Edit tour

Windows Analysis Report
gI5xZdIxUs.exe

Overview

General Information

Sample Name:	gI5xZdIxUs.exe
Analysis ID:	694566
MD5:	98a12ec721c098842fbfd7384d5a72ae
SHA1:	9dfd7d1746c8ae943f3dced0f85f0e3c6f5084f3
SHA256:	f83457d173841c7e944bc60b00c197ca93c864893c71902cf1b1a36decdd30a4
Tags:	exe
Infos:

Detection

Gandcrab, ReflectiveLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected Gandcrab

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Yara detected ReflectiveLoader

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for domain / URL

Antivirus detection for dropped file

Snort IDS alert for network traffic

Contains functionality to determine the online IP of the system

Found Tor onion address

Uses nslookup.exe to query domains

Machine Learning detection for sample

May check the online IP address of the machine

Performs many domain queries via nslookup

Machine Learning detection for dropped file

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Sample execution stops while process was sleeping (likely an evasion)

Too many similar processes found

Contains functionality to dynamically determine API calls

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a DirectInput object (often for capturing keystrokes)

Queries information about the installed CPU (vendor, model number etc)

Drops PE files

Contains functionality to read the PEB

Found evaded block containing many API calls

Contains functionality to enumerate device drivers

Checks for available system drives (often done to infect USB drives)

Uses Microsoft's Enhanced Cryptographic Provider

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

gI5xZdIxUs.exe (PID: 5280 cmdline: "C:\Users\user\Desktop\gI5xZdIxUs.exe" MD5: 98A12EC721C098842FBFD7384D5A72AE)

nslookup.exe (PID: 5960 cmdline: nslookup nomoreransom.coin dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)

conhost.exe (PID: 792 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

nslookup.exe (PID: 4684 cmdline: nslookup nomoreransom.bit dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)

conhost.exe (PID: 5556 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

nslookup.exe (PID: 4596 cmdline: nslookup gandcrab.bit dns2.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)

conhost.exe (PID: 1920 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

nslookup.exe (PID: 6112 cmdline: nslookup nomoreransom.coin dns2.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)

conhost.exe (PID: 4624 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

nslookup.exe (PID: 1916 cmdline: nslookup nomoreransom.bit dns2.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)

conhost.exe (PID: 5388 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

nslookup.exe (PID: 5244 cmdline: nslookup gandcrab.bit dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)

conhost.exe (PID: 4592 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

nslookup.exe (PID: 6028 cmdline: nslookup nomoreransom.coin dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)

conhost.exe (PID: 1012 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

nslookup.exe (PID: 5116 cmdline: nslookup nomoreransom.bit dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)

conhost.exe (PID: 5552 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

nslookup.exe (PID: 680 cmdline: nslookup gandcrab.bit dns2.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)

conhost.exe (PID: 496 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

nslookup.exe (PID: 5124 cmdline: nslookup nomoreransom.coin dns2.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)

conhost.exe (PID: 5484 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

nslookup.exe (PID: 4972 cmdline: nslookup nomoreransom.bit dns2.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)

conhost.exe (PID: 6096 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

nslookup.exe (PID: 5604 cmdline: nslookup gandcrab.bit dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)

conhost.exe (PID: 1784 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

nslookup.exe (PID: 736 cmdline: nslookup nomoreransom.coin dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)

conhost.exe (PID: 6060 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

nslookup.exe (PID: 4460 cmdline: nslookup nomoreransom.bit dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)

conhost.exe (PID: 4560 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

nslookup.exe (PID: 6052 cmdline: nslookup gandcrab.bit dns2.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)

conhost.exe (PID: 5984 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

nslookup.exe (PID: 5424 cmdline: nslookup nomoreransom.coin dns2.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)

conhost.exe (PID: 1000 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

nslookup.exe (PID: 4364 cmdline: nslookup nomoreransom.bit dns2.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)

conhost.exe (PID: 1552 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

nslookup.exe (PID: 5188 cmdline: nslookup gandcrab.bit dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)

conhost.exe (PID: 1960 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

nslookup.exe (PID: 1164 cmdline: nslookup nomoreransom.coin dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)

conhost.exe (PID: 5824 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

nslookup.exe (PID: 1092 cmdline: nslookup nomoreransom.bit dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)

conhost.exe (PID: 5844 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

nslookup.exe (PID: 968 cmdline: nslookup gandcrab.bit dns2.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)

conhost.exe (PID: 5636 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

isqmkp.exe (PID: 5464 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe" MD5: F4758788F11A0DE8D11EB4B8C515FFBD)

isqmkp.exe (PID: 1572 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe" MD5: F4758788F11A0DE8D11EB4B8C515FFBD)

cleanup

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
gI5xZdIxUs.exe	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xed22:$x1: ReflectiveLoader
gI5xZdIxUs.exe	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe67e:$: DECRYPT.txt 0xe6e4:$: DECRYPT.txt
gI5xZdIxUs.exe	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
gI5xZdIxUs.exe	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
gI5xZdIxUs.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xed21:$s1: _ReflectiveLoader@ 0xed22:$s2: ReflectiveLoader@
gI5xZdIxUs.exe	Gandcrab	Gandcrab Payload	kevoreilly	0xe674:$string1: GDCB-DECRYPT.txt 0xe6da:$string1: GDCB-DECRYPT.txt 0xecb0:$string2: GandCrabGandCrabnomoreransom.coinomoreransom.bit 0xe3b0:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
Click to see the 1 entries

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xed22:$x1: ReflectiveLoader
C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe67e:$: DECRYPT.txt 0xe6e4:$: DECRYPT.txt
C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xed21:$s1: _ReflectiveLoader@ 0xed22:$s2: ReflectiveLoader@
C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe	Gandcrab	Gandcrab Payload	kevoreilly	0xe674:$string1: GDCB-DECRYPT.txt 0xe6da:$string1: GDCB-DECRYPT.txt 0xecb0:$string2: GandCrabGandCrabnomoreransom.coinomoreransom.bit 0xe3b0:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
Click to see the 1 entries

Memory Dumps

Source	Rule	Description	Author	Strings
00000014.00000000.322631215.000000000F9DA000.00000002.00000001.01000000.00000005.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
0000000E.00000002.315651936.000000000F9DA000.00000002.00000001.01000000.00000005.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
0000000E.00000000.307654244.000000000F9E2000.00000008.00000001.01000000.00000005.sdmp	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
00000001.00000000.272296797.000000000FC6A000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
0000000E.00000000.307645700.000000000F9DA000.00000002.00000001.01000000.00000005.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000014.00000002.325486891.000000000F9DA000.00000002.00000001.01000000.00000005.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000001.00000002.537541962.000000000FC6A000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000014.00000002.325494839.000000000F9E2000.00000008.00000001.01000000.00000005.sdmp	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
00000014.00000000.322638424.000000000F9E2000.00000008.00000001.01000000.00000005.sdmp	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
0000000E.00000002.315662109.000000000F9E2000.00000008.00000001.01000000.00000005.sdmp	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
00000001.00000002.537565986.000000000FC72000.00000004.00000001.01000000.00000003.sdmp	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
00000001.00000000.272303387.000000000FC72000.00000008.00000001.01000000.00000003.sdmp	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
Process Memory Space: gI5xZdIxUs.exe PID: 5280	HKTL_Meterpreter_inMemory	Detects Meterpreter in-memory	netbiosX, Florian Roth	0x1a48b:$xs1: WS2_32.dll 0x950d:$xs2: ReflectiveLoader 0x952f:$xs2: ReflectiveLoader 0xeddd:$xs2: ReflectiveLoader 0xedff:$xs2: ReflectiveLoader
Process Memory Space: gI5xZdIxUs.exe PID: 5280	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
Process Memory Space: gI5xZdIxUs.exe PID: 5280	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
Process Memory Space: isqmkp.exe PID: 5464	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
Process Memory Space: isqmkp.exe PID: 5464	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
Process Memory Space: isqmkp.exe PID: 1572	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
Process Memory Space: isqmkp.exe PID: 1572	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
Click to see the 14 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
14.2.isqmkp.exe.f9d0000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xed22:$x1: ReflectiveLoader
14.2.isqmkp.exe.f9d0000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe67e:$: DECRYPT.txt 0xe6e4:$: DECRYPT.txt
14.2.isqmkp.exe.f9d0000.0.unpack	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
14.2.isqmkp.exe.f9d0000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
14.2.isqmkp.exe.f9d0000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xed21:$s1: _ReflectiveLoader@ 0xed22:$s2: ReflectiveLoader@
14.2.isqmkp.exe.f9d0000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe674:$string1: GDCB-DECRYPT.txt 0xe6da:$string1: GDCB-DECRYPT.txt 0xecb0:$string2: GandCrabGandCrabnomoreransom.coinomoreransom.bit 0xe3b0:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
14.0.isqmkp.exe.f9d0000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xed22:$x1: ReflectiveLoader
14.0.isqmkp.exe.f9d0000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe67e:$: DECRYPT.txt 0xe6e4:$: DECRYPT.txt
14.0.isqmkp.exe.f9d0000.0.unpack	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
14.0.isqmkp.exe.f9d0000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
14.0.isqmkp.exe.f9d0000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xed21:$s1: _ReflectiveLoader@ 0xed22:$s2: ReflectiveLoader@
14.0.isqmkp.exe.f9d0000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe674:$string1: GDCB-DECRYPT.txt 0xe6da:$string1: GDCB-DECRYPT.txt 0xecb0:$string2: GandCrabGandCrabnomoreransom.coinomoreransom.bit 0xe3b0:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
20.2.isqmkp.exe.f9d0000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xed22:$x1: ReflectiveLoader
20.2.isqmkp.exe.f9d0000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe67e:$: DECRYPT.txt 0xe6e4:$: DECRYPT.txt
20.2.isqmkp.exe.f9d0000.0.unpack	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
20.2.isqmkp.exe.f9d0000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
20.2.isqmkp.exe.f9d0000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xed21:$s1: _ReflectiveLoader@ 0xed22:$s2: ReflectiveLoader@
20.2.isqmkp.exe.f9d0000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe674:$string1: GDCB-DECRYPT.txt 0xe6da:$string1: GDCB-DECRYPT.txt 0xecb0:$string2: GandCrabGandCrabnomoreransom.coinomoreransom.bit 0xe3b0:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
1.0.gI5xZdIxUs.exe.fc60000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xed22:$x1: ReflectiveLoader
1.0.gI5xZdIxUs.exe.fc60000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe67e:$: DECRYPT.txt 0xe6e4:$: DECRYPT.txt
1.0.gI5xZdIxUs.exe.fc60000.0.unpack	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
1.0.gI5xZdIxUs.exe.fc60000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
1.0.gI5xZdIxUs.exe.fc60000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xed21:$s1: _ReflectiveLoader@ 0xed22:$s2: ReflectiveLoader@
1.0.gI5xZdIxUs.exe.fc60000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe674:$string1: GDCB-DECRYPT.txt 0xe6da:$string1: GDCB-DECRYPT.txt 0xecb0:$string2: GandCrabGandCrabnomoreransom.coinomoreransom.bit 0xe3b0:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
20.0.isqmkp.exe.f9d0000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xed22:$x1: ReflectiveLoader
20.0.isqmkp.exe.f9d0000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe67e:$: DECRYPT.txt 0xe6e4:$: DECRYPT.txt
20.0.isqmkp.exe.f9d0000.0.unpack	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
20.0.isqmkp.exe.f9d0000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
20.0.isqmkp.exe.f9d0000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xed21:$s1: _ReflectiveLoader@ 0xed22:$s2: ReflectiveLoader@
20.0.isqmkp.exe.f9d0000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe674:$string1: GDCB-DECRYPT.txt 0xe6da:$string1: GDCB-DECRYPT.txt 0xecb0:$string2: GandCrabGandCrabnomoreransom.coinomoreransom.bit 0xe3b0:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
1.2.gI5xZdIxUs.exe.fc60000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xed22:$x1: ReflectiveLoader
1.2.gI5xZdIxUs.exe.fc60000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe67e:$: DECRYPT.txt 0xe6e4:$: DECRYPT.txt
1.2.gI5xZdIxUs.exe.fc60000.0.unpack	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
1.2.gI5xZdIxUs.exe.fc60000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
1.2.gI5xZdIxUs.exe.fc60000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xed21:$s1: _ReflectiveLoader@ 0xed22:$s2: ReflectiveLoader@
1.2.gI5xZdIxUs.exe.fc60000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe674:$string1: GDCB-DECRYPT.txt 0xe6da:$string1: GDCB-DECRYPT.txt 0xecb0:$string2: GandCrabGandCrabnomoreransom.coinomoreransom.bit 0xe3b0:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
Click to see the 31 entries

Snort Signatures

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.860754532829498 08/31/22-23:58:43.044195
SID:	2829498
Source Port:	60754
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.850789532829498 08/31/22-23:59:48.239260
SID:	2829498
Source Port:	50789
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.858305532829498 08/31/22-23:59:32.365598
SID:	2829498
Source Port:	58305
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.865389532829498 08/31/22-23:59:40.892307
SID:	2829498
Source Port:	65389
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.849203532026737 08/31/22-23:59:56.322889
SID:	2026737
Source Port:	49203
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.856952532026737 08/31/22-23:58:46.555077
SID:	2026737
Source Port:	56952
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.853051532829498 08/31/22-23:59:12.297576
SID:	2829498
Source Port:	53051
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.853431532829498 08/31/22-23:59:18.287185
SID:	2829498
Source Port:	53431
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.865022532829498 08/31/22-23:58:54.690068
SID:	2829498
Source Port:	65022
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.861420532829498 08/31/22-23:59:01.493233
SID:	2829498
Source Port:	61420
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.851994532829498 08/31/22-23:59:24.206869
SID:	2829498
Source Port:	51994
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.860478532829498 08/31/22-23:59:59.939438
SID:	2829498
Source Port:	60478
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.865019532829498 08/31/22-23:58:54.630989
SID:	2829498
Source Port:	65019
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.850230532026737 09/01/22-00:00:07.433896
SID:	2026737
Source Port:	50230
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.860093532026737 08/31/22-23:59:14.413883
SID:	2026737
Source Port:	60093
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.858122532026737 08/31/22-23:59:27.247839
SID:	2026737
Source Port:	58122
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.865515532026737 08/31/22-23:59:20.761806
SID:	2026737
Source Port:	65515
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.852958532829498 08/31/22-23:58:07.331283
SID:	2829498
Source Port:	52958
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.854156532026737 08/31/22-23:59:42.281210
SID:	2026737
Source Port:	54156
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.865110532829498 08/31/22-23:58:33.358759
SID:	2829498
Source Port:	65110
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.853430532829498 08/31/22-23:59:18.269254
SID:	2829498
Source Port:	53430
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.858121532026737 08/31/22-23:59:27.189978
SID:	2026737
Source Port:	58121
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.865021532829498 08/31/22-23:58:54.669703
SID:	2829498
Source Port:	65021
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.858306532829498 08/31/22-23:59:32.396919
SID:	2829498
Source Port:	58306
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.864126532026737 08/31/22-23:59:50.649034
SID:	2026737
Source Port:	64126
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.858695532026737 08/31/22-23:58:36.600606
SID:	2026737
Source Port:	58695
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.861418532829498 08/31/22-23:59:01.454658
SID:	2829498
Source Port:	61418
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.865516532026737 08/31/22-23:59:20.780161
SID:	2026737
Source Port:	65516
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.865111532829498 08/31/22-23:58:33.379307
SID:	2829498
Source Port:	65111
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.865388532829498 08/31/22-23:59:40.874321
SID:	2829498
Source Port:	65388
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.858694532026737 08/31/22-23:58:36.580328
SID:	2026737
Source Port:	58694
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.854155532026737 08/31/22-23:59:42.262891
SID:	2026737
Source Port:	54155
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.852957532829498 08/31/22-23:58:07.312591
SID:	2829498
Source Port:	52957
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.849204532026737 08/31/22-23:59:56.342973
SID:	2026737
Source Port:	49204
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.860586532026737 08/31/22-23:58:15.043750
SID:	2026737
Source Port:	60586
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.850231532026737 09/01/22-00:00:07.455721
SID:	2026737
Source Port:	50231
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.852959532829498 08/31/22-23:58:07.365561
SID:	2829498
Source Port:	52959
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.862054532829498 08/31/22-23:58:21.744663
SID:	2829498
Source Port:	62054
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.859641532026737 08/31/22-23:58:24.944174
SID:	2026737
Source Port:	59641
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.859638532026737 08/31/22-23:58:24.884406
SID:	2026737
Source Port:	59638
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.865198532026737 08/31/22-23:59:03.441447
SID:	2026737
Source Port:	65198
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.865109532829498 08/31/22-23:58:33.338202
SID:	2829498
Source Port:	65109
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.852457532829498 09/01/22-00:00:11.310934
SID:	2829498
Source Port:	52457
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.860587532026737 08/31/22-23:58:15.064663
SID:	2026737
Source Port:	60587
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.853470532026737 08/31/22-23:58:56.772805
SID:	2026737
Source Port:	53470
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.856620532026737 09/01/22-00:00:02.142088
SID:	2026737
Source Port:	56620
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.858693532026737 08/31/22-23:58:36.550637
SID:	2026737
Source Port:	58693
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.858696532026737 08/31/22-23:58:36.619047
SID:	2026737
Source Port:	58696
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.856954532026737 08/31/22-23:58:46.594398
SID:	2026737
Source Port:	56954
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.849205532026737 08/31/22-23:59:56.360951
SID:	2026737
Source Port:	49205
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.856619532026737 09/01/22-00:00:02.120945
SID:	2026737
Source Port:	56619
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.851995532829498 08/31/22-23:59:24.227191
SID:	2829498
Source Port:	51995
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.861421532829498 08/31/22-23:59:01.511754
SID:	2829498
Source Port:	61421
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.852960532829498 08/31/22-23:58:07.384051
SID:	2829498
Source Port:	52960
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.865390532829498 08/31/22-23:59:40.910653
SID:	2829498
Source Port:	65390
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.853053532829498 08/31/22-23:59:12.348894
SID:	2829498
Source Port:	53053
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.854158532026737 08/31/22-23:59:42.322126
SID:	2026737
Source Port:	54158
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.860753532829498 08/31/22-23:58:43.024087
SID:	2829498
Source Port:	60753
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.857391532829498 09/01/22-00:00:05.158775
SID:	2829498
Source Port:	57391
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.858303532829498 08/31/22-23:59:32.323930
SID:	2829498
Source Port:	58303
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.860584532026737 08/31/22-23:58:15.004694
SID:	2026737
Source Port:	60584
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.858123532026737 08/31/22-23:59:27.268863
SID:	2026737
Source Port:	58123
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.860091532026737 08/31/22-23:59:14.371988
SID:	2026737
Source Port:	60091
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.865200532026737 08/31/22-23:59:03.482704
SID:	2026737
Source Port:	65200
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.853433532829498 08/31/22-23:59:18.325585
SID:	2829498
Source Port:	53433
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.850787532829498 08/31/22-23:59:48.189200
SID:	2829498
Source Port:	50787
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.860751532829498 08/31/22-23:58:42.984219
SID:	2829498
Source Port:	60751
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.850786532829498 08/31/22-23:59:48.168544
SID:	2829498
Source Port:	50786
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.853468532026737 08/31/22-23:58:56.731128
SID:	2026737
Source Port:	53468
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.849206532026737 08/31/22-23:59:56.381031
SID:	2026737
Source Port:	49206
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.860475532829498 08/31/22-23:59:59.877731
SID:	2829498
Source Port:	60475
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.863448532026737 08/31/22-23:59:36.563649
SID:	2026737
Source Port:	63448
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.851997532829498 08/31/22-23:59:24.265731
SID:	2829498
Source Port:	51997
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.856618532026737 09/01/22-00:00:02.100951
SID:	2026737
Source Port:	56618
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.853471532026737 08/31/22-23:58:56.793274
SID:	2026737
Source Port:	53471
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.853054532829498 08/31/22-23:59:12.369224
SID:	2829498
Source Port:	53054
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.852458532829498 09/01/22-00:00:11.330853
SID:	2829498
Source Port:	52458
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.865513532026737 08/31/22-23:59:20.720500
SID:	2026737
Source Port:	65513
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.860828532829498 08/31/22-23:59:53.952246
SID:	2829498
Source Port:	60828
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.864124532026737 08/31/22-23:59:50.605079
SID:	2026737
Source Port:	64124
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.862052532829498 08/31/22-23:58:21.699516
SID:	2829498
Source Port:	62052
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.857390532829498 09/01/22-00:00:05.138814
SID:	2829498
Source Port:	57390
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.850233532026737 09/01/22-00:00:07.502496
SID:	2026737
Source Port:	50233
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.860090532026737 08/31/22-23:59:14.353291
SID:	2026737
Source Port:	60090
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.852459532829498 09/01/22-00:00:11.350932
SID:	2829498
Source Port:	52459
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.860827532829498 08/31/22-23:59:53.930680
SID:	2829498
Source Port:	60827
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.853469532026737 08/31/22-23:58:56.749513
SID:	2026737
Source Port:	53469
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.850232532026737 09/01/22-00:00:07.481526
SID:	2026737
Source Port:	50232
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.865387532829498 08/31/22-23:59:40.854236
SID:	2829498
Source Port:	65387
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.863451532026737 08/31/22-23:59:36.620733
SID:	2026737
Source Port:	63451
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.864125532026737 08/31/22-23:59:50.625202
SID:	2026737
Source Port:	64125
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.860476532829498 08/31/22-23:59:59.898864
SID:	2829498
Source Port:	60476
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.854157532026737 08/31/22-23:59:42.301537
SID:	2026737
Source Port:	54157
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.857392532829498 09/01/22-00:00:05.176878
SID:	2829498
Source Port:	57392
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.852460532829498 09/01/22-00:00:11.371195
SID:	2829498
Source Port:	52460
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.857389532829498 09/01/22-00:00:05.118977
SID:	2829498
Source Port:	57389
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.856043532829498 08/31/22-23:58:21.768917
SID:	2829498
Source Port:	56043
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.853052532829498 08/31/22-23:59:12.328339
SID:	2829498
Source Port:	53052
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.861419532829498 08/31/22-23:59:01.474961
SID:	2829498
Source Port:	61419
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.851996532829498 08/31/22-23:59:24.245596
SID:	2829498
Source Port:	51996
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.853432532829498 08/31/22-23:59:18.305428
SID:	2829498
Source Port:	53432
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.860585532026737 08/31/22-23:58:15.025136
SID:	2026737
Source Port:	60585
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.863450532026737 08/31/22-23:59:36.602428
SID:	2026737
Source Port:	63450
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.860477532829498 08/31/22-23:59:59.919053
SID:	2829498
Source Port:	60477
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.856951532026737 08/31/22-23:58:46.526858
SID:	2026737
Source Port:	56951
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.865112532829498 08/31/22-23:58:33.402809
SID:	2829498
Source Port:	65112
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.865020532829498 08/31/22-23:58:54.651252
SID:	2829498
Source Port:	65020
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.863449532026737 08/31/22-23:59:36.584182
SID:	2026737
Source Port:	63449
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.865201532026737 08/31/22-23:59:03.503720
SID:	2026737
Source Port:	65201
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.860830532829498 08/31/22-23:59:53.997132
SID:	2829498
Source Port:	60830
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.859640532026737 08/31/22-23:58:24.925442
SID:	2026737
Source Port:	59640
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.864123532026737 08/31/22-23:59:50.576561
SID:	2026737
Source Port:	64123
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.850788532829498 08/31/22-23:59:48.220006
SID:	2829498
Source Port:	50788
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.860092532026737 08/31/22-23:59:14.392903
SID:	2026737
Source Port:	60092
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.858124532026737 08/31/22-23:59:27.287358
SID:	2026737
Source Port:	58124
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.865199532026737 08/31/22-23:59:03.462712
SID:	2026737
Source Port:	65199
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.859639532026737 08/31/22-23:58:24.905091
SID:	2026737
Source Port:	59639
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.856953532026737 08/31/22-23:58:46.573613
SID:	2026737
Source Port:	56953
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.858304532829498 08/31/22-23:59:32.344904
SID:	2829498
Source Port:	58304
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.860752532829498 08/31/22-23:58:43.003278
SID:	2829498
Source Port:	60752
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.865514532026737 08/31/22-23:59:20.740564
SID:	2026737
Source Port:	65514
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.860829532829498 08/31/22-23:59:53.975918
SID:	2829498
Source Port:	60829
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.862053532829498 08/31/22-23:58:21.721380
SID:	2829498
Source Port:	62053
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.856621532026737 09/01/22-00:00:02.160962
SID:	2026737
Source Port:	56621
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: gI5xZdIxUs.exe	Virustotal: Detection: 85%	Perma Link
Source: gI5xZdIxUs.exe	Metadefender: Detection: 74%	Perma Link
Source: gI5xZdIxUs.exe	ReversingLabs: Detection: 92%

Antivirus / Scanner detection for submitted sample

Source: gI5xZdIxUs.exe

Avira: detected

Multi AV Scanner detection for domain / URL

Source: dns1.soprodns.ru

Virustotal: Detection: 5%

Perma Link

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe

Avira: detection malicious, Label: TR/Dropper.Gen

Machine Learning detection for sample

Source: gI5xZdIxUs.exe

Joe Sandbox ML: detected

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe

Joe Sandbox ML: detected

Source: 1.2.gI5xZdIxUs.exe.fc60000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 14.0.isqmkp.exe.f9d0000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 20.2.isqmkp.exe.f9d0000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 14.2.isqmkp.exe.f9d0000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 1.0.gI5xZdIxUs.exe.fc60000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 20.0.isqmkp.exe.f9d0000.0.unpack	Avira: Label: TR/Dropper.Gen

Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	Code function: 1_2_0FC65880 VirtualAlloc,CryptBinaryToStringA,CryptBinaryToStringA,CryptBinaryToStringA,lstrlenA,lstrlenA,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrcatW,lstrcatW,lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenA,lstrlenW,MultiByteToWideChar,lstrcatW,lstrlenW,lstrlenA,lstrlenW,MultiByteToWideChar,lstrcatW,lstrlenW,lstrlenW,VirtualAlloc,lstrlenW,lstrlenW,_memset,lstrlenA,lstrlenA,CryptBinaryToStringA,GetLastError,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,MultiByteToWideChar,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	Code function: 1_2_0FC682A0 CryptAcquireContextW,VirtualAlloc,GetModuleHandleA,LoadLibraryA,GetProcAddress,CryptReleaseContext,VirtualFree,CryptReleaseContext,VirtualFree,
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	Code function: 1_2_0FC662B0 CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptGenKey,CryptExportKey,CryptExportKey,CryptDestroyKey,CryptReleaseContext,CryptAcquireContextW,
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	Code function: 1_2_0FC64950 Sleep,ExitProcess,CreateThread,WaitForSingleObject,TerminateThread,CloseHandle,VirtualAlloc,GetModuleFileNameW,VirtualFree,ExitProcess,Sleep,lstrlenA,VirtualAlloc,CryptStringToBinaryA,ExitProcess,InitializeCriticalSection,DeleteCriticalSection,VirtualAlloc,GetModuleFileNameW,VirtualFree,ShellExecuteW,ExitThread,
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	Code function: 1_2_0FC68150 CryptAcquireContextW,VirtualAlloc,GetModuleHandleA,LoadLibraryA,GetProcAddress,CryptReleaseContext,VirtualFree,CryptReleaseContext,VirtualFree,
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	Code function: 1_2_0FC65670 VirtualAlloc,wsprintfW,lstrlenW,lstrlenW,lstrlenW,_memset,lstrlenA,lstrlenW,lstrlenW,CryptBinaryToStringA,GetLastError,lstrlenA,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,VirtualFree,VirtualFree,VirtualFree,
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	Code function: 1_2_0FC65210 lstrlenA,VirtualAlloc,CryptStringToBinaryA,_memset,lstrlenA,lstrlenA,lstrlenA,VirtualAlloc,lstrcpyA,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,VirtualFree,GetLastError,
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	Code function: 1_2_0FC66530 EnterCriticalSection,CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptImportKey,CryptGetKeyParam,CryptEncrypt,GetLastError,CryptReleaseContext,LeaveCriticalSection,
Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe	Code function: 14_2_0F9D4950 Sleep,ExitProcess,CreateThread,WaitForSingleObject,TerminateThread,CloseHandle,VirtualAlloc,GetModuleFileNameW,VirtualFree,ExitProcess,Sleep,lstrlenA,VirtualAlloc,CryptStringToBinaryA,ExitProcess,InitializeCriticalSection,DeleteCriticalSection,VirtualAlloc,GetModuleFileNameW,VirtualFree,ShellExecuteW,ExitThread,
Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe	Code function: 14_2_0F9D5880 VirtualAlloc,CryptBinaryToStringA,CryptBinaryToStringA,CryptBinaryToStringA,lstrlenA,lstrlenA,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrcatW,lstrcatW,lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenA,lstrlenW,MultiByteToWideChar,lstrcatW,lstrlenW,lstrlenA,lstrlenW,MultiByteToWideChar,lstrcatW,lstrlenW,lstrlenW,VirtualAlloc,lstrlenW,lstrlenW,_memset,lstrlenA,lstrlenA,CryptBinaryToStringA,GetLastError,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,MultiByteToWideChar,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,
Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe	Code function: 14_2_0F9D62B0 CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptGenKey,CryptExportKey,CryptExportKey,CryptDestroyKey,CryptReleaseContext,CryptAcquireContextW,
Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe	Code function: 14_2_0F9D82A0 CryptAcquireContextW,VirtualAlloc,GetModuleHandleA,LoadLibraryA,GetProcAddress,CryptReleaseContext,VirtualFree,CryptReleaseContext,VirtualFree,
Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe	Code function: 14_2_0F9D5210 lstrlenA,VirtualAlloc,CryptStringToBinaryA,_memset,lstrlenA,lstrlenA,lstrlenA,VirtualAlloc,lstrcpyA,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,VirtualFree,GetLastError,
Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe	Code function: 14_2_0F9D6530 EnterCriticalSection,CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptImportKey,CryptGetKeyParam,CryptEncrypt,GetLastError,CryptReleaseContext,LeaveCriticalSection,
Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe	Code function: 14_2_0F9D8150 CryptAcquireContextW,VirtualAlloc,GetModuleHandleA,LoadLibraryA,GetProcAddress,CryptReleaseContext,VirtualFree,CryptReleaseContext,VirtualFree,
Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe	Code function: 14_2_0F9D5670 VirtualAlloc,wsprintfW,lstrlenW,lstrlenW,lstrlenW,_memset,lstrlenA,lstrlenW,lstrlenW,CryptBinaryToStringA,GetLastError,lstrlenA,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,VirtualFree,VirtualFree,VirtualFree,
Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe	Code function: 20_2_0F9D4950 Sleep,ExitProcess,CreateThread,WaitForSingleObject,TerminateThread,CloseHandle,VirtualAlloc,GetModuleFileNameW,VirtualFree,ExitProcess,Sleep,lstrlenA,VirtualAlloc,CryptStringToBinaryA,ExitProcess,InitializeCriticalSection,DeleteCriticalSection,VirtualAlloc,GetModuleFileNameW,VirtualFree,ShellExecuteW,ExitThread,
Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe	Code function: 20_2_0F9D5880 VirtualAlloc,CryptBinaryToStringA,CryptBinaryToStringA,CryptBinaryToStringA,lstrlenA,lstrlenA,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrcatW,lstrcatW,lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenA,lstrlenW,MultiByteToWideChar,lstrcatW,lstrlenW,lstrlenA,lstrlenW,MultiByteToWideChar,lstrcatW,lstrlenW,lstrlenW,VirtualAlloc,lstrlenW,lstrlenW,_memset,lstrlenA,lstrlenA,CryptBinaryToStringA,GetLastError,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,MultiByteToWideChar,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,
Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe	Code function: 20_2_0F9D62B0 CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptGenKey,CryptExportKey,CryptExportKey,CryptDestroyKey,CryptReleaseContext,CryptAcquireContextW,
Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe	Code function: 20_2_0F9D82A0 CryptAcquireContextW,VirtualAlloc,GetModuleHandleA,LoadLibraryA,GetProcAddress,CryptReleaseContext,VirtualFree,CryptReleaseContext,VirtualFree,
Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe	Code function: 20_2_0F9D5210 lstrlenA,VirtualAlloc,CryptStringToBinaryA,_memset,lstrlenA,lstrlenA,lstrlenA,VirtualAlloc,lstrcpyA,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,VirtualFree,GetLastError,
Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe	Code function: 20_2_0F9D6530 EnterCriticalSection,CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptImportKey,CryptGetKeyParam,CryptEncrypt,GetLastError,CryptReleaseContext,LeaveCriticalSection,
Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe	Code function: 20_2_0F9D8150 CryptAcquireContextW,VirtualAlloc,GetModuleHandleA,LoadLibraryA,GetProcAddress,CryptReleaseContext,VirtualFree,CryptReleaseContext,VirtualFree,
Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe	Code function: 20_2_0F9D5670 VirtualAlloc,wsprintfW,lstrlenW,lstrlenW,lstrlenW,_memset,lstrlenA,lstrlenW,lstrlenW,CryptBinaryToStringA,GetLastError,lstrlenA,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,VirtualFree,VirtualFree,VirtualFree,

Source: gI5xZdIxUs.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: gI5xZdIxUs.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH

Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	File opened: z:
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	File opened: x:
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	File opened: v:
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	File opened: t:
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	File opened: r:
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	File opened: p:
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	File opened: n:
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	File opened: l:
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	File opened: j:
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	File opened: h:
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	File opened: f:
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	File opened: b:
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	File opened: y:
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	File opened: w:
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	File opened: u:
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	File opened: s:
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	File opened: q:
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	File opened: o:
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	File opened: m:
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	File opened: k:
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	File opened: i:
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	File opened: g:
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	File opened: e:
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	File opened: a:

Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	Code function: 1_2_0FC66C90 lstrlenW,lstrcatW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcatW,lstrcatW,lstrcatW,FindNextFileW,FindClose,
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	Code function: 1_2_0FC66A40 lstrlenW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcatW,lstrlenW,lstrcmpW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,lstrlenA,VirtualFree,CloseHandle,lstrcmpW,FindNextFileW,FindClose,
Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe	Code function: 14_2_0F9D6C90 lstrlenW,lstrcatW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcatW,lstrcatW,lstrcatW,FindNextFileW,FindClose,
Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe	Code function: 14_2_0F9D6A40 lstrlenW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcatW,lstrlenW,lstrcmpW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,lstrlenA,VirtualFree,CloseHandle,lstrcmpW,FindNextFileW,FindClose,
Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe	Code function: 20_2_0F9D6C90 lstrlenW,lstrcatW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcatW,lstrcatW,lstrcatW,FindNextFileW,FindClose,
Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe	Code function: 20_2_0F9D6A40 lstrlenW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcatW,lstrlenW,lstrcmpW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,lstrlenA,VirtualFree,CloseHandle,lstrcmpW,FindNextFileW,FindClose,

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:52957 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:52958 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:52959 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:52960 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:60584 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:60585 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:60586 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:60587 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:62052 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:62053 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:62054 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:56043 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:59638 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:59639 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:59640 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:59641 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:65109 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:65110 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:65111 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:65112 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:58693 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:58694 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:58695 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:58696 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:60751 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:60752 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:60753 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:60754 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:56951 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:56952 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:56953 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:56954 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:65019 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:65020 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:65021 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:65022 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:53468 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:53469 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:53470 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:53471 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:61418 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:61419 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:61420 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:61421 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:65198 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:65199 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:65200 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:65201 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:53051 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:53052 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:53053 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:53054 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:60090 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:60091 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:60092 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:60093 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:53430 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:53431 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:53432 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:53433 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:65513 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:65514 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:65515 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:65516 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:51994 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:51995 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:51996 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:51997 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:58121 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:58122 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:58123 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:58124 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:58303 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:58304 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:58305 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:58306 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:63448 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:63449 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:63450 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:63451 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:65387 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:65388 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:65389 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:65390 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:54155 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:54156 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:54157 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:54158 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:50786 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:50787 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:50788 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:50789 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:64123 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:64124 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:64125 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:64126 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:60827 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:60828 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:60829 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:60830 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:49203 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:49204 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:49205 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:49206 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:60475 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:60476 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:60477 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:60478 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:56618 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:56619 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:56620 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:56621 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:57389 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:57390 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:57391 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:57392 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:50230 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:50231 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:50232 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:50233 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:52457 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:52458 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:52459 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:52460 -> 8.8.8.8:53

Contains functionality to determine the online IP of the system

Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	Code function: 1_2_0FC66E90 VirtualAlloc,VirtualAlloc,lstrlenW,lstrlenA,wsprintfW,VirtualFree,InternetCloseHandle, ipv4bot.whatismyipaddress.com
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	Code function: 1_2_0FC66E90 VirtualAlloc,VirtualAlloc,lstrlenW,lstrlenA,wsprintfW,VirtualFree,InternetCloseHandle, ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe	Code function: 14_2_0F9D6E90 VirtualAlloc,VirtualAlloc,lstrlenW,lstrlenA,wsprintfW,VirtualFree,InternetCloseHandle, ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe	Code function: 14_2_0F9D6E90 VirtualAlloc,VirtualAlloc,lstrlenW,lstrlenA,wsprintfW,VirtualFree,InternetCloseHandle, ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe	Code function: 20_2_0F9D6E90 VirtualAlloc,VirtualAlloc,lstrlenW,lstrlenA,wsprintfW,VirtualFree,InternetCloseHandle, ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe	Code function: 20_2_0F9D6E90 VirtualAlloc,VirtualAlloc,lstrlenW,lstrlenA,wsprintfW,VirtualFree,InternetCloseHandle, ipv4bot.whatismyipaddress.com

Found Tor onion address

Source: gI5xZdIxUs.exe, 00000001.00000002.537565986.000000000FC72000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: 4. Open link in tor browser: http://gdcbghvjyqy7jclk.onion/3a23db8448d3b2b
Source: gI5xZdIxUs.exe, 00000001.00000000.272303387.000000000FC72000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: 4. Open link in tor browser: http://gdcbghvjyqy7jclk.onion/3a23db8448d3b2b
Source: isqmkp.exe, 0000000E.00000000.307654244.000000000F9E2000.00000008.00000001.01000000.00000005.sdmp	String found in binary or memory: 4. Open link in tor browser: http://gdcbghvjyqy7jclk.onion/3a23db8448d3b2b
Source: isqmkp.exe, 00000014.00000002.325494839.000000000F9E2000.00000008.00000001.01000000.00000005.sdmp	String found in binary or memory: 4. Open link in tor browser: http://gdcbghvjyqy7jclk.onion/3a23db8448d3b2b
Source: gI5xZdIxUs.exe	String found in binary or memory: 4. Open link in tor browser: http://gdcbghvjyqy7jclk.onion/3a23db8448d3b2b
Source: isqmkp.exe.1.dr	String found in binary or memory: 4. Open link in tor browser: http://gdcbghvjyqy7jclk.onion/3a23db8448d3b2b

Uses nslookup.exe to query domains

Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns1.soprodns.ru
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns2.soprodns.ru
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns2.soprodns.ru
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns2.soprodns.ru
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns1.soprodns.ru
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns2.soprodns.ru
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns2.soprodns.ru
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns2.soprodns.ru
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns1.soprodns.ru
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns2.soprodns.ru
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns2.soprodns.ru
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns2.soprodns.ru
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns1.soprodns.ru
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns2.soprodns.ru
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns1.soprodns.ru
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns2.soprodns.ru
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns2.soprodns.ru
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns2.soprodns.ru
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns1.soprodns.ru
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns2.soprodns.ru
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns2.soprodns.ru
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns2.soprodns.ru
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns1.soprodns.ru
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns2.soprodns.ru
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns2.soprodns.ru
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns2.soprodns.ru
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns1.soprodns.ru
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns2.soprodns.ru

May check the online IP address of the machine

Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	DNS query: name: ipv4bot.whatismyipaddress.com

Performs many domain queries via nslookup

Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns2.soprodns.ru
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns1.soprodns.ru
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns2.soprodns.ru
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns2.soprodns.ru
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru

Source: gI5xZdIxUs.exe, isqmkp.exe.1.dr	String found in binary or memory: http://gdcbghvjyqy7jclk.onion/3a23db8448d3b2b
Source: gI5xZdIxUs.exe, 00000001.00000002.537080039.0000000000C7A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ipv4bot.whatismyipaddress.com/
Source: gI5xZdIxUs.exe, 00000001.00000002.537080039.0000000000C7A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ipv4bot.whatismyipaddress.com/4
Source: gI5xZdIxUs.exe, 00000001.00000002.537080039.0000000000C7A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ipv4bot.whatismyipaddress.com/a
Source: gI5xZdIxUs.exe, isqmkp.exe.1.dr	String found in binary or memory: https://tox.chat/download.html
Source: gI5xZdIxUs.exe, isqmkp.exe.1.dr	String found in binary or memory: https://www.torproject.org/

Source: unknown

DNS traffic detected: queries for: ipv4bot.whatismyipaddress.com

Source: C:\Users\user\Desktop\gI5xZdIxUs.exe

Code function: 1_2_0FC67EF0 lstrcatW,InternetCloseHandle,InternetConnectW,VirtualAlloc,wsprintfW,HttpOpenRequestW,HttpAddRequestHeadersW,HttpSendRequestW,InternetReadFile,InternetReadFile,GetLastError,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,VirtualFree,

Source: gI5xZdIxUs.exe, 00000001.00000002.537080039.0000000000C7A000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Spam, unwanted Advertisements and Ransom Demands

Yara detected Gandcrab

Source: Yara match	File source: gI5xZdIxUs.exe, type: SAMPLE
Source: Yara match	File source: 14.2.isqmkp.exe.f9d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.isqmkp.exe.f9d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.isqmkp.exe.f9d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.gI5xZdIxUs.exe.fc60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.0.isqmkp.exe.f9d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.gI5xZdIxUs.exe.fc60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000000.307654244.000000000F9E2000.00000008.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.325494839.000000000F9E2000.00000008.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000000.322638424.000000000F9E2000.00000008.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.315662109.000000000F9E2000.00000008.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.537565986.000000000FC72000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.272303387.000000000FC72000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: gI5xZdIxUs.exe PID: 5280, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: isqmkp.exe PID: 5464, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: isqmkp.exe PID: 1572, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe, type: DROPPED

Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	Code function: 1_2_0FC66530 EnterCriticalSection,CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptImportKey,CryptGetKeyParam,CryptEncrypt,GetLastError,CryptReleaseContext,LeaveCriticalSection,
Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe	Code function: 14_2_0F9D6530 EnterCriticalSection,CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptImportKey,CryptGetKeyParam,CryptEncrypt,GetLastError,CryptReleaseContext,LeaveCriticalSection,
Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe	Code function: 20_2_0F9D6530 EnterCriticalSection,CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptImportKey,CryptGetKeyParam,CryptEncrypt,GetLastError,CryptReleaseContext,LeaveCriticalSection,

Source: nslookup.exe

Process created: 42

System Summary

Malicious sample detected (through community Yara rule)

Source: gI5xZdIxUs.exe, type: SAMPLE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: gI5xZdIxUs.exe, type: SAMPLE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 14.2.isqmkp.exe.f9d0000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 14.2.isqmkp.exe.f9d0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 14.0.isqmkp.exe.f9d0000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 14.0.isqmkp.exe.f9d0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 20.2.isqmkp.exe.f9d0000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 20.2.isqmkp.exe.f9d0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 1.0.gI5xZdIxUs.exe.fc60000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 1.0.gI5xZdIxUs.exe.fc60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 20.0.isqmkp.exe.f9d0000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 20.0.isqmkp.exe.f9d0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 1.2.gI5xZdIxUs.exe.fc60000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 1.2.gI5xZdIxUs.exe.fc60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe, type: DROPPED	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe, type: DROPPED	Matched rule: Gandcrab Payload Author: kevoreilly

Source: gI5xZdIxUs.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: gI5xZdIxUs.exe, type: SAMPLE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: gI5xZdIxUs.exe, type: SAMPLE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: gI5xZdIxUs.exe, type: SAMPLE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: gI5xZdIxUs.exe, type: SAMPLE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 14.2.isqmkp.exe.f9d0000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 14.2.isqmkp.exe.f9d0000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 14.2.isqmkp.exe.f9d0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 14.2.isqmkp.exe.f9d0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 14.0.isqmkp.exe.f9d0000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 14.0.isqmkp.exe.f9d0000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 14.0.isqmkp.exe.f9d0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 14.0.isqmkp.exe.f9d0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 20.2.isqmkp.exe.f9d0000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 20.2.isqmkp.exe.f9d0000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 20.2.isqmkp.exe.f9d0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 20.2.isqmkp.exe.f9d0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 1.0.gI5xZdIxUs.exe.fc60000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 1.0.gI5xZdIxUs.exe.fc60000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 1.0.gI5xZdIxUs.exe.fc60000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 1.0.gI5xZdIxUs.exe.fc60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 20.0.isqmkp.exe.f9d0000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 20.0.isqmkp.exe.f9d0000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 20.0.isqmkp.exe.f9d0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 20.0.isqmkp.exe.f9d0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 1.2.gI5xZdIxUs.exe.fc60000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 1.2.gI5xZdIxUs.exe.fc60000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 1.2.gI5xZdIxUs.exe.fc60000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 1.2.gI5xZdIxUs.exe.fc60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: Process Memory Space: gI5xZdIxUs.exe PID: 5280, type: MEMORYSTR	Matched rule: HKTL_Meterpreter_inMemory date = 2020-06-29, author = netbiosX, Florian Roth, description = Detects Meterpreter in-memory, score = , reference = https://www.reddit.com/r/purpleteamsec/comments/hjux11/meterpreter_memory_indicators_detection_tooling/
Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe, type: DROPPED	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe, type: DROPPED	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe, type: DROPPED	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe, type: DROPPED	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload

Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	Code function: 1_2_0FC683C0
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	Code function: 1_2_0FC61C20
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	Code function: 1_2_0FC61020
Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe	Code function: 14_2_0F9D83C0
Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe	Code function: 14_2_0F9D1C20
Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe	Code function: 14_2_0F9D1020
Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe	Code function: 20_2_0F9D83C0
Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe	Code function: 20_2_0F9D1C20
Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe	Code function: 20_2_0F9D1020

Source: gI5xZdIxUs.exe	Virustotal: Detection: 85%
Source: gI5xZdIxUs.exe	Metadefender: Detection: 74%
Source: gI5xZdIxUs.exe	ReversingLabs: Detection: 92%

Source: gI5xZdIxUs.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\gI5xZdIxUs.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown	Process created: C:\Users\user\Desktop\gI5xZdIxUs.exe "C:\Users\user\Desktop\gI5xZdIxUs.exe"
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns1.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe "C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe"
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns2.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns2.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe "C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe"
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns2.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns1.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns2.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns2.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns2.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns1.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns2.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns2.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns2.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns1.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns2.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns1.soprodns.ru
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns2.soprodns.ru
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns2.soprodns.ru
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns2.soprodns.ru
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns1.soprodns.ru
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns2.soprodns.ru
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns2.soprodns.ru
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns2.soprodns.ru
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns1.soprodns.ru
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns2.soprodns.ru
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns2.soprodns.ru
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns2.soprodns.ru
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns1.soprodns.ru
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns2.soprodns.ru
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	Process created: unknown unknown

Source: C:\Users\user\Desktop\gI5xZdIxUs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Source: C:\Users\user\Desktop\gI5xZdIxUs.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe

Jump to behavior

Source: classification engine

Classification label: mal100.rans.troj.evad.winEXE@85/2@305/0

Source: C:\Users\user\Desktop\gI5xZdIxUs.exe

Code function: 1_2_0FC67330 VirtualAlloc,VirtualAlloc,GetUserNameW,VirtualAlloc,GetComputerNameW,wsprintfW,VirtualAlloc,wsprintfW,VirtualAlloc,RegOpenKeyExW,RegQueryValueExW,GetLastError,RegCloseKey,VirtualFree,VirtualAlloc,VirtualAlloc,wsprintfW,RegOpenKeyExW,RegQueryValueExW,GetLastError,RegCloseKey,lstrcmpiW,wsprintfW,VirtualFree,VirtualAlloc,VirtualAlloc,wsprintfW,GetNativeSystemInfo,VirtualAlloc,wsprintfW,ExitProcess,wsprintfW,VirtualAlloc,VirtualAlloc,GetWindowsDirectoryW,GetVolumeInformationW,lstrlenW,wsprintfW,lstrcatW,lstrcatW,GetModuleHandleW,GetProcAddress,lstrlenW,VirtualFree,lstrcatW,VirtualAlloc,GetDriveTypeW,lstrcatW,lstrcatW,lstrcatW,GetDiskFreeSpaceW,lstrlenW,wsprintfW,wsprintfW,lstrlenW,lstrlenW,wsprintfW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,lstrlenW,VirtualAlloc,VirtualFree,

Source: C:\Users\user\Desktop\gI5xZdIxUs.exe

Code function: 1_2_0FC646F0 CreateToolhelp32Snapshot,VirtualAlloc,Process32FirstW,CloseHandle,lstrcmpiW,OpenProcess,TerminateProcess,CloseHandle,CloseHandle,CloseHandle,Process32NextW,VirtualFree,FindCloseChangeNotification,

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4592:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1920:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1552:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6096:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5484:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5636:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5984:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1784:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4560:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1000:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5844:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4624:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5388:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1960:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5552:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:792:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1012:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5556:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6060:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5824:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:496:120:WilError_01
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\pc_group=WORKGROUP&ransom_id=342245cbb89b1482

Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: gI5xZdIxUs.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH

Data Obfuscation

Yara detected ReflectiveLoader

Source: Yara match	File source: gI5xZdIxUs.exe, type: SAMPLE
Source: Yara match	File source: 14.2.isqmkp.exe.f9d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.isqmkp.exe.f9d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.isqmkp.exe.f9d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.gI5xZdIxUs.exe.fc60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.0.isqmkp.exe.f9d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.gI5xZdIxUs.exe.fc60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000014.00000000.322631215.000000000F9DA000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.315651936.000000000F9DA000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.272296797.000000000FC6A000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000000.307645700.000000000F9DA000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.325486891.000000000F9DA000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.537541962.000000000FC6A000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: gI5xZdIxUs.exe PID: 5280, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: isqmkp.exe PID: 5464, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: isqmkp.exe PID: 1572, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe, type: DROPPED

Source: gI5xZdIxUs.exe	Static PE information: section name: .l2
Source: isqmkp.exe.1.dr	Static PE information: section name: .l2

Source: C:\Users\user\Desktop\gI5xZdIxUs.exe

Code function: 1_2_0FC682A0 CryptAcquireContextW,VirtualAlloc,GetModuleHandleA,LoadLibraryA,GetProcAddress,CryptReleaseContext,VirtualFree,CryptReleaseContext,VirtualFree,

Source: C:\Users\user\Desktop\gI5xZdIxUs.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe

Jump to dropped file

Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce bwduumgtptl	Jump to behavior
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce bwduumgtptl	Jump to behavior
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce bwduumgtptl	Jump to behavior
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce bwduumgtptl	Jump to behavior

Source: C:\Users\user\Desktop\gI5xZdIxUs.exe TID: 5052	Thread sleep count: 39 > 30
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe TID: 5052	Thread sleep time: -39000s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe	Evaded block: after key decision
Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe	Evaded block: after key decision

Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	Code function: EnumDeviceDrivers,K32EnumDeviceDrivers,VirtualAlloc,K32EnumDeviceDrivers,K32GetDeviceDriverBaseNameW,lstrcmpiW,VirtualFree,VirtualFree,
Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe	Code function: EnumDeviceDrivers,EnumDeviceDrivers,VirtualAlloc,EnumDeviceDrivers,GetDeviceDriverBaseNameW,lstrcmpiW,VirtualFree,VirtualFree,
Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe	Code function: EnumDeviceDrivers,EnumDeviceDrivers,VirtualAlloc,EnumDeviceDrivers,GetDeviceDriverBaseNameW,lstrcmpiW,VirtualFree,VirtualFree,

Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	Code function: 1_2_0FC66C90 lstrlenW,lstrcatW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcatW,lstrcatW,lstrcatW,FindNextFileW,FindClose,
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	Code function: 1_2_0FC66A40 lstrlenW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcatW,lstrlenW,lstrcmpW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,lstrlenA,VirtualFree,CloseHandle,lstrcmpW,FindNextFileW,FindClose,
Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe	Code function: 14_2_0F9D6C90 lstrlenW,lstrcatW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcatW,lstrcatW,lstrcatW,FindNextFileW,FindClose,
Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe	Code function: 14_2_0F9D6A40 lstrlenW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcatW,lstrlenW,lstrcmpW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,lstrlenA,VirtualFree,CloseHandle,lstrcmpW,FindNextFileW,FindClose,
Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe	Code function: 20_2_0F9D6C90 lstrlenW,lstrcatW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcatW,lstrcatW,lstrcatW,FindNextFileW,FindClose,
Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe	Code function: 20_2_0F9D6A40 lstrlenW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcatW,lstrlenW,lstrcmpW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,lstrlenA,VirtualFree,CloseHandle,lstrcmpW,FindNextFileW,FindClose,

Source: C:\Users\user\Desktop\gI5xZdIxUs.exe

System information queried: ModuleInformation

Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe	API call chain: ExitProcess graph end node

Source: gI5xZdIxUs.exe, 00000001.00000002.537080039.0000000000C7A000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllx

Source: C:\Users\user\Desktop\gI5xZdIxUs.exe

Code function: 1_2_0FC682A0 CryptAcquireContextW,VirtualAlloc,GetModuleHandleA,LoadLibraryA,GetProcAddress,CryptReleaseContext,VirtualFree,CryptReleaseContext,VirtualFree,

Source: C:\Users\user\Desktop\gI5xZdIxUs.exe

Code function: 1_2_0FC633E0 lstrlenA,lstrlenA,GetProcessHeap,HeapAlloc,lstrcpyA,ExitProcess,

Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	Code function: 1_2_0FC65EC0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe	Code function: 14_2_0F9D5EC0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe	Code function: 20_2_0F9D5EC0 mov eax, dword ptr fs:[00000030h]

Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns1.soprodns.ru
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns2.soprodns.ru
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns2.soprodns.ru
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns2.soprodns.ru
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns1.soprodns.ru
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns2.soprodns.ru
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns2.soprodns.ru
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns2.soprodns.ru
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns1.soprodns.ru
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns2.soprodns.ru
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns2.soprodns.ru
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns2.soprodns.ru
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns1.soprodns.ru
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns2.soprodns.ru
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	Process created: unknown unknown

Source: C:\Users\user\Desktop\gI5xZdIxUs.exe

Code function: 1_2_0FC63AA0 AllocateAndInitializeSid,GetModuleHandleA,GetProcAddress,FreeSid,

Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Users\user\Desktop\gI5xZdIxUs.exe

Code function: 1_2_0FC690A0 cpuid

Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0

Source: C:\Users\user\Desktop\gI5xZdIxUs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Source: C:\Users\user\Desktop\gI5xZdIxUs.exe

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
1 Replication Through Removable Media	2 Native API	1 Registry Run Keys / Startup Folder	11 Process Injection	1 Software Packing	1 Input Capture	11 Peripheral Device Discovery	1 Replication Through Removable Media	11 Archive Collected Data	Exfiltration Over Other Network Medium	1 Ingress Tool Transfer	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	1 Data Encrypted for Impact
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Registry Run Keys / Startup Folder	1 Masquerading	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	1 Input Capture	Exfiltration Over Bluetooth	2 Encrypted Channel	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	1 Virtualization/Sandbox Evasion	Security Account Manager	1 System Network Connections Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	1 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	11 Process Injection	NTDS	1 File and Directory Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	1 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	44 System Information Discovery	SSH	Keylogging	Data Transfer Size Limits	1 Proxy	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	11 Security Software Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	1 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	1 Process Discovery	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Masquerading	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	Invalid Code Signature	Network Sniffing	1 Remote System Discovery	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact
Compromise Software Dependencies and Development Tools	Windows Command Shell	Cron	Cron	Right-to-Left Override	Input Capture	2 System Network Configuration Discovery	Replication Through Removable Media	Remote Data Staging	Exfiltration Over Physical Medium	Mail Protocols			Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
gI5xZdIxUs.exe	86%	Virustotal		Browse
gI5xZdIxUs.exe	74%	Metadefender		Browse
gI5xZdIxUs.exe	93%	ReversingLabs	Win32.Ransomware.GandCrab
gI5xZdIxUs.exe	100%	Avira	TR/Dropper.Gen
gI5xZdIxUs.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe	100%	Avira	TR/Dropper.Gen
C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe	100%	Joe Sandbox ML

Unpacked PE Files

Source	Detection	Scanner	Label	Download
1.2.gI5xZdIxUs.exe.fc60000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
14.0.isqmkp.exe.f9d0000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
20.2.isqmkp.exe.f9d0000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
14.2.isqmkp.exe.f9d0000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
1.0.gI5xZdIxUs.exe.fc60000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
20.0.isqmkp.exe.f9d0000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File

Domains

Source	Detection	Scanner	Link
nomoreransom.coin	2%	Virustotal	Browse
nomoreransom.bit	1%	Virustotal	Browse
gandcrab.bit	2%	Virustotal	Browse
dns1.soprodns.ru	5%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
http://gdcbghvjyqy7jclk.onion/3a23db8448d3b2b	0%	URL Reputation	safe
https://tox.chat/download.html	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
nomoreransom.coin	unknown	unknown	true	2%, Virustotal, Browse	unknown
ipv4bot.whatismyipaddress.com	unknown	unknown	false		high
nomoreransom.bit	unknown	unknown	true	1%, Virustotal, Browse	unknown
gandcrab.bit	unknown	unknown	true	2%, Virustotal, Browse	unknown
dns1.soprodns.ru	unknown	unknown	true	5%, Virustotal, Browse	unknown
dns2.soprodns.ru	unknown	unknown	true		unknown
8.8.8.8.in-addr.arpa	unknown	unknown	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://ipv4bot.whatismyipaddress.com/a	gI5xZdIxUs.exe, 00000001.00000002.537080039.0000000000C7A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.torproject.org/	gI5xZdIxUs.exe, isqmkp.exe.1.dr	false		high
http://ipv4bot.whatismyipaddress.com/4	gI5xZdIxUs.exe, 00000001.00000002.537080039.0000000000C7A000.00000004.00000020.00020000.00000000.sdmp	false		high
http://gdcbghvjyqy7jclk.onion/3a23db8448d3b2b	gI5xZdIxUs.exe, isqmkp.exe.1.dr	true	URL Reputation: safe	unknown
http://ipv4bot.whatismyipaddress.com/	gI5xZdIxUs.exe, 00000001.00000002.537080039.0000000000C7A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://tox.chat/download.html	gI5xZdIxUs.exe, isqmkp.exe.1.dr	false	URL Reputation: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox Version:	35.0.0 Citrine
Analysis ID:	694566
Start date and time:	2022-08-31 23:56:48 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 9m 5s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	gI5xZdIxUs.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	62
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.rans.troj.evad.winEXE@85/2@305/0
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 100% (good quality ratio 96%) Quality average: 83.6% Quality standard deviation: 24.5%
HCA Information:	Successful, ratio: 99% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe Adjust boot time Enable AMSI

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, SgrmBroker.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 23.211.6.115, 23.211.4.86, 20.82.228.9
Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, eudb.ris.api.iris.microsoft.com, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, e1723.g.akamaiedge.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, e12564.dspb.akamaiedge.net, rp-consumer-prod-displaycatalog-geomap.trafficmanager.net, store-images.s-microsoft.com, neus2c-displaycatalog.frontdoor.bigcatalog.commerce.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
23:57:59	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce bwduumgtptl "C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe"
23:58:08	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\RunOnce bwduumgtptl "C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe"

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3853321935-2125563209-4053062332-1002\414045e2d09286d5db2581e0d955d358_d06ed635-68f6-4e9a-955c-4899f5f57b9a

Download File

Process:	C:\Users\user\Desktop\gI5xZdIxUs.exe
File Type:	data
Category:	dropped
Size (bytes):	2218
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	F97F9E17EAFDD0105A4E11BAFDE04B40
SHA1:	BA06A7ABE986A61B71889B80A6F9B02B22D40667
SHA-256:	4783424121E6C2F870DC931B374D20C62C764EDDC5769D2F536609ADC1226ABB
SHA-512:	778C4AAB55F6F0FE44DBC9A97F53B59EC8ED2E35901F77AFEBAEA57C738AD301412760709AB909B51335DDD7676CD8F8C1410C5751F2EF5CC74282BCD6C5F50E
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe

Download File

Process:	C:\Users\user\Desktop\gI5xZdIxUs.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	101710
Entropy (8bit):	5.97549755837271
Encrypted:	false
SSDEEP:	1536:dZZZZZZZZZZZZpXzzzzzzzzzzzzV9rXounV98hbHnAwfMqqU+2bbbAV2/S2LkvdQ:BBounVyFHpfMqqDL2/LkvdmYvQd2a
MD5:	F4758788F11A0DE8D11EB4B8C515FFBD
SHA1:	04C1326C595D62977F53037F91B3FB863D4039BA
SHA-256:	DFCE3F5E421DEAF40DAB26ABDF67D5873968DB47B6DDE38787B90FF2CEAB3C96
SHA-512:	49C27F1DFA7C78C99C9055772D04BC89CEA41DF2DF027A400C915195FC82E8904FD89974F30CC7FD484A998DB0AE4B6F5440B5BA02FC56D2BB1ECE98117FBC38
Malicious:	true
Yara Hits:	Rule: ReflectiveLoader, Description: Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe, Author: Florian Roth Rule: SUSP_RANSOMWARE_Indicator_Jul20, Description: Detects ransomware indicator, Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe, Author: Florian Roth Rule: JoeSecurity_Gandcrab, Description: Yara detected Gandcrab, Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe, Author: Joe Security Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_ReflectiveLoader, Description: detects Reflective DLL injection artifacts, Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe, Author: ditekSHen Rule: Gandcrab, Description: Gandcrab Payload, Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe, Author: kevoreilly
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This .R.Y6.m cannot be run in DOS mode....$........Tg..:4..:4..:4..4..:4..4..:4...4..:4..:4..:4...4..:4..;42.:4...4..:4...4..:4...4..:4...4..:4Rich..:4........PE..L....Z.Z.............................K.......................................p............@.............................U...8........`.......................P.......................................................................................text.............................. ..`.rdata...p.......r..................@..@.data........ ......................@....CRT.........0......................@..@.rsrc........@......................@..@.reloc.......P......................@..B.l2..........`......................@..@........................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	5.9754370991350365
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	gI5xZdIxUs.exe
File size:	101710
MD5:	98a12ec721c098842fbfd7384d5a72ae
SHA1:	9dfd7d1746c8ae943f3dced0f85f0e3c6f5084f3
SHA256:	f83457d173841c7e944bc60b00c197ca93c864893c71902cf1b1a36decdd30a4
SHA512:	a0b74851a36115822bf619a1a767cd76f57539a87dbbd4d452f309839f903ad7d94937a46acdcbc1e41bb50e381fe0fd2394122ec1260f05722a578030973ed8
SSDEEP:	1536:YZZZZZZZZZZZZpXzzzzzzzzzzzzV9rXounV98hbHnAwfMqqU+2bbbAV2/S2LkvdQ:WBounVyFHpfMqqDL2/LkvdmYvQd2a
TLSH:	F8A3490972E1A0A3E1E20679E5756EE5456E3C103F2496EB3993378D69728F0AD3B703
File Content Preview:	MZ......................@...............................................!..L.!This .<].e.m cannot be run in DOS mode....$.........Tg..:4..:4..:4...4..:4...4..:4...4..:4..:4..:4...4..:4..;42.:4...4..:4...4..:4...4..:4...4..:4Rich..:4........PE..L....Z.Z...

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General

Entrypoint:	0x10004bf0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x10000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH
Time Stamp:	0x5A8C5AD9 [Tue Feb 20 17:28:57 2018 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	6b11af918234585a966ca8fab046dc6c

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
sub esp, 0Ch
mov dword ptr [ebp-0Ch], 00000001h
mov eax, dword ptr [ebp+0Ch]
mov dword ptr [ebp-08h], eax
cmp dword ptr [ebp-08h], 01h
jmp 00007F0364768A56h
jmp 00007F0364768A7Ch
jmp 00007F0364768A7Ah
push 00000000h
push 00000000h
push 00000000h
push 10004950h
push 00000000h
push 00000000h
call dword ptr [1000A108h]
mov dword ptr [ebp-04h], eax
cmp dword ptr [ebp-04h], 00000000h
je 00007F0364768A5Ch
mov ecx, dword ptr [ebp-04h]
push ecx
call dword ptr [1000A10Ch]
mov eax, dword ptr [ebp-0Ch]
mov esp, ebp
pop ebp
retn 000Ch
int3
int3
push ebp
mov ebp, esp
sub esp, 5Ch
push esi
push 00000044h
lea eax, dword ptr [ebp-58h]
xorps xmm0, xmm0
push 00000000h
push eax
mov esi, ecx
movdqu dqword ptr [ebp-10h], xmm0
call 00007F036476CE07h
mov eax, dword ptr [10012A6Ch]
add esp, 0Ch
mov dword ptr [ebp-18h], eax
mov dword ptr [ebp-1Ch], eax
mov eax, dword ptr [10012A68h]
or dword ptr [ebp-2Ch], 00000101h
mov dword ptr [ebp-20h], eax
xor eax, eax
mov word ptr [ebp-28h], ax
lea eax, dword ptr [ebp-10h]
push eax
lea eax, dword ptr [ebp-58h]
mov dword ptr [ebp-58h], 00000044h
push eax
push 00000000h
push 00000000h
push 00000000h
push 00000001h
push 00000000h
push 00000000h
push esi
push 00000000h
call dword ptr [1000A164h]
test eax, eax
jne 00007F0364768A5Dh
call dword ptr [1000A064h]
pop esi
mov esp, ebp
pop ebp
ret
push dword ptr [ebp-10h]

Rich Headers

Programming Language:

[ C ] VS2013 build 21005
[IMP] VS2008 SP1 build 30729
[EXP] VS2013 build 21005
[RES] VS2013 build 21005
[LNK] VS2013 build 21005

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x104e0	0x55	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x10538	0xb4	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x16000	0x200	.l2
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x15000	0xac4	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xa000	0x1fc	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x82e8	0x8400	False	0.4593690814393939	data	6.340223357377212	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0xa000	0x70a6	0x7200	False	0.4923245614035088	data	6.181274430024402	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x12000	0xa80	0xc00	False	0.3160807291666667	data	3.1174892908286225	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.CRT	0x13000	0x4	0x200	False	0.033203125	data	0.06116285224115448	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x14000	0x1e0	0x200	False	0.52734375	data	4.7176788329467545	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x15000	0xac4	0xc00	False	0.7802734375	data	6.4568381269501165	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.l2	0x16000	0x200	0x200	False	0.52734375	data	4.7137725829467545	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_MANIFEST	0x16060	0x17d	XML 1.0 document text	English	United States

Imports

DLL	Import
KERNEL32.dll	SetFilePointer, GetFileAttributesW, ReadFile, GetLastError, MoveFileW, lstrcpyW, SetFileAttributesW, CreateMutexW, GetDriveTypeW, VerSetConditionMask, WaitForSingleObject, GetTickCount, InitializeCriticalSection, OpenProcess, GetSystemDirectoryW, TerminateThread, Sleep, TerminateProcess, VerifyVersionInfoW, WaitForMultipleObjects, DeleteCriticalSection, ExpandEnvironmentStringsW, lstrlenW, SetHandleInformation, lstrcatA, MultiByteToWideChar, CreatePipe, lstrcmpiA, Process32NextW, CreateToolhelp32Snapshot, LeaveCriticalSection, EnterCriticalSection, FindFirstFileW, lstrcmpW, FindClose, FindNextFileW, GetNativeSystemInfo, GetComputerNameW, GetDiskFreeSpaceW, GetWindowsDirectoryW, GetVolumeInformationW, LoadLibraryA, lstrcmpiW, VirtualFree, CreateThread, CloseHandle, lstrcatW, CreateFileMappingW, ExitThread, CreateFileW, GetModuleFileNameW, WriteFile, GetModuleHandleW, UnmapViewOfFile, MapViewOfFile, GetFileSize, GetEnvironmentVariableW, lstrcpyA, GetModuleHandleA, VirtualAlloc, GetProcAddress, Process32FirstW, GetTempPathW, GetProcessHeap, HeapFree, HeapAlloc, lstrlenA, CreateProcessW, ExitProcess, IsProcessorFeaturePresent
USER32.dll	BeginPaint, wsprintfW, TranslateMessage, LoadCursorW, LoadIconW, MessageBoxA, GetMessageW, EndPaint, DestroyWindow, RegisterClassExW, ShowWindow, CreateWindowExW, SendMessageW, DispatchMessageW, DefWindowProcW, UpdateWindow, GetForegroundWindow, SetWindowLongW
GDI32.dll	TextOutW
ADVAPI32.dll	FreeSid, RegSetValueExW, RegCreateKeyExW, RegCloseKey, CryptExportKey, CryptAcquireContextW, CryptGetKeyParam, CryptReleaseContext, CryptImportKey, CryptEncrypt, CryptGenKey, CryptDestroyKey, GetUserNameW, RegQueryValueExW, RegOpenKeyExW, AllocateAndInitializeSid
SHELL32.dll	ShellExecuteW, SHGetSpecialFolderPathW, ShellExecuteExW
CRYPT32.dll	CryptStringToBinaryA, CryptBinaryToStringA
WININET.dll	InternetCloseHandle, HttpAddRequestHeadersW, HttpSendRequestW, InternetConnectW, HttpOpenRequestW, InternetOpenW, InternetReadFile
PSAPI.DLL	EnumDeviceDrivers, GetDeviceDriverBaseNameW

Exports

Name	Ordinal	Address
_ReflectiveLoader@0	1	0x10005ec0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
192.168.2.38.8.8.860754532829498 08/31/22-23:58:43.044195	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	60754	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.850789532829498 08/31/22-23:59:48.239260	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	50789	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.858305532829498 08/31/22-23:59:32.365598	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	58305	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.865389532829498 08/31/22-23:59:40.892307	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	65389	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.849203532026737 08/31/22-23:59:56.322889	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	49203	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.856952532026737 08/31/22-23:58:46.555077	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	56952	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.853051532829498 08/31/22-23:59:12.297576	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	53051	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.853431532829498 08/31/22-23:59:18.287185	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	53431	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.865022532829498 08/31/22-23:58:54.690068	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	65022	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.861420532829498 08/31/22-23:59:01.493233	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	61420	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.851994532829498 08/31/22-23:59:24.206869	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	51994	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.860478532829498 08/31/22-23:59:59.939438	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	60478	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.865019532829498 08/31/22-23:58:54.630989	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	65019	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.850230532026737 09/01/22-00:00:07.433896	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	50230	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.860093532026737 08/31/22-23:59:14.413883	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	60093	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.858122532026737 08/31/22-23:59:27.247839	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	58122	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.865515532026737 08/31/22-23:59:20.761806	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	65515	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.852958532829498 08/31/22-23:58:07.331283	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	52958	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.854156532026737 08/31/22-23:59:42.281210	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	54156	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.865110532829498 08/31/22-23:58:33.358759	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	65110	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.853430532829498 08/31/22-23:59:18.269254	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	53430	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.858121532026737 08/31/22-23:59:27.189978	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	58121	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.865021532829498 08/31/22-23:58:54.669703	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	65021	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.858306532829498 08/31/22-23:59:32.396919	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	58306	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.864126532026737 08/31/22-23:59:50.649034	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	64126	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.858695532026737 08/31/22-23:58:36.600606	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	58695	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.861418532829498 08/31/22-23:59:01.454658	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	61418	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.865516532026737 08/31/22-23:59:20.780161	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	65516	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.865111532829498 08/31/22-23:58:33.379307	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	65111	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.865388532829498 08/31/22-23:59:40.874321	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	65388	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.858694532026737 08/31/22-23:58:36.580328	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	58694	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.854155532026737 08/31/22-23:59:42.262891	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	54155	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.852957532829498 08/31/22-23:58:07.312591	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	52957	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.849204532026737 08/31/22-23:59:56.342973	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	49204	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.860586532026737 08/31/22-23:58:15.043750	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	60586	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.850231532026737 09/01/22-00:00:07.455721	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	50231	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.852959532829498 08/31/22-23:58:07.365561	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	52959	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.862054532829498 08/31/22-23:58:21.744663	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	62054	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.859641532026737 08/31/22-23:58:24.944174	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	59641	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.859638532026737 08/31/22-23:58:24.884406	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	59638	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.865198532026737 08/31/22-23:59:03.441447	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	65198	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.865109532829498 08/31/22-23:58:33.338202	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	65109	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.852457532829498 09/01/22-00:00:11.310934	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	52457	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.860587532026737 08/31/22-23:58:15.064663	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	60587	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.853470532026737 08/31/22-23:58:56.772805	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	53470	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.856620532026737 09/01/22-00:00:02.142088	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	56620	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.858693532026737 08/31/22-23:58:36.550637	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	58693	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.858696532026737 08/31/22-23:58:36.619047	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	58696	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.856954532026737 08/31/22-23:58:46.594398	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	56954	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.849205532026737 08/31/22-23:59:56.360951	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	49205	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.856619532026737 09/01/22-00:00:02.120945	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	56619	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.851995532829498 08/31/22-23:59:24.227191	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	51995	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.861421532829498 08/31/22-23:59:01.511754	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	61421	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.852960532829498 08/31/22-23:58:07.384051	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	52960	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.865390532829498 08/31/22-23:59:40.910653	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	65390	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.853053532829498 08/31/22-23:59:12.348894	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	53053	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.854158532026737 08/31/22-23:59:42.322126	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	54158	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.860753532829498 08/31/22-23:58:43.024087	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	60753	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.857391532829498 09/01/22-00:00:05.158775	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	57391	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.858303532829498 08/31/22-23:59:32.323930	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	58303	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.860584532026737 08/31/22-23:58:15.004694	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	60584	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.858123532026737 08/31/22-23:59:27.268863	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	58123	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.860091532026737 08/31/22-23:59:14.371988	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	60091	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.865200532026737 08/31/22-23:59:03.482704	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	65200	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.853433532829498 08/31/22-23:59:18.325585	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	53433	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.850787532829498 08/31/22-23:59:48.189200	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	50787	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.860751532829498 08/31/22-23:58:42.984219	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	60751	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.850786532829498 08/31/22-23:59:48.168544	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	50786	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.853468532026737 08/31/22-23:58:56.731128	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	53468	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.849206532026737 08/31/22-23:59:56.381031	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	49206	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.860475532829498 08/31/22-23:59:59.877731	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	60475	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.863448532026737 08/31/22-23:59:36.563649	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	63448	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.851997532829498 08/31/22-23:59:24.265731	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	51997	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.856618532026737 09/01/22-00:00:02.100951	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	56618	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.853471532026737 08/31/22-23:58:56.793274	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	53471	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.853054532829498 08/31/22-23:59:12.369224	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	53054	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.852458532829498 09/01/22-00:00:11.330853	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	52458	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.865513532026737 08/31/22-23:59:20.720500	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	65513	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.860828532829498 08/31/22-23:59:53.952246	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	60828	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.864124532026737 08/31/22-23:59:50.605079	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	64124	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.862052532829498 08/31/22-23:58:21.699516	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	62052	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.857390532829498 09/01/22-00:00:05.138814	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	57390	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.850233532026737 09/01/22-00:00:07.502496	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	50233	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.860090532026737 08/31/22-23:59:14.353291	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	60090	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.852459532829498 09/01/22-00:00:11.350932	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	52459	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.860827532829498 08/31/22-23:59:53.930680	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	60827	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.853469532026737 08/31/22-23:58:56.749513	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	53469	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.850232532026737 09/01/22-00:00:07.481526	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	50232	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.865387532829498 08/31/22-23:59:40.854236	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	65387	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.863451532026737 08/31/22-23:59:36.620733	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	63451	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.864125532026737 08/31/22-23:59:50.625202	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	64125	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.860476532829498 08/31/22-23:59:59.898864	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	60476	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.854157532026737 08/31/22-23:59:42.301537	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	54157	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.857392532829498 09/01/22-00:00:05.176878	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	57392	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.852460532829498 09/01/22-00:00:11.371195	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	52460	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.857389532829498 09/01/22-00:00:05.118977	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	57389	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.856043532829498 08/31/22-23:58:21.768917	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	56043	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.853052532829498 08/31/22-23:59:12.328339	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	53052	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.861419532829498 08/31/22-23:59:01.474961	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	61419	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.851996532829498 08/31/22-23:59:24.245596	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	51996	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.853432532829498 08/31/22-23:59:18.305428	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	53432	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.860585532026737 08/31/22-23:58:15.025136	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	60585	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.863450532026737 08/31/22-23:59:36.602428	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	63450	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.860477532829498 08/31/22-23:59:59.919053	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	60477	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.856951532026737 08/31/22-23:58:46.526858	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	56951	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.865112532829498 08/31/22-23:58:33.402809	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	65112	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.865020532829498 08/31/22-23:58:54.651252	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	65020	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.863449532026737 08/31/22-23:59:36.584182	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	63449	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.865201532026737 08/31/22-23:59:03.503720	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	65201	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.860830532829498 08/31/22-23:59:53.997132	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	60830	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.859640532026737 08/31/22-23:58:24.925442	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	59640	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.864123532026737 08/31/22-23:59:50.576561	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	64123	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.850788532829498 08/31/22-23:59:48.220006	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	50788	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.860092532026737 08/31/22-23:59:14.392903	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	60092	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.858124532026737 08/31/22-23:59:27.287358	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	58124	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.865199532026737 08/31/22-23:59:03.462712	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	65199	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.859639532026737 08/31/22-23:58:24.905091	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	59639	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.856953532026737 08/31/22-23:58:46.573613	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	56953	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.858304532829498 08/31/22-23:59:32.344904	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	58304	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.860752532829498 08/31/22-23:58:43.003278	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	60752	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.865514532026737 08/31/22-23:59:20.740564	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	65514	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.860829532829498 08/31/22-23:59:53.975918	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	60829	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.862053532829498 08/31/22-23:58:21.721380	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	62053	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.856621532026737 09/01/22-00:00:02.160962	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	56621	53	192.168.2.3	8.8.8.8

Network Port Distribution

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 31, 2022 23:58:02.760505915 CEST	49302	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:58:02.778575897 CEST	53	49302	8.8.8.8	192.168.2.3
Aug 31, 2022 23:58:04.036793947 CEST	53975	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:58:04.649065018 CEST	53	53975	8.8.8.8	192.168.2.3
Aug 31, 2022 23:58:04.671662092 CEST	53976	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:58:04.690844059 CEST	53	53976	8.8.8.8	192.168.2.3
Aug 31, 2022 23:58:04.692158937 CEST	53977	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:58:04.712151051 CEST	53	53977	8.8.8.8	192.168.2.3
Aug 31, 2022 23:58:04.718662977 CEST	53978	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:58:04.738368988 CEST	53	53978	8.8.8.8	192.168.2.3
Aug 31, 2022 23:58:04.739443064 CEST	53979	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:58:04.757306099 CEST	53	53979	8.8.8.8	192.168.2.3
Aug 31, 2022 23:58:04.757896900 CEST	53980	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:58:04.775638103 CEST	53	53980	8.8.8.8	192.168.2.3
Aug 31, 2022 23:58:07.165702105 CEST	52955	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:58:07.250682116 CEST	53	52955	8.8.8.8	192.168.2.3
Aug 31, 2022 23:58:07.294450998 CEST	52956	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:58:07.311570883 CEST	53	52956	8.8.8.8	192.168.2.3
Aug 31, 2022 23:58:07.312591076 CEST	52957	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:58:07.330202103 CEST	53	52957	8.8.8.8	192.168.2.3
Aug 31, 2022 23:58:07.331283092 CEST	52958	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:58:07.351011992 CEST	53	52958	8.8.8.8	192.168.2.3
Aug 31, 2022 23:58:07.365561008 CEST	52959	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:58:07.383272886 CEST	53	52959	8.8.8.8	192.168.2.3
Aug 31, 2022 23:58:07.384051085 CEST	52960	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:58:07.404005051 CEST	53	52960	8.8.8.8	192.168.2.3
Aug 31, 2022 23:58:13.881591082 CEST	60582	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:58:14.902959108 CEST	60582	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:58:14.937246084 CEST	53	60582	8.8.8.8	192.168.2.3
Aug 31, 2022 23:58:14.982489109 CEST	60583	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:58:15.000052929 CEST	53	60583	8.8.8.8	192.168.2.3
Aug 31, 2022 23:58:15.004693985 CEST	60584	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:58:15.024588108 CEST	53	60584	8.8.8.8	192.168.2.3
Aug 31, 2022 23:58:15.025135994 CEST	60585	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:58:15.043148041 CEST	53	60585	8.8.8.8	192.168.2.3
Aug 31, 2022 23:58:15.043750048 CEST	60586	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:58:15.064032078 CEST	53	60586	8.8.8.8	192.168.2.3
Aug 31, 2022 23:58:15.064662933 CEST	60587	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:58:15.082518101 CEST	53	60587	8.8.8.8	192.168.2.3
Aug 31, 2022 23:58:17.123805046 CEST	57134	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:58:18.161257982 CEST	57134	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:58:18.234639883 CEST	53	57134	8.8.8.8	192.168.2.3
Aug 31, 2022 23:58:18.235239029 CEST	53	57134	8.8.8.8	192.168.2.3
Aug 31, 2022 23:58:18.284126997 CEST	57135	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:58:18.303237915 CEST	53	57135	8.8.8.8	192.168.2.3
Aug 31, 2022 23:58:18.304316998 CEST	57136	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:58:18.324134111 CEST	53	57136	8.8.8.8	192.168.2.3
Aug 31, 2022 23:58:18.324816942 CEST	57137	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:58:18.344474077 CEST	53	57137	8.8.8.8	192.168.2.3
Aug 31, 2022 23:58:18.345424891 CEST	57138	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:58:18.363096952 CEST	53	57138	8.8.8.8	192.168.2.3
Aug 31, 2022 23:58:18.371185064 CEST	57139	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:58:18.391031981 CEST	53	57139	8.8.8.8	192.168.2.3
Aug 31, 2022 23:58:18.899728060 CEST	53	60582	8.8.8.8	192.168.2.3
Aug 31, 2022 23:58:20.518393040 CEST	62050	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:58:21.514583111 CEST	62050	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:58:21.646465063 CEST	53	62050	8.8.8.8	192.168.2.3
Aug 31, 2022 23:58:21.674954891 CEST	62051	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:58:21.675831079 CEST	53	62050	8.8.8.8	192.168.2.3
Aug 31, 2022 23:58:21.698769093 CEST	53	62051	8.8.8.8	192.168.2.3
Aug 31, 2022 23:58:21.699516058 CEST	62052	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:58:21.720890999 CEST	53	62052	8.8.8.8	192.168.2.3
Aug 31, 2022 23:58:21.721379995 CEST	62053	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:58:21.744118929 CEST	53	62053	8.8.8.8	192.168.2.3
Aug 31, 2022 23:58:21.744663000 CEST	62054	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:58:21.768213034 CEST	53	62054	8.8.8.8	192.168.2.3
Aug 31, 2022 23:58:21.768917084 CEST	56043	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:58:21.789768934 CEST	53	56043	8.8.8.8	192.168.2.3
Aug 31, 2022 23:58:23.738740921 CEST	59636	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:58:24.732259989 CEST	59636	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:58:24.804043055 CEST	53	59636	8.8.8.8	192.168.2.3
Aug 31, 2022 23:58:24.850137949 CEST	59637	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:58:24.869385004 CEST	53	59637	8.8.8.8	192.168.2.3
Aug 31, 2022 23:58:24.884406090 CEST	59638	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:58:24.904200077 CEST	53	59638	8.8.8.8	192.168.2.3
Aug 31, 2022 23:58:24.905091047 CEST	59639	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:58:24.924804926 CEST	53	59639	8.8.8.8	192.168.2.3
Aug 31, 2022 23:58:24.925441980 CEST	59640	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:58:24.943135023 CEST	53	59640	8.8.8.8	192.168.2.3
Aug 31, 2022 23:58:24.944174051 CEST	59641	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:58:24.964257956 CEST	53	59641	8.8.8.8	192.168.2.3
Aug 31, 2022 23:58:27.219465017 CEST	55638	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:58:27.255918026 CEST	53	55638	8.8.8.8	192.168.2.3
Aug 31, 2022 23:58:27.292717934 CEST	55639	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:58:27.311678886 CEST	53	55639	8.8.8.8	192.168.2.3
Aug 31, 2022 23:58:27.316054106 CEST	55640	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:58:27.336108923 CEST	53	55640	8.8.8.8	192.168.2.3
Aug 31, 2022 23:58:27.336745024 CEST	55641	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:58:27.355282068 CEST	53	55641	8.8.8.8	192.168.2.3
Aug 31, 2022 23:58:27.361900091 CEST	55642	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:58:27.381726027 CEST	53	55642	8.8.8.8	192.168.2.3
Aug 31, 2022 23:58:27.382469893 CEST	55643	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:58:27.402415991 CEST	53	55643	8.8.8.8	192.168.2.3
Aug 31, 2022 23:58:28.756191015 CEST	53	59636	8.8.8.8	192.168.2.3
Aug 31, 2022 23:58:32.660929918 CEST	60767	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:58:33.272780895 CEST	53	60767	8.8.8.8	192.168.2.3
Aug 31, 2022 23:58:33.320008993 CEST	65108	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:58:33.337179899 CEST	53	65108	8.8.8.8	192.168.2.3
Aug 31, 2022 23:58:33.338202000 CEST	65109	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:58:33.357716084 CEST	53	65109	8.8.8.8	192.168.2.3
Aug 31, 2022 23:58:33.358758926 CEST	65110	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:58:33.378457069 CEST	53	65110	8.8.8.8	192.168.2.3
Aug 31, 2022 23:58:33.379307032 CEST	65111	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:58:33.398911953 CEST	53	65111	8.8.8.8	192.168.2.3
Aug 31, 2022 23:58:33.402808905 CEST	65112	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:58:33.424699068 CEST	53	65112	8.8.8.8	192.168.2.3
Aug 31, 2022 23:58:35.661753893 CEST	58691	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:58:36.474462986 CEST	53	58691	8.8.8.8	192.168.2.3
Aug 31, 2022 23:58:36.532491922 CEST	58692	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:58:36.549562931 CEST	53	58692	8.8.8.8	192.168.2.3
Aug 31, 2022 23:58:36.550637007 CEST	58693	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:58:36.570236921 CEST	53	58693	8.8.8.8	192.168.2.3
Aug 31, 2022 23:58:36.580327988 CEST	58694	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:58:36.600003004 CEST	53	58694	8.8.8.8	192.168.2.3
Aug 31, 2022 23:58:36.600605965 CEST	58695	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:58:36.618398905 CEST	53	58695	8.8.8.8	192.168.2.3
Aug 31, 2022 23:58:36.619046926 CEST	58696	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:58:36.638629913 CEST	53	58696	8.8.8.8	192.168.2.3
Aug 31, 2022 23:58:38.594002962 CEST	53305	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:58:39.608630896 CEST	53305	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:58:39.644859076 CEST	53	53305	8.8.8.8	192.168.2.3
Aug 31, 2022 23:58:39.711462975 CEST	59434	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:58:39.735524893 CEST	53	59434	8.8.8.8	192.168.2.3
Aug 31, 2022 23:58:39.736547947 CEST	59435	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:58:39.759757996 CEST	53	59435	8.8.8.8	192.168.2.3
Aug 31, 2022 23:58:39.762542009 CEST	59436	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:58:39.798645973 CEST	53	59436	8.8.8.8	192.168.2.3
Aug 31, 2022 23:58:39.799617052 CEST	59437	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:58:39.823673964 CEST	53	59437	8.8.8.8	192.168.2.3
Aug 31, 2022 23:58:39.827074051 CEST	59438	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:58:39.854238987 CEST	53	59438	8.8.8.8	192.168.2.3
Aug 31, 2022 23:58:40.380073071 CEST	53	53305	8.8.8.8	192.168.2.3
Aug 31, 2022 23:58:41.899421930 CEST	60749	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:58:42.906723976 CEST	60749	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:58:42.943233967 CEST	53	60749	8.8.8.8	192.168.2.3
Aug 31, 2022 23:58:42.963799000 CEST	60750	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:58:42.983344078 CEST	53	60750	8.8.8.8	192.168.2.3
Aug 31, 2022 23:58:42.984219074 CEST	60751	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:58:43.002011061 CEST	53	60751	8.8.8.8	192.168.2.3
Aug 31, 2022 23:58:43.003278017 CEST	60752	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:58:43.023278952 CEST	53	60752	8.8.8.8	192.168.2.3
Aug 31, 2022 23:58:43.024086952 CEST	60753	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:58:43.043633938 CEST	53	60753	8.8.8.8	192.168.2.3
Aug 31, 2022 23:58:43.044194937 CEST	60754	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:58:43.062766075 CEST	53	60754	8.8.8.8	192.168.2.3
Aug 31, 2022 23:58:43.196578026 CEST	53	60749	8.8.8.8	192.168.2.3
Aug 31, 2022 23:58:45.860322952 CEST	56949	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:58:46.470341921 CEST	53	56949	8.8.8.8	192.168.2.3
Aug 31, 2022 23:58:46.506845951 CEST	56950	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:58:46.525938988 CEST	53	56950	8.8.8.8	192.168.2.3
Aug 31, 2022 23:58:46.526858091 CEST	56951	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:58:46.544490099 CEST	53	56951	8.8.8.8	192.168.2.3
Aug 31, 2022 23:58:46.555077076 CEST	56952	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:58:46.573009968 CEST	53	56952	8.8.8.8	192.168.2.3
Aug 31, 2022 23:58:46.573612928 CEST	56953	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:58:46.593744993 CEST	53	56953	8.8.8.8	192.168.2.3
Aug 31, 2022 23:58:46.594398022 CEST	56954	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:58:46.614161015 CEST	53	56954	8.8.8.8	192.168.2.3
Aug 31, 2022 23:58:52.439661980 CEST	53844	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:58:52.489172935 CEST	53	53844	8.8.8.8	192.168.2.3
Aug 31, 2022 23:58:52.509126902 CEST	53845	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:58:52.528167963 CEST	53	53845	8.8.8.8	192.168.2.3
Aug 31, 2022 23:58:52.529035091 CEST	53846	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:58:52.548969030 CEST	53	53846	8.8.8.8	192.168.2.3
Aug 31, 2022 23:58:52.552397013 CEST	53847	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:58:52.570151091 CEST	53	53847	8.8.8.8	192.168.2.3
Aug 31, 2022 23:58:52.570688963 CEST	53848	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:58:52.590229988 CEST	53	53848	8.8.8.8	192.168.2.3
Aug 31, 2022 23:58:52.590786934 CEST	53849	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:58:52.608671904 CEST	53	53849	8.8.8.8	192.168.2.3
Aug 31, 2022 23:58:54.559582949 CEST	65017	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:58:54.588342905 CEST	53	65017	8.8.8.8	192.168.2.3
Aug 31, 2022 23:58:54.611123085 CEST	65018	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:58:54.628262997 CEST	53	65018	8.8.8.8	192.168.2.3
Aug 31, 2022 23:58:54.630989075 CEST	65019	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:58:54.650563002 CEST	53	65019	8.8.8.8	192.168.2.3
Aug 31, 2022 23:58:54.651252031 CEST	65020	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:58:54.668998957 CEST	53	65020	8.8.8.8	192.168.2.3
Aug 31, 2022 23:58:54.669703007 CEST	65021	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:58:54.689425945 CEST	53	65021	8.8.8.8	192.168.2.3
Aug 31, 2022 23:58:54.690068007 CEST	65022	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:58:54.709500074 CEST	53	65022	8.8.8.8	192.168.2.3
Aug 31, 2022 23:58:56.637871027 CEST	53466	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:58:56.674391985 CEST	53	53466	8.8.8.8	192.168.2.3
Aug 31, 2022 23:58:56.711035013 CEST	53467	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:58:56.730349064 CEST	53	53467	8.8.8.8	192.168.2.3
Aug 31, 2022 23:58:56.731127977 CEST	53468	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:58:56.748970032 CEST	53	53468	8.8.8.8	192.168.2.3
Aug 31, 2022 23:58:56.749512911 CEST	53469	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:58:56.769344091 CEST	53	53469	8.8.8.8	192.168.2.3
Aug 31, 2022 23:58:56.772804976 CEST	53470	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:58:56.792510033 CEST	53	53470	8.8.8.8	192.168.2.3
Aug 31, 2022 23:58:56.793273926 CEST	53471	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:58:56.812910080 CEST	53	53471	8.8.8.8	192.168.2.3
Aug 31, 2022 23:58:59.232460976 CEST	53623	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:58:59.266350985 CEST	53	53623	8.8.8.8	192.168.2.3
Aug 31, 2022 23:58:59.292783976 CEST	53624	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:58:59.311882973 CEST	53	53624	8.8.8.8	192.168.2.3
Aug 31, 2022 23:58:59.312763929 CEST	53625	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:58:59.332475901 CEST	53	53625	8.8.8.8	192.168.2.3
Aug 31, 2022 23:58:59.338818073 CEST	53626	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:58:59.356389046 CEST	53	53626	8.8.8.8	192.168.2.3
Aug 31, 2022 23:58:59.357353926 CEST	53627	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:58:59.374880075 CEST	53	53627	8.8.8.8	192.168.2.3
Aug 31, 2022 23:58:59.376303911 CEST	53628	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:58:59.394289017 CEST	53	53628	8.8.8.8	192.168.2.3
Aug 31, 2022 23:59:01.363595963 CEST	61416	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:59:01.399610996 CEST	53	61416	8.8.8.8	192.168.2.3
Aug 31, 2022 23:59:01.436424971 CEST	61417	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:59:01.453686953 CEST	53	61417	8.8.8.8	192.168.2.3
Aug 31, 2022 23:59:01.454658031 CEST	61418	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:59:01.474419117 CEST	53	61418	8.8.8.8	192.168.2.3
Aug 31, 2022 23:59:01.474961042 CEST	61419	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:59:01.492651939 CEST	53	61419	8.8.8.8	192.168.2.3
Aug 31, 2022 23:59:01.493232965 CEST	61420	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:59:01.511037111 CEST	53	61420	8.8.8.8	192.168.2.3
Aug 31, 2022 23:59:01.511754036 CEST	61421	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:59:01.529551029 CEST	53	61421	8.8.8.8	192.168.2.3
Aug 31, 2022 23:59:03.366775036 CEST	65196	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:59:03.405114889 CEST	53	65196	8.8.8.8	192.168.2.3
Aug 31, 2022 23:59:03.423759937 CEST	65197	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:59:03.440768003 CEST	53	65197	8.8.8.8	192.168.2.3
Aug 31, 2022 23:59:03.441447020 CEST	65198	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:59:03.461023092 CEST	53	65198	8.8.8.8	192.168.2.3
Aug 31, 2022 23:59:03.462712049 CEST	65199	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:59:03.482172012 CEST	53	65199	8.8.8.8	192.168.2.3
Aug 31, 2022 23:59:03.482703924 CEST	65200	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:59:03.502460003 CEST	53	65200	8.8.8.8	192.168.2.3
Aug 31, 2022 23:59:03.503720045 CEST	65201	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:59:03.521188974 CEST	53	65201	8.8.8.8	192.168.2.3
Aug 31, 2022 23:59:05.917948008 CEST	58708	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:59:06.501457930 CEST	53	58708	8.8.8.8	192.168.2.3
Aug 31, 2022 23:59:06.518330097 CEST	58709	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:59:06.537347078 CEST	53	58709	8.8.8.8	192.168.2.3
Aug 31, 2022 23:59:06.541033030 CEST	58710	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:59:06.560595989 CEST	53	58710	8.8.8.8	192.168.2.3
Aug 31, 2022 23:59:06.561108112 CEST	58711	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:59:06.581572056 CEST	53	58711	8.8.8.8	192.168.2.3
Aug 31, 2022 23:59:06.582118988 CEST	58712	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:59:06.599746943 CEST	53	58712	8.8.8.8	192.168.2.3
Aug 31, 2022 23:59:06.600199938 CEST	58713	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:59:06.617580891 CEST	53	58713	8.8.8.8	192.168.2.3
Aug 31, 2022 23:59:11.520944118 CEST	53049	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:59:12.252245903 CEST	53	53049	8.8.8.8	192.168.2.3
Aug 31, 2022 23:59:12.277647972 CEST	53050	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:59:12.296758890 CEST	53	53050	8.8.8.8	192.168.2.3
Aug 31, 2022 23:59:12.297575951 CEST	53051	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:59:12.317811966 CEST	53	53051	8.8.8.8	192.168.2.3
Aug 31, 2022 23:59:12.328339100 CEST	53052	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:59:12.348246098 CEST	53	53052	8.8.8.8	192.168.2.3
Aug 31, 2022 23:59:12.348893881 CEST	53053	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:59:12.368700981 CEST	53	53053	8.8.8.8	192.168.2.3
Aug 31, 2022 23:59:12.369224072 CEST	53054	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:59:12.389571905 CEST	53	53054	8.8.8.8	192.168.2.3
Aug 31, 2022 23:59:14.234563112 CEST	60088	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:59:14.311661005 CEST	53	60088	8.8.8.8	192.168.2.3
Aug 31, 2022 23:59:14.331684113 CEST	60089	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:59:14.352329969 CEST	53	60089	8.8.8.8	192.168.2.3
Aug 31, 2022 23:59:14.353291035 CEST	60090	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:59:14.371464014 CEST	53	60090	8.8.8.8	192.168.2.3
Aug 31, 2022 23:59:14.371988058 CEST	60091	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:59:14.392226934 CEST	53	60091	8.8.8.8	192.168.2.3
Aug 31, 2022 23:59:14.392903090 CEST	60092	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:59:14.412553072 CEST	53	60092	8.8.8.8	192.168.2.3
Aug 31, 2022 23:59:14.413882971 CEST	60093	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:59:14.435400963 CEST	53	60093	8.8.8.8	192.168.2.3
Aug 31, 2022 23:59:15.707844973 CEST	63562	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:59:15.756638050 CEST	53	63562	8.8.8.8	192.168.2.3
Aug 31, 2022 23:59:15.767276049 CEST	63563	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:59:15.786377907 CEST	53	63563	8.8.8.8	192.168.2.3
Aug 31, 2022 23:59:15.789041996 CEST	63564	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:59:15.808978081 CEST	53	63564	8.8.8.8	192.168.2.3
Aug 31, 2022 23:59:15.809427023 CEST	63565	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:59:15.827245951 CEST	53	63565	8.8.8.8	192.168.2.3
Aug 31, 2022 23:59:15.838541031 CEST	63566	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:59:15.856257915 CEST	53	63566	8.8.8.8	192.168.2.3
Aug 31, 2022 23:59:15.856786013 CEST	63567	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:59:15.874497890 CEST	53	63567	8.8.8.8	192.168.2.3
Aug 31, 2022 23:59:17.091232061 CEST	53428	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:59:18.080478907 CEST	53428	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:59:18.240111113 CEST	53	53428	8.8.8.8	192.168.2.3
Aug 31, 2022 23:59:18.249520063 CEST	53429	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:59:18.268676043 CEST	53	53429	8.8.8.8	192.168.2.3
Aug 31, 2022 23:59:18.269253969 CEST	53430	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:59:18.286752939 CEST	53	53430	8.8.8.8	192.168.2.3
Aug 31, 2022 23:59:18.287184954 CEST	53431	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:59:18.304971933 CEST	53	53431	8.8.8.8	192.168.2.3
Aug 31, 2022 23:59:18.305428028 CEST	53432	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:59:18.325037003 CEST	53	53432	8.8.8.8	192.168.2.3
Aug 31, 2022 23:59:18.325584888 CEST	53433	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:59:18.345073938 CEST	53	53433	8.8.8.8	192.168.2.3
Aug 31, 2022 23:59:18.697067022 CEST	53	53428	8.8.8.8	192.168.2.3
Aug 31, 2022 23:59:19.656590939 CEST	65511	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:59:20.653614998 CEST	65511	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:59:20.690124035 CEST	53	65511	8.8.8.8	192.168.2.3
Aug 31, 2022 23:59:20.699863911 CEST	65512	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:59:20.719475031 CEST	53	65512	8.8.8.8	192.168.2.3
Aug 31, 2022 23:59:20.720499992 CEST	65513	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:59:20.740108013 CEST	53	65513	8.8.8.8	192.168.2.3
Aug 31, 2022 23:59:20.740564108 CEST	65514	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:59:20.757486105 CEST	53	65511	8.8.8.8	192.168.2.3
Aug 31, 2022 23:59:20.760489941 CEST	53	65514	8.8.8.8	192.168.2.3
Aug 31, 2022 23:59:20.761806011 CEST	65515	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:59:20.779664040 CEST	53	65515	8.8.8.8	192.168.2.3
Aug 31, 2022 23:59:20.780160904 CEST	65516	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:59:20.799532890 CEST	53	65516	8.8.8.8	192.168.2.3
Aug 31, 2022 23:59:22.015532970 CEST	59820	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:59:22.145498037 CEST	53	59820	8.8.8.8	192.168.2.3
Aug 31, 2022 23:59:22.154289007 CEST	59821	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:59:22.173274994 CEST	53	59821	8.8.8.8	192.168.2.3
Aug 31, 2022 23:59:22.173866034 CEST	59822	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:59:22.191287994 CEST	53	59822	8.8.8.8	192.168.2.3
Aug 31, 2022 23:59:22.195880890 CEST	59823	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:59:22.215575933 CEST	53	59823	8.8.8.8	192.168.2.3
Aug 31, 2022 23:59:22.215950966 CEST	59824	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:59:22.235313892 CEST	53	59824	8.8.8.8	192.168.2.3
Aug 31, 2022 23:59:22.235685110 CEST	59825	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:59:22.255491972 CEST	53	59825	8.8.8.8	192.168.2.3
Aug 31, 2022 23:59:23.593552113 CEST	64823	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:59:24.179404020 CEST	53	64823	8.8.8.8	192.168.2.3
Aug 31, 2022 23:59:24.188785076 CEST	51993	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:59:24.206090927 CEST	53	51993	8.8.8.8	192.168.2.3
Aug 31, 2022 23:59:24.206868887 CEST	51994	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:59:24.226692915 CEST	53	51994	8.8.8.8	192.168.2.3
Aug 31, 2022 23:59:24.227190971 CEST	51995	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:59:24.245124102 CEST	53	51995	8.8.8.8	192.168.2.3
Aug 31, 2022 23:59:24.245595932 CEST	51996	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:59:24.265338898 CEST	53	51996	8.8.8.8	192.168.2.3
Aug 31, 2022 23:59:24.265731096 CEST	51997	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:59:24.285284042 CEST	53	51997	8.8.8.8	192.168.2.3
Aug 31, 2022 23:59:25.542416096 CEST	58119	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:59:26.630718946 CEST	58119	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:59:27.165951967 CEST	53	58119	8.8.8.8	192.168.2.3
Aug 31, 2022 23:59:27.172085047 CEST	58120	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:59:27.189124107 CEST	53	58120	8.8.8.8	192.168.2.3
Aug 31, 2022 23:59:27.189977884 CEST	58121	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:59:27.209870100 CEST	53	58121	8.8.8.8	192.168.2.3
Aug 31, 2022 23:59:27.247838974 CEST	58122	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:59:27.267399073 CEST	53	58122	8.8.8.8	192.168.2.3
Aug 31, 2022 23:59:27.268862963 CEST	58123	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:59:27.286777020 CEST	53	58123	8.8.8.8	192.168.2.3
Aug 31, 2022 23:59:27.287358046 CEST	58124	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:59:27.307277918 CEST	53	58124	8.8.8.8	192.168.2.3
Aug 31, 2022 23:59:27.705112934 CEST	53	58119	8.8.8.8	192.168.2.3
Aug 31, 2022 23:59:28.925348043 CEST	49166	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:59:30.260584116 CEST	49166	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:59:30.836324930 CEST	53	49166	8.8.8.8	192.168.2.3
Aug 31, 2022 23:59:30.844980955 CEST	49167	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:59:30.862699986 CEST	53	49167	8.8.8.8	192.168.2.3
Aug 31, 2022 23:59:30.866137028 CEST	49168	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:59:30.884212971 CEST	53	49168	8.8.8.8	192.168.2.3
Aug 31, 2022 23:59:30.884764910 CEST	49169	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:59:30.904670000 CEST	53	49169	8.8.8.8	192.168.2.3
Aug 31, 2022 23:59:30.905071974 CEST	49170	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:59:30.922668934 CEST	53	49170	8.8.8.8	192.168.2.3
Aug 31, 2022 23:59:30.923072100 CEST	49171	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:59:30.942532063 CEST	53	49171	8.8.8.8	192.168.2.3
Aug 31, 2022 23:59:32.146146059 CEST	53	49166	8.8.8.8	192.168.2.3
Aug 31, 2022 23:59:32.225573063 CEST	58301	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:59:32.299428940 CEST	53	58301	8.8.8.8	192.168.2.3
Aug 31, 2022 23:59:32.305984020 CEST	58302	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:59:32.323093891 CEST	53	58302	8.8.8.8	192.168.2.3
Aug 31, 2022 23:59:32.323930025 CEST	58303	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:59:32.343451023 CEST	53	58303	8.8.8.8	192.168.2.3
Aug 31, 2022 23:59:32.344903946 CEST	58304	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:59:32.364872932 CEST	53	58304	8.8.8.8	192.168.2.3
Aug 31, 2022 23:59:32.365597963 CEST	58305	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:59:32.385454893 CEST	53	58305	8.8.8.8	192.168.2.3
Aug 31, 2022 23:59:32.396919012 CEST	58306	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:59:32.415087938 CEST	53	58306	8.8.8.8	192.168.2.3
Aug 31, 2022 23:59:33.635987043 CEST	63446	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:59:34.632500887 CEST	63446	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:59:35.644903898 CEST	63446	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:59:36.530746937 CEST	53	63446	8.8.8.8	192.168.2.3
Aug 31, 2022 23:59:36.543714046 CEST	63447	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:59:36.563038111 CEST	53	63447	8.8.8.8	192.168.2.3
Aug 31, 2022 23:59:36.563648939 CEST	63448	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:59:36.583677053 CEST	53	63448	8.8.8.8	192.168.2.3
Aug 31, 2022 23:59:36.584182024 CEST	63449	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:59:36.602057934 CEST	53	63449	8.8.8.8	192.168.2.3
Aug 31, 2022 23:59:36.602427959 CEST	63450	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:59:36.620131016 CEST	53	63450	8.8.8.8	192.168.2.3
Aug 31, 2022 23:59:36.620733023 CEST	63451	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:59:36.640644073 CEST	53	63451	8.8.8.8	192.168.2.3
Aug 31, 2022 23:59:36.792453051 CEST	53	63446	8.8.8.8	192.168.2.3
Aug 31, 2022 23:59:37.851984024 CEST	49874	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:59:38.863599062 CEST	49874	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:59:39.088445902 CEST	53	63446	8.8.8.8	192.168.2.3
Aug 31, 2022 23:59:39.439719915 CEST	53	49874	8.8.8.8	192.168.2.3
Aug 31, 2022 23:59:39.448174953 CEST	49875	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:59:39.465456009 CEST	53	49875	8.8.8.8	192.168.2.3
Aug 31, 2022 23:59:39.465929985 CEST	49876	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:59:39.483722925 CEST	53	49876	8.8.8.8	192.168.2.3
Aug 31, 2022 23:59:39.484544992 CEST	49877	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:59:39.503002882 CEST	53	49877	8.8.8.8	192.168.2.3
Aug 31, 2022 23:59:39.503390074 CEST	49878	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:59:39.521054029 CEST	53	49878	8.8.8.8	192.168.2.3
Aug 31, 2022 23:59:39.521467924 CEST	49879	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:59:39.540900946 CEST	53	49879	8.8.8.8	192.168.2.3
Aug 31, 2022 23:59:39.567404985 CEST	53	49874	8.8.8.8	192.168.2.3
Aug 31, 2022 23:59:40.790900946 CEST	65385	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:59:40.827275038 CEST	53	65385	8.8.8.8	192.168.2.3
Aug 31, 2022 23:59:40.836529016 CEST	65386	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:59:40.853662968 CEST	53	65386	8.8.8.8	192.168.2.3
Aug 31, 2022 23:59:40.854235888 CEST	65387	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:59:40.873889923 CEST	53	65387	8.8.8.8	192.168.2.3
Aug 31, 2022 23:59:40.874320984 CEST	65388	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:59:40.891818047 CEST	53	65388	8.8.8.8	192.168.2.3
Aug 31, 2022 23:59:40.892307043 CEST	65389	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:59:40.909749031 CEST	53	65389	8.8.8.8	192.168.2.3
Aug 31, 2022 23:59:40.910653114 CEST	65390	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:59:40.930310965 CEST	53	65390	8.8.8.8	192.168.2.3
Aug 31, 2022 23:59:42.179858923 CEST	54153	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:59:42.224383116 CEST	53	54153	8.8.8.8	192.168.2.3
Aug 31, 2022 23:59:42.235496044 CEST	54154	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:59:42.254621983 CEST	53	54154	8.8.8.8	192.168.2.3
Aug 31, 2022 23:59:42.262891054 CEST	54155	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:59:42.280628920 CEST	53	54155	8.8.8.8	192.168.2.3
Aug 31, 2022 23:59:42.281209946 CEST	54156	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:59:42.301055908 CEST	53	54156	8.8.8.8	192.168.2.3
Aug 31, 2022 23:59:42.301537037 CEST	54157	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:59:42.321456909 CEST	53	54157	8.8.8.8	192.168.2.3
Aug 31, 2022 23:59:42.322125912 CEST	54158	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:59:42.341794014 CEST	53	54158	8.8.8.8	192.168.2.3
Aug 31, 2022 23:59:43.590250015 CEST	64602	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:59:44.583146095 CEST	64602	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:59:45.599035978 CEST	64602	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:59:45.634243011 CEST	53	64602	8.8.8.8	192.168.2.3
Aug 31, 2022 23:59:45.651026011 CEST	64603	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:59:45.670564890 CEST	53	64603	8.8.8.8	192.168.2.3
Aug 31, 2022 23:59:45.671057940 CEST	64604	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:59:45.691019058 CEST	53	64604	8.8.8.8	192.168.2.3
Aug 31, 2022 23:59:45.691448927 CEST	64605	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:59:45.711270094 CEST	53	64605	8.8.8.8	192.168.2.3
Aug 31, 2022 23:59:45.711695910 CEST	64606	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:59:45.729429960 CEST	53	64606	8.8.8.8	192.168.2.3
Aug 31, 2022 23:59:45.737027884 CEST	64607	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:59:45.756819010 CEST	53	64607	8.8.8.8	192.168.2.3
Aug 31, 2022 23:59:45.793020010 CEST	53	64602	8.8.8.8	192.168.2.3
Aug 31, 2022 23:59:46.698057890 CEST	53	64602	8.8.8.8	192.168.2.3
Aug 31, 2022 23:59:47.058562040 CEST	50784	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:59:48.075234890 CEST	50784	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:59:48.139800072 CEST	53	50784	8.8.8.8	192.168.2.3
Aug 31, 2022 23:59:48.150029898 CEST	50785	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:59:48.167660952 CEST	53	50785	8.8.8.8	192.168.2.3
Aug 31, 2022 23:59:48.168544054 CEST	50786	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:59:48.188586950 CEST	53	50786	8.8.8.8	192.168.2.3
Aug 31, 2022 23:59:48.189199924 CEST	50787	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:59:48.209095001 CEST	53	50787	8.8.8.8	192.168.2.3
Aug 31, 2022 23:59:48.220005989 CEST	50788	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:59:48.238341093 CEST	53	50788	8.8.8.8	192.168.2.3
Aug 31, 2022 23:59:48.239259958 CEST	50789	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:59:48.259392023 CEST	53	50789	8.8.8.8	192.168.2.3
Aug 31, 2022 23:59:48.697335958 CEST	53	50784	8.8.8.8	192.168.2.3
Aug 31, 2022 23:59:49.506455898 CEST	64121	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:59:50.521322966 CEST	64121	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:59:50.544496059 CEST	53	64121	8.8.8.8	192.168.2.3
Aug 31, 2022 23:59:50.556144953 CEST	64122	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:59:50.575448990 CEST	53	64122	8.8.8.8	192.168.2.3
Aug 31, 2022 23:59:50.576560974 CEST	64123	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:59:50.592947006 CEST	53	64121	8.8.8.8	192.168.2.3
Aug 31, 2022 23:59:50.596391916 CEST	53	64123	8.8.8.8	192.168.2.3
Aug 31, 2022 23:59:50.605078936 CEST	64124	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:59:50.624696016 CEST	53	64124	8.8.8.8	192.168.2.3
Aug 31, 2022 23:59:50.625201941 CEST	64125	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:59:50.648333073 CEST	53	64125	8.8.8.8	192.168.2.3
Aug 31, 2022 23:59:50.649034023 CEST	64126	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:59:50.668668032 CEST	53	64126	8.8.8.8	192.168.2.3
Aug 31, 2022 23:59:51.926340103 CEST	64967	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:59:51.954930067 CEST	53	64967	8.8.8.8	192.168.2.3
Aug 31, 2022 23:59:51.969147921 CEST	64968	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:59:51.988468885 CEST	53	64968	8.8.8.8	192.168.2.3
Aug 31, 2022 23:59:51.989362001 CEST	64969	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:59:52.008342981 CEST	53	64969	8.8.8.8	192.168.2.3
Aug 31, 2022 23:59:52.023263931 CEST	64970	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:59:52.042766094 CEST	53	64970	8.8.8.8	192.168.2.3
Aug 31, 2022 23:59:52.043279886 CEST	64971	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:59:52.062791109 CEST	53	64971	8.8.8.8	192.168.2.3
Aug 31, 2022 23:59:52.063211918 CEST	64972	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:59:52.083273888 CEST	53	64972	8.8.8.8	192.168.2.3
Aug 31, 2022 23:59:53.315284014 CEST	60825	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:59:53.888886929 CEST	53	60825	8.8.8.8	192.168.2.3
Aug 31, 2022 23:59:53.910933018 CEST	60826	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:59:53.930005074 CEST	53	60826	8.8.8.8	192.168.2.3
Aug 31, 2022 23:59:53.930680037 CEST	60827	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:59:53.951704979 CEST	53	60827	8.8.8.8	192.168.2.3
Aug 31, 2022 23:59:53.952245951 CEST	60828	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:59:53.972112894 CEST	53	60828	8.8.8.8	192.168.2.3
Aug 31, 2022 23:59:53.975918055 CEST	60829	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:59:53.996426105 CEST	53	60829	8.8.8.8	192.168.2.3
Aug 31, 2022 23:59:53.997132063 CEST	60830	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:59:54.017124891 CEST	53	60830	8.8.8.8	192.168.2.3
Aug 31, 2022 23:59:55.249011993 CEST	49201	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:59:56.259572983 CEST	49201	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:59:56.294773102 CEST	53	49201	8.8.8.8	192.168.2.3
Aug 31, 2022 23:59:56.303123951 CEST	49202	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:59:56.322354078 CEST	53	49202	8.8.8.8	192.168.2.3
Aug 31, 2022 23:59:56.322889090 CEST	49203	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:59:56.342601061 CEST	53	49203	8.8.8.8	192.168.2.3
Aug 31, 2022 23:59:56.342972994 CEST	49204	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:59:56.360450983 CEST	53	49204	8.8.8.8	192.168.2.3
Aug 31, 2022 23:59:56.360950947 CEST	49205	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:59:56.380527020 CEST	53	49205	8.8.8.8	192.168.2.3
Aug 31, 2022 23:59:56.381031036 CEST	49206	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:59:56.400538921 CEST	53	49206	8.8.8.8	192.168.2.3
Aug 31, 2022 23:59:56.951119900 CEST	53	49201	8.8.8.8	192.168.2.3
Aug 31, 2022 23:59:57.561789036 CEST	64936	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:59:57.635045052 CEST	53	64936	8.8.8.8	192.168.2.3
Aug 31, 2022 23:59:57.647419930 CEST	64937	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:59:57.666646004 CEST	53	64937	8.8.8.8	192.168.2.3
Aug 31, 2022 23:59:57.667177916 CEST	64938	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:59:57.687072039 CEST	53	64938	8.8.8.8	192.168.2.3
Aug 31, 2022 23:59:57.687539101 CEST	64939	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:59:57.705380917 CEST	53	64939	8.8.8.8	192.168.2.3
Aug 31, 2022 23:59:57.705862045 CEST	64940	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:59:57.725605011 CEST	53	64940	8.8.8.8	192.168.2.3
Aug 31, 2022 23:59:57.726016045 CEST	64941	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:59:57.745647907 CEST	53	64941	8.8.8.8	192.168.2.3
Aug 31, 2022 23:59:58.812098026 CEST	60473	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:59:59.818274021 CEST	60473	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:59:59.852207899 CEST	53	60473	8.8.8.8	192.168.2.3
Aug 31, 2022 23:59:59.859764099 CEST	60474	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:59:59.877156019 CEST	53	60474	8.8.8.8	192.168.2.3
Aug 31, 2022 23:59:59.877731085 CEST	60475	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:59:59.898338079 CEST	53	60475	8.8.8.8	192.168.2.3
Aug 31, 2022 23:59:59.898864031 CEST	60476	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:59:59.918551922 CEST	53	60476	8.8.8.8	192.168.2.3
Aug 31, 2022 23:59:59.919053078 CEST	60477	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:59:59.938997030 CEST	53	60477	8.8.8.8	192.168.2.3
Aug 31, 2022 23:59:59.939438105 CEST	60478	53	192.168.2.3	8.8.8.8
Aug 31, 2022 23:59:59.959988117 CEST	53	60478	8.8.8.8	192.168.2.3
Sep 1, 2022 00:00:01.037652969 CEST	59374	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:00:02.037312031 CEST	59374	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:00:02.071805954 CEST	53	59374	8.8.8.8	192.168.2.3
Sep 1, 2022 00:00:02.080656052 CEST	56617	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:00:02.100327969 CEST	53	56617	8.8.8.8	192.168.2.3
Sep 1, 2022 00:00:02.100950956 CEST	56618	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:00:02.120507956 CEST	53	56618	8.8.8.8	192.168.2.3
Sep 1, 2022 00:00:02.120944977 CEST	56619	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:00:02.141537905 CEST	53	56619	8.8.8.8	192.168.2.3
Sep 1, 2022 00:00:02.142087936 CEST	56620	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:00:02.160455942 CEST	53	56620	8.8.8.8	192.168.2.3
Sep 1, 2022 00:00:02.160962105 CEST	56621	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:00:02.179536104 CEST	53	56621	8.8.8.8	192.168.2.3
Sep 1, 2022 00:00:02.700483084 CEST	53	59374	8.8.8.8	192.168.2.3
Sep 1, 2022 00:00:03.267693043 CEST	61184	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:00:03.343596935 CEST	53	61184	8.8.8.8	192.168.2.3
Sep 1, 2022 00:00:03.353477001 CEST	61185	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:00:03.370637894 CEST	53	61185	8.8.8.8	192.168.2.3
Sep 1, 2022 00:00:03.371157885 CEST	61186	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:00:03.390731096 CEST	53	61186	8.8.8.8	192.168.2.3
Sep 1, 2022 00:00:03.391253948 CEST	61187	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:00:03.410953045 CEST	53	61187	8.8.8.8	192.168.2.3
Sep 1, 2022 00:00:03.411292076 CEST	61188	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:00:03.430705070 CEST	53	61188	8.8.8.8	192.168.2.3
Sep 1, 2022 00:00:03.431119919 CEST	61189	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:00:03.450587988 CEST	53	61189	8.8.8.8	192.168.2.3
Sep 1, 2022 00:00:03.829907894 CEST	53	60473	8.8.8.8	192.168.2.3
Sep 1, 2022 00:00:04.517784119 CEST	57387	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:00:05.091319084 CEST	53	57387	8.8.8.8	192.168.2.3
Sep 1, 2022 00:00:05.099412918 CEST	57388	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:00:05.118396044 CEST	53	57388	8.8.8.8	192.168.2.3
Sep 1, 2022 00:00:05.118977070 CEST	57389	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:00:05.138398886 CEST	53	57389	8.8.8.8	192.168.2.3
Sep 1, 2022 00:00:05.138813972 CEST	57390	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:00:05.158288956 CEST	53	57390	8.8.8.8	192.168.2.3
Sep 1, 2022 00:00:05.158775091 CEST	57391	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:00:05.176443100 CEST	53	57391	8.8.8.8	192.168.2.3
Sep 1, 2022 00:00:05.176877975 CEST	57392	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:00:05.194662094 CEST	53	57392	8.8.8.8	192.168.2.3
Sep 1, 2022 00:00:06.266103029 CEST	50228	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:00:07.256401062 CEST	50228	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:00:07.399528980 CEST	53	50228	8.8.8.8	192.168.2.3
Sep 1, 2022 00:00:07.412708044 CEST	50229	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:00:07.432984114 CEST	53	50229	8.8.8.8	192.168.2.3
Sep 1, 2022 00:00:07.433896065 CEST	50230	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:00:07.454828024 CEST	53	50230	8.8.8.8	192.168.2.3
Sep 1, 2022 00:00:07.455720901 CEST	50231	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:00:07.479063988 CEST	53	50231	8.8.8.8	192.168.2.3
Sep 1, 2022 00:00:07.481525898 CEST	50232	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:00:07.501718998 CEST	53	50232	8.8.8.8	192.168.2.3
Sep 1, 2022 00:00:07.502496004 CEST	50233	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:00:07.524806976 CEST	53	50233	8.8.8.8	192.168.2.3
Sep 1, 2022 00:00:07.918035030 CEST	53	50228	8.8.8.8	192.168.2.3
Sep 1, 2022 00:00:08.675157070 CEST	53269	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:00:09.687948942 CEST	53269	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:00:09.840522051 CEST	53	53269	8.8.8.8	192.168.2.3
Sep 1, 2022 00:00:09.849908113 CEST	53270	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:00:09.867008924 CEST	53	53270	8.8.8.8	192.168.2.3
Sep 1, 2022 00:00:09.867791891 CEST	53271	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:00:09.887459040 CEST	53	53271	8.8.8.8	192.168.2.3
Sep 1, 2022 00:00:09.889720917 CEST	59828	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:00:09.910227060 CEST	53	59828	8.8.8.8	192.168.2.3
Sep 1, 2022 00:00:09.911396027 CEST	59829	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:00:09.933176994 CEST	53	59829	8.8.8.8	192.168.2.3
Sep 1, 2022 00:00:09.936009884 CEST	59830	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:00:09.956068039 CEST	53	59830	8.8.8.8	192.168.2.3
Sep 1, 2022 00:00:11.257081985 CEST	51105	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:00:11.285418034 CEST	53	51105	8.8.8.8	192.168.2.3
Sep 1, 2022 00:00:11.291388988 CEST	52456	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:00:11.304387093 CEST	53	53269	8.8.8.8	192.168.2.3
Sep 1, 2022 00:00:11.310426950 CEST	53	52456	8.8.8.8	192.168.2.3
Sep 1, 2022 00:00:11.310934067 CEST	52457	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:00:11.330421925 CEST	53	52457	8.8.8.8	192.168.2.3
Sep 1, 2022 00:00:11.330852985 CEST	52458	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:00:11.350558043 CEST	53	52458	8.8.8.8	192.168.2.3
Sep 1, 2022 00:00:11.350931883 CEST	52459	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:00:11.370852947 CEST	53	52459	8.8.8.8	192.168.2.3
Sep 1, 2022 00:00:11.371195078 CEST	52460	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:00:11.388839006 CEST	53	52460	8.8.8.8	192.168.2.3

ICMP Packets

Timestamp	Source IP	Dest IP	Checksum	Code	Type
Aug 31, 2022 23:58:18.899866104 CEST	192.168.2.3	8.8.8.8	cff3	(Port unreachable)	Destination Unreachable
Aug 31, 2022 23:58:21.675904036 CEST	192.168.2.3	8.8.8.8	d030	(Port unreachable)	Destination Unreachable
Aug 31, 2022 23:58:28.756336927 CEST	192.168.2.3	8.8.8.8	cff3	(Port unreachable)	Destination Unreachable
Aug 31, 2022 23:58:40.380204916 CEST	192.168.2.3	8.8.8.8	d030	(Port unreachable)	Destination Unreachable
Aug 31, 2022 23:58:43.196728945 CEST	192.168.2.3	8.8.8.8	d030	(Port unreachable)	Destination Unreachable
Aug 31, 2022 23:59:18.697181940 CEST	192.168.2.3	8.8.8.8	d030	(Port unreachable)	Destination Unreachable
Aug 31, 2022 23:59:20.757663965 CEST	192.168.2.3	8.8.8.8	d030	(Port unreachable)	Destination Unreachable
Aug 31, 2022 23:59:27.705205917 CEST	192.168.2.3	8.8.8.8	d030	(Port unreachable)	Destination Unreachable
Aug 31, 2022 23:59:32.146743059 CEST	192.168.2.3	8.8.8.8	d030	(Port unreachable)	Destination Unreachable
Aug 31, 2022 23:59:36.792562962 CEST	192.168.2.3	8.8.8.8	d030	(Port unreachable)	Destination Unreachable
Aug 31, 2022 23:59:39.088548899 CEST	192.168.2.3	8.8.8.8	d030	(Port unreachable)	Destination Unreachable
Aug 31, 2022 23:59:45.793106079 CEST	192.168.2.3	8.8.8.8	d030	(Port unreachable)	Destination Unreachable
Aug 31, 2022 23:59:46.698131084 CEST	192.168.2.3	8.8.8.8	d030	(Port unreachable)	Destination Unreachable
Aug 31, 2022 23:59:48.699120045 CEST	192.168.2.3	8.8.8.8	d030	(Port unreachable)	Destination Unreachable
Aug 31, 2022 23:59:50.593031883 CEST	192.168.2.3	8.8.8.8	d030	(Port unreachable)	Destination Unreachable
Aug 31, 2022 23:59:56.952230930 CEST	192.168.2.3	8.8.8.8	d030	(Port unreachable)	Destination Unreachable
Sep 1, 2022 00:00:02.702019930 CEST	192.168.2.3	8.8.8.8	d030	(Port unreachable)	Destination Unreachable
Sep 1, 2022 00:00:03.830478907 CEST	192.168.2.3	8.8.8.8	cff3	(Port unreachable)	Destination Unreachable
Sep 1, 2022 00:00:07.922203064 CEST	192.168.2.3	8.8.8.8	d030	(Port unreachable)	Destination Unreachable
Sep 1, 2022 00:00:11.304521084 CEST	192.168.2.3	8.8.8.8	d030	(Port unreachable)	Destination Unreachable

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Aug 31, 2022 23:58:02.760505915 CEST	192.168.2.3	8.8.8.8	0xfb1f	Standard query (0)	ipv4bot.whatismyipaddress.com	A (IP address)	IN (0x0001)
Aug 31, 2022 23:58:04.036793947 CEST	192.168.2.3	8.8.8.8	0x837d	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:58:04.671662092 CEST	192.168.2.3	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:58:04.692158937 CEST	192.168.2.3	8.8.8.8	0x2	Standard query (0)	nomoreransom.coin	A (IP address)	IN (0x0001)
Aug 31, 2022 23:58:04.718662977 CEST	192.168.2.3	8.8.8.8	0x3	Standard query (0)	nomoreransom.coin	28	IN (0x0001)
Aug 31, 2022 23:58:04.739443064 CEST	192.168.2.3	8.8.8.8	0x4	Standard query (0)	nomoreransom.coin	A (IP address)	IN (0x0001)
Aug 31, 2022 23:58:04.757896900 CEST	192.168.2.3	8.8.8.8	0x5	Standard query (0)	nomoreransom.coin	28	IN (0x0001)
Aug 31, 2022 23:58:07.165702105 CEST	192.168.2.3	8.8.8.8	0xc956	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:58:07.294450998 CEST	192.168.2.3	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:58:07.312591076 CEST	192.168.2.3	8.8.8.8	0x2	Standard query (0)	nomoreransom.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:58:07.331283092 CEST	192.168.2.3	8.8.8.8	0x3	Standard query (0)	nomoreransom.bit	28	IN (0x0001)
Aug 31, 2022 23:58:07.365561008 CEST	192.168.2.3	8.8.8.8	0x4	Standard query (0)	nomoreransom.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:58:07.384051085 CEST	192.168.2.3	8.8.8.8	0x5	Standard query (0)	nomoreransom.bit	28	IN (0x0001)
Aug 31, 2022 23:58:13.881591082 CEST	192.168.2.3	8.8.8.8	0x17	Standard query (0)	dns2.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:58:14.902959108 CEST	192.168.2.3	8.8.8.8	0x17	Standard query (0)	dns2.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:58:14.982489109 CEST	192.168.2.3	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:58:15.004693985 CEST	192.168.2.3	8.8.8.8	0x2	Standard query (0)	gandcrab.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:58:15.025135994 CEST	192.168.2.3	8.8.8.8	0x3	Standard query (0)	gandcrab.bit	28	IN (0x0001)
Aug 31, 2022 23:58:15.043750048 CEST	192.168.2.3	8.8.8.8	0x4	Standard query (0)	gandcrab.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:58:15.064662933 CEST	192.168.2.3	8.8.8.8	0x5	Standard query (0)	gandcrab.bit	28	IN (0x0001)
Aug 31, 2022 23:58:17.123805046 CEST	192.168.2.3	8.8.8.8	0xbb4f	Standard query (0)	dns2.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:58:18.161257982 CEST	192.168.2.3	8.8.8.8	0xbb4f	Standard query (0)	dns2.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:58:18.284126997 CEST	192.168.2.3	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:58:18.304316998 CEST	192.168.2.3	8.8.8.8	0x2	Standard query (0)	nomoreransom.coin	A (IP address)	IN (0x0001)
Aug 31, 2022 23:58:18.324816942 CEST	192.168.2.3	8.8.8.8	0x3	Standard query (0)	nomoreransom.coin	28	IN (0x0001)
Aug 31, 2022 23:58:18.345424891 CEST	192.168.2.3	8.8.8.8	0x4	Standard query (0)	nomoreransom.coin	A (IP address)	IN (0x0001)
Aug 31, 2022 23:58:18.371185064 CEST	192.168.2.3	8.8.8.8	0x5	Standard query (0)	nomoreransom.coin	28	IN (0x0001)
Aug 31, 2022 23:58:20.518393040 CEST	192.168.2.3	8.8.8.8	0xccdb	Standard query (0)	dns2.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:58:21.514583111 CEST	192.168.2.3	8.8.8.8	0xccdb	Standard query (0)	dns2.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:58:21.674954891 CEST	192.168.2.3	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:58:21.699516058 CEST	192.168.2.3	8.8.8.8	0x2	Standard query (0)	nomoreransom.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:58:21.721379995 CEST	192.168.2.3	8.8.8.8	0x3	Standard query (0)	nomoreransom.bit	28	IN (0x0001)
Aug 31, 2022 23:58:21.744663000 CEST	192.168.2.3	8.8.8.8	0x4	Standard query (0)	nomoreransom.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:58:21.768917084 CEST	192.168.2.3	8.8.8.8	0x5	Standard query (0)	nomoreransom.bit	28	IN (0x0001)
Aug 31, 2022 23:58:23.738740921 CEST	192.168.2.3	8.8.8.8	0xea6e	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:58:24.732259989 CEST	192.168.2.3	8.8.8.8	0xea6e	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:58:24.850137949 CEST	192.168.2.3	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:58:24.884406090 CEST	192.168.2.3	8.8.8.8	0x2	Standard query (0)	gandcrab.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:58:24.905091047 CEST	192.168.2.3	8.8.8.8	0x3	Standard query (0)	gandcrab.bit	28	IN (0x0001)
Aug 31, 2022 23:58:24.925441980 CEST	192.168.2.3	8.8.8.8	0x4	Standard query (0)	gandcrab.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:58:24.944174051 CEST	192.168.2.3	8.8.8.8	0x5	Standard query (0)	gandcrab.bit	28	IN (0x0001)
Aug 31, 2022 23:58:27.219465017 CEST	192.168.2.3	8.8.8.8	0xa774	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:58:27.292717934 CEST	192.168.2.3	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:58:27.316054106 CEST	192.168.2.3	8.8.8.8	0x2	Standard query (0)	nomoreransom.coin	A (IP address)	IN (0x0001)
Aug 31, 2022 23:58:27.336745024 CEST	192.168.2.3	8.8.8.8	0x3	Standard query (0)	nomoreransom.coin	28	IN (0x0001)
Aug 31, 2022 23:58:27.361900091 CEST	192.168.2.3	8.8.8.8	0x4	Standard query (0)	nomoreransom.coin	A (IP address)	IN (0x0001)
Aug 31, 2022 23:58:27.382469893 CEST	192.168.2.3	8.8.8.8	0x5	Standard query (0)	nomoreransom.coin	28	IN (0x0001)
Aug 31, 2022 23:58:32.660929918 CEST	192.168.2.3	8.8.8.8	0xaf62	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:58:33.320008993 CEST	192.168.2.3	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:58:33.338202000 CEST	192.168.2.3	8.8.8.8	0x2	Standard query (0)	nomoreransom.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:58:33.358758926 CEST	192.168.2.3	8.8.8.8	0x3	Standard query (0)	nomoreransom.bit	28	IN (0x0001)
Aug 31, 2022 23:58:33.379307032 CEST	192.168.2.3	8.8.8.8	0x4	Standard query (0)	nomoreransom.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:58:33.402808905 CEST	192.168.2.3	8.8.8.8	0x5	Standard query (0)	nomoreransom.bit	28	IN (0x0001)
Aug 31, 2022 23:58:35.661753893 CEST	192.168.2.3	8.8.8.8	0xd7cb	Standard query (0)	dns2.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:58:36.532491922 CEST	192.168.2.3	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:58:36.550637007 CEST	192.168.2.3	8.8.8.8	0x2	Standard query (0)	gandcrab.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:58:36.580327988 CEST	192.168.2.3	8.8.8.8	0x3	Standard query (0)	gandcrab.bit	28	IN (0x0001)
Aug 31, 2022 23:58:36.600605965 CEST	192.168.2.3	8.8.8.8	0x4	Standard query (0)	gandcrab.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:58:36.619046926 CEST	192.168.2.3	8.8.8.8	0x5	Standard query (0)	gandcrab.bit	28	IN (0x0001)
Aug 31, 2022 23:58:38.594002962 CEST	192.168.2.3	8.8.8.8	0x3115	Standard query (0)	dns2.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:58:39.608630896 CEST	192.168.2.3	8.8.8.8	0x3115	Standard query (0)	dns2.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:58:39.711462975 CEST	192.168.2.3	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:58:39.736547947 CEST	192.168.2.3	8.8.8.8	0x2	Standard query (0)	nomoreransom.coin	A (IP address)	IN (0x0001)
Aug 31, 2022 23:58:39.762542009 CEST	192.168.2.3	8.8.8.8	0x3	Standard query (0)	nomoreransom.coin	28	IN (0x0001)
Aug 31, 2022 23:58:39.799617052 CEST	192.168.2.3	8.8.8.8	0x4	Standard query (0)	nomoreransom.coin	A (IP address)	IN (0x0001)
Aug 31, 2022 23:58:39.827074051 CEST	192.168.2.3	8.8.8.8	0x5	Standard query (0)	nomoreransom.coin	28	IN (0x0001)
Aug 31, 2022 23:58:41.899421930 CEST	192.168.2.3	8.8.8.8	0x4b60	Standard query (0)	dns2.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:58:42.906723976 CEST	192.168.2.3	8.8.8.8	0x4b60	Standard query (0)	dns2.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:58:42.963799000 CEST	192.168.2.3	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:58:42.984219074 CEST	192.168.2.3	8.8.8.8	0x2	Standard query (0)	nomoreransom.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:58:43.003278017 CEST	192.168.2.3	8.8.8.8	0x3	Standard query (0)	nomoreransom.bit	28	IN (0x0001)
Aug 31, 2022 23:58:43.024086952 CEST	192.168.2.3	8.8.8.8	0x4	Standard query (0)	nomoreransom.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:58:43.044194937 CEST	192.168.2.3	8.8.8.8	0x5	Standard query (0)	nomoreransom.bit	28	IN (0x0001)
Aug 31, 2022 23:58:45.860322952 CEST	192.168.2.3	8.8.8.8	0xc71c	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:58:46.506845951 CEST	192.168.2.3	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:58:46.526858091 CEST	192.168.2.3	8.8.8.8	0x2	Standard query (0)	gandcrab.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:58:46.555077076 CEST	192.168.2.3	8.8.8.8	0x3	Standard query (0)	gandcrab.bit	28	IN (0x0001)
Aug 31, 2022 23:58:46.573612928 CEST	192.168.2.3	8.8.8.8	0x4	Standard query (0)	gandcrab.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:58:46.594398022 CEST	192.168.2.3	8.8.8.8	0x5	Standard query (0)	gandcrab.bit	28	IN (0x0001)
Aug 31, 2022 23:58:52.439661980 CEST	192.168.2.3	8.8.8.8	0x4a62	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:58:52.509126902 CEST	192.168.2.3	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:58:52.529035091 CEST	192.168.2.3	8.8.8.8	0x2	Standard query (0)	nomoreransom.coin	A (IP address)	IN (0x0001)
Aug 31, 2022 23:58:52.552397013 CEST	192.168.2.3	8.8.8.8	0x3	Standard query (0)	nomoreransom.coin	28	IN (0x0001)
Aug 31, 2022 23:58:52.570688963 CEST	192.168.2.3	8.8.8.8	0x4	Standard query (0)	nomoreransom.coin	A (IP address)	IN (0x0001)
Aug 31, 2022 23:58:52.590786934 CEST	192.168.2.3	8.8.8.8	0x5	Standard query (0)	nomoreransom.coin	28	IN (0x0001)
Aug 31, 2022 23:58:54.559582949 CEST	192.168.2.3	8.8.8.8	0xcea6	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:58:54.611123085 CEST	192.168.2.3	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:58:54.630989075 CEST	192.168.2.3	8.8.8.8	0x2	Standard query (0)	nomoreransom.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:58:54.651252031 CEST	192.168.2.3	8.8.8.8	0x3	Standard query (0)	nomoreransom.bit	28	IN (0x0001)
Aug 31, 2022 23:58:54.669703007 CEST	192.168.2.3	8.8.8.8	0x4	Standard query (0)	nomoreransom.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:58:54.690068007 CEST	192.168.2.3	8.8.8.8	0x5	Standard query (0)	nomoreransom.bit	28	IN (0x0001)
Aug 31, 2022 23:58:56.637871027 CEST	192.168.2.3	8.8.8.8	0x98da	Standard query (0)	dns2.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:58:56.711035013 CEST	192.168.2.3	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:58:56.731127977 CEST	192.168.2.3	8.8.8.8	0x2	Standard query (0)	gandcrab.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:58:56.749512911 CEST	192.168.2.3	8.8.8.8	0x3	Standard query (0)	gandcrab.bit	28	IN (0x0001)
Aug 31, 2022 23:58:56.772804976 CEST	192.168.2.3	8.8.8.8	0x4	Standard query (0)	gandcrab.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:58:56.793273926 CEST	192.168.2.3	8.8.8.8	0x5	Standard query (0)	gandcrab.bit	28	IN (0x0001)
Aug 31, 2022 23:58:59.232460976 CEST	192.168.2.3	8.8.8.8	0xbf18	Standard query (0)	dns2.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:58:59.292783976 CEST	192.168.2.3	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:58:59.312763929 CEST	192.168.2.3	8.8.8.8	0x2	Standard query (0)	nomoreransom.coin	A (IP address)	IN (0x0001)
Aug 31, 2022 23:58:59.338818073 CEST	192.168.2.3	8.8.8.8	0x3	Standard query (0)	nomoreransom.coin	28	IN (0x0001)
Aug 31, 2022 23:58:59.357353926 CEST	192.168.2.3	8.8.8.8	0x4	Standard query (0)	nomoreransom.coin	A (IP address)	IN (0x0001)
Aug 31, 2022 23:58:59.376303911 CEST	192.168.2.3	8.8.8.8	0x5	Standard query (0)	nomoreransom.coin	28	IN (0x0001)
Aug 31, 2022 23:59:01.363595963 CEST	192.168.2.3	8.8.8.8	0x33a6	Standard query (0)	dns2.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:59:01.436424971 CEST	192.168.2.3	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:59:01.454658031 CEST	192.168.2.3	8.8.8.8	0x2	Standard query (0)	nomoreransom.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:59:01.474961042 CEST	192.168.2.3	8.8.8.8	0x3	Standard query (0)	nomoreransom.bit	28	IN (0x0001)
Aug 31, 2022 23:59:01.493232965 CEST	192.168.2.3	8.8.8.8	0x4	Standard query (0)	nomoreransom.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:59:01.511754036 CEST	192.168.2.3	8.8.8.8	0x5	Standard query (0)	nomoreransom.bit	28	IN (0x0001)
Aug 31, 2022 23:59:03.366775036 CEST	192.168.2.3	8.8.8.8	0x4894	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:59:03.423759937 CEST	192.168.2.3	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:59:03.441447020 CEST	192.168.2.3	8.8.8.8	0x2	Standard query (0)	gandcrab.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:59:03.462712049 CEST	192.168.2.3	8.8.8.8	0x3	Standard query (0)	gandcrab.bit	28	IN (0x0001)
Aug 31, 2022 23:59:03.482703924 CEST	192.168.2.3	8.8.8.8	0x4	Standard query (0)	gandcrab.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:59:03.503720045 CEST	192.168.2.3	8.8.8.8	0x5	Standard query (0)	gandcrab.bit	28	IN (0x0001)
Aug 31, 2022 23:59:05.917948008 CEST	192.168.2.3	8.8.8.8	0x428c	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:59:06.518330097 CEST	192.168.2.3	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:59:06.541033030 CEST	192.168.2.3	8.8.8.8	0x2	Standard query (0)	nomoreransom.coin	A (IP address)	IN (0x0001)
Aug 31, 2022 23:59:06.561108112 CEST	192.168.2.3	8.8.8.8	0x3	Standard query (0)	nomoreransom.coin	28	IN (0x0001)
Aug 31, 2022 23:59:06.582118988 CEST	192.168.2.3	8.8.8.8	0x4	Standard query (0)	nomoreransom.coin	A (IP address)	IN (0x0001)
Aug 31, 2022 23:59:06.600199938 CEST	192.168.2.3	8.8.8.8	0x5	Standard query (0)	nomoreransom.coin	28	IN (0x0001)
Aug 31, 2022 23:59:11.520944118 CEST	192.168.2.3	8.8.8.8	0xf42e	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:59:12.277647972 CEST	192.168.2.3	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:59:12.297575951 CEST	192.168.2.3	8.8.8.8	0x2	Standard query (0)	nomoreransom.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:59:12.328339100 CEST	192.168.2.3	8.8.8.8	0x3	Standard query (0)	nomoreransom.bit	28	IN (0x0001)
Aug 31, 2022 23:59:12.348893881 CEST	192.168.2.3	8.8.8.8	0x4	Standard query (0)	nomoreransom.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:59:12.369224072 CEST	192.168.2.3	8.8.8.8	0x5	Standard query (0)	nomoreransom.bit	28	IN (0x0001)
Aug 31, 2022 23:59:14.234563112 CEST	192.168.2.3	8.8.8.8	0x4340	Standard query (0)	dns2.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:59:14.331684113 CEST	192.168.2.3	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:59:14.353291035 CEST	192.168.2.3	8.8.8.8	0x2	Standard query (0)	gandcrab.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:59:14.371988058 CEST	192.168.2.3	8.8.8.8	0x3	Standard query (0)	gandcrab.bit	28	IN (0x0001)
Aug 31, 2022 23:59:14.392903090 CEST	192.168.2.3	8.8.8.8	0x4	Standard query (0)	gandcrab.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:59:14.413882971 CEST	192.168.2.3	8.8.8.8	0x5	Standard query (0)	gandcrab.bit	28	IN (0x0001)
Aug 31, 2022 23:59:15.707844973 CEST	192.168.2.3	8.8.8.8	0xca4b	Standard query (0)	dns2.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:59:15.767276049 CEST	192.168.2.3	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:59:15.789041996 CEST	192.168.2.3	8.8.8.8	0x2	Standard query (0)	nomoreransom.coin	A (IP address)	IN (0x0001)
Aug 31, 2022 23:59:15.809427023 CEST	192.168.2.3	8.8.8.8	0x3	Standard query (0)	nomoreransom.coin	28	IN (0x0001)
Aug 31, 2022 23:59:15.838541031 CEST	192.168.2.3	8.8.8.8	0x4	Standard query (0)	nomoreransom.coin	A (IP address)	IN (0x0001)
Aug 31, 2022 23:59:15.856786013 CEST	192.168.2.3	8.8.8.8	0x5	Standard query (0)	nomoreransom.coin	28	IN (0x0001)
Aug 31, 2022 23:59:17.091232061 CEST	192.168.2.3	8.8.8.8	0x160b	Standard query (0)	dns2.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:59:18.080478907 CEST	192.168.2.3	8.8.8.8	0x160b	Standard query (0)	dns2.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:59:18.249520063 CEST	192.168.2.3	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:59:18.269253969 CEST	192.168.2.3	8.8.8.8	0x2	Standard query (0)	nomoreransom.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:59:18.287184954 CEST	192.168.2.3	8.8.8.8	0x3	Standard query (0)	nomoreransom.bit	28	IN (0x0001)
Aug 31, 2022 23:59:18.305428028 CEST	192.168.2.3	8.8.8.8	0x4	Standard query (0)	nomoreransom.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:59:18.325584888 CEST	192.168.2.3	8.8.8.8	0x5	Standard query (0)	nomoreransom.bit	28	IN (0x0001)
Aug 31, 2022 23:59:19.656590939 CEST	192.168.2.3	8.8.8.8	0x9891	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:59:20.653614998 CEST	192.168.2.3	8.8.8.8	0x9891	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:59:20.699863911 CEST	192.168.2.3	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:59:20.720499992 CEST	192.168.2.3	8.8.8.8	0x2	Standard query (0)	gandcrab.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:59:20.740564108 CEST	192.168.2.3	8.8.8.8	0x3	Standard query (0)	gandcrab.bit	28	IN (0x0001)
Aug 31, 2022 23:59:20.761806011 CEST	192.168.2.3	8.8.8.8	0x4	Standard query (0)	gandcrab.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:59:20.780160904 CEST	192.168.2.3	8.8.8.8	0x5	Standard query (0)	gandcrab.bit	28	IN (0x0001)
Aug 31, 2022 23:59:22.015532970 CEST	192.168.2.3	8.8.8.8	0xc448	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:59:22.154289007 CEST	192.168.2.3	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:59:22.173866034 CEST	192.168.2.3	8.8.8.8	0x2	Standard query (0)	nomoreransom.coin	A (IP address)	IN (0x0001)
Aug 31, 2022 23:59:22.195880890 CEST	192.168.2.3	8.8.8.8	0x3	Standard query (0)	nomoreransom.coin	28	IN (0x0001)
Aug 31, 2022 23:59:22.215950966 CEST	192.168.2.3	8.8.8.8	0x4	Standard query (0)	nomoreransom.coin	A (IP address)	IN (0x0001)
Aug 31, 2022 23:59:22.235685110 CEST	192.168.2.3	8.8.8.8	0x5	Standard query (0)	nomoreransom.coin	28	IN (0x0001)
Aug 31, 2022 23:59:23.593552113 CEST	192.168.2.3	8.8.8.8	0x9641	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:59:24.188785076 CEST	192.168.2.3	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:59:24.206868887 CEST	192.168.2.3	8.8.8.8	0x2	Standard query (0)	nomoreransom.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:59:24.227190971 CEST	192.168.2.3	8.8.8.8	0x3	Standard query (0)	nomoreransom.bit	28	IN (0x0001)
Aug 31, 2022 23:59:24.245595932 CEST	192.168.2.3	8.8.8.8	0x4	Standard query (0)	nomoreransom.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:59:24.265731096 CEST	192.168.2.3	8.8.8.8	0x5	Standard query (0)	nomoreransom.bit	28	IN (0x0001)
Aug 31, 2022 23:59:25.542416096 CEST	192.168.2.3	8.8.8.8	0x72c8	Standard query (0)	dns2.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:59:26.630718946 CEST	192.168.2.3	8.8.8.8	0x72c8	Standard query (0)	dns2.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:59:27.172085047 CEST	192.168.2.3	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:59:27.189977884 CEST	192.168.2.3	8.8.8.8	0x2	Standard query (0)	gandcrab.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:59:27.247838974 CEST	192.168.2.3	8.8.8.8	0x3	Standard query (0)	gandcrab.bit	28	IN (0x0001)
Aug 31, 2022 23:59:27.268862963 CEST	192.168.2.3	8.8.8.8	0x4	Standard query (0)	gandcrab.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:59:27.287358046 CEST	192.168.2.3	8.8.8.8	0x5	Standard query (0)	gandcrab.bit	28	IN (0x0001)
Aug 31, 2022 23:59:28.925348043 CEST	192.168.2.3	8.8.8.8	0xbe66	Standard query (0)	dns2.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:59:30.260584116 CEST	192.168.2.3	8.8.8.8	0xbe66	Standard query (0)	dns2.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:59:30.844980955 CEST	192.168.2.3	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:59:30.866137028 CEST	192.168.2.3	8.8.8.8	0x2	Standard query (0)	nomoreransom.coin	A (IP address)	IN (0x0001)
Aug 31, 2022 23:59:30.884764910 CEST	192.168.2.3	8.8.8.8	0x3	Standard query (0)	nomoreransom.coin	28	IN (0x0001)
Aug 31, 2022 23:59:30.905071974 CEST	192.168.2.3	8.8.8.8	0x4	Standard query (0)	nomoreransom.coin	A (IP address)	IN (0x0001)
Aug 31, 2022 23:59:30.923072100 CEST	192.168.2.3	8.8.8.8	0x5	Standard query (0)	nomoreransom.coin	28	IN (0x0001)
Aug 31, 2022 23:59:32.225573063 CEST	192.168.2.3	8.8.8.8	0xc8b1	Standard query (0)	dns2.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:59:32.305984020 CEST	192.168.2.3	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:59:32.323930025 CEST	192.168.2.3	8.8.8.8	0x2	Standard query (0)	nomoreransom.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:59:32.344903946 CEST	192.168.2.3	8.8.8.8	0x3	Standard query (0)	nomoreransom.bit	28	IN (0x0001)
Aug 31, 2022 23:59:32.365597963 CEST	192.168.2.3	8.8.8.8	0x4	Standard query (0)	nomoreransom.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:59:32.396919012 CEST	192.168.2.3	8.8.8.8	0x5	Standard query (0)	nomoreransom.bit	28	IN (0x0001)
Aug 31, 2022 23:59:33.635987043 CEST	192.168.2.3	8.8.8.8	0x6b6b	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:59:34.632500887 CEST	192.168.2.3	8.8.8.8	0x6b6b	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:59:35.644903898 CEST	192.168.2.3	8.8.8.8	0x6b6b	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:59:36.543714046 CEST	192.168.2.3	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:59:36.563648939 CEST	192.168.2.3	8.8.8.8	0x2	Standard query (0)	gandcrab.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:59:36.584182024 CEST	192.168.2.3	8.8.8.8	0x3	Standard query (0)	gandcrab.bit	28	IN (0x0001)
Aug 31, 2022 23:59:36.602427959 CEST	192.168.2.3	8.8.8.8	0x4	Standard query (0)	gandcrab.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:59:36.620733023 CEST	192.168.2.3	8.8.8.8	0x5	Standard query (0)	gandcrab.bit	28	IN (0x0001)
Aug 31, 2022 23:59:37.851984024 CEST	192.168.2.3	8.8.8.8	0xbe0f	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:59:38.863599062 CEST	192.168.2.3	8.8.8.8	0xbe0f	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:59:39.448174953 CEST	192.168.2.3	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:59:39.465929985 CEST	192.168.2.3	8.8.8.8	0x2	Standard query (0)	nomoreransom.coin	A (IP address)	IN (0x0001)
Aug 31, 2022 23:59:39.484544992 CEST	192.168.2.3	8.8.8.8	0x3	Standard query (0)	nomoreransom.coin	28	IN (0x0001)
Aug 31, 2022 23:59:39.503390074 CEST	192.168.2.3	8.8.8.8	0x4	Standard query (0)	nomoreransom.coin	A (IP address)	IN (0x0001)
Aug 31, 2022 23:59:39.521467924 CEST	192.168.2.3	8.8.8.8	0x5	Standard query (0)	nomoreransom.coin	28	IN (0x0001)
Aug 31, 2022 23:59:40.790900946 CEST	192.168.2.3	8.8.8.8	0x3976	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:59:40.836529016 CEST	192.168.2.3	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:59:40.854235888 CEST	192.168.2.3	8.8.8.8	0x2	Standard query (0)	nomoreransom.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:59:40.874320984 CEST	192.168.2.3	8.8.8.8	0x3	Standard query (0)	nomoreransom.bit	28	IN (0x0001)
Aug 31, 2022 23:59:40.892307043 CEST	192.168.2.3	8.8.8.8	0x4	Standard query (0)	nomoreransom.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:59:40.910653114 CEST	192.168.2.3	8.8.8.8	0x5	Standard query (0)	nomoreransom.bit	28	IN (0x0001)
Aug 31, 2022 23:59:42.179858923 CEST	192.168.2.3	8.8.8.8	0x94a7	Standard query (0)	dns2.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:59:42.235496044 CEST	192.168.2.3	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:59:42.262891054 CEST	192.168.2.3	8.8.8.8	0x2	Standard query (0)	gandcrab.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:59:42.281209946 CEST	192.168.2.3	8.8.8.8	0x3	Standard query (0)	gandcrab.bit	28	IN (0x0001)
Aug 31, 2022 23:59:42.301537037 CEST	192.168.2.3	8.8.8.8	0x4	Standard query (0)	gandcrab.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:59:42.322125912 CEST	192.168.2.3	8.8.8.8	0x5	Standard query (0)	gandcrab.bit	28	IN (0x0001)
Aug 31, 2022 23:59:43.590250015 CEST	192.168.2.3	8.8.8.8	0x70ae	Standard query (0)	dns2.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:59:44.583146095 CEST	192.168.2.3	8.8.8.8	0x70ae	Standard query (0)	dns2.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:59:45.599035978 CEST	192.168.2.3	8.8.8.8	0x70ae	Standard query (0)	dns2.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:59:45.651026011 CEST	192.168.2.3	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:59:45.671057940 CEST	192.168.2.3	8.8.8.8	0x2	Standard query (0)	nomoreransom.coin	A (IP address)	IN (0x0001)
Aug 31, 2022 23:59:45.691448927 CEST	192.168.2.3	8.8.8.8	0x3	Standard query (0)	nomoreransom.coin	28	IN (0x0001)
Aug 31, 2022 23:59:45.711695910 CEST	192.168.2.3	8.8.8.8	0x4	Standard query (0)	nomoreransom.coin	A (IP address)	IN (0x0001)
Aug 31, 2022 23:59:45.737027884 CEST	192.168.2.3	8.8.8.8	0x5	Standard query (0)	nomoreransom.coin	28	IN (0x0001)
Aug 31, 2022 23:59:47.058562040 CEST	192.168.2.3	8.8.8.8	0xed4	Standard query (0)	dns2.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:59:48.075234890 CEST	192.168.2.3	8.8.8.8	0xed4	Standard query (0)	dns2.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:59:48.150029898 CEST	192.168.2.3	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:59:48.168544054 CEST	192.168.2.3	8.8.8.8	0x2	Standard query (0)	nomoreransom.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:59:48.189199924 CEST	192.168.2.3	8.8.8.8	0x3	Standard query (0)	nomoreransom.bit	28	IN (0x0001)
Aug 31, 2022 23:59:48.220005989 CEST	192.168.2.3	8.8.8.8	0x4	Standard query (0)	nomoreransom.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:59:48.239259958 CEST	192.168.2.3	8.8.8.8	0x5	Standard query (0)	nomoreransom.bit	28	IN (0x0001)
Aug 31, 2022 23:59:49.506455898 CEST	192.168.2.3	8.8.8.8	0xae84	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:59:50.521322966 CEST	192.168.2.3	8.8.8.8	0xae84	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:59:50.556144953 CEST	192.168.2.3	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:59:50.576560974 CEST	192.168.2.3	8.8.8.8	0x2	Standard query (0)	gandcrab.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:59:50.605078936 CEST	192.168.2.3	8.8.8.8	0x3	Standard query (0)	gandcrab.bit	28	IN (0x0001)
Aug 31, 2022 23:59:50.625201941 CEST	192.168.2.3	8.8.8.8	0x4	Standard query (0)	gandcrab.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:59:50.649034023 CEST	192.168.2.3	8.8.8.8	0x5	Standard query (0)	gandcrab.bit	28	IN (0x0001)
Aug 31, 2022 23:59:51.926340103 CEST	192.168.2.3	8.8.8.8	0x4be7	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:59:51.969147921 CEST	192.168.2.3	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:59:51.989362001 CEST	192.168.2.3	8.8.8.8	0x2	Standard query (0)	nomoreransom.coin	A (IP address)	IN (0x0001)
Aug 31, 2022 23:59:52.023263931 CEST	192.168.2.3	8.8.8.8	0x3	Standard query (0)	nomoreransom.coin	28	IN (0x0001)
Aug 31, 2022 23:59:52.043279886 CEST	192.168.2.3	8.8.8.8	0x4	Standard query (0)	nomoreransom.coin	A (IP address)	IN (0x0001)
Aug 31, 2022 23:59:52.063211918 CEST	192.168.2.3	8.8.8.8	0x5	Standard query (0)	nomoreransom.coin	28	IN (0x0001)
Aug 31, 2022 23:59:53.315284014 CEST	192.168.2.3	8.8.8.8	0x8b86	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:59:53.910933018 CEST	192.168.2.3	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:59:53.930680037 CEST	192.168.2.3	8.8.8.8	0x2	Standard query (0)	nomoreransom.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:59:53.952245951 CEST	192.168.2.3	8.8.8.8	0x3	Standard query (0)	nomoreransom.bit	28	IN (0x0001)
Aug 31, 2022 23:59:53.975918055 CEST	192.168.2.3	8.8.8.8	0x4	Standard query (0)	nomoreransom.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:59:53.997132063 CEST	192.168.2.3	8.8.8.8	0x5	Standard query (0)	nomoreransom.bit	28	IN (0x0001)
Aug 31, 2022 23:59:55.249011993 CEST	192.168.2.3	8.8.8.8	0x1e6d	Standard query (0)	dns2.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:59:56.259572983 CEST	192.168.2.3	8.8.8.8	0x1e6d	Standard query (0)	dns2.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:59:56.303123951 CEST	192.168.2.3	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:59:56.322889090 CEST	192.168.2.3	8.8.8.8	0x2	Standard query (0)	gandcrab.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:59:56.342972994 CEST	192.168.2.3	8.8.8.8	0x3	Standard query (0)	gandcrab.bit	28	IN (0x0001)
Aug 31, 2022 23:59:56.360950947 CEST	192.168.2.3	8.8.8.8	0x4	Standard query (0)	gandcrab.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:59:56.381031036 CEST	192.168.2.3	8.8.8.8	0x5	Standard query (0)	gandcrab.bit	28	IN (0x0001)
Aug 31, 2022 23:59:57.561789036 CEST	192.168.2.3	8.8.8.8	0x2252	Standard query (0)	dns2.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:59:57.647419930 CEST	192.168.2.3	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:59:57.667177916 CEST	192.168.2.3	8.8.8.8	0x2	Standard query (0)	nomoreransom.coin	A (IP address)	IN (0x0001)
Aug 31, 2022 23:59:57.687539101 CEST	192.168.2.3	8.8.8.8	0x3	Standard query (0)	nomoreransom.coin	28	IN (0x0001)
Aug 31, 2022 23:59:57.705862045 CEST	192.168.2.3	8.8.8.8	0x4	Standard query (0)	nomoreransom.coin	A (IP address)	IN (0x0001)
Aug 31, 2022 23:59:57.726016045 CEST	192.168.2.3	8.8.8.8	0x5	Standard query (0)	nomoreransom.coin	28	IN (0x0001)
Aug 31, 2022 23:59:58.812098026 CEST	192.168.2.3	8.8.8.8	0x82c8	Standard query (0)	dns2.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:59:59.818274021 CEST	192.168.2.3	8.8.8.8	0x82c8	Standard query (0)	dns2.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:59:59.859764099 CEST	192.168.2.3	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:59:59.877731085 CEST	192.168.2.3	8.8.8.8	0x2	Standard query (0)	nomoreransom.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:59:59.898864031 CEST	192.168.2.3	8.8.8.8	0x3	Standard query (0)	nomoreransom.bit	28	IN (0x0001)
Aug 31, 2022 23:59:59.919053078 CEST	192.168.2.3	8.8.8.8	0x4	Standard query (0)	nomoreransom.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:59:59.939438105 CEST	192.168.2.3	8.8.8.8	0x5	Standard query (0)	nomoreransom.bit	28	IN (0x0001)
Sep 1, 2022 00:00:01.037652969 CEST	192.168.2.3	8.8.8.8	0xb09	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Sep 1, 2022 00:00:02.037312031 CEST	192.168.2.3	8.8.8.8	0xb09	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Sep 1, 2022 00:00:02.080656052 CEST	192.168.2.3	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Sep 1, 2022 00:00:02.100950956 CEST	192.168.2.3	8.8.8.8	0x2	Standard query (0)	gandcrab.bit	A (IP address)	IN (0x0001)
Sep 1, 2022 00:00:02.120944977 CEST	192.168.2.3	8.8.8.8	0x3	Standard query (0)	gandcrab.bit	28	IN (0x0001)
Sep 1, 2022 00:00:02.142087936 CEST	192.168.2.3	8.8.8.8	0x4	Standard query (0)	gandcrab.bit	A (IP address)	IN (0x0001)
Sep 1, 2022 00:00:02.160962105 CEST	192.168.2.3	8.8.8.8	0x5	Standard query (0)	gandcrab.bit	28	IN (0x0001)
Sep 1, 2022 00:00:03.267693043 CEST	192.168.2.3	8.8.8.8	0xa990	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Sep 1, 2022 00:00:03.353477001 CEST	192.168.2.3	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Sep 1, 2022 00:00:03.371157885 CEST	192.168.2.3	8.8.8.8	0x2	Standard query (0)	nomoreransom.coin	A (IP address)	IN (0x0001)
Sep 1, 2022 00:00:03.391253948 CEST	192.168.2.3	8.8.8.8	0x3	Standard query (0)	nomoreransom.coin	28	IN (0x0001)
Sep 1, 2022 00:00:03.411292076 CEST	192.168.2.3	8.8.8.8	0x4	Standard query (0)	nomoreransom.coin	A (IP address)	IN (0x0001)
Sep 1, 2022 00:00:03.431119919 CEST	192.168.2.3	8.8.8.8	0x5	Standard query (0)	nomoreransom.coin	28	IN (0x0001)
Sep 1, 2022 00:00:04.517784119 CEST	192.168.2.3	8.8.8.8	0x31a	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Sep 1, 2022 00:00:05.099412918 CEST	192.168.2.3	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Sep 1, 2022 00:00:05.118977070 CEST	192.168.2.3	8.8.8.8	0x2	Standard query (0)	nomoreransom.bit	A (IP address)	IN (0x0001)
Sep 1, 2022 00:00:05.138813972 CEST	192.168.2.3	8.8.8.8	0x3	Standard query (0)	nomoreransom.bit	28	IN (0x0001)
Sep 1, 2022 00:00:05.158775091 CEST	192.168.2.3	8.8.8.8	0x4	Standard query (0)	nomoreransom.bit	A (IP address)	IN (0x0001)
Sep 1, 2022 00:00:05.176877975 CEST	192.168.2.3	8.8.8.8	0x5	Standard query (0)	nomoreransom.bit	28	IN (0x0001)
Sep 1, 2022 00:00:06.266103029 CEST	192.168.2.3	8.8.8.8	0xd96a	Standard query (0)	dns2.soprodns.ru	A (IP address)	IN (0x0001)
Sep 1, 2022 00:00:07.256401062 CEST	192.168.2.3	8.8.8.8	0xd96a	Standard query (0)	dns2.soprodns.ru	A (IP address)	IN (0x0001)
Sep 1, 2022 00:00:07.412708044 CEST	192.168.2.3	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Sep 1, 2022 00:00:07.433896065 CEST	192.168.2.3	8.8.8.8	0x2	Standard query (0)	gandcrab.bit	A (IP address)	IN (0x0001)
Sep 1, 2022 00:00:07.455720901 CEST	192.168.2.3	8.8.8.8	0x3	Standard query (0)	gandcrab.bit	28	IN (0x0001)
Sep 1, 2022 00:00:07.481525898 CEST	192.168.2.3	8.8.8.8	0x4	Standard query (0)	gandcrab.bit	A (IP address)	IN (0x0001)
Sep 1, 2022 00:00:07.502496004 CEST	192.168.2.3	8.8.8.8	0x5	Standard query (0)	gandcrab.bit	28	IN (0x0001)
Sep 1, 2022 00:00:08.675157070 CEST	192.168.2.3	8.8.8.8	0xa920	Standard query (0)	dns2.soprodns.ru	A (IP address)	IN (0x0001)
Sep 1, 2022 00:00:09.687948942 CEST	192.168.2.3	8.8.8.8	0xa920	Standard query (0)	dns2.soprodns.ru	A (IP address)	IN (0x0001)
Sep 1, 2022 00:00:09.849908113 CEST	192.168.2.3	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Sep 1, 2022 00:00:09.867791891 CEST	192.168.2.3	8.8.8.8	0x2	Standard query (0)	nomoreransom.coin	A (IP address)	IN (0x0001)
Sep 1, 2022 00:00:09.889720917 CEST	192.168.2.3	8.8.8.8	0x3	Standard query (0)	nomoreransom.coin	28	IN (0x0001)
Sep 1, 2022 00:00:09.911396027 CEST	192.168.2.3	8.8.8.8	0x4	Standard query (0)	nomoreransom.coin	A (IP address)	IN (0x0001)
Sep 1, 2022 00:00:09.936009884 CEST	192.168.2.3	8.8.8.8	0x5	Standard query (0)	nomoreransom.coin	28	IN (0x0001)
Sep 1, 2022 00:00:11.257081985 CEST	192.168.2.3	8.8.8.8	0xa868	Standard query (0)	dns2.soprodns.ru	A (IP address)	IN (0x0001)
Sep 1, 2022 00:00:11.291388988 CEST	192.168.2.3	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Sep 1, 2022 00:00:11.310934067 CEST	192.168.2.3	8.8.8.8	0x2	Standard query (0)	nomoreransom.bit	A (IP address)	IN (0x0001)
Sep 1, 2022 00:00:11.330852985 CEST	192.168.2.3	8.8.8.8	0x3	Standard query (0)	nomoreransom.bit	28	IN (0x0001)
Sep 1, 2022 00:00:11.350931883 CEST	192.168.2.3	8.8.8.8	0x4	Standard query (0)	nomoreransom.bit	A (IP address)	IN (0x0001)
Sep 1, 2022 00:00:11.371195078 CEST	192.168.2.3	8.8.8.8	0x5	Standard query (0)	nomoreransom.bit	28	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Aug 31, 2022 23:58:04.649065018 CEST	8.8.8.8	192.168.2.3	0x837d	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:58:04.690844059 CEST	8.8.8.8	192.168.2.3	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:58:04.712151051 CEST	8.8.8.8	192.168.2.3	0x2	Name error (3)	nomoreransom.coin	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:58:04.738368988 CEST	8.8.8.8	192.168.2.3	0x3	Name error (3)	nomoreransom.coin	none	none	28	IN (0x0001)
Aug 31, 2022 23:58:04.757306099 CEST	8.8.8.8	192.168.2.3	0x4	Name error (3)	nomoreransom.coin	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:58:04.775638103 CEST	8.8.8.8	192.168.2.3	0x5	Name error (3)	nomoreransom.coin	none	none	28	IN (0x0001)
Aug 31, 2022 23:58:07.250682116 CEST	8.8.8.8	192.168.2.3	0xc956	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:58:07.311570883 CEST	8.8.8.8	192.168.2.3	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:58:07.330202103 CEST	8.8.8.8	192.168.2.3	0x2	Name error (3)	nomoreransom.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:58:07.351011992 CEST	8.8.8.8	192.168.2.3	0x3	Name error (3)	nomoreransom.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:58:07.383272886 CEST	8.8.8.8	192.168.2.3	0x4	Name error (3)	nomoreransom.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:58:07.404005051 CEST	8.8.8.8	192.168.2.3	0x5	Name error (3)	nomoreransom.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:58:14.937246084 CEST	8.8.8.8	192.168.2.3	0x17	Name error (3)	dns2.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:58:15.000052929 CEST	8.8.8.8	192.168.2.3	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:58:15.024588108 CEST	8.8.8.8	192.168.2.3	0x2	Name error (3)	gandcrab.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:58:15.043148041 CEST	8.8.8.8	192.168.2.3	0x3	Name error (3)	gandcrab.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:58:15.064032078 CEST	8.8.8.8	192.168.2.3	0x4	Name error (3)	gandcrab.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:58:15.082518101 CEST	8.8.8.8	192.168.2.3	0x5	Name error (3)	gandcrab.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:58:18.234639883 CEST	8.8.8.8	192.168.2.3	0xbb4f	Name error (3)	dns2.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:58:18.235239029 CEST	8.8.8.8	192.168.2.3	0xbb4f	Name error (3)	dns2.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:58:18.303237915 CEST	8.8.8.8	192.168.2.3	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:58:18.324134111 CEST	8.8.8.8	192.168.2.3	0x2	Name error (3)	nomoreransom.coin	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:58:18.344474077 CEST	8.8.8.8	192.168.2.3	0x3	Name error (3)	nomoreransom.coin	none	none	28	IN (0x0001)
Aug 31, 2022 23:58:18.363096952 CEST	8.8.8.8	192.168.2.3	0x4	Name error (3)	nomoreransom.coin	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:58:18.391031981 CEST	8.8.8.8	192.168.2.3	0x5	Name error (3)	nomoreransom.coin	none	none	28	IN (0x0001)
Aug 31, 2022 23:58:18.899728060 CEST	8.8.8.8	192.168.2.3	0x17	Server failure (2)	dns2.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:58:21.646465063 CEST	8.8.8.8	192.168.2.3	0xccdb	Name error (3)	dns2.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:58:21.675831079 CEST	8.8.8.8	192.168.2.3	0xccdb	Name error (3)	dns2.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:58:21.698769093 CEST	8.8.8.8	192.168.2.3	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:58:21.720890999 CEST	8.8.8.8	192.168.2.3	0x2	Name error (3)	nomoreransom.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:58:21.744118929 CEST	8.8.8.8	192.168.2.3	0x3	Name error (3)	nomoreransom.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:58:21.768213034 CEST	8.8.8.8	192.168.2.3	0x4	Name error (3)	nomoreransom.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:58:21.789768934 CEST	8.8.8.8	192.168.2.3	0x5	Name error (3)	nomoreransom.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:58:24.804043055 CEST	8.8.8.8	192.168.2.3	0xea6e	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:58:24.869385004 CEST	8.8.8.8	192.168.2.3	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:58:24.904200077 CEST	8.8.8.8	192.168.2.3	0x2	Name error (3)	gandcrab.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:58:24.924804926 CEST	8.8.8.8	192.168.2.3	0x3	Name error (3)	gandcrab.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:58:24.943135023 CEST	8.8.8.8	192.168.2.3	0x4	Name error (3)	gandcrab.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:58:24.964257956 CEST	8.8.8.8	192.168.2.3	0x5	Name error (3)	gandcrab.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:58:27.255918026 CEST	8.8.8.8	192.168.2.3	0xa774	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:58:27.311678886 CEST	8.8.8.8	192.168.2.3	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:58:27.336108923 CEST	8.8.8.8	192.168.2.3	0x2	Name error (3)	nomoreransom.coin	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:58:27.355282068 CEST	8.8.8.8	192.168.2.3	0x3	Name error (3)	nomoreransom.coin	none	none	28	IN (0x0001)
Aug 31, 2022 23:58:27.381726027 CEST	8.8.8.8	192.168.2.3	0x4	Name error (3)	nomoreransom.coin	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:58:27.402415991 CEST	8.8.8.8	192.168.2.3	0x5	Name error (3)	nomoreransom.coin	none	none	28	IN (0x0001)
Aug 31, 2022 23:58:28.756191015 CEST	8.8.8.8	192.168.2.3	0xea6e	Server failure (2)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:58:33.272780895 CEST	8.8.8.8	192.168.2.3	0xaf62	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:58:33.337179899 CEST	8.8.8.8	192.168.2.3	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:58:33.357716084 CEST	8.8.8.8	192.168.2.3	0x2	Name error (3)	nomoreransom.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:58:33.378457069 CEST	8.8.8.8	192.168.2.3	0x3	Name error (3)	nomoreransom.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:58:33.398911953 CEST	8.8.8.8	192.168.2.3	0x4	Name error (3)	nomoreransom.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:58:33.424699068 CEST	8.8.8.8	192.168.2.3	0x5	Name error (3)	nomoreransom.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:58:36.474462986 CEST	8.8.8.8	192.168.2.3	0xd7cb	Name error (3)	dns2.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:58:36.549562931 CEST	8.8.8.8	192.168.2.3	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:58:36.570236921 CEST	8.8.8.8	192.168.2.3	0x2	Name error (3)	gandcrab.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:58:36.600003004 CEST	8.8.8.8	192.168.2.3	0x3	Name error (3)	gandcrab.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:58:36.618398905 CEST	8.8.8.8	192.168.2.3	0x4	Name error (3)	gandcrab.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:58:36.638629913 CEST	8.8.8.8	192.168.2.3	0x5	Name error (3)	gandcrab.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:58:39.644859076 CEST	8.8.8.8	192.168.2.3	0x3115	Name error (3)	dns2.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:58:39.735524893 CEST	8.8.8.8	192.168.2.3	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:58:39.759757996 CEST	8.8.8.8	192.168.2.3	0x2	Name error (3)	nomoreransom.coin	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:58:39.798645973 CEST	8.8.8.8	192.168.2.3	0x3	Name error (3)	nomoreransom.coin	none	none	28	IN (0x0001)
Aug 31, 2022 23:58:39.823673964 CEST	8.8.8.8	192.168.2.3	0x4	Name error (3)	nomoreransom.coin	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:58:39.854238987 CEST	8.8.8.8	192.168.2.3	0x5	Name error (3)	nomoreransom.coin	none	none	28	IN (0x0001)
Aug 31, 2022 23:58:40.380073071 CEST	8.8.8.8	192.168.2.3	0x3115	Name error (3)	dns2.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:58:42.943233967 CEST	8.8.8.8	192.168.2.3	0x4b60	Name error (3)	dns2.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:58:42.983344078 CEST	8.8.8.8	192.168.2.3	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:58:43.002011061 CEST	8.8.8.8	192.168.2.3	0x2	Name error (3)	nomoreransom.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:58:43.023278952 CEST	8.8.8.8	192.168.2.3	0x3	Name error (3)	nomoreransom.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:58:43.043633938 CEST	8.8.8.8	192.168.2.3	0x4	Name error (3)	nomoreransom.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:58:43.062766075 CEST	8.8.8.8	192.168.2.3	0x5	Name error (3)	nomoreransom.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:58:43.196578026 CEST	8.8.8.8	192.168.2.3	0x4b60	Name error (3)	dns2.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:58:46.470341921 CEST	8.8.8.8	192.168.2.3	0xc71c	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:58:46.525938988 CEST	8.8.8.8	192.168.2.3	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:58:46.544490099 CEST	8.8.8.8	192.168.2.3	0x2	Name error (3)	gandcrab.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:58:46.573009968 CEST	8.8.8.8	192.168.2.3	0x3	Name error (3)	gandcrab.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:58:46.593744993 CEST	8.8.8.8	192.168.2.3	0x4	Name error (3)	gandcrab.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:58:46.614161015 CEST	8.8.8.8	192.168.2.3	0x5	Name error (3)	gandcrab.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:58:52.489172935 CEST	8.8.8.8	192.168.2.3	0x4a62	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:58:52.528167963 CEST	8.8.8.8	192.168.2.3	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:58:52.548969030 CEST	8.8.8.8	192.168.2.3	0x2	Name error (3)	nomoreransom.coin	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:58:52.570151091 CEST	8.8.8.8	192.168.2.3	0x3	Name error (3)	nomoreransom.coin	none	none	28	IN (0x0001)
Aug 31, 2022 23:58:52.590229988 CEST	8.8.8.8	192.168.2.3	0x4	Name error (3)	nomoreransom.coin	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:58:52.608671904 CEST	8.8.8.8	192.168.2.3	0x5	Name error (3)	nomoreransom.coin	none	none	28	IN (0x0001)
Aug 31, 2022 23:58:54.588342905 CEST	8.8.8.8	192.168.2.3	0xcea6	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:58:54.628262997 CEST	8.8.8.8	192.168.2.3	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:58:54.650563002 CEST	8.8.8.8	192.168.2.3	0x2	Name error (3)	nomoreransom.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:58:54.668998957 CEST	8.8.8.8	192.168.2.3	0x3	Name error (3)	nomoreransom.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:58:54.689425945 CEST	8.8.8.8	192.168.2.3	0x4	Name error (3)	nomoreransom.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:58:54.709500074 CEST	8.8.8.8	192.168.2.3	0x5	Name error (3)	nomoreransom.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:58:56.674391985 CEST	8.8.8.8	192.168.2.3	0x98da	Name error (3)	dns2.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:58:56.730349064 CEST	8.8.8.8	192.168.2.3	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:58:56.748970032 CEST	8.8.8.8	192.168.2.3	0x2	Name error (3)	gandcrab.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:58:56.769344091 CEST	8.8.8.8	192.168.2.3	0x3	Name error (3)	gandcrab.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:58:56.792510033 CEST	8.8.8.8	192.168.2.3	0x4	Name error (3)	gandcrab.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:58:56.812910080 CEST	8.8.8.8	192.168.2.3	0x5	Name error (3)	gandcrab.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:58:59.266350985 CEST	8.8.8.8	192.168.2.3	0xbf18	Name error (3)	dns2.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:58:59.311882973 CEST	8.8.8.8	192.168.2.3	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:58:59.332475901 CEST	8.8.8.8	192.168.2.3	0x2	Name error (3)	nomoreransom.coin	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:58:59.356389046 CEST	8.8.8.8	192.168.2.3	0x3	Name error (3)	nomoreransom.coin	none	none	28	IN (0x0001)
Aug 31, 2022 23:58:59.374880075 CEST	8.8.8.8	192.168.2.3	0x4	Name error (3)	nomoreransom.coin	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:58:59.394289017 CEST	8.8.8.8	192.168.2.3	0x5	Name error (3)	nomoreransom.coin	none	none	28	IN (0x0001)
Aug 31, 2022 23:59:01.399610996 CEST	8.8.8.8	192.168.2.3	0x33a6	Name error (3)	dns2.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:59:01.453686953 CEST	8.8.8.8	192.168.2.3	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:59:01.474419117 CEST	8.8.8.8	192.168.2.3	0x2	Name error (3)	nomoreransom.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:59:01.492651939 CEST	8.8.8.8	192.168.2.3	0x3	Name error (3)	nomoreransom.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:59:01.511037111 CEST	8.8.8.8	192.168.2.3	0x4	Name error (3)	nomoreransom.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:59:01.529551029 CEST	8.8.8.8	192.168.2.3	0x5	Name error (3)	nomoreransom.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:59:03.405114889 CEST	8.8.8.8	192.168.2.3	0x4894	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:59:03.440768003 CEST	8.8.8.8	192.168.2.3	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:59:03.461023092 CEST	8.8.8.8	192.168.2.3	0x2	Name error (3)	gandcrab.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:59:03.482172012 CEST	8.8.8.8	192.168.2.3	0x3	Name error (3)	gandcrab.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:59:03.502460003 CEST	8.8.8.8	192.168.2.3	0x4	Name error (3)	gandcrab.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:59:03.521188974 CEST	8.8.8.8	192.168.2.3	0x5	Name error (3)	gandcrab.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:59:06.501457930 CEST	8.8.8.8	192.168.2.3	0x428c	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:59:06.537347078 CEST	8.8.8.8	192.168.2.3	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:59:06.560595989 CEST	8.8.8.8	192.168.2.3	0x2	Name error (3)	nomoreransom.coin	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:59:06.581572056 CEST	8.8.8.8	192.168.2.3	0x3	Name error (3)	nomoreransom.coin	none	none	28	IN (0x0001)
Aug 31, 2022 23:59:06.599746943 CEST	8.8.8.8	192.168.2.3	0x4	Name error (3)	nomoreransom.coin	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:59:06.617580891 CEST	8.8.8.8	192.168.2.3	0x5	Name error (3)	nomoreransom.coin	none	none	28	IN (0x0001)
Aug 31, 2022 23:59:12.252245903 CEST	8.8.8.8	192.168.2.3	0xf42e	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:59:12.296758890 CEST	8.8.8.8	192.168.2.3	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:59:12.317811966 CEST	8.8.8.8	192.168.2.3	0x2	Name error (3)	nomoreransom.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:59:12.348246098 CEST	8.8.8.8	192.168.2.3	0x3	Name error (3)	nomoreransom.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:59:12.368700981 CEST	8.8.8.8	192.168.2.3	0x4	Name error (3)	nomoreransom.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:59:12.389571905 CEST	8.8.8.8	192.168.2.3	0x5	Name error (3)	nomoreransom.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:59:14.311661005 CEST	8.8.8.8	192.168.2.3	0x4340	Name error (3)	dns2.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:59:14.352329969 CEST	8.8.8.8	192.168.2.3	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:59:14.371464014 CEST	8.8.8.8	192.168.2.3	0x2	Name error (3)	gandcrab.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:59:14.392226934 CEST	8.8.8.8	192.168.2.3	0x3	Name error (3)	gandcrab.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:59:14.412553072 CEST	8.8.8.8	192.168.2.3	0x4	Name error (3)	gandcrab.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:59:14.435400963 CEST	8.8.8.8	192.168.2.3	0x5	Name error (3)	gandcrab.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:59:15.756638050 CEST	8.8.8.8	192.168.2.3	0xca4b	Name error (3)	dns2.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:59:15.786377907 CEST	8.8.8.8	192.168.2.3	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:59:15.808978081 CEST	8.8.8.8	192.168.2.3	0x2	Name error (3)	nomoreransom.coin	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:59:15.827245951 CEST	8.8.8.8	192.168.2.3	0x3	Name error (3)	nomoreransom.coin	none	none	28	IN (0x0001)
Aug 31, 2022 23:59:15.856257915 CEST	8.8.8.8	192.168.2.3	0x4	Name error (3)	nomoreransom.coin	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:59:15.874497890 CEST	8.8.8.8	192.168.2.3	0x5	Name error (3)	nomoreransom.coin	none	none	28	IN (0x0001)
Aug 31, 2022 23:59:18.240111113 CEST	8.8.8.8	192.168.2.3	0x160b	Name error (3)	dns2.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:59:18.268676043 CEST	8.8.8.8	192.168.2.3	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:59:18.286752939 CEST	8.8.8.8	192.168.2.3	0x2	Name error (3)	nomoreransom.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:59:18.304971933 CEST	8.8.8.8	192.168.2.3	0x3	Name error (3)	nomoreransom.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:59:18.325037003 CEST	8.8.8.8	192.168.2.3	0x4	Name error (3)	nomoreransom.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:59:18.345073938 CEST	8.8.8.8	192.168.2.3	0x5	Name error (3)	nomoreransom.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:59:18.697067022 CEST	8.8.8.8	192.168.2.3	0x160b	Name error (3)	dns2.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:59:20.690124035 CEST	8.8.8.8	192.168.2.3	0x9891	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:59:20.719475031 CEST	8.8.8.8	192.168.2.3	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:59:20.740108013 CEST	8.8.8.8	192.168.2.3	0x2	Name error (3)	gandcrab.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:59:20.757486105 CEST	8.8.8.8	192.168.2.3	0x9891	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:59:20.760489941 CEST	8.8.8.8	192.168.2.3	0x3	Name error (3)	gandcrab.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:59:20.779664040 CEST	8.8.8.8	192.168.2.3	0x4	Name error (3)	gandcrab.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:59:20.799532890 CEST	8.8.8.8	192.168.2.3	0x5	Name error (3)	gandcrab.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:59:22.145498037 CEST	8.8.8.8	192.168.2.3	0xc448	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:59:22.173274994 CEST	8.8.8.8	192.168.2.3	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:59:22.191287994 CEST	8.8.8.8	192.168.2.3	0x2	Name error (3)	nomoreransom.coin	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:59:22.215575933 CEST	8.8.8.8	192.168.2.3	0x3	Name error (3)	nomoreransom.coin	none	none	28	IN (0x0001)
Aug 31, 2022 23:59:22.235313892 CEST	8.8.8.8	192.168.2.3	0x4	Name error (3)	nomoreransom.coin	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:59:22.255491972 CEST	8.8.8.8	192.168.2.3	0x5	Name error (3)	nomoreransom.coin	none	none	28	IN (0x0001)
Aug 31, 2022 23:59:24.179404020 CEST	8.8.8.8	192.168.2.3	0x9641	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:59:24.206090927 CEST	8.8.8.8	192.168.2.3	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:59:24.226692915 CEST	8.8.8.8	192.168.2.3	0x2	Name error (3)	nomoreransom.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:59:24.245124102 CEST	8.8.8.8	192.168.2.3	0x3	Name error (3)	nomoreransom.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:59:24.265338898 CEST	8.8.8.8	192.168.2.3	0x4	Name error (3)	nomoreransom.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:59:24.285284042 CEST	8.8.8.8	192.168.2.3	0x5	Name error (3)	nomoreransom.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:59:27.165951967 CEST	8.8.8.8	192.168.2.3	0x72c8	Name error (3)	dns2.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:59:27.189124107 CEST	8.8.8.8	192.168.2.3	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:59:27.209870100 CEST	8.8.8.8	192.168.2.3	0x2	Name error (3)	gandcrab.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:59:27.267399073 CEST	8.8.8.8	192.168.2.3	0x3	Name error (3)	gandcrab.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:59:27.286777020 CEST	8.8.8.8	192.168.2.3	0x4	Name error (3)	gandcrab.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:59:27.307277918 CEST	8.8.8.8	192.168.2.3	0x5	Name error (3)	gandcrab.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:59:27.705112934 CEST	8.8.8.8	192.168.2.3	0x72c8	Name error (3)	dns2.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:59:30.836324930 CEST	8.8.8.8	192.168.2.3	0xbe66	Name error (3)	dns2.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:59:30.862699986 CEST	8.8.8.8	192.168.2.3	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:59:30.884212971 CEST	8.8.8.8	192.168.2.3	0x2	Name error (3)	nomoreransom.coin	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:59:30.904670000 CEST	8.8.8.8	192.168.2.3	0x3	Name error (3)	nomoreransom.coin	none	none	28	IN (0x0001)
Aug 31, 2022 23:59:30.922668934 CEST	8.8.8.8	192.168.2.3	0x4	Name error (3)	nomoreransom.coin	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:59:30.942532063 CEST	8.8.8.8	192.168.2.3	0x5	Name error (3)	nomoreransom.coin	none	none	28	IN (0x0001)
Aug 31, 2022 23:59:32.146146059 CEST	8.8.8.8	192.168.2.3	0xbe66	Name error (3)	dns2.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:59:32.299428940 CEST	8.8.8.8	192.168.2.3	0xc8b1	Name error (3)	dns2.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:59:32.323093891 CEST	8.8.8.8	192.168.2.3	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:59:32.343451023 CEST	8.8.8.8	192.168.2.3	0x2	Name error (3)	nomoreransom.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:59:32.364872932 CEST	8.8.8.8	192.168.2.3	0x3	Name error (3)	nomoreransom.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:59:32.385454893 CEST	8.8.8.8	192.168.2.3	0x4	Name error (3)	nomoreransom.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:59:32.415087938 CEST	8.8.8.8	192.168.2.3	0x5	Name error (3)	nomoreransom.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:59:36.530746937 CEST	8.8.8.8	192.168.2.3	0x6b6b	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:59:36.563038111 CEST	8.8.8.8	192.168.2.3	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:59:36.583677053 CEST	8.8.8.8	192.168.2.3	0x2	Name error (3)	gandcrab.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:59:36.602057934 CEST	8.8.8.8	192.168.2.3	0x3	Name error (3)	gandcrab.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:59:36.620131016 CEST	8.8.8.8	192.168.2.3	0x4	Name error (3)	gandcrab.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:59:36.640644073 CEST	8.8.8.8	192.168.2.3	0x5	Name error (3)	gandcrab.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:59:36.792453051 CEST	8.8.8.8	192.168.2.3	0x6b6b	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:59:39.088445902 CEST	8.8.8.8	192.168.2.3	0x6b6b	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:59:39.439719915 CEST	8.8.8.8	192.168.2.3	0xbe0f	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:59:39.465456009 CEST	8.8.8.8	192.168.2.3	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:59:39.483722925 CEST	8.8.8.8	192.168.2.3	0x2	Name error (3)	nomoreransom.coin	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:59:39.503002882 CEST	8.8.8.8	192.168.2.3	0x3	Name error (3)	nomoreransom.coin	none	none	28	IN (0x0001)
Aug 31, 2022 23:59:39.521054029 CEST	8.8.8.8	192.168.2.3	0x4	Name error (3)	nomoreransom.coin	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:59:39.540900946 CEST	8.8.8.8	192.168.2.3	0x5	Name error (3)	nomoreransom.coin	none	none	28	IN (0x0001)
Aug 31, 2022 23:59:39.567404985 CEST	8.8.8.8	192.168.2.3	0xbe0f	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:59:40.827275038 CEST	8.8.8.8	192.168.2.3	0x3976	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:59:40.853662968 CEST	8.8.8.8	192.168.2.3	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:59:40.873889923 CEST	8.8.8.8	192.168.2.3	0x2	Name error (3)	nomoreransom.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:59:40.891818047 CEST	8.8.8.8	192.168.2.3	0x3	Name error (3)	nomoreransom.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:59:40.909749031 CEST	8.8.8.8	192.168.2.3	0x4	Name error (3)	nomoreransom.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:59:40.930310965 CEST	8.8.8.8	192.168.2.3	0x5	Name error (3)	nomoreransom.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:59:42.224383116 CEST	8.8.8.8	192.168.2.3	0x94a7	Name error (3)	dns2.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:59:42.254621983 CEST	8.8.8.8	192.168.2.3	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:59:42.280628920 CEST	8.8.8.8	192.168.2.3	0x2	Name error (3)	gandcrab.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:59:42.301055908 CEST	8.8.8.8	192.168.2.3	0x3	Name error (3)	gandcrab.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:59:42.321456909 CEST	8.8.8.8	192.168.2.3	0x4	Name error (3)	gandcrab.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:59:42.341794014 CEST	8.8.8.8	192.168.2.3	0x5	Name error (3)	gandcrab.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:59:45.634243011 CEST	8.8.8.8	192.168.2.3	0x70ae	Name error (3)	dns2.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:59:45.670564890 CEST	8.8.8.8	192.168.2.3	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:59:45.691019058 CEST	8.8.8.8	192.168.2.3	0x2	Name error (3)	nomoreransom.coin	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:59:45.711270094 CEST	8.8.8.8	192.168.2.3	0x3	Name error (3)	nomoreransom.coin	none	none	28	IN (0x0001)
Aug 31, 2022 23:59:45.729429960 CEST	8.8.8.8	192.168.2.3	0x4	Name error (3)	nomoreransom.coin	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:59:45.756819010 CEST	8.8.8.8	192.168.2.3	0x5	Name error (3)	nomoreransom.coin	none	none	28	IN (0x0001)
Aug 31, 2022 23:59:45.793020010 CEST	8.8.8.8	192.168.2.3	0x70ae	Name error (3)	dns2.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:59:46.698057890 CEST	8.8.8.8	192.168.2.3	0x70ae	Name error (3)	dns2.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:59:48.139800072 CEST	8.8.8.8	192.168.2.3	0xed4	Name error (3)	dns2.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:59:48.167660952 CEST	8.8.8.8	192.168.2.3	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:59:48.188586950 CEST	8.8.8.8	192.168.2.3	0x2	Name error (3)	nomoreransom.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:59:48.209095001 CEST	8.8.8.8	192.168.2.3	0x3	Name error (3)	nomoreransom.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:59:48.238341093 CEST	8.8.8.8	192.168.2.3	0x4	Name error (3)	nomoreransom.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:59:48.259392023 CEST	8.8.8.8	192.168.2.3	0x5	Name error (3)	nomoreransom.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:59:48.697335958 CEST	8.8.8.8	192.168.2.3	0xed4	Name error (3)	dns2.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:59:50.544496059 CEST	8.8.8.8	192.168.2.3	0xae84	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:59:50.575448990 CEST	8.8.8.8	192.168.2.3	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:59:50.592947006 CEST	8.8.8.8	192.168.2.3	0xae84	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:59:50.596391916 CEST	8.8.8.8	192.168.2.3	0x2	Name error (3)	gandcrab.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:59:50.624696016 CEST	8.8.8.8	192.168.2.3	0x3	Name error (3)	gandcrab.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:59:50.648333073 CEST	8.8.8.8	192.168.2.3	0x4	Name error (3)	gandcrab.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:59:50.668668032 CEST	8.8.8.8	192.168.2.3	0x5	Name error (3)	gandcrab.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:59:51.954930067 CEST	8.8.8.8	192.168.2.3	0x4be7	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:59:51.988468885 CEST	8.8.8.8	192.168.2.3	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:59:52.008342981 CEST	8.8.8.8	192.168.2.3	0x2	Name error (3)	nomoreransom.coin	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:59:52.042766094 CEST	8.8.8.8	192.168.2.3	0x3	Name error (3)	nomoreransom.coin	none	none	28	IN (0x0001)
Aug 31, 2022 23:59:52.062791109 CEST	8.8.8.8	192.168.2.3	0x4	Name error (3)	nomoreransom.coin	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:59:52.083273888 CEST	8.8.8.8	192.168.2.3	0x5	Name error (3)	nomoreransom.coin	none	none	28	IN (0x0001)
Aug 31, 2022 23:59:53.888886929 CEST	8.8.8.8	192.168.2.3	0x8b86	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:59:53.930005074 CEST	8.8.8.8	192.168.2.3	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:59:53.951704979 CEST	8.8.8.8	192.168.2.3	0x2	Name error (3)	nomoreransom.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:59:53.972112894 CEST	8.8.8.8	192.168.2.3	0x3	Name error (3)	nomoreransom.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:59:53.996426105 CEST	8.8.8.8	192.168.2.3	0x4	Name error (3)	nomoreransom.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:59:54.017124891 CEST	8.8.8.8	192.168.2.3	0x5	Name error (3)	nomoreransom.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:59:56.294773102 CEST	8.8.8.8	192.168.2.3	0x1e6d	Name error (3)	dns2.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:59:56.322354078 CEST	8.8.8.8	192.168.2.3	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:59:56.342601061 CEST	8.8.8.8	192.168.2.3	0x2	Name error (3)	gandcrab.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:59:56.360450983 CEST	8.8.8.8	192.168.2.3	0x3	Name error (3)	gandcrab.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:59:56.380527020 CEST	8.8.8.8	192.168.2.3	0x4	Name error (3)	gandcrab.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:59:56.400538921 CEST	8.8.8.8	192.168.2.3	0x5	Name error (3)	gandcrab.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:59:56.951119900 CEST	8.8.8.8	192.168.2.3	0x1e6d	Name error (3)	dns2.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:59:57.635045052 CEST	8.8.8.8	192.168.2.3	0x2252	Name error (3)	dns2.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:59:57.666646004 CEST	8.8.8.8	192.168.2.3	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:59:57.687072039 CEST	8.8.8.8	192.168.2.3	0x2	Name error (3)	nomoreransom.coin	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:59:57.705380917 CEST	8.8.8.8	192.168.2.3	0x3	Name error (3)	nomoreransom.coin	none	none	28	IN (0x0001)
Aug 31, 2022 23:59:57.725605011 CEST	8.8.8.8	192.168.2.3	0x4	Name error (3)	nomoreransom.coin	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:59:57.745647907 CEST	8.8.8.8	192.168.2.3	0x5	Name error (3)	nomoreransom.coin	none	none	28	IN (0x0001)
Aug 31, 2022 23:59:59.852207899 CEST	8.8.8.8	192.168.2.3	0x82c8	Name error (3)	dns2.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:59:59.877156019 CEST	8.8.8.8	192.168.2.3	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:59:59.898338079 CEST	8.8.8.8	192.168.2.3	0x2	Name error (3)	nomoreransom.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:59:59.918551922 CEST	8.8.8.8	192.168.2.3	0x3	Name error (3)	nomoreransom.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:59:59.938997030 CEST	8.8.8.8	192.168.2.3	0x4	Name error (3)	nomoreransom.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:59:59.959988117 CEST	8.8.8.8	192.168.2.3	0x5	Name error (3)	nomoreransom.bit	none	none	28	IN (0x0001)
Sep 1, 2022 00:00:02.071805954 CEST	8.8.8.8	192.168.2.3	0xb09	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:00:02.100327969 CEST	8.8.8.8	192.168.2.3	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Sep 1, 2022 00:00:02.120507956 CEST	8.8.8.8	192.168.2.3	0x2	Name error (3)	gandcrab.bit	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:00:02.141537905 CEST	8.8.8.8	192.168.2.3	0x3	Name error (3)	gandcrab.bit	none	none	28	IN (0x0001)
Sep 1, 2022 00:00:02.160455942 CEST	8.8.8.8	192.168.2.3	0x4	Name error (3)	gandcrab.bit	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:00:02.179536104 CEST	8.8.8.8	192.168.2.3	0x5	Name error (3)	gandcrab.bit	none	none	28	IN (0x0001)
Sep 1, 2022 00:00:02.700483084 CEST	8.8.8.8	192.168.2.3	0xb09	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:00:03.343596935 CEST	8.8.8.8	192.168.2.3	0xa990	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:00:03.370637894 CEST	8.8.8.8	192.168.2.3	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Sep 1, 2022 00:00:03.390731096 CEST	8.8.8.8	192.168.2.3	0x2	Name error (3)	nomoreransom.coin	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:00:03.410953045 CEST	8.8.8.8	192.168.2.3	0x3	Name error (3)	nomoreransom.coin	none	none	28	IN (0x0001)
Sep 1, 2022 00:00:03.430705070 CEST	8.8.8.8	192.168.2.3	0x4	Name error (3)	nomoreransom.coin	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:00:03.450587988 CEST	8.8.8.8	192.168.2.3	0x5	Name error (3)	nomoreransom.coin	none	none	28	IN (0x0001)
Sep 1, 2022 00:00:03.829907894 CEST	8.8.8.8	192.168.2.3	0x82c8	Server failure (2)	dns2.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:00:05.091319084 CEST	8.8.8.8	192.168.2.3	0x31a	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:00:05.118396044 CEST	8.8.8.8	192.168.2.3	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Sep 1, 2022 00:00:05.138398886 CEST	8.8.8.8	192.168.2.3	0x2	Name error (3)	nomoreransom.bit	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:00:05.158288956 CEST	8.8.8.8	192.168.2.3	0x3	Name error (3)	nomoreransom.bit	none	none	28	IN (0x0001)
Sep 1, 2022 00:00:05.176443100 CEST	8.8.8.8	192.168.2.3	0x4	Name error (3)	nomoreransom.bit	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:00:05.194662094 CEST	8.8.8.8	192.168.2.3	0x5	Name error (3)	nomoreransom.bit	none	none	28	IN (0x0001)
Sep 1, 2022 00:00:07.399528980 CEST	8.8.8.8	192.168.2.3	0xd96a	Name error (3)	dns2.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:00:07.432984114 CEST	8.8.8.8	192.168.2.3	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Sep 1, 2022 00:00:07.454828024 CEST	8.8.8.8	192.168.2.3	0x2	Name error (3)	gandcrab.bit	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:00:07.479063988 CEST	8.8.8.8	192.168.2.3	0x3	Name error (3)	gandcrab.bit	none	none	28	IN (0x0001)
Sep 1, 2022 00:00:07.501718998 CEST	8.8.8.8	192.168.2.3	0x4	Name error (3)	gandcrab.bit	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:00:07.524806976 CEST	8.8.8.8	192.168.2.3	0x5	Name error (3)	gandcrab.bit	none	none	28	IN (0x0001)
Sep 1, 2022 00:00:07.918035030 CEST	8.8.8.8	192.168.2.3	0xd96a	Name error (3)	dns2.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:00:09.840522051 CEST	8.8.8.8	192.168.2.3	0xa920	Name error (3)	dns2.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:00:09.867008924 CEST	8.8.8.8	192.168.2.3	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Sep 1, 2022 00:00:09.887459040 CEST	8.8.8.8	192.168.2.3	0x2	Name error (3)	nomoreransom.coin	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:00:09.910227060 CEST	8.8.8.8	192.168.2.3	0x3	Name error (3)	nomoreransom.coin	none	none	28	IN (0x0001)
Sep 1, 2022 00:00:09.933176994 CEST	8.8.8.8	192.168.2.3	0x4	Name error (3)	nomoreransom.coin	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:00:09.956068039 CEST	8.8.8.8	192.168.2.3	0x5	Name error (3)	nomoreransom.coin	none	none	28	IN (0x0001)
Sep 1, 2022 00:00:11.285418034 CEST	8.8.8.8	192.168.2.3	0xa868	Name error (3)	dns2.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:00:11.304387093 CEST	8.8.8.8	192.168.2.3	0xa920	Name error (3)	dns2.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:00:11.310426950 CEST	8.8.8.8	192.168.2.3	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Sep 1, 2022 00:00:11.330421925 CEST	8.8.8.8	192.168.2.3	0x2	Name error (3)	nomoreransom.bit	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:00:11.350558043 CEST	8.8.8.8	192.168.2.3	0x3	Name error (3)	nomoreransom.bit	none	none	28	IN (0x0001)
Sep 1, 2022 00:00:11.370852947 CEST	8.8.8.8	192.168.2.3	0x4	Name error (3)	nomoreransom.bit	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:00:11.388839006 CEST	8.8.8.8	192.168.2.3	0x5	Name error (3)	nomoreransom.bit	none	none	28	IN (0x0001)

Target ID:	1
Start time:	23:57:53
Start date:	31/08/2022
Path:	C:\Users\user\Desktop\gI5xZdIxUs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\gI5xZdIxUs.exe"
Imagebase:	0xfc60000
File size:	101710 bytes
MD5 hash:	98A12EC721C098842FBFD7384D5A72AE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 00000001.00000000.272296797.000000000FC6A000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 00000001.00000002.537541962.000000000FC6A000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Gandcrab, Description: Yara detected Gandcrab, Source: 00000001.00000002.537565986.000000000FC72000.00000004.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Gandcrab, Description: Yara detected Gandcrab, Source: 00000001.00000000.272303387.000000000FC72000.00000008.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	low

Analysis Process: nslookup.exePID: 5960, Parent PID: 5280

General

Target ID:	5
Start time:	23:58:02
Start date:	31/08/2022
Path:	C:\Windows\SysWOW64\nslookup.exe
Wow64 process (32bit):	true
Commandline:	nslookup nomoreransom.coin dns1.soprodns.ru
Imagebase:	0x140000
File size:	78336 bytes
MD5 hash:	8E82529D1475D67615ADCB4E1B8F4EEC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Analysis Process: conhost.exePID: 792, Parent PID: 5960

General

Target ID:	7
Start time:	23:58:03
Start date:	31/08/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff745070000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: nslookup.exePID: 4684, Parent PID: 5280

General

Target ID:	11
Start time:	23:58:05
Start date:	31/08/2022
Path:	C:\Windows\SysWOW64\nslookup.exe
Wow64 process (32bit):	true
Commandline:	nslookup nomoreransom.bit dns1.soprodns.ru
Imagebase:	0x140000
File size:	78336 bytes
MD5 hash:	8E82529D1475D67615ADCB4E1B8F4EEC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Analysis Process: conhost.exePID: 5556, Parent PID: 4684

General

Target ID:	13
Start time:	23:58:06
Start date:	31/08/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff745070000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: isqmkp.exePID: 5464, Parent PID: 3452

General

Target ID:	14
Start time:	23:58:08
Start date:	31/08/2022
Path:	C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe"
Imagebase:	0xf9d0000
File size:	101710 bytes
MD5 hash:	F4758788F11A0DE8D11EB4B8C515FFBD
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 0000000E.00000002.315651936.000000000F9DA000.00000002.00000001.01000000.00000005.sdmp, Author: Joe Security Rule: JoeSecurity_Gandcrab, Description: Yara detected Gandcrab, Source: 0000000E.00000000.307654244.000000000F9E2000.00000008.00000001.01000000.00000005.sdmp, Author: Joe Security Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 0000000E.00000000.307645700.000000000F9DA000.00000002.00000001.01000000.00000005.sdmp, Author: Joe Security Rule: JoeSecurity_Gandcrab, Description: Yara detected Gandcrab, Source: 0000000E.00000002.315662109.000000000F9E2000.00000008.00000001.01000000.00000005.sdmp, Author: Joe Security Rule: ReflectiveLoader, Description: Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe, Author: Florian Roth Rule: SUSP_RANSOMWARE_Indicator_Jul20, Description: Detects ransomware indicator, Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe, Author: Florian Roth Rule: JoeSecurity_Gandcrab, Description: Yara detected Gandcrab, Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe, Author: Joe Security Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_ReflectiveLoader, Description: detects Reflective DLL injection artifacts, Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe, Author: ditekSHen Rule: Gandcrab, Description: Gandcrab Payload, Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe, Author: kevoreilly
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Reputation:	low

Analysis Process: nslookup.exePID: 4596, Parent PID: 5280

General

Target ID:	15
Start time:	23:58:08
Start date:	31/08/2022
Path:	C:\Windows\SysWOW64\nslookup.exe
Wow64 process (32bit):	true
Commandline:	nslookup gandcrab.bit dns2.soprodns.ru
Imagebase:	0x140000
File size:	78336 bytes
MD5 hash:	8E82529D1475D67615ADCB4E1B8F4EEC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Analysis Process: conhost.exePID: 1920, Parent PID: 4596

General

Target ID:	16
Start time:	23:58:13
Start date:	31/08/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff745070000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: nslookup.exePID: 6112, Parent PID: 5280

General

Target ID:	17
Start time:	23:58:16
Start date:	31/08/2022
Path:	C:\Windows\SysWOW64\nslookup.exe
Wow64 process (32bit):	true
Commandline:	nslookup nomoreransom.coin dns2.soprodns.ru
Imagebase:	0x140000
File size:	78336 bytes
MD5 hash:	8E82529D1475D67615ADCB4E1B8F4EEC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Analysis Process: conhost.exePID: 4624, Parent PID: 6112

General

Target ID:	18
Start time:	23:58:16
Start date:	31/08/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff745070000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: isqmkp.exePID: 1572, Parent PID: 3452

General

Target ID:	20
Start time:	23:58:17
Start date:	31/08/2022
Path:	C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe"
Imagebase:	0xf9d0000
File size:	101710 bytes
MD5 hash:	F4758788F11A0DE8D11EB4B8C515FFBD
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 00000014.00000000.322631215.000000000F9DA000.00000002.00000001.01000000.00000005.sdmp, Author: Joe Security Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 00000014.00000002.325486891.000000000F9DA000.00000002.00000001.01000000.00000005.sdmp, Author: Joe Security Rule: JoeSecurity_Gandcrab, Description: Yara detected Gandcrab, Source: 00000014.00000002.325494839.000000000F9E2000.00000008.00000001.01000000.00000005.sdmp, Author: Joe Security Rule: JoeSecurity_Gandcrab, Description: Yara detected Gandcrab, Source: 00000014.00000000.322638424.000000000F9E2000.00000008.00000001.01000000.00000005.sdmp, Author: Joe Security

Analysis Process: nslookup.exePID: 1916, Parent PID: 5280

General

Target ID:	21
Start time:	23:58:19
Start date:	31/08/2022
Path:	C:\Windows\SysWOW64\nslookup.exe
Wow64 process (32bit):	true
Commandline:	nslookup nomoreransom.bit dns2.soprodns.ru
Imagebase:	0x140000
File size:	78336 bytes
MD5 hash:	8E82529D1475D67615ADCB4E1B8F4EEC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: conhost.exePID: 5388, Parent PID: 1916

General

Target ID:	22
Start time:	23:58:19
Start date:	31/08/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff745070000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: nslookup.exePID: 5244, Parent PID: 5280

General

Target ID:	23
Start time:	23:58:22
Start date:	31/08/2022
Path:	C:\Windows\SysWOW64\nslookup.exe
Wow64 process (32bit):	true
Commandline:	nslookup gandcrab.bit dns1.soprodns.ru
Imagebase:	0x140000
File size:	78336 bytes
MD5 hash:	8E82529D1475D67615ADCB4E1B8F4EEC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: conhost.exePID: 4592, Parent PID: 5244

General

Target ID:	24
Start time:	23:58:23
Start date:	31/08/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff68f300000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: nslookup.exePID: 6028, Parent PID: 5280

General

Target ID:	25
Start time:	23:58:25
Start date:	31/08/2022
Path:	C:\Windows\SysWOW64\nslookup.exe
Wow64 process (32bit):	true
Commandline:	nslookup nomoreransom.coin dns1.soprodns.ru
Imagebase:	0x140000
File size:	78336 bytes
MD5 hash:	8E82529D1475D67615ADCB4E1B8F4EEC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: conhost.exePID: 1012, Parent PID: 6028

General

Target ID:	26
Start time:	23:58:26
Start date:	31/08/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff745070000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: nslookup.exePID: 5116, Parent PID: 5280

General

Target ID:	27
Start time:	23:58:28
Start date:	31/08/2022
Path:	C:\Windows\SysWOW64\nslookup.exe
Wow64 process (32bit):	true
Commandline:	nslookup nomoreransom.bit dns1.soprodns.ru
Imagebase:	0x7ff651c80000
File size:	78336 bytes
MD5 hash:	8E82529D1475D67615ADCB4E1B8F4EEC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: conhost.exePID: 5552, Parent PID: 5116

General

Target ID:	28
Start time:	23:58:31
Start date:	31/08/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff745070000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: nslookup.exePID: 680, Parent PID: 5280

General

Target ID:	30
Start time:	23:58:34
Start date:	31/08/2022
Path:	C:\Windows\SysWOW64\nslookup.exe
Wow64 process (32bit):	true
Commandline:	nslookup gandcrab.bit dns2.soprodns.ru
Imagebase:	0x140000
File size:	78336 bytes
MD5 hash:	8E82529D1475D67615ADCB4E1B8F4EEC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: conhost.exePID: 496, Parent PID: 680

General

Target ID:	31
Start time:	23:58:34
Start date:	31/08/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff745070000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: nslookup.exePID: 5124, Parent PID: 5280

General

Target ID:	33
Start time:	23:58:37
Start date:	31/08/2022
Path:	C:\Windows\SysWOW64\nslookup.exe
Wow64 process (32bit):	true
Commandline:	nslookup nomoreransom.coin dns2.soprodns.ru
Imagebase:	0x140000
File size:	78336 bytes
MD5 hash:	8E82529D1475D67615ADCB4E1B8F4EEC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: conhost.exePID: 5484, Parent PID: 5124

General

Target ID:	34
Start time:	23:58:37
Start date:	31/08/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff745070000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: nslookup.exePID: 4972, Parent PID: 5280

General

Target ID:	36
Start time:	23:58:40
Start date:	31/08/2022
Path:	C:\Windows\SysWOW64\nslookup.exe
Wow64 process (32bit):	true
Commandline:	nslookup nomoreransom.bit dns2.soprodns.ru
Imagebase:	0x140000
File size:	78336 bytes
MD5 hash:	8E82529D1475D67615ADCB4E1B8F4EEC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: conhost.exePID: 6096, Parent PID: 4972

General

Target ID:	37
Start time:	23:58:41
Start date:	31/08/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff745070000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: nslookup.exePID: 5604, Parent PID: 5280

General

Target ID:	39
Start time:	23:58:44
Start date:	31/08/2022
Path:	C:\Windows\SysWOW64\nslookup.exe
Wow64 process (32bit):	true
Commandline:	nslookup gandcrab.bit dns1.soprodns.ru
Imagebase:	0x140000
File size:	78336 bytes
MD5 hash:	8E82529D1475D67615ADCB4E1B8F4EEC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: conhost.exePID: 1784, Parent PID: 5604

General

Target ID:	40
Start time:	23:58:45
Start date:	31/08/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff745070000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: nslookup.exePID: 736, Parent PID: 5280

General

Target ID:	41
Start time:	23:58:48
Start date:	31/08/2022
Path:	C:\Windows\SysWOW64\nslookup.exe
Wow64 process (32bit):	true
Commandline:	nslookup nomoreransom.coin dns1.soprodns.ru
Imagebase:	0x140000
File size:	78336 bytes
MD5 hash:	8E82529D1475D67615ADCB4E1B8F4EEC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: conhost.exePID: 6060, Parent PID: 736

General

Target ID:	42
Start time:	23:58:49
Start date:	31/08/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff745070000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: nslookup.exePID: 4460, Parent PID: 5280

General

Target ID:	43
Start time:	23:58:53
Start date:	31/08/2022
Path:	C:\Windows\SysWOW64\nslookup.exe
Wow64 process (32bit):	true
Commandline:	nslookup nomoreransom.bit dns1.soprodns.ru
Imagebase:	0x140000
File size:	78336 bytes
MD5 hash:	8E82529D1475D67615ADCB4E1B8F4EEC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: conhost.exePID: 4560, Parent PID: 4460

General

Target ID:	44
Start time:	23:58:53
Start date:	31/08/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff745070000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: nslookup.exePID: 6052, Parent PID: 5280

General

Target ID:	45
Start time:	23:58:55
Start date:	31/08/2022
Path:	C:\Windows\SysWOW64\nslookup.exe
Wow64 process (32bit):	true
Commandline:	nslookup gandcrab.bit dns2.soprodns.ru
Imagebase:	0x140000
File size:	78336 bytes
MD5 hash:	8E82529D1475D67615ADCB4E1B8F4EEC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: conhost.exePID: 5984, Parent PID: 6052

General

Target ID:	46
Start time:	23:58:56
Start date:	31/08/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff745070000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: nslookup.exePID: 5424, Parent PID: 5280

General

Target ID:	47
Start time:	23:58:57
Start date:	31/08/2022
Path:	C:\Windows\SysWOW64\nslookup.exe
Wow64 process (32bit):	true
Commandline:	nslookup nomoreransom.coin dns2.soprodns.ru
Imagebase:	0x140000
File size:	78336 bytes
MD5 hash:	8E82529D1475D67615ADCB4E1B8F4EEC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: conhost.exePID: 1000, Parent PID: 5424

General

Target ID:	48
Start time:	23:58:58
Start date:	31/08/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff745070000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: nslookup.exePID: 4364, Parent PID: 5280

General

Target ID:	49
Start time:	23:59:00
Start date:	31/08/2022
Path:	C:\Windows\SysWOW64\nslookup.exe
Wow64 process (32bit):	true
Commandline:	nslookup nomoreransom.bit dns2.soprodns.ru
Imagebase:	0x140000
File size:	78336 bytes
MD5 hash:	8E82529D1475D67615ADCB4E1B8F4EEC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: conhost.exePID: 1552, Parent PID: 4364

General

Target ID:	50
Start time:	23:59:00
Start date:	31/08/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff745070000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: nslookup.exePID: 5188, Parent PID: 5280

General

Target ID:	51
Start time:	23:59:02
Start date:	31/08/2022
Path:	C:\Windows\SysWOW64\nslookup.exe
Wow64 process (32bit):	true
Commandline:	nslookup gandcrab.bit dns1.soprodns.ru
Imagebase:	0x140000
File size:	78336 bytes
MD5 hash:	8E82529D1475D67615ADCB4E1B8F4EEC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: conhost.exePID: 1960, Parent PID: 5188

General

Target ID:	52
Start time:	23:59:02
Start date:	31/08/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff745070000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: nslookup.exePID: 1164, Parent PID: 5280

General

Target ID:	53
Start time:	23:59:04
Start date:	31/08/2022
Path:	C:\Windows\SysWOW64\nslookup.exe
Wow64 process (32bit):	true
Commandline:	nslookup nomoreransom.coin dns1.soprodns.ru
Imagebase:	0x140000
File size:	78336 bytes
MD5 hash:	8E82529D1475D67615ADCB4E1B8F4EEC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: conhost.exePID: 5824, Parent PID: 1164

General

Target ID:	55
Start time:	23:59:04
Start date:	31/08/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff745070000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: nslookup.exePID: 1092, Parent PID: 5280

General

Target ID:	58
Start time:	23:59:07
Start date:	31/08/2022
Path:	C:\Windows\SysWOW64\nslookup.exe
Wow64 process (32bit):	true
Commandline:	nslookup nomoreransom.bit dns1.soprodns.ru
Imagebase:	0x140000
File size:	78336 bytes
MD5 hash:	8E82529D1475D67615ADCB4E1B8F4EEC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: conhost.exePID: 5844, Parent PID: 1092

General

Target ID:	59
Start time:	23:59:08
Start date:	31/08/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff745070000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: nslookup.exePID: 968, Parent PID: 5280

General

Target ID:	60
Start time:	23:59:13
Start date:	31/08/2022
Path:	C:\Windows\SysWOW64\nslookup.exe
Wow64 process (32bit):	true
Commandline:	nslookup gandcrab.bit dns2.soprodns.ru
Imagebase:	0x140000
File size:	78336 bytes
MD5 hash:	8E82529D1475D67615ADCB4E1B8F4EEC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: conhost.exePID: 5636, Parent PID: 968

General

Target ID:	61
Start time:	23:59:13
Start date:	31/08/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff745070000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Disassembly

⊘No disassembly

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Data loss prevention, File monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system. Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of accounts on a system or within an environment. This information can help adversaries determine which accounts exist to aid in follow-on behavior.
Tactics:	Discovery
Data Sources:	API monitoring, Azure activity logs, Office 365 account logs, Process command-line parameters, Process monitoring
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report gI5xZdIxUs.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Spam, unwanted Advertisements and Ransom Demands

DDoS

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3853321935-2125563209-4053062332-1002\414045e2d09286d5db2581e0d955d358_d06ed635-68f6-4e9a-955c-4899f5f57b9a

C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Exports

Possible Origin

Network Behavior

Windows Analysis Report
gI5xZdIxUs.exe

Description:	Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure. Many tools exist that enable traffic redirection through proxies or port redirection, including HTRAN , ZXProxy, and ZXPortMap. Adversaries use these types of proxies to manage command and control communications, reduce the number of simultaneous outbound network connections, provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between victims to avoid suspicion. Adversaries may chain together multiple proxies to further disguise the source of malicious traffic.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.In the case of ransomware, it is typical that common user files like Office documents, PDFs, images, videos, audio, text, and source code files will be encrypted. In some cases, adversaries may encrypt critical system files, disk partitions, and the MBR.
Tactics:	Impact
Data Sources:	File monitoring, Kernel drivers, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre