Source: C:\Users\user\Desktop\gI5xZdIxUs.exe |
Code function: 1_2_0FC65880 VirtualAlloc,CryptBinaryToStringA,CryptBinaryToStringA,CryptBinaryToStringA,lstrlenA,lstrlenA,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrcatW,lstrcatW,lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenA,lstrlenW,MultiByteToWideChar,lstrcatW,lstrlenW,lstrlenA,lstrlenW,MultiByteToWideChar,lstrcatW,lstrlenW,lstrlenW,VirtualAlloc,lstrlenW,lstrlenW,_memset,lstrlenA,lstrlenA,CryptBinaryToStringA,GetLastError,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,MultiByteToWideChar,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree, |
1_2_0FC65880 |
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe |
Code function: 1_2_0FC682A0 CryptAcquireContextW,VirtualAlloc,GetModuleHandleA,LoadLibraryA,GetProcAddress,CryptReleaseContext,VirtualFree,CryptReleaseContext,VirtualFree, |
1_2_0FC682A0 |
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe |
Code function: 1_2_0FC662B0 CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptGenKey,CryptExportKey,CryptExportKey,CryptDestroyKey,CryptReleaseContext,CryptAcquireContextW, |
1_2_0FC662B0 |
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe |
Code function: 1_2_0FC64950 Sleep,ExitProcess,CreateThread,WaitForSingleObject,TerminateThread,CloseHandle,VirtualAlloc,GetModuleFileNameW,VirtualFree,ExitProcess,Sleep,lstrlenA,VirtualAlloc,CryptStringToBinaryA,ExitProcess,InitializeCriticalSection,DeleteCriticalSection,VirtualAlloc,GetModuleFileNameW,VirtualFree,ShellExecuteW,ExitThread, |
1_2_0FC64950 |
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe |
Code function: 1_2_0FC68150 CryptAcquireContextW,VirtualAlloc,GetModuleHandleA,LoadLibraryA,GetProcAddress,CryptReleaseContext,VirtualFree,CryptReleaseContext,VirtualFree, |
1_2_0FC68150 |
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe |
Code function: 1_2_0FC65670 VirtualAlloc,wsprintfW,lstrlenW,lstrlenW,lstrlenW,_memset,lstrlenA,lstrlenW,lstrlenW,CryptBinaryToStringA,GetLastError,lstrlenA,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,VirtualFree,VirtualFree,VirtualFree, |
1_2_0FC65670 |
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe |
Code function: 1_2_0FC65210 lstrlenA,VirtualAlloc,CryptStringToBinaryA,_memset,lstrlenA,lstrlenA,lstrlenA,VirtualAlloc,lstrcpyA,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,VirtualFree,GetLastError, |
1_2_0FC65210 |
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe |
Code function: 1_2_0FC66530 EnterCriticalSection,CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptImportKey,CryptGetKeyParam,CryptEncrypt,GetLastError,CryptReleaseContext,LeaveCriticalSection, |
1_2_0FC66530 |
Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe |
Code function: 14_2_0F9D4950 Sleep,ExitProcess,CreateThread,WaitForSingleObject,TerminateThread,CloseHandle,VirtualAlloc,GetModuleFileNameW,VirtualFree,ExitProcess,Sleep,lstrlenA,VirtualAlloc,CryptStringToBinaryA,ExitProcess,InitializeCriticalSection,DeleteCriticalSection,VirtualAlloc,GetModuleFileNameW,VirtualFree,ShellExecuteW,ExitThread, |
14_2_0F9D4950 |
Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe |
Code function: 14_2_0F9D5880 VirtualAlloc,CryptBinaryToStringA,CryptBinaryToStringA,CryptBinaryToStringA,lstrlenA,lstrlenA,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrcatW,lstrcatW,lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenA,lstrlenW,MultiByteToWideChar,lstrcatW,lstrlenW,lstrlenA,lstrlenW,MultiByteToWideChar,lstrcatW,lstrlenW,lstrlenW,VirtualAlloc,lstrlenW,lstrlenW,_memset,lstrlenA,lstrlenA,CryptBinaryToStringA,GetLastError,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,MultiByteToWideChar,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree, |
14_2_0F9D5880 |
Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe |
Code function: 14_2_0F9D62B0 CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptGenKey,CryptExportKey,CryptExportKey,CryptDestroyKey,CryptReleaseContext,CryptAcquireContextW, |
14_2_0F9D62B0 |
Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe |
Code function: 14_2_0F9D82A0 CryptAcquireContextW,VirtualAlloc,GetModuleHandleA,LoadLibraryA,GetProcAddress,CryptReleaseContext,VirtualFree,CryptReleaseContext,VirtualFree, |
14_2_0F9D82A0 |
Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe |
Code function: 14_2_0F9D5210 lstrlenA,VirtualAlloc,CryptStringToBinaryA,_memset,lstrlenA,lstrlenA,lstrlenA,VirtualAlloc,lstrcpyA,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,VirtualFree,GetLastError, |
14_2_0F9D5210 |
Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe |
Code function: 14_2_0F9D6530 EnterCriticalSection,CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptImportKey,CryptGetKeyParam,CryptEncrypt,GetLastError,CryptReleaseContext,LeaveCriticalSection, |
14_2_0F9D6530 |
Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe |
Code function: 14_2_0F9D8150 CryptAcquireContextW,VirtualAlloc,GetModuleHandleA,LoadLibraryA,GetProcAddress,CryptReleaseContext,VirtualFree,CryptReleaseContext,VirtualFree, |
14_2_0F9D8150 |
Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe |
Code function: 14_2_0F9D5670 VirtualAlloc,wsprintfW,lstrlenW,lstrlenW,lstrlenW,_memset,lstrlenA,lstrlenW,lstrlenW,CryptBinaryToStringA,GetLastError,lstrlenA,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,VirtualFree,VirtualFree,VirtualFree, |
14_2_0F9D5670 |
Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe |
Code function: 20_2_0F9D4950 Sleep,ExitProcess,CreateThread,WaitForSingleObject,TerminateThread,CloseHandle,VirtualAlloc,GetModuleFileNameW,VirtualFree,ExitProcess,Sleep,lstrlenA,VirtualAlloc,CryptStringToBinaryA,ExitProcess,InitializeCriticalSection,DeleteCriticalSection,VirtualAlloc,GetModuleFileNameW,VirtualFree,ShellExecuteW,ExitThread, |
20_2_0F9D4950 |
Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe |
Code function: 20_2_0F9D5880 VirtualAlloc,CryptBinaryToStringA,CryptBinaryToStringA,CryptBinaryToStringA,lstrlenA,lstrlenA,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrcatW,lstrcatW,lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenA,lstrlenW,MultiByteToWideChar,lstrcatW,lstrlenW,lstrlenA,lstrlenW,MultiByteToWideChar,lstrcatW,lstrlenW,lstrlenW,VirtualAlloc,lstrlenW,lstrlenW,_memset,lstrlenA,lstrlenA,CryptBinaryToStringA,GetLastError,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,MultiByteToWideChar,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree, |
20_2_0F9D5880 |
Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe |
Code function: 20_2_0F9D62B0 CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptGenKey,CryptExportKey,CryptExportKey,CryptDestroyKey,CryptReleaseContext,CryptAcquireContextW, |
20_2_0F9D62B0 |
Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe |
Code function: 20_2_0F9D82A0 CryptAcquireContextW,VirtualAlloc,GetModuleHandleA,LoadLibraryA,GetProcAddress,CryptReleaseContext,VirtualFree,CryptReleaseContext,VirtualFree, |
20_2_0F9D82A0 |
Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe |
Code function: 20_2_0F9D5210 lstrlenA,VirtualAlloc,CryptStringToBinaryA,_memset,lstrlenA,lstrlenA,lstrlenA,VirtualAlloc,lstrcpyA,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,VirtualFree,GetLastError, |
20_2_0F9D5210 |
Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe |
Code function: 20_2_0F9D6530 EnterCriticalSection,CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptImportKey,CryptGetKeyParam,CryptEncrypt,GetLastError,CryptReleaseContext,LeaveCriticalSection, |
20_2_0F9D6530 |
Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe |
Code function: 20_2_0F9D8150 CryptAcquireContextW,VirtualAlloc,GetModuleHandleA,LoadLibraryA,GetProcAddress,CryptReleaseContext,VirtualFree,CryptReleaseContext,VirtualFree, |
20_2_0F9D8150 |
Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe |
Code function: 20_2_0F9D5670 VirtualAlloc,wsprintfW,lstrlenW,lstrlenW,lstrlenW,_memset,lstrlenA,lstrlenW,lstrlenW,CryptBinaryToStringA,GetLastError,lstrlenA,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,VirtualFree,VirtualFree,VirtualFree, |
20_2_0F9D5670 |
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe |
Code function: 1_2_0FC66C90 lstrlenW,lstrcatW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcatW,lstrcatW,lstrcatW,FindNextFileW,FindClose, |
1_2_0FC66C90 |
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe |
Code function: 1_2_0FC66A40 lstrlenW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcatW,lstrlenW,lstrcmpW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,lstrlenA,VirtualFree,CloseHandle,lstrcmpW,FindNextFileW,FindClose, |
1_2_0FC66A40 |
Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe |
Code function: 14_2_0F9D6C90 lstrlenW,lstrcatW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcatW,lstrcatW,lstrcatW,FindNextFileW,FindClose, |
14_2_0F9D6C90 |
Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe |
Code function: 14_2_0F9D6A40 lstrlenW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcatW,lstrlenW,lstrcmpW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,lstrlenA,VirtualFree,CloseHandle,lstrcmpW,FindNextFileW,FindClose, |
14_2_0F9D6A40 |
Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe |
Code function: 20_2_0F9D6C90 lstrlenW,lstrcatW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcatW,lstrcatW,lstrcatW,FindNextFileW,FindClose, |
20_2_0F9D6C90 |
Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe |
Code function: 20_2_0F9D6A40 lstrlenW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcatW,lstrlenW,lstrcmpW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,lstrlenA,VirtualFree,CloseHandle,lstrcmpW,FindNextFileW,FindClose, |
20_2_0F9D6A40 |
Source: Traffic |
Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:52957 -> 8.8.8.8:53 |
Source: Traffic |
Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:52958 -> 8.8.8.8:53 |
Source: Traffic |
Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:52959 -> 8.8.8.8:53 |
Source: Traffic |
Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:52960 -> 8.8.8.8:53 |
Source: Traffic |
Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:60584 -> 8.8.8.8:53 |
Source: Traffic |
Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:60585 -> 8.8.8.8:53 |
Source: Traffic |
Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:60586 -> 8.8.8.8:53 |
Source: Traffic |
Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:60587 -> 8.8.8.8:53 |
Source: Traffic |
Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:62052 -> 8.8.8.8:53 |
Source: Traffic |
Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:62053 -> 8.8.8.8:53 |
Source: Traffic |
Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:62054 -> 8.8.8.8:53 |
Source: Traffic |
Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:56043 -> 8.8.8.8:53 |
Source: Traffic |
Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:59638 -> 8.8.8.8:53 |
Source: Traffic |
Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:59639 -> 8.8.8.8:53 |
Source: Traffic |
Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:59640 -> 8.8.8.8:53 |
Source: Traffic |
Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:59641 -> 8.8.8.8:53 |
Source: Traffic |
Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:65109 -> 8.8.8.8:53 |
Source: Traffic |
Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:65110 -> 8.8.8.8:53 |
Source: Traffic |
Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:65111 -> 8.8.8.8:53 |
Source: Traffic |
Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:65112 -> 8.8.8.8:53 |
Source: Traffic |
Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:58693 -> 8.8.8.8:53 |
Source: Traffic |
Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:58694 -> 8.8.8.8:53 |
Source: Traffic |
Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:58695 -> 8.8.8.8:53 |
Source: Traffic |
Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:58696 -> 8.8.8.8:53 |
Source: Traffic |
Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:60751 -> 8.8.8.8:53 |
Source: Traffic |
Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:60752 -> 8.8.8.8:53 |
Source: Traffic |
Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:60753 -> 8.8.8.8:53 |
Source: Traffic |
Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:60754 -> 8.8.8.8:53 |
Source: Traffic |
Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:56951 -> 8.8.8.8:53 |
Source: Traffic |
Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:56952 -> 8.8.8.8:53 |
Source: Traffic |
Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:56953 -> 8.8.8.8:53 |
Source: Traffic |
Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:56954 -> 8.8.8.8:53 |
Source: Traffic |
Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:65019 -> 8.8.8.8:53 |
Source: Traffic |
Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:65020 -> 8.8.8.8:53 |
Source: Traffic |
Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:65021 -> 8.8.8.8:53 |
Source: Traffic |
Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:65022 -> 8.8.8.8:53 |
Source: Traffic |
Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:53468 -> 8.8.8.8:53 |
Source: Traffic |
Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:53469 -> 8.8.8.8:53 |
Source: Traffic |
Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:53470 -> 8.8.8.8:53 |
Source: Traffic |
Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:53471 -> 8.8.8.8:53 |
Source: Traffic |
Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:61418 -> 8.8.8.8:53 |
Source: Traffic |
Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:61419 -> 8.8.8.8:53 |
Source: Traffic |
Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:61420 -> 8.8.8.8:53 |
Source: Traffic |
Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:61421 -> 8.8.8.8:53 |
Source: Traffic |
Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:65198 -> 8.8.8.8:53 |
Source: Traffic |
Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:65199 -> 8.8.8.8:53 |
Source: Traffic |
Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:65200 -> 8.8.8.8:53 |
Source: Traffic |
Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:65201 -> 8.8.8.8:53 |
Source: Traffic |
Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:53051 -> 8.8.8.8:53 |
Source: Traffic |
Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:53052 -> 8.8.8.8:53 |
Source: Traffic |
Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:53053 -> 8.8.8.8:53 |
Source: Traffic |
Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:53054 -> 8.8.8.8:53 |
Source: Traffic |
Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:60090 -> 8.8.8.8:53 |
Source: Traffic |
Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:60091 -> 8.8.8.8:53 |
Source: Traffic |
Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:60092 -> 8.8.8.8:53 |
Source: Traffic |
Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:60093 -> 8.8.8.8:53 |
Source: Traffic |
Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:53430 -> 8.8.8.8:53 |
Source: Traffic |
Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:53431 -> 8.8.8.8:53 |
Source: Traffic |
Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:53432 -> 8.8.8.8:53 |
Source: Traffic |
Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:53433 -> 8.8.8.8:53 |
Source: Traffic |
Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:65513 -> 8.8.8.8:53 |
Source: Traffic |
Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:65514 -> 8.8.8.8:53 |
Source: Traffic |
Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:65515 -> 8.8.8.8:53 |
Source: Traffic |
Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:65516 -> 8.8.8.8:53 |
Source: Traffic |
Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:51994 -> 8.8.8.8:53 |
Source: Traffic |
Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:51995 -> 8.8.8.8:53 |
Source: Traffic |
Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:51996 -> 8.8.8.8:53 |
Source: Traffic |
Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:51997 -> 8.8.8.8:53 |
Source: Traffic |
Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:58121 -> 8.8.8.8:53 |
Source: Traffic |
Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:58122 -> 8.8.8.8:53 |
Source: Traffic |
Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:58123 -> 8.8.8.8:53 |
Source: Traffic |
Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:58124 -> 8.8.8.8:53 |
Source: Traffic |
Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:58303 -> 8.8.8.8:53 |
Source: Traffic |
Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:58304 -> 8.8.8.8:53 |
Source: Traffic |
Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:58305 -> 8.8.8.8:53 |
Source: Traffic |
Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:58306 -> 8.8.8.8:53 |
Source: Traffic |
Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:63448 -> 8.8.8.8:53 |
Source: Traffic |
Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:63449 -> 8.8.8.8:53 |
Source: Traffic |
Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:63450 -> 8.8.8.8:53 |
Source: Traffic |
Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:63451 -> 8.8.8.8:53 |
Source: Traffic |
Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:65387 -> 8.8.8.8:53 |
Source: Traffic |
Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:65388 -> 8.8.8.8:53 |
Source: Traffic |
Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:65389 -> 8.8.8.8:53 |
Source: Traffic |
Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:65390 -> 8.8.8.8:53 |
Source: Traffic |
Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:54155 -> 8.8.8.8:53 |
Source: Traffic |
Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:54156 -> 8.8.8.8:53 |
Source: Traffic |
Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:54157 -> 8.8.8.8:53 |
Source: Traffic |
Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:54158 -> 8.8.8.8:53 |
Source: Traffic |
Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:50786 -> 8.8.8.8:53 |
Source: Traffic |
Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:50787 -> 8.8.8.8:53 |
Source: Traffic |
Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:50788 -> 8.8.8.8:53 |
Source: Traffic |
Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:50789 -> 8.8.8.8:53 |
Source: Traffic |
Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:64123 -> 8.8.8.8:53 |
Source: Traffic |
Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:64124 -> 8.8.8.8:53 |
Source: Traffic |
Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:64125 -> 8.8.8.8:53 |
Source: Traffic |
Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:64126 -> 8.8.8.8:53 |
Source: Traffic |
Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:60827 -> 8.8.8.8:53 |
Source: Traffic |
Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:60828 -> 8.8.8.8:53 |
Source: Traffic |
Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:60829 -> 8.8.8.8:53 |
Source: Traffic |
Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:60830 -> 8.8.8.8:53 |
Source: Traffic |
Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:49203 -> 8.8.8.8:53 |
Source: Traffic |
Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:49204 -> 8.8.8.8:53 |
Source: Traffic |
Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:49205 -> 8.8.8.8:53 |
Source: Traffic |
Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:49206 -> 8.8.8.8:53 |
Source: Traffic |
Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:60475 -> 8.8.8.8:53 |
Source: Traffic |
Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:60476 -> 8.8.8.8:53 |
Source: Traffic |
Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:60477 -> 8.8.8.8:53 |
Source: Traffic |
Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:60478 -> 8.8.8.8:53 |
Source: Traffic |
Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:56618 -> 8.8.8.8:53 |
Source: Traffic |
Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:56619 -> 8.8.8.8:53 |
Source: Traffic |
Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:56620 -> 8.8.8.8:53 |
Source: Traffic |
Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:56621 -> 8.8.8.8:53 |
Source: Traffic |
Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:57389 -> 8.8.8.8:53 |
Source: Traffic |
Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:57390 -> 8.8.8.8:53 |
Source: Traffic |
Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:57391 -> 8.8.8.8:53 |
Source: Traffic |
Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:57392 -> 8.8.8.8:53 |
Source: Traffic |
Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:50230 -> 8.8.8.8:53 |
Source: Traffic |
Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:50231 -> 8.8.8.8:53 |
Source: Traffic |
Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:50232 -> 8.8.8.8:53 |
Source: Traffic |
Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:50233 -> 8.8.8.8:53 |
Source: Traffic |
Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:52457 -> 8.8.8.8:53 |
Source: Traffic |
Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:52458 -> 8.8.8.8:53 |
Source: Traffic |
Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:52459 -> 8.8.8.8:53 |
Source: Traffic |
Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:52460 -> 8.8.8.8:53 |
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe |
Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns1.soprodns.ru |
|
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe |
Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru |
|
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe |
Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns2.soprodns.ru |
|
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe |
Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns2.soprodns.ru |
|
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe |
Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns2.soprodns.ru |
|
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe |
Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru |
|
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe |
Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns1.soprodns.ru |
|
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe |
Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru |
|
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe |
Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns2.soprodns.ru |
|
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe |
Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns2.soprodns.ru |
|
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe |
Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns2.soprodns.ru |
|
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe |
Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru |
|
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe |
Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns1.soprodns.ru |
|
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe |
Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru |
|
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe |
Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns2.soprodns.ru |
|
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe |
Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns2.soprodns.ru |
|
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe |
Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns2.soprodns.ru |
|
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe |
Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru |
|
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe |
Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns1.soprodns.ru |
|
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe |
Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru |
|
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe |
Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns2.soprodns.ru |
|
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe |
Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns1.soprodns.ru |
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe |
Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru |
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe |
Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns2.soprodns.ru |
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe |
Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns2.soprodns.ru |
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe |
Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns2.soprodns.ru |
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe |
Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru |
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe |
Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns1.soprodns.ru |
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe |
Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru |
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe |
Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns2.soprodns.ru |
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe |
Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns2.soprodns.ru |
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe |
Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns2.soprodns.ru |
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe |
Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru |
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe |
Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns1.soprodns.ru |
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe |
Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru |
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe |
Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns2.soprodns.ru |
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe |
Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns2.soprodns.ru |
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe |
Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns2.soprodns.ru |
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe |
Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru |
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe |
Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns1.soprodns.ru |
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe |
Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru |
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe |
Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns2.soprodns.ru |
Source: gI5xZdIxUs.exe, type: SAMPLE |
Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen |
Source: gI5xZdIxUs.exe, type: SAMPLE |
Matched rule: Gandcrab Payload Author: kevoreilly |
Source: 14.2.isqmkp.exe.f9d0000.0.unpack, type: UNPACKEDPE |
Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen |
Source: 14.2.isqmkp.exe.f9d0000.0.unpack, type: UNPACKEDPE |
Matched rule: Gandcrab Payload Author: kevoreilly |
Source: 14.0.isqmkp.exe.f9d0000.0.unpack, type: UNPACKEDPE |
Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen |
Source: 14.0.isqmkp.exe.f9d0000.0.unpack, type: UNPACKEDPE |
Matched rule: Gandcrab Payload Author: kevoreilly |
Source: 20.2.isqmkp.exe.f9d0000.0.unpack, type: UNPACKEDPE |
Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen |
Source: 20.2.isqmkp.exe.f9d0000.0.unpack, type: UNPACKEDPE |
Matched rule: Gandcrab Payload Author: kevoreilly |
Source: 1.0.gI5xZdIxUs.exe.fc60000.0.unpack, type: UNPACKEDPE |
Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen |
Source: 1.0.gI5xZdIxUs.exe.fc60000.0.unpack, type: UNPACKEDPE |
Matched rule: Gandcrab Payload Author: kevoreilly |
Source: 20.0.isqmkp.exe.f9d0000.0.unpack, type: UNPACKEDPE |
Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen |
Source: 20.0.isqmkp.exe.f9d0000.0.unpack, type: UNPACKEDPE |
Matched rule: Gandcrab Payload Author: kevoreilly |
Source: 1.2.gI5xZdIxUs.exe.fc60000.0.unpack, type: UNPACKEDPE |
Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen |
Source: 1.2.gI5xZdIxUs.exe.fc60000.0.unpack, type: UNPACKEDPE |
Matched rule: Gandcrab Payload Author: kevoreilly |
Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe, type: DROPPED |
Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen |
Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe, type: DROPPED |
Matched rule: Gandcrab Payload Author: kevoreilly |
Source: gI5xZdIxUs.exe, type: SAMPLE |
Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15 |
Source: gI5xZdIxUs.exe, type: SAMPLE |
Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/ |
Source: gI5xZdIxUs.exe, type: SAMPLE |
Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts |
Source: gI5xZdIxUs.exe, type: SAMPLE |
Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload |
Source: 14.2.isqmkp.exe.f9d0000.0.unpack, type: UNPACKEDPE |
Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15 |
Source: 14.2.isqmkp.exe.f9d0000.0.unpack, type: UNPACKEDPE |
Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/ |
Source: 14.2.isqmkp.exe.f9d0000.0.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts |
Source: 14.2.isqmkp.exe.f9d0000.0.unpack, type: UNPACKEDPE |
Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload |
Source: 14.0.isqmkp.exe.f9d0000.0.unpack, type: UNPACKEDPE |
Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15 |
Source: 14.0.isqmkp.exe.f9d0000.0.unpack, type: UNPACKEDPE |
Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/ |
Source: 14.0.isqmkp.exe.f9d0000.0.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts |
Source: 14.0.isqmkp.exe.f9d0000.0.unpack, type: UNPACKEDPE |
Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload |
Source: 20.2.isqmkp.exe.f9d0000.0.unpack, type: UNPACKEDPE |
Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15 |
Source: 20.2.isqmkp.exe.f9d0000.0.unpack, type: UNPACKEDPE |
Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/ |
Source: 20.2.isqmkp.exe.f9d0000.0.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts |
Source: 20.2.isqmkp.exe.f9d0000.0.unpack, type: UNPACKEDPE |
Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload |
Source: 1.0.gI5xZdIxUs.exe.fc60000.0.unpack, type: UNPACKEDPE |
Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15 |
Source: 1.0.gI5xZdIxUs.exe.fc60000.0.unpack, type: UNPACKEDPE |
Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/ |
Source: 1.0.gI5xZdIxUs.exe.fc60000.0.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts |
Source: 1.0.gI5xZdIxUs.exe.fc60000.0.unpack, type: UNPACKEDPE |
Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload |
Source: 20.0.isqmkp.exe.f9d0000.0.unpack, type: UNPACKEDPE |
Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15 |
Source: 20.0.isqmkp.exe.f9d0000.0.unpack, type: UNPACKEDPE |
Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/ |
Source: 20.0.isqmkp.exe.f9d0000.0.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts |
Source: 20.0.isqmkp.exe.f9d0000.0.unpack, type: UNPACKEDPE |
Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload |
Source: 1.2.gI5xZdIxUs.exe.fc60000.0.unpack, type: UNPACKEDPE |
Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15 |
Source: 1.2.gI5xZdIxUs.exe.fc60000.0.unpack, type: UNPACKEDPE |
Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/ |
Source: 1.2.gI5xZdIxUs.exe.fc60000.0.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts |
Source: 1.2.gI5xZdIxUs.exe.fc60000.0.unpack, type: UNPACKEDPE |
Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload |
Source: Process Memory Space: gI5xZdIxUs.exe PID: 5280, type: MEMORYSTR |
Matched rule: HKTL_Meterpreter_inMemory date = 2020-06-29, author = netbiosX, Florian Roth, description = Detects Meterpreter in-memory, score = , reference = https://www.reddit.com/r/purpleteamsec/comments/hjux11/meterpreter_memory_indicators_detection_tooling/ |
Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe, type: DROPPED |
Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15 |
Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe, type: DROPPED |
Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/ |
Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe, type: DROPPED |
Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts |
Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe, type: DROPPED |
Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload |
Source: unknown |
Process created: C:\Users\user\Desktop\gI5xZdIxUs.exe "C:\Users\user\Desktop\gI5xZdIxUs.exe" |
|
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe |
Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns1.soprodns.ru |
|
Source: C:\Windows\SysWOW64\nslookup.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe |
Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru |
|
Source: C:\Windows\SysWOW64\nslookup.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: unknown |
Process created: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe "C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe" |
|
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe |
Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns2.soprodns.ru |
|
Source: C:\Windows\SysWOW64\nslookup.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe |
Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns2.soprodns.ru |
|
Source: C:\Windows\SysWOW64\nslookup.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: unknown |
Process created: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe "C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe" |
|
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe |
Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns2.soprodns.ru |
|
Source: C:\Windows\SysWOW64\nslookup.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe |
Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru |
|
Source: C:\Windows\SysWOW64\nslookup.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe |
Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns1.soprodns.ru |
|
Source: C:\Windows\SysWOW64\nslookup.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe |
Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru |
|
Source: C:\Windows\SysWOW64\nslookup.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe |
Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns2.soprodns.ru |
|
Source: C:\Windows\SysWOW64\nslookup.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe |
Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns2.soprodns.ru |
|
Source: C:\Windows\SysWOW64\nslookup.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe |
Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns2.soprodns.ru |
|
Source: C:\Windows\SysWOW64\nslookup.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe |
Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru |
|
Source: C:\Windows\SysWOW64\nslookup.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe |
Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns1.soprodns.ru |
|
Source: C:\Windows\SysWOW64\nslookup.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe |
Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru |
|
Source: C:\Windows\SysWOW64\nslookup.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe |
Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns2.soprodns.ru |
|
Source: C:\Windows\SysWOW64\nslookup.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe |
Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns2.soprodns.ru |
|
Source: C:\Windows\SysWOW64\nslookup.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe |
Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns2.soprodns.ru |
|
Source: C:\Windows\SysWOW64\nslookup.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe |
Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru |
|
Source: C:\Windows\SysWOW64\nslookup.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe |
Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns1.soprodns.ru |
|
Source: C:\Windows\SysWOW64\nslookup.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe |
Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru |
|
Source: C:\Windows\SysWOW64\nslookup.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe |
Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns2.soprodns.ru |
|
Source: C:\Windows\SysWOW64\nslookup.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe |
Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns1.soprodns.ru |
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe |
Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru |
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe |
Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns2.soprodns.ru |
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe |
Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns2.soprodns.ru |
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe |
Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns2.soprodns.ru |
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe |
Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru |
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe |
Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns1.soprodns.ru |
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe |
Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru |
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe |
Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns2.soprodns.ru |
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe |
Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns2.soprodns.ru |
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe |
Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns2.soprodns.ru |
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe |
Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru |
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe |
Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns1.soprodns.ru |
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe |
Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru |
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe |
Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns2.soprodns.ru |
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe |
Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns2.soprodns.ru |
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe |
Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns2.soprodns.ru |
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe |
Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru |
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe |
Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns1.soprodns.ru |
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe |
Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru |
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe |
Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns2.soprodns.ru |
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe |
Process created: unknown unknown |
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe |
Process created: unknown unknown |
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe |
Process created: unknown unknown |
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe |
Process created: unknown unknown |
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe |
Process created: unknown unknown |
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe |
Process created: unknown unknown |
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe |
Process created: unknown unknown |
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe |
Process created: unknown unknown |
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe |
Process created: unknown unknown |
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe |
Process created: unknown unknown |
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe |
Process created: unknown unknown |
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe |
Process created: unknown unknown |
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe |
Process created: unknown unknown |
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe |
Process created: unknown unknown |
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe |
Process created: unknown unknown |
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe |
Process created: unknown unknown |
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe |
Process created: unknown unknown |
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe |
Process created: unknown unknown |
Source: C:\Windows\System32\conhost.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4592:120:WilError_01 |
Source: C:\Windows\System32\conhost.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1920:120:WilError_01 |
Source: C:\Windows\System32\conhost.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1552:120:WilError_01 |
Source: C:\Windows\System32\conhost.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6096:120:WilError_01 |
Source: C:\Windows\System32\conhost.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5484:120:WilError_01 |
Source: C:\Windows\System32\conhost.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5636:120:WilError_01 |
Source: C:\Windows\System32\conhost.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5984:120:WilError_01 |
Source: C:\Windows\System32\conhost.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1784:120:WilError_01 |
Source: C:\Windows\System32\conhost.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4560:120:WilError_01 |
Source: C:\Windows\System32\conhost.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1000:120:WilError_01 |
Source: C:\Windows\System32\conhost.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5844:120:WilError_01 |
Source: C:\Windows\System32\conhost.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4624:120:WilError_01 |
Source: C:\Windows\System32\conhost.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5388:120:WilError_01 |
Source: C:\Windows\System32\conhost.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1960:120:WilError_01 |
Source: C:\Windows\System32\conhost.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5552:120:WilError_01 |
Source: C:\Windows\System32\conhost.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:792:120:WilError_01 |
Source: C:\Windows\System32\conhost.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1012:120:WilError_01 |
Source: C:\Windows\System32\conhost.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5556:120:WilError_01 |
Source: C:\Windows\System32\conhost.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6060:120:WilError_01 |
Source: C:\Windows\System32\conhost.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5824:120:WilError_01 |
Source: C:\Windows\System32\conhost.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:496:120:WilError_01 |
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Global\pc_group=WORKGROUP&ransom_id=342245cbb89b1482 |
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe |
File read: C:\Windows\System32\drivers\etc\hosts |
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe |
File read: C:\Windows\System32\drivers\etc\hosts |
Source: C:\Windows\SysWOW64\nslookup.exe |
File read: C:\Windows\System32\drivers\etc\hosts |
Source: C:\Windows\SysWOW64\nslookup.exe |
File read: C:\Windows\System32\drivers\etc\hosts |
Source: C:\Windows\SysWOW64\nslookup.exe |
File read: C:\Windows\System32\drivers\etc\hosts |
Source: C:\Windows\SysWOW64\nslookup.exe |
File read: C:\Windows\System32\drivers\etc\hosts |
Source: C:\Windows\SysWOW64\nslookup.exe |
File read: C:\Windows\System32\drivers\etc\hosts |
Source: C:\Windows\SysWOW64\nslookup.exe |
File read: C:\Windows\System32\drivers\etc\hosts |
Source: C:\Windows\SysWOW64\nslookup.exe |
File read: C:\Windows\System32\drivers\etc\hosts |
Source: C:\Windows\SysWOW64\nslookup.exe |
File read: C:\Windows\System32\drivers\etc\hosts |
Source: C:\Windows\SysWOW64\nslookup.exe |
File read: C:\Windows\System32\drivers\etc\hosts |
Source: C:\Windows\SysWOW64\nslookup.exe |
File read: C:\Windows\System32\drivers\etc\hosts |
Source: C:\Windows\SysWOW64\nslookup.exe |
File read: C:\Windows\System32\drivers\etc\hosts |
Source: C:\Windows\SysWOW64\nslookup.exe |
File read: C:\Windows\System32\drivers\etc\hosts |
Source: C:\Windows\SysWOW64\nslookup.exe |
File read: C:\Windows\System32\drivers\etc\hosts |
Source: C:\Windows\SysWOW64\nslookup.exe |
File read: C:\Windows\System32\drivers\etc\hosts |
Source: C:\Windows\SysWOW64\nslookup.exe |
File read: C:\Windows\System32\drivers\etc\hosts |
Source: C:\Windows\SysWOW64\nslookup.exe |
File read: C:\Windows\System32\drivers\etc\hosts |
Source: C:\Windows\SysWOW64\nslookup.exe |
File read: C:\Windows\System32\drivers\etc\hosts |
Source: C:\Windows\SysWOW64\nslookup.exe |
File read: C:\Windows\System32\drivers\etc\hosts |
Source: C:\Windows\SysWOW64\nslookup.exe |
File read: C:\Windows\System32\drivers\etc\hosts |
Source: C:\Windows\SysWOW64\nslookup.exe |
File read: C:\Windows\System32\drivers\etc\hosts |
Source: C:\Windows\SysWOW64\nslookup.exe |
File read: C:\Windows\System32\drivers\etc\hosts |
Source: C:\Windows\SysWOW64\nslookup.exe |
File read: C:\Windows\System32\drivers\etc\hosts |
Source: C:\Windows\SysWOW64\nslookup.exe |
File read: C:\Windows\System32\drivers\etc\hosts |
Source: C:\Windows\SysWOW64\nslookup.exe |
File read: C:\Windows\System32\drivers\etc\hosts |
Source: C:\Windows\SysWOW64\nslookup.exe |
File read: C:\Windows\System32\drivers\etc\hosts |
Source: C:\Windows\SysWOW64\nslookup.exe |
File read: C:\Windows\System32\drivers\etc\hosts |
Source: C:\Windows\SysWOW64\nslookup.exe |
File read: C:\Windows\System32\drivers\etc\hosts |
Source: C:\Windows\SysWOW64\nslookup.exe |
File read: C:\Windows\System32\drivers\etc\hosts |
Source: C:\Windows\SysWOW64\nslookup.exe |
File read: C:\Windows\System32\drivers\etc\hosts |
Source: C:\Windows\SysWOW64\nslookup.exe |
File read: C:\Windows\System32\drivers\etc\hosts |
Source: C:\Windows\SysWOW64\nslookup.exe |
File read: C:\Windows\System32\drivers\etc\hosts |
Source: C:\Windows\SysWOW64\nslookup.exe |
File read: C:\Windows\System32\drivers\etc\hosts |
Source: C:\Windows\SysWOW64\nslookup.exe |
File read: C:\Windows\System32\drivers\etc\hosts |
Source: C:\Windows\SysWOW64\nslookup.exe |
File read: C:\Windows\System32\drivers\etc\hosts |
Source: C:\Windows\SysWOW64\nslookup.exe |
File read: C:\Windows\System32\drivers\etc\hosts |
Source: C:\Windows\SysWOW64\nslookup.exe |
File read: C:\Windows\System32\drivers\etc\hosts |
Source: C:\Windows\SysWOW64\nslookup.exe |
File read: C:\Windows\System32\drivers\etc\hosts |
Source: C:\Windows\SysWOW64\nslookup.exe |
File read: C:\Windows\System32\drivers\etc\hosts |
Source: C:\Windows\SysWOW64\nslookup.exe |
File read: C:\Windows\System32\drivers\etc\hosts |
Source: C:\Windows\SysWOW64\nslookup.exe |
File read: C:\Windows\System32\drivers\etc\hosts |
Source: C:\Windows\SysWOW64\nslookup.exe |
File read: C:\Windows\System32\drivers\etc\hosts |
Source: C:\Windows\SysWOW64\nslookup.exe |
File read: C:\Windows\System32\drivers\etc\hosts |
Source: C:\Windows\System32\conhost.exe |
Last function: Thread delayed |
Source: C:\Windows\System32\conhost.exe |
Last function: Thread delayed |
Source: C:\Windows\System32\conhost.exe |
Last function: Thread delayed |
Source: C:\Windows\System32\conhost.exe |
Last function: Thread delayed |
Source: C:\Windows\System32\conhost.exe |
Last function: Thread delayed |
Source: C:\Windows\System32\conhost.exe |
Last function: Thread delayed |
Source: C:\Windows\System32\conhost.exe |
Last function: Thread delayed |
Source: C:\Windows\System32\conhost.exe |
Last function: Thread delayed |
Source: C:\Windows\System32\conhost.exe |
Last function: Thread delayed |
Source: C:\Windows\System32\conhost.exe |
Last function: Thread delayed |
Source: C:\Windows\System32\conhost.exe |
Last function: Thread delayed |
Source: C:\Windows\System32\conhost.exe |
Last function: Thread delayed |
Source: C:\Windows\System32\conhost.exe |
Last function: Thread delayed |
Source: C:\Windows\System32\conhost.exe |
Last function: Thread delayed |
Source: C:\Windows\System32\conhost.exe |
Last function: Thread delayed |
Source: C:\Windows\System32\conhost.exe |
Last function: Thread delayed |
Source: C:\Windows\System32\conhost.exe |
Last function: Thread delayed |
Source: C:\Windows\System32\conhost.exe |
Last function: Thread delayed |
Source: C:\Windows\System32\conhost.exe |
Last function: Thread delayed |
Source: C:\Windows\System32\conhost.exe |
Last function: Thread delayed |
Source: C:\Windows\System32\conhost.exe |
Last function: Thread delayed |
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe |
Code function: 1_2_0FC66C90 lstrlenW,lstrcatW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcatW,lstrcatW,lstrcatW,FindNextFileW,FindClose, |
1_2_0FC66C90 |
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe |
Code function: 1_2_0FC66A40 lstrlenW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcatW,lstrlenW,lstrcmpW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,lstrlenA,VirtualFree,CloseHandle,lstrcmpW,FindNextFileW,FindClose, |
1_2_0FC66A40 |
Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe |
Code function: 14_2_0F9D6C90 lstrlenW,lstrcatW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcatW,lstrcatW,lstrcatW,FindNextFileW,FindClose, |
14_2_0F9D6C90 |
Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe |
Code function: 14_2_0F9D6A40 lstrlenW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcatW,lstrlenW,lstrcmpW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,lstrlenA,VirtualFree,CloseHandle,lstrcmpW,FindNextFileW,FindClose, |
14_2_0F9D6A40 |
Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe |
Code function: 20_2_0F9D6C90 lstrlenW,lstrcatW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcatW,lstrcatW,lstrcatW,FindNextFileW,FindClose, |
20_2_0F9D6C90 |
Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe |
Code function: 20_2_0F9D6A40 lstrlenW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcatW,lstrlenW,lstrcmpW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,lstrlenA,VirtualFree,CloseHandle,lstrcmpW,FindNextFileW,FindClose, |
20_2_0F9D6A40 |
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe |
Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns1.soprodns.ru |
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe |
Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru |
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe |
Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns2.soprodns.ru |
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe |
Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns2.soprodns.ru |
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe |
Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns2.soprodns.ru |
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe |
Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru |
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe |
Process created: unknown unknown |
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |