlenW,VirtualAlloc,lstrlenW,lstrlenW,_memset,lstrlenA,lstrlenA,CryptBinaryToStringA,GetLastError,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,MultiByteToWideChar,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree, 20_2_0F9D5880
Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe Code function: 20_2_0F9D62B0 CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptGenKey,CryptExportKey,CryptExportKey,CryptDestroyKey,CryptReleaseContext,CryptAcquireContextW, 20_2_0F9D62B0
Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe Code function: 20_2_0F9D82A0 CryptAcquireContextW,VirtualAlloc,GetModuleHandleA,LoadLibraryA,GetProcAddress,CryptReleaseContext,VirtualFree,CryptReleaseContext,VirtualFree, 20_2_0F9D82A0
Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe Code function: 20_2_0F9D5210 lstrlenA,VirtualAlloc,CryptStringToBinaryA,_memset,lstrlenA,lstrlenA,lstrlenA,VirtualAlloc,lstrcpyA,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,VirtualFree,GetLastError, 20_2_0F9D5210
Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe Code function: 20_2_0F9D6530 EnterCriticalSection,CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptImportKey,CryptGetKeyParam,CryptEncrypt,GetLastError,CryptReleaseContext,LeaveCriticalSection, 20_2_0F9D6530
Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe Code function: 20_2_0F9D8150 CryptAcquireContextW,VirtualAlloc,GetModuleHandleA,LoadLibraryA,GetProcAddress,CryptReleaseContext,VirtualFree,CryptReleaseContext,VirtualFree, 20_2_0F9D8150
Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe Code function: 20_2_0F9D5670 VirtualAlloc,wsprintfW,lstrlenW,lstrlenW,lstrlenW,_memset,lstrlenA,lstrlenW,lstrlenW,CryptBinaryToStringA,GetLastError,lstrlenA,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,VirtualFree,VirtualFree,VirtualFree, 20_2_0F9D5670
Uses 32bit PE files
Source: gI5xZdIxUs.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: gI5xZdIxUs.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH
Checks for available system drives (often done to infect USB drives)
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe File opened: z: Jump to behavior
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe File opened: x: Jump to behavior
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe File opened: v: Jump to behavior
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe File opened: t: Jump to behavior
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe File opened: r: Jump to behavior
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe File opened: p: Jump to behavior
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe File opened: n: Jump to behavior
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe File opened: l: Jump to behavior
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe File opened: j: Jump to behavior
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe File opened: h: Jump to behavior
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe File opened: f: Jump to behavior
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe File opened: b: Jump to behavior
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe File opened: y: Jump to behavior
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe File opened: w: Jump to behavior
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe File opened: u: Jump to behavior
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe File opened: s: Jump to behavior
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe File opened: q: Jump to behavior
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe File opened: o: Jump to behavior
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe File opened: m: Jump to behavior
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe File opened: k: Jump to behavior
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe File opened: i: Jump to behavior
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe File opened: g: Jump to behavior
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe File opened: e: Jump to behavior
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe File opened: a: Jump to behavior
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe Code function: 1_2_0FC66C90 lstrlenW,lstrcatW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcatW,lstrcatW,lstrcatW,FindNextFileW,FindClose, 1_2_0FC66C90
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe Code function: 1_2_0FC66A40 lstrlenW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcatW,lstrlenW,lstrcmpW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,lstrlenA,VirtualFree,CloseHandle,lstrcmpW,FindNextFileW,FindClose, 1_2_0FC66A40
Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe Code function: 14_2_0F9D6C90 lstrlenW,lstrcatW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcatW,lstrcatW,lstrcatW,FindNextFileW,FindClose, 14_2_0F9D6C90
Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe Code function: 14_2_0F9D6A40 lstrlenW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcatW,lstrlenW,lstrcmpW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,lstrlenA,VirtualFree,CloseHandle,lstrcmpW,FindNextFileW,FindClose, 14_2_0F9D6A40
Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe Code function: 20_2_0F9D6C90 lstrlenW,lstrcatW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcatW,lstrcatW,lstrcatW,FindNextFileW,FindClose, 20_2_0F9D6C90
Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe Code function: 20_2_0F9D6A40 lstrlenW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcatW,lstrlenW,lstrcmpW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,lstrlenA,VirtualFree,CloseHandle,lstrcmpW,FindNextFileW,FindClose, 20_2_0F9D6A40

Networking
barindex
Snort IDS alert for network traffic
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:52957 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:52958 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:52959 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:52960 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:60584 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:60585 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:60586 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:60587 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:62052 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:62053 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:62054 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:56043 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:59638 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:59639 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:59640 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:59641 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:65109 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:65110 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:65111 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:65112 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:58693 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:58694 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:58695 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:58696 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:60751 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:60752 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:60753 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:60754 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:56951 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:56952 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:56953 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:56954 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:65019 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:65020 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:65021 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:65022 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:53468 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:53469 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:53470 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:53471 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:61418 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:61419 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:61420 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:61421 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:65198 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:65199 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:65200 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:65201 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:53051 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:53052 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:53053 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:53054 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:60090 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:60091 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:60092 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:60093 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:53430 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:53431 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:53432 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:53433 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:65513 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:65514 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:65515 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:65516 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:51994 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:51995 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:51996 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:51997 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:58121 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:58122 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:58123 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:58124 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:58303 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:58304 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:58305 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:58306 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:63448 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:63449 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:63450 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:63451 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:65387 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:65388 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:65389 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:65390 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:54155 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:54156 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:54157 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:54158 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:50786 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:50787 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:50788 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:50789 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:64123 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:64124 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:64125 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:64126 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:60827 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:60828 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:60829 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:60830 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:49203 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:49204 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:49205 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:49206 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:60475 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:60476 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:60477 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:60478 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:56618 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:56619 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:56620 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:56621 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:57389 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:57390 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:57391 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:57392 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:50230 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:50231 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:50232 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:50233 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:52457 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:52458 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:52459 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:52460 -> 8.8.8.8:53
Contains functionality to determine the online IP of the system
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe Code function: 1_2_0FC66E90 VirtualAlloc,VirtualAlloc,lstrlenW,lstrlenA,wsprintfW,VirtualFree,InternetCloseHandle, ipv4bot.whatismyipaddress.com 1_2_0FC66E90
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe Code function: 1_2_0FC66E90 VirtualAlloc,VirtualAlloc,lstrlenW,lstrlenA,wsprintfW,VirtualFree,InternetCloseHandle, ipv4bot.whatismyipaddress.com 1_2_0FC66E90
Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe Code function: 14_2_0F9D6E90 VirtualAlloc,VirtualAlloc,lstrlenW,lstrlenA,wsprintfW,VirtualFree,InternetCloseHandle, ipv4bot.whatismyipaddress.com 14_2_0F9D6E90
Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe Code function: 14_2_0F9D6E90 VirtualAlloc,VirtualAlloc,lstrlenW,lstrlenA,wsprintfW,VirtualFree,InternetCloseHandle, ipv4bot.whatismyipaddress.com 14_2_0F9D6E90
Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe Code function: 20_2_0F9D6E90 VirtualAlloc,VirtualAlloc,lstrlenW,lstrlenA,wsprintfW,VirtualFree,InternetCloseHandle, ipv4bot.whatismyipaddress.com 20_2_0F9D6E90
Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe Code function: 20_2_0F9D6E90 VirtualAlloc,VirtualAlloc,lstrlenW,lstrlenA,wsprintfW,VirtualFree,InternetCloseHandle, ipv4bot.whatismyipaddress.com 20_2_0F9D6E90
Found Tor onion address
Source: gI5xZdIxUs.exe, 00000001.00000002.537565986.000000000FC72000.00000004.00000001.01000000.00000003.sdmp String found in binary or memory: 4. Open link in tor browser: http://gdcbghvjyqy7jclk.onion/3a23db8448d3b2b
Source: gI5xZdIxUs.exe, 00000001.00000000.272303387.000000000FC72000.00000008.00000001.01000000.00000003.sdmp String found in binary or memory: 4. Open link in tor browser: http://gdcbghvjyqy7jclk.onion/3a23db8448d3b2b
Source: isqmkp.exe, 0000000E.00000000.307654244.000000000F9E2000.00000008.00000001.01000000.00000005.sdmp String found in binary or memory: 4. Open link in tor browser: http://gdcbghvjyqy7jclk.onion/3a23db8448d3b2b
Source: isqmkp.exe, 00000014.00000002.325494839.000000000F9E2000.00000008.00000001.01000000.00000005.sdmp String found in binary or memory: 4. Open link in tor browser: http://gdcbghvjyqy7jclk.onion/3a23db8448d3b2b
Source: gI5xZdIxUs.exe String found in binary or memory: 4. Open link in tor browser: http://gdcbghvjyqy7jclk.onion/3a23db8448d3b2b
Source: isqmkp.exe.1.dr String found in binary or memory: 4. Open link in tor browser: http://gdcbghvjyqy7jclk.onion/3a23db8448d3b2b
Uses nslookup.exe to query domains
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns1.soprodns.ru
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns2.soprodns.ru
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns2.soprodns.ru
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns2.soprodns.ru
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns1.soprodns.ru
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns2.soprodns.ru
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns2.soprodns.ru
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns2.soprodns.ru
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns1.soprodns.ru
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns2.soprodns.ru
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns2.soprodns.ru
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns2.soprodns.ru
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns1.soprodns.ru
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns2.soprodns.ru
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns2.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns2.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns2.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns2.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns2.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns2.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns2.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns2.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns2.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns2.soprodns.ru Jump to behavior
May check the online IP address of the machine
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe DNS query: name: ipv4bot.whatismyipaddress.com
Performs many domain queries via nslookup
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns2.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns2.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns2.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru Jump to behavior
Source: gI5xZdIxUs.exe, isqmkp.exe.1.dr String found in binary or memory: http://gdcbghvjyqy7jclk.onion/3a23db8448d3b2b
Source: gI5xZdIxUs.exe, 00000001.00000002.537080039.0000000000C7A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ipv4bot.whatismyipaddress.com/
Source: gI5xZdIxUs.exe, 00000001.00000002.537080039.0000000000C7A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ipv4bot.whatismyipaddress.com/4
Source: gI5xZdIxUs.exe, 00000001.00000002.537080039.0000000000C7A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ipv4bot.whatismyipaddress.com/a
Source: gI5xZdIxUs.exe, isqmkp.exe.1.dr String found in binary or memory: https://tox.chat/download.html
Source: gI5xZdIxUs.exe, isqmkp.exe.1.dr String found in binary or memory: https://www.torproject.org/
Source: unknown DNS traffic detected: queries for: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe Code function: 1_2_0FC67EF0 lstrcatW,InternetCloseHandle,InternetConnectW,VirtualAlloc,wsprintfW,HttpOpenRequestW,HttpAddRequestHeadersW,HttpSendRequestW,InternetReadFile,InternetReadFile,GetLastError,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,VirtualFree, 1_2_0FC67EF0
Creates a DirectInput object (often for capturing keystrokes)
Source: gI5xZdIxUs.exe, 00000001.00000002.537080039.0000000000C7A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Spam, unwanted Advertisements and Ransom Demands
barindex
Yara detected Gandcrab
Source: Yara match File source: gI5xZdIxUs.exe, type: SAMPLE
Source: Yara match File source: 14.2.isqmkp.exe.f9d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.0.isqmkp.exe.f9d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.isqmkp.exe.f9d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.gI5xZdIxUs.exe.fc60000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.isqmkp.exe.f9d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.gI5xZdIxUs.exe.fc60000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000E.00000000.307654244.000000000F9E2000.00000008.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.325494839.000000000F9E2000.00000008.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000000.322638424.000000000F9E2000.00000008.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.315662109.000000000F9E2000.00000008.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.537565986.000000000FC72000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.272303387.000000000FC72000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: gI5xZdIxUs.exe PID: 5280, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: isqmkp.exe PID: 5464, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: isqmkp.exe PID: 1572, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe, type: DROPPED
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe Code function: 1_2_0FC66530 EnterCriticalSection,CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptImportKey,CryptGetKeyParam,CryptEncrypt,GetLastError,CryptReleaseContext,LeaveCriticalSection, 1_2_0FC66530
Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe Code function: 14_2_0F9D6530 EnterCriticalSection,CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptImportKey,CryptGetKeyParam,CryptEncrypt,GetLastError,CryptReleaseContext,LeaveCriticalSection, 14_2_0F9D6530
Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe Code function: 20_2_0F9D6530 EnterCriticalSection,CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptImportKey,CryptGetKeyParam,CryptEncrypt,GetLastError,CryptReleaseContext,LeaveCriticalSection, 20_2_0F9D6530
Too many similar processes found
Source: nslookup.exe Process created: 42

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: gI5xZdIxUs.exe, type: SAMPLE Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: gI5xZdIxUs.exe, type: SAMPLE Matched rule: Gandcrab Payload Author: kevoreilly
Source: 14.2.isqmkp.exe.f9d0000.0.unpack, type: UNPACKEDPE Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 14.2.isqmkp.exe.f9d0000.0.unpack, type: UNPACKEDPE Matched rule: Gandcrab Payload Author: kevoreilly
Source: 14.0.isqmkp.exe.f9d0000.0.unpack, type: UNPACKEDPE Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 14.0.isqmkp.exe.f9d0000.0.unpack, type: UNPACKEDPE Matched rule: Gandcrab Payload Author: kevoreilly
Source: 20.2.isqmkp.exe.f9d0000.0.unpack, type: UNPACKEDPE Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 20.2.isqmkp.exe.f9d0000.0.unpack, type: UNPACKEDPE Matched rule: Gandcrab Payload Author: kevoreilly
Source: 1.0.gI5xZdIxUs.exe.fc60000.0.unpack, type: UNPACKEDPE Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 1.0.gI5xZdIxUs.exe.fc60000.0.unpack, type: UNPACKEDPE Matched rule: Gandcrab Payload Author: kevoreilly
Source: 20.0.isqmkp.exe.f9d0000.0.unpack, type: UNPACKEDPE Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 20.0.isqmkp.exe.f9d0000.0.unpack, type: UNPACKEDPE Matched rule: Gandcrab Payload Author: kevoreilly
Source: 1.2.gI5xZdIxUs.exe.fc60000.0.unpack, type: UNPACKEDPE Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 1.2.gI5xZdIxUs.exe.fc60000.0.unpack, type: UNPACKEDPE Matched rule: Gandcrab Payload Author: kevoreilly
Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe, type: DROPPED Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe, type: DROPPED Matched rule: Gandcrab Payload Author: kevoreilly
Uses 32bit PE files
Source: gI5xZdIxUs.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Yara signature match
Source: gI5xZdIxUs.exe, type: SAMPLE Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: gI5xZdIxUs.exe, type: SAMPLE Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: gI5xZdIxUs.exe, type: SAMPLE Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: gI5xZdIxUs.exe, type: SAMPLE Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 14.2.isqmkp.exe.f9d0000.0.unpack, type: UNPACKEDPE Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 14.2.isqmkp.exe.f9d0000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 14.2.isqmkp.exe.f9d0000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 14.2.isqmkp.exe.f9d0000.0.unpack, type: UNPACKEDPE Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 14.0.isqmkp.exe.f9d0000.0.unpack, type: UNPACKEDPE Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 14.0.isqmkp.exe.f9d0000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 14.0.isqmkp.exe.f9d0000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 14.0.isqmkp.exe.f9d0000.0.unpack, type: UNPACKEDPE Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 20.2.isqmkp.exe.f9d0000.0.unpack, type: UNPACKEDPE Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 20.2.isqmkp.exe.f9d0000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 20.2.isqmkp.exe.f9d0000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 20.2.isqmkp.exe.f9d0000.0.unpack, type: UNPACKEDPE Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 1.0.gI5xZdIxUs.exe.fc60000.0.unpack, type: UNPACKEDPE Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 1.0.gI5xZdIxUs.exe.fc60000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 1.0.gI5xZdIxUs.exe.fc60000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 1.0.gI5xZdIxUs.exe.fc60000.0.unpack, type: UNPACKEDPE Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 20.0.isqmkp.exe.f9d0000.0.unpack, type: UNPACKEDPE Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 20.0.isqmkp.exe.f9d0000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 20.0.isqmkp.exe.f9d0000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 20.0.isqmkp.exe.f9d0000.0.unpack, type: UNPACKEDPE Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 1.2.gI5xZdIxUs.exe.fc60000.0.unpack, type: UNPACKEDPE Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 1.2.gI5xZdIxUs.exe.fc60000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 1.2.gI5xZdIxUs.exe.fc60000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 1.2.gI5xZdIxUs.exe.fc60000.0.unpack, type: UNPACKEDPE Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: Process Memory Space: gI5xZdIxUs.exe PID: 5280, type: MEMORYSTR Matched rule: HKTL_Meterpreter_inMemory date = 2020-06-29, author = netbiosX, Florian Roth, description = Detects Meterpreter in-memory, score = , reference = https://www.reddit.com/r/purpleteamsec/comments/hjux11/meterpreter_memory_indicators_detection_tooling/
Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe, type: DROPPED Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe, type: DROPPED Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe, type: DROPPED Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe, type: DROPPED Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Detected potential crypto function
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe Code function: 1_2_0FC683C0 1_2_0FC683C0
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe Code function: 1_2_0FC61C20 1_2_0FC61C20
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe Code function: 1_2_0FC61020 1_2_0FC61020
Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe Code function: 14_2_0F9D83C0 14_2_0F9D83C0
Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe Code function: 14_2_0F9D1C20 14_2_0F9D1C20
Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe Code function: 14_2_0F9D1020 14_2_0F9D1020
Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe Code function: 20_2_0F9D83C0 20_2_0F9D83C0
Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe Code function: 20_2_0F9D1C20 20_2_0F9D1C20
Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe Code function: 20_2_0F9D1020 20_2_0F9D1020
Source: gI5xZdIxUs.exe Virustotal: Detection: 85%
Source: gI5xZdIxUs.exe Metadefender: Detection: 74%
Source: gI5xZdIxUs.exe ReversingLabs: Detection: 92%
Source: gI5xZdIxUs.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\gI5xZdIxUs.exe "C:\Users\user\Desktop\gI5xZdIxUs.exe"
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns1.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe "C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe"
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns2.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns2.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe "C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe"
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns2.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns1.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns2.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns2.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns2.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns1.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns2.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns2.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns2.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns1.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns2.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns2.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns2.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns2.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns2.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns2.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns2.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns2.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns2.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns2.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns2.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32 Jump to behavior
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe File created: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe Jump to behavior
Source: classification engine Classification label: mal100.rans.troj.evad.winEXE@85/2@305/0
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe Code function: 1_2_0FC67330 VirtualAlloc,VirtualAlloc,GetUserNameW,VirtualAlloc,GetComputerNameW,wsprintfW,VirtualAlloc,wsprintfW,VirtualAlloc,RegOpenKeyExW,RegQueryValueExW,GetLastError,RegCloseKey,VirtualFree,VirtualAlloc,VirtualAlloc,wsprintfW,RegOpenKeyExW,RegQueryValueExW,GetLastError,RegCloseKey,lstrcmpiW,wsprintfW,VirtualFree,VirtualAlloc,VirtualAlloc,wsprintfW,GetNativeSystemInfo,VirtualAlloc,wsprintfW,ExitProcess,wsprintfW,VirtualAlloc,VirtualAlloc,GetWindowsDirectoryW,GetVolumeInformationW,lstrlenW,wsprintfW,lstrcatW,lstrcatW,GetModuleHandleW,GetProcAddress,lstrlenW,VirtualFree,lstrcatW,VirtualAlloc,GetDriveTypeW,lstrcatW,lstrcatW,lstrcatW,GetDiskFreeSpaceW,lstrlenW,wsprintfW,wsprintfW,lstrlenW,lstrlenW,wsprintfW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,lstrlenW,VirtualAlloc,VirtualFree, 1_2_0FC67330
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe Code function: 1_2_0FC646F0 CreateToolhelp32Snapshot,VirtualAlloc,Process32FirstW,CloseHandle,lstrcmpiW,OpenProcess,TerminateProcess,CloseHandle,CloseHandle,CloseHandle,Process32NextW,VirtualFree,FindCloseChangeNotification, 1_2_0FC646F0
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4592:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1920:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1552:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6096:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5484:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5636:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5984:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1784:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4560:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1000:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5844:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4624:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5388:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1960:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5552:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:792:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1012:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5556:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6060:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5824:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:496:120:WilError_01
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\pc_group=WORKGROUP&ransom_id=342245cbb89b1482
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: gI5xZdIxUs.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH

Data Obfuscation
barindex
Yara detected ReflectiveLoader
Source: Yara match File source: gI5xZdIxUs.exe, type: SAMPLE
Source: Yara match File source: 14.2.isqmkp.exe.f9d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.0.isqmkp.exe.f9d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.isqmkp.exe.f9d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.gI5xZdIxUs.exe.fc60000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.isqmkp.exe.f9d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.gI5xZdIxUs.exe.fc60000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000014.00000000.322631215.000000000F9DA000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.315651936.000000000F9DA000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.272296797.000000000FC6A000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000000.307645700.000000000F9DA000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.325486891.000000000F9DA000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.537541962.000000000FC6A000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: gI5xZdIxUs.exe PID: 5280, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: isqmkp.exe PID: 5464, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: isqmkp.exe PID: 1572, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe, type: DROPPED
PE file contains sections with non-standard names
Source: gI5xZdIxUs.exe Static PE information: section name: .l2
Source: isqmkp.exe.1.dr Static PE information: section name: .l2
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe Code function: 1_2_0FC682A0 CryptAcquireContextW,VirtualAlloc,GetModuleHandleA,LoadLibraryA,GetProcAddress,CryptReleaseContext,VirtualFree,CryptReleaseContext,VirtualFree, 1_2_0FC682A0
Drops PE files
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe File created: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe Jump to dropped file
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce bwduumgtptl Jump to behavior
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce bwduumgtptl Jump to behavior
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce bwduumgtptl Jump to behavior
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce bwduumgtptl Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe TID: 5052 Thread sleep count: 39 > 30 Jump to behavior
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe TID: 5052 Thread sleep time: -39000s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Found evaded block containing many API calls
Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe Evaded block: after key decision
Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe Evaded block: after key decision
Contains functionality to enumerate device drivers
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe Code function: EnumDeviceDrivers,K32EnumDeviceDrivers,VirtualAlloc,K32EnumDeviceDrivers,K32GetDeviceDriverBaseNameW,lstrcmpiW,VirtualFree,VirtualFree, 1_2_0FC62F50
Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe Code function: EnumDeviceDrivers,EnumDeviceDrivers,VirtualAlloc,EnumDeviceDrivers,GetDeviceDriverBaseNameW,lstrcmpiW,VirtualFree,VirtualFree, 14_2_0F9D2F50
Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe Code function: EnumDeviceDrivers,EnumDeviceDrivers,VirtualAlloc,EnumDeviceDrivers,GetDeviceDriverBaseNameW,lstrcmpiW,VirtualFree,VirtualFree, 20_2_0F9D2F50
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe Code function: 1_2_0FC66C90 lstrlenW,lstrcatW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcatW,lstrcatW,lstrcatW,FindNextFileW,FindClose, 1_2_0FC66C90
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe Code function: 1_2_0FC66A40 lstrlenW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcatW,lstrlenW,lstrcmpW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,lstrlenA,VirtualFree,CloseHandle,lstrcmpW,FindNextFileW,FindClose, 1_2_0FC66A40
Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe Code function: 14_2_0F9D6C90 lstrlenW,lstrcatW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcatW,lstrcatW,lstrcatW,FindNextFileW,FindClose, 14_2_0F9D6C90
Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe Code function: 14_2_0F9D6A40 lstrlenW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcatW,lstrlenW,lstrcmpW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,lstrlenA,VirtualFree,CloseHandle,lstrcmpW,FindNextFileW,FindClose, 14_2_0F9D6A40
Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe Code function: 20_2_0F9D6C90 lstrlenW,lstrcatW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcatW,lstrcatW,lstrcatW,FindNextFileW,FindClose, 20_2_0F9D6C90
Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe Code function: 20_2_0F9D6A40 lstrlenW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcatW,lstrlenW,lstrcmpW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,lstrlenA,VirtualFree,CloseHandle,lstrcmpW,FindNextFileW,FindClose, 20_2_0F9D6A40
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe System information queried: ModuleInformation Jump to behavior
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe API call chain: ExitProcess graph end node
Source: gI5xZdIxUs.exe, 00000001.00000002.537080039.0000000000C7A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllx
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe Code function: 1_2_0FC682A0 CryptAcquireContextW,VirtualAlloc,GetModuleHandleA,LoadLibraryA,GetProcAddress,CryptReleaseContext,VirtualFree,CryptReleaseContext,VirtualFree, 1_2_0FC682A0
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe Code function: 1_2_0FC633E0 lstrlenA,lstrlenA,GetProcessHeap,HeapAlloc,lstrcpyA,ExitProcess, 1_2_0FC633E0
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe Code function: 1_2_0FC65EC0 mov eax, dword ptr fs:[00000030h] 1_2_0FC65EC0
Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe Code function: 14_2_0F9D5EC0 mov eax, dword ptr fs:[00000030h] 14_2_0F9D5EC0
Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe Code function: 20_2_0F9D5EC0 mov eax, dword ptr fs:[00000030h] 20_2_0F9D5EC0
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns2.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns2.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns2.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns2.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns2.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns2.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns2.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns2.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns2.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns2.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe Code function: 1_2_0FC63AA0 AllocateAndInitializeSid,GetModuleHandleA,GetProcAddress,FreeSid, 1_2_0FC63AA0
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe Code function: 1_2_0FC690A0 cpuid 1_2_0FC690A0
Queries information about the installed CPU (vendor, model number etc)
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe Code function: 1_2_0FC67330 VirtualAlloc,VirtualAlloc,GetUserNameW,VirtualAlloc,GetComputerNameW,wsprintfW,VirtualAlloc,wsprintfW,VirtualAlloc,RegOpenKeyExW,RegQueryValueExW,GetLastError,RegCloseKey,VirtualFree,VirtualAlloc,VirtualAlloc,wsprintfW,RegOpenKeyExW,RegQueryValueExW,GetLastError,RegCloseKey,lstrcmpiW,wsprintfW,VirtualFree,VirtualAlloc,VirtualAlloc,wsprintfW,GetNativeSystemInfo,VirtualAlloc,wsprintfW,ExitProcess,wsprintfW,VirtualAlloc,VirtualAlloc,GetWindowsDirectoryW,GetVolumeInformationW,lstrlenW,wsprintfW,lstrcatW,lstrcatW,GetModuleHandleW,GetProcAddress,lstrlenW,VirtualFree,lstrcatW,VirtualAlloc,GetDriveTypeW,lstrcatW,lstrcatW,lstrcatW,GetDiskFreeSpaceW,lstrlenW,wsprintfW,wsprintfW,lstrlenW,lstrlenW,wsprintfW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,lstrlenW,VirtualAlloc,VirtualFree, 1_2_0FC67330
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 694566 Sample: gI5xZdIxUs.exe Startdate: 31/08/2022 Architecture: WINDOWS Score: 100 57 nomoreransom.coin 2->57 59 nomoreransom.bit 2->59 61 4 other IPs or domains 2->61 65 Snort IDS alert for network traffic 2->65 67 Multi AV Scanner detection for domain / URL 2->67 69 Malicious sample detected (through community Yara rule) 2->69 71 6 other signatures 2->71 8 gI5xZdIxUs.exe 1 28 2->8         started        13 isqmkp.exe 2->13         started        15 isqmkp.exe 2->15         started        signatures3 process4 dnsIp5 63 ipv4bot.whatismyipaddress.com 8->63 40 C:\Users\user\AppData\Roaming\...\isqmkp.exe, PE32 8->40 dropped 73 Contains functionality to determine the online IP of the system 8->73 75 May check the online IP address of the machine 8->75 77 Uses nslookup.exe to query domains 8->77 79 Performs many domain queries via nslookup 8->79 17 nslookup.exe 1 8->17         started        20 nslookup.exe 1 8->20         started        22 nslookup.exe 1 8->22         started        24 18 other processes 8->24 81 Antivirus detection for dropped file 13->81 83 Machine Learning detection for dropped file 13->83 file6 signatures7 process8 dnsIp9 42 dns1.soprodns.ru 17->42 45 nomoreransom.coin 17->45 47 8.8.8.8.in-addr.arpa 17->47 26 conhost.exe 17->26         started        51 3 other IPs or domains 20->51 28 conhost.exe 20->28         started        53 3 other IPs or domains 22->53 30 conhost.exe 22->30         started        49 nomoreransom.coin 24->49 55 53 other IPs or domains 24->55 32 conhost.exe 24->32         started        34 conhost.exe 24->34         started        36 conhost.exe 24->36         started        38 15 other processes 24->38 signatures10 85 May check the online IP address of the machine 42->85 process11
No contacted IP infos

Contacted Domains

Name IP Active
nomoreransom.coin unknown unknown
ipv4bot.whatismyipaddress.com unknown unknown
nomoreransom.bit unknown unknown
gandcrab.bit unknown unknown
dns1.soprodns.ru unknown unknown
dns2.soprodns.ru unknown unknown
8.8.8.8.in-addr.arpa unknown unknown