Windows Analysis Report
9gkAKTWOXp.exe

Overview

General Information

Sample Name: 9gkAKTWOXp.exe
Analysis ID: 694569
MD5: 74e135b472b7496b371ce3ba3acfeea8
SHA1: b64fdd870ff28291b8347317a838a5fb210a6056
SHA256: d093322a612760cb00ae6fb4c453851ba26f59f2e6a0920b5871a28bbddf9355
Tags: exe
Infos:

Detection

Gandcrab
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected Gandcrab
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Snort IDS alert for network traffic
Contains functionality to determine the online IP of the system
Found Tor onion address
Uses nslookup.exe to query domains
Machine Learning detection for sample
May check the online IP address of the machine
Machine Learning detection for dropped file
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Sample execution stops while process was sleeping (likely an evasion)
Too many similar processes found
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Queries information about the installed CPU (vendor, model number etc)
Drops PE files
Found evaded block containing many API calls
Contains functionality to enumerate device drivers
Checks for available system drives (often done to infect USB drives)
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection

barindex
Source: 9gkAKTWOXp.exe Virustotal: Detection: 81% Perma Link
Source: 9gkAKTWOXp.exe Metadefender: Detection: 72% Perma Link
Source: 9gkAKTWOXp.exe ReversingLabs: Detection: 100%
Source: 9gkAKTWOXp.exe Avira: detected
Source: http://gdcbghvjyqy7jclk.onion.casa/e644d32fec6144de Avira URL Cloud: Label: malware
Source: http://gdcbghvjyqy7jclk.onion.top/e644d32fec6144de Avira URL Cloud: Label: phishing
Source: C:\Users\user\AppData\Roaming\Microsoft\vkspii.exe Avira: detection malicious, Label: TR/Crypt.XPACK.Gen3
Source: 9gkAKTWOXp.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\Microsoft\vkspii.exe Joe Sandbox ML: detected
Source: 13.0.vkspii.exe.400000.0.unpack Avira: Label: TR/Crypt.XPACK.Gen3
Source: 1.2.9gkAKTWOXp.exe.400000.0.unpack Avira: Label: TR/Crypt.XPACK.Gen3
Source: 13.2.vkspii.exe.400000.0.unpack Avira: Label: TR/Crypt.XPACK.Gen3
Source: 21.2.vkspii.exe.400000.0.unpack Avira: Label: TR/Crypt.XPACK.Gen3
Source: 1.0.9gkAKTWOXp.exe.400000.0.unpack Avira: Label: TR/Crypt.XPACK.Gen3
Source: 21.0.vkspii.exe.400000.0.unpack Avira: Label: TR/Crypt.XPACK.Gen3
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Code function: 1_2_00405750 VirtualAlloc,CryptBinaryToStringA,CryptBinaryToStringA,CryptBinaryToStringA,lstrlenA,lstrlenA,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrcatW,lstrcatW,lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenA,lstrlenW,MultiByteToWideChar,lstrcatW,lstrlenW,lstrlenA,lstrlenW,MultiByteToWideChar,lstrcatW,lstrlenW,lstrlenW,VirtualAlloc,lstrlenW,lstrlenW,_memset,lstrlenA,lstrlenA,CryptBinaryToStringA,GetLastError,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,MultiByteToWideChar,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree, 1_2_00405750
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Code function: 1_2_00407C60 CryptAcquireContextW,VirtualAlloc,GetModuleHandleA,LoadLibraryA,GetProcAddress,CryptReleaseContext,VirtualFree,CryptReleaseContext,VirtualFree, 1_2_00407C60
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Code function: 1_2_00405D80 CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptGenKey,CryptExportKey,CryptExportKey,CryptDestroyKey,CryptReleaseContext,CryptAcquireContextW, 1_2_00405D80
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Code function: 1_2_004048A0 Sleep,ExitProcess,CreateThread,WaitForSingleObject,TerminateThread,CloseHandle,ExitProcess,Sleep,lstrlenA,VirtualAlloc,CryptStringToBinaryA,ExitProcess,InitializeCriticalSection,DeleteCriticalSection,VirtualAlloc,GetModuleFileNameW,VirtualFree,ShellExecuteW, 1_2_004048A0
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Code function: 1_2_00407DB0 VirtualAlloc,CryptAcquireContextW,VirtualAlloc,GetModuleHandleA,LoadLibraryA,GetProcAddress,CryptReleaseContext,VirtualFree,CryptReleaseContext,VirtualFree, 1_2_00407DB0
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Code function: 1_2_00405540 VirtualAlloc,wsprintfW,lstrlenW,lstrlenW,lstrlenW,_memset,lstrlenA,lstrlenW,lstrlenW,CryptBinaryToStringA,GetLastError,lstrlenA,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,VirtualFree,VirtualFree,VirtualFree, 1_2_00405540
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Code function: 1_2_00405050 lstrlenA,VirtualAlloc,VirtualAlloc,CryptStringToBinaryA,_memset,lstrlenA,lstrlenA,VirtualAlloc,CryptStringToBinaryA,VirtualAlloc,MultiByteToWideChar,GetLastError,VirtualAlloc,VirtualFree,lstrlenA,VirtualAlloc,lstrcpyA,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,VirtualFree,GetLastError, 1_2_00405050
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Code function: 1_2_00406000 EnterCriticalSection,CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptImportKey,CryptGetKeyParam,CryptEncrypt,GetLastError,CryptReleaseContext,LeaveCriticalSection, 1_2_00406000
Source: C:\Users\user\AppData\Roaming\Microsoft\vkspii.exe Code function: 13_2_004048A0 Sleep,ExitProcess,CreateThread,WaitForSingleObject,TerminateThread,CloseHandle,ExitProcess,Sleep,lstrlenA,VirtualAlloc,CryptStringToBinaryA,ExitProcess,InitializeCriticalSection,DeleteCriticalSection,VirtualAlloc,GetModuleFileNameW,VirtualFree,ShellExecuteW, 13_2_004048A0
Source: C:\Users\user\AppData\Roaming\Microsoft\vkspii.exe Code function: 13_2_00405540 VirtualAlloc,wsprintfW,lstrlenW,lstrlenW,lstrlenW,_memset,lstrlenA,lstrlenW,lstrlenW,CryptBinaryToStringA,GetLastError,lstrlenA,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,VirtualFree,VirtualFree,VirtualFree, 13_2_00405540
Source: C:\Users\user\AppData\Roaming\Microsoft\vkspii.exe Code function: 13_2_00405750 VirtualAlloc,CryptBinaryToStringA,CryptBinaryToStringA,CryptBinaryToStringA,lstrlenA,lstrlenA,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrcatW,lstrcatW,lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenA,lstrlenW,MultiByteToWideChar,lstrcatW,lstrlenW,lstrlenA,lstrlenW,MultiByteToWideChar,lstrcatW,lstrlenW,lstrlenW,VirtualAlloc,lstrlenW,lstrlenW,_memset,lstrlenA,lstrlenA,CryptBinaryToStringA,GetLastError,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,MultiByteToWideChar,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree, 13_2_00405750
Source: C:\Users\user\AppData\Roaming\Microsoft\vkspii.exe Code function: 13_2_00405050 lstrlenA,VirtualAlloc,VirtualAlloc,CryptStringToBinaryA,_memset,lstrlenA,lstrlenA,VirtualAlloc,CryptStringToBinaryA,VirtualAlloc,MultiByteToWideChar,GetLastError,VirtualAlloc,VirtualFree,lstrlenA,VirtualAlloc,lstrcpyA,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,VirtualFree,GetLastError, 13_2_00405050
Source: C:\Users\user\AppData\Roaming\Microsoft\vkspii.exe Code function: 13_2_00407C60 CryptAcquireContextW,VirtualAlloc,GetModuleHandleA,LoadLibraryA,GetProcAddress,CryptReleaseContext,VirtualFree,CryptReleaseContext,VirtualFree, 13_2_00407C60
Source: C:\Users\user\AppData\Roaming\Microsoft\vkspii.exe Code function: 13_2_00406000 EnterCriticalSection,CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptImportKey,CryptGetKeyParam,CryptEncrypt,GetLastError,CryptReleaseContext,LeaveCriticalSection, 13_2_00406000
Source: C:\Users\user\AppData\Roaming\Microsoft\vkspii.exe Code function: 13_2_00405D80 CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptGenKey,CryptExportKey,CryptExportKey,CryptDestroyKey,CryptReleaseContext,CryptAcquireContextW, 13_2_00405D80
Source: C:\Users\user\AppData\Roaming\Microsoft\vkspii.exe Code function: 13_2_00407DB0 VirtualAlloc,CryptAcquireContextW,VirtualAlloc,GetModuleHandleA,LoadLibraryA,GetProcAddress,CryptReleaseContext,VirtualFree,CryptReleaseContext,VirtualFree, 13_2_00407DB0
Source: C:\Users\user\AppData\Roaming\Microsoft\vkspii.exe Code function: 21_2_004048A0 Sleep,ExitProcess,CreateThread,WaitForSingleObject,TerminateThread,CloseHandle,ExitProcess,Sleep,lstrlenA,VirtualAlloc,CryptStringToBinaryA,ExitProcess,InitializeCriticalSection,DeleteCriticalSection,VirtualAlloc,GetModuleFileNameW,VirtualFree,ShellExecuteW, 21_2_004048A0
Source: C:\Users\user\AppData\Roaming\Microsoft\vkspii.exe Code function: 21_2_00405540 VirtualAlloc,wsprintfW,lstrlenW,lstrlenW,lstrlenW,_memset,lstrlenA,lstrlenW,lstrlenW,CryptBinaryToStringA,GetLastError,lstrlenA,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,VirtualFree,VirtualFree,VirtualFree, 21_2_00405540
Source: C:\Users\user\AppData\Roaming\Microsoft\vkspii.exe Code function: 21_2_00405750 VirtualAlloc,CryptBinaryToStringA,CryptBinaryToStringA,CryptBinaryToStringA,lstrlenA,lstrlenA,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrcatW,lstrcatW,lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenA,lstrlenW,MultiByteToWideChar,lstrcatW,lstrlenW,lstrlenA,lstrlenW,MultiByteToWideChar,lstrcatW,lstrlenW,lstrlenW,VirtualAlloc,lstrlenW,lstrlenW,_memset,lstrlenA,lstrlenA,CryptBinaryToStringA,GetLastError,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,MultiByteToWideChar,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree, 21_2_00405750
Source: C:\Users\user\AppData\Roaming\Microsoft\vkspii.exe Code function: 21_2_00405050 lstrlenA,VirtualAlloc,VirtualAlloc,CryptStringToBinaryA,_memset,lstrlenA,lstrlenA,VirtualAlloc,CryptStringToBinaryA,VirtualAlloc,MultiByteToWideChar,GetLastError,VirtualAlloc,VirtualFree,lstrlenA,VirtualAlloc,lstrcpyA,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,VirtualFree,GetLastError, 21_2_00405050
Source: C:\Users\user\AppData\Roaming\Microsoft\vkspii.exe Code function: 21_2_00407C60 CryptAcquireContextW,VirtualAlloc,GetModuleHandleA,LoadLibraryA,GetProcAddress,CryptReleaseContext,VirtualFree,CryptReleaseContext,VirtualFree, 21_2_00407C60
Source: C:\Users\user\AppData\Roaming\Microsoft\vkspii.exe Code function: 21_2_00406000 EnterCriticalSection,CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptImportKey,CryptGetKeyParam,CryptEncrypt,GetLastError,CryptReleaseContext,LeaveCriticalSection, 21_2_00406000
Source: C:\Users\user\AppData\Roaming\Microsoft\vkspii.exe Code function: 21_2_00405D80 CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptGenKey,CryptExportKey,CryptExportKey,CryptDestroyKey,CryptReleaseContext,CryptAcquireContextW, 21_2_00405D80
Source: C:\Users\user\AppData\Roaming\Microsoft\vkspii.exe Code function: 21_2_00407DB0 VirtualAlloc,CryptAcquireContextW,VirtualAlloc,GetModuleHandleA,LoadLibraryA,GetProcAddress,CryptReleaseContext,VirtualFree,CryptReleaseContext,VirtualFree, 21_2_00407DB0
Source: 9gkAKTWOXp.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 9gkAKTWOXp.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe File opened: z: Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe File opened: x: Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe File opened: v: Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe File opened: t: Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe File opened: r: Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe File opened: p: Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe File opened: n: Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe File opened: l: Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe File opened: j: Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe File opened: h: Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe File opened: f: Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe File opened: b: Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe File opened: y: Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe File opened: w: Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe File opened: u: Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe File opened: s: Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe File opened: q: Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe File opened: o: Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe File opened: m: Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe File opened: k: Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe File opened: i: Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe File opened: g: Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe File opened: e: Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe File opened: a: Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Code function: 1_2_004066F0 lstrlenW,lstrcatW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcatW,lstrcatW,lstrcatW,FindNextFileW,FindClose, 1_2_004066F0
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Code function: 1_2_004064A0 lstrlenW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcatW,lstrlenW,lstrcmpW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,lstrlenA,VirtualFree,CloseHandle,lstrcmpW,FindNextFileW,FindClose, 1_2_004064A0
Source: C:\Users\user\AppData\Roaming\Microsoft\vkspii.exe Code function: 13_2_004066F0 lstrlenW,lstrcatW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcatW,lstrcatW,lstrcatW,FindNextFileW,FindClose, 13_2_004066F0
Source: C:\Users\user\AppData\Roaming\Microsoft\vkspii.exe Code function: 13_2_004064A0 lstrlenW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcatW,lstrlenW,lstrcmpW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,lstrlenA,VirtualFree,CloseHandle,lstrcmpW,FindNextFileW,FindClose, 13_2_004064A0
Source: C:\Users\user\AppData\Roaming\Microsoft\vkspii.exe Code function: 21_2_004066F0 lstrlenW,lstrcatW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcatW,lstrcatW,lstrcatW,FindNextFileW,FindClose, 21_2_004066F0
Source: C:\Users\user\AppData\Roaming\Microsoft\vkspii.exe Code function: 21_2_004064A0 lstrlenW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcatW,lstrlenW,lstrcmpW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,lstrlenA,VirtualFree,CloseHandle,lstrcmpW,FindNextFileW,FindClose, 21_2_004064A0

Networking

barindex
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:51141 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:51142 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:51143 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:51144 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:52957 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:52958 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:52959 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:52960 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:60584 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:60585 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:60586 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:60587 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:57136 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:57137 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:57138 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:57139 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:56044 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:56045 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:56046 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:56047 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:59638 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:59639 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:59640 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:59641 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:55640 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:55641 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:55642 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:55643 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:57706 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:57707 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:57708 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:57709 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:65322 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:65323 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:65324 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:65325 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:60769 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:60770 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:60771 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:60772 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:65109 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:65110 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:65111 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:65112 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:53850 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:53851 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:53852 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:53853 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:57573 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:57574 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:57575 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:57576 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:53307 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:53308 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:53309 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:53310 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:59435 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:59436 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:59437 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:59438 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:53846 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:53847 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:53848 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:53849 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:53468 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:53469 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:53470 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:53471 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:53625 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:53626 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:53627 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:53628 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:61418 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:61419 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:61420 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:61421 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:65198 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:65199 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:65200 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:65201 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:59583 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:59584 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:59585 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:59586 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:53051 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:53052 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:53053 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:53054 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:60090 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:60091 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:60092 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:60093 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:63564 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:63565 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:63566 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:63567 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:53430 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:53431 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:53432 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:53433 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:65513 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:65514 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:65515 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:65516 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:59822 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:59823 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:59824 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:59825 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:64597 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:64598 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:64599 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:64600 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:64825 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:64826 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:64827 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:64828 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:51994 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:51995 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:51996 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:51997 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:58121 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:58122 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:58123 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:58124 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:49168 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:49169 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:49170 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:49171 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:58303 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:58304 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:58305 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:58306 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:63448 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:63449 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:63450 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:63451 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:49876 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:49877 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:49878 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:49879 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:65387 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:65388 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:65389 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:65390 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:54155 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:54156 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:54157 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:54158 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:64604 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:64605 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:64606 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:64607 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:50786 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:50787 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:50788 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:50789 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:64123 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:64124 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:64125 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:64126 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:64969 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:64970 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:64971 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:64972 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:49203 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:49204 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:49205 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:49206 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:60474 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:60475 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:60476 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:60477 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:59376 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:59377 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:59378 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:59379 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:56618 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:56619 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:56620 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:56621 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:61186 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:61187 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:61188 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:61189 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:57389 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:57390 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:57391 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:57392 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:50230 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:50231 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:50232 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:50233 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:53271 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:53272 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:53273 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:53274 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:59829 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:59830 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:59831 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:59832 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:62433 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:62434 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:62435 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:62436 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:64273 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:64274 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:64275 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:64276 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:51107 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:51108 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:51109 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:51110 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:52457 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:52458 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:52459 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:52460 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:55246 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:55247 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:55248 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:55249 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:64973 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:64974 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:53039 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:53040 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:53041 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:53042 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:55459 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:55460 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:55461 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:55462 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:60818 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:60819 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:60820 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:60821 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:62426 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:62427 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:62428 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:62429 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:61128 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:61129 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:61130 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:61131 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:58914 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:58915 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:58916 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:58917 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:50624 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:50625 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:50626 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:50627 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:55651 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:55652 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:55653 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:55654 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:64378 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:64379 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:64380 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:64381 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:52112 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:52113 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:52114 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:52115 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:63689 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:63690 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:63691 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:63692 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:57826 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:57827 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:57828 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:57829 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:52743 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:52744 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:52745 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:52746 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:60646 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:60647 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:60648 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:60649 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:55953 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:55954 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:55955 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:55956 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:51594 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:51595 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:51596 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:51597 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:61361 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:61362 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:61363 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:61364 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:58482 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:58483 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:58484 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:58485 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:51891 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:51892 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:51893 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:51894 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:60420 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:60421 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:60422 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:60423 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:54285 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:54286 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:54287 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:54288 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:59765 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:59766 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:59767 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:59768 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:54433 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:54434 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:54435 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:54436 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:65463 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:65464 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:65465 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:65466 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:50092 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:50093 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:50094 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:50095 -> 8.8.8.8:53
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Code function: 1_2_004068F0 VirtualAlloc,VirtualAlloc,lstrlenW,lstrlenA,wsprintfW,VirtualFree,InternetCloseHandle, ipv4bot.whatismyipaddress.com 1_2_004068F0
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Code function: 1_2_004068F0 VirtualAlloc,VirtualAlloc,lstrlenW,lstrlenA,wsprintfW,VirtualFree,InternetCloseHandle, ipv4bot.whatismyipaddress.com 1_2_004068F0
Source: C:\Users\user\AppData\Roaming\Microsoft\vkspii.exe Code function: 13_2_004068F0 VirtualAlloc,VirtualAlloc,lstrlenW,lstrlenA,wsprintfW,VirtualFree,InternetCloseHandle, ipv4bot.whatismyipaddress.com 13_2_004068F0
Source: C:\Users\user\AppData\Roaming\Microsoft\vkspii.exe Code function: 13_2_004068F0 VirtualAlloc,VirtualAlloc,lstrlenW,lstrlenA,wsprintfW,VirtualFree,InternetCloseHandle, ipv4bot.whatismyipaddress.com 13_2_004068F0
Source: C:\Users\user\AppData\Roaming\Microsoft\vkspii.exe Code function: 21_2_004068F0 VirtualAlloc,VirtualAlloc,lstrlenW,lstrlenA,wsprintfW,VirtualFree,InternetCloseHandle, ipv4bot.whatismyipaddress.com 21_2_004068F0
Source: C:\Users\user\AppData\Roaming\Microsoft\vkspii.exe Code function: 21_2_004068F0 VirtualAlloc,VirtualAlloc,lstrlenW,lstrlenA,wsprintfW,VirtualFree,InternetCloseHandle, ipv4bot.whatismyipaddress.com 21_2_004068F0
Source: 9gkAKTWOXp.exe, 00000001.00000000.253403415.000000000040E000.00000008.00000001.01000000.00000003.sdmp String found in binary or memory: 4. Open link in tor browser: http://gdcbghvjyqy7jclk.onion/e644d32fec6144de
Source: 9gkAKTWOXp.exe, 00000001.00000000.253403415.000000000040E000.00000008.00000001.01000000.00000003.sdmp String found in binary or memory: 1. http://gdcbghvjyqy7jclk.onion.top/e644d32fec6144de
Source: 9gkAKTWOXp.exe, 00000001.00000000.253403415.000000000040E000.00000008.00000001.01000000.00000003.sdmp String found in binary or memory: 2. http://gdcbghvjyqy7jclk.onion.casa/e644d32fec6144de
Source: 9gkAKTWOXp.exe, 00000001.00000000.253403415.000000000040E000.00000008.00000001.01000000.00000003.sdmp String found in binary or memory: 3. http://gdcbghvjyqy7jclk.onion.guide/e644d32fec6144de
Source: 9gkAKTWOXp.exe, 00000001.00000000.253403415.000000000040E000.00000008.00000001.01000000.00000003.sdmp String found in binary or memory: 4. http://gdcbghvjyqy7jclk.onion.rip/e644d32fec6144de
Source: 9gkAKTWOXp.exe, 00000001.00000000.253403415.000000000040E000.00000008.00000001.01000000.00000003.sdmp String found in binary or memory: 5. http://gdcbghvjyqy7jclk.onion.plus/e644d32fec6144de
Source: 9gkAKTWOXp.exe, 00000001.00000002.561907295.000000000040E000.00000004.00000001.01000000.00000003.sdmp String found in binary or memory: 4. Open link in tor browser: http://gdcbghvjyqy7jclk.onion/e644d32fec6144de
Source: 9gkAKTWOXp.exe, 00000001.00000002.561907295.000000000040E000.00000004.00000001.01000000.00000003.sdmp String found in binary or memory: 1. http://gdcbghvjyqy7jclk.onion.top/e644d32fec6144de
Source: 9gkAKTWOXp.exe, 00000001.00000002.561907295.000000000040E000.00000004.00000001.01000000.00000003.sdmp String found in binary or memory: 2. http://gdcbghvjyqy7jclk.onion.casa/e644d32fec6144de
Source: 9gkAKTWOXp.exe, 00000001.00000002.561907295.000000000040E000.00000004.00000001.01000000.00000003.sdmp String found in binary or memory: 3. http://gdcbghvjyqy7jclk.onion.guide/e644d32fec6144de
Source: 9gkAKTWOXp.exe, 00000001.00000002.561907295.000000000040E000.00000004.00000001.01000000.00000003.sdmp String found in binary or memory: 4. http://gdcbghvjyqy7jclk.onion.rip/e644d32fec6144de
Source: 9gkAKTWOXp.exe, 00000001.00000002.561907295.000000000040E000.00000004.00000001.01000000.00000003.sdmp String found in binary or memory: 5. http://gdcbghvjyqy7jclk.onion.plus/e644d32fec6144de
Source: vkspii.exe, 0000000D.00000000.288179215.000000000040E000.00000008.00000001.01000000.00000006.sdmp String found in binary or memory: 4. Open link in tor browser: http://gdcbghvjyqy7jclk.onion/e644d32fec6144de
Source: vkspii.exe, 0000000D.00000000.288179215.000000000040E000.00000008.00000001.01000000.00000006.sdmp String found in binary or memory: 1. http://gdcbghvjyqy7jclk.onion.top/e644d32fec6144de
Source: vkspii.exe, 0000000D.00000000.288179215.000000000040E000.00000008.00000001.01000000.00000006.sdmp String found in binary or memory: 2. http://gdcbghvjyqy7jclk.onion.casa/e644d32fec6144de
Source: vkspii.exe, 0000000D.00000000.288179215.000000000040E000.00000008.00000001.01000000.00000006.sdmp String found in binary or memory: 3. http://gdcbghvjyqy7jclk.onion.guide/e644d32fec6144de
Source: vkspii.exe, 0000000D.00000000.288179215.000000000040E000.00000008.00000001.01000000.00000006.sdmp String found in binary or memory: 4. http://gdcbghvjyqy7jclk.onion.rip/e644d32fec6144de
Source: vkspii.exe, 0000000D.00000000.288179215.000000000040E000.00000008.00000001.01000000.00000006.sdmp String found in binary or memory: 5. http://gdcbghvjyqy7jclk.onion.plus/e644d32fec6144de
Source: vkspii.exe, 0000000D.00000002.295333499.0000000000412000.00000008.00000001.01000000.00000006.sdmp String found in binary or memory: 4. Open link in tor browser: http://gdcbghvjyqy7jclk.onion/e644d32fec6144de
Source: vkspii.exe, 0000000D.00000002.295333499.0000000000412000.00000008.00000001.01000000.00000006.sdmp String found in binary or memory: 1. http://gdcbghvjyqy7jclk.onion.top/e644d32fec6144de
Source: vkspii.exe, 0000000D.00000002.295333499.0000000000412000.00000008.00000001.01000000.00000006.sdmp String found in binary or memory: 2. http://gdcbghvjyqy7jclk.onion.casa/e644d32fec6144de
Source: vkspii.exe, 0000000D.00000002.295333499.0000000000412000.00000008.00000001.01000000.00000006.sdmp String found in binary or memory: 3. http://gdcbghvjyqy7jclk.onion.guide/e644d32fec6144de
Source: vkspii.exe, 0000000D.00000002.295333499.0000000000412000.00000008.00000001.01000000.00000006.sdmp String found in binary or memory: 4. http://gdcbghvjyqy7jclk.onion.rip/e644d32fec6144de
Source: vkspii.exe, 0000000D.00000002.295333499.0000000000412000.00000008.00000001.01000000.00000006.sdmp String found in binary or memory: 5. http://gdcbghvjyqy7jclk.onion.plus/e644d32fec6144de
Source: vkspii.exe, 00000015.00000000.302558828.000000000040E000.00000008.00000001.01000000.00000006.sdmp String found in binary or memory: 4. Open link in tor browser: http://gdcbghvjyqy7jclk.onion/e644d32fec6144de
Source: vkspii.exe, 00000015.00000000.302558828.000000000040E000.00000008.00000001.01000000.00000006.sdmp String found in binary or memory: 1. http://gdcbghvjyqy7jclk.onion.top/e644d32fec6144de
Source: vkspii.exe, 00000015.00000000.302558828.000000000040E000.00000008.00000001.01000000.00000006.sdmp String found in binary or memory: 2. http://gdcbghvjyqy7jclk.onion.casa/e644d32fec6144de
Source: vkspii.exe, 00000015.00000000.302558828.000000000040E000.00000008.00000001.01000000.00000006.sdmp String found in binary or memory: 3. http://gdcbghvjyqy7jclk.onion.guide/e644d32fec6144de
Source: vkspii.exe, 00000015.00000000.302558828.000000000040E000.00000008.00000001.01000000.00000006.sdmp String found in binary or memory: 4. http://gdcbghvjyqy7jclk.onion.rip/e644d32fec6144de
Source: vkspii.exe, 00000015.00000000.302558828.000000000040E000.00000008.00000001.01000000.00000006.sdmp String found in binary or memory: 5. http://gdcbghvjyqy7jclk.onion.plus/e644d32fec6144de
Source: vkspii.exe, 00000015.00000002.305274923.0000000000412000.00000008.00000001.01000000.00000006.sdmp String found in binary or memory: 4. Open link in tor browser: http://gdcbghvjyqy7jclk.onion/e644d32fec6144de
Source: vkspii.exe, 00000015.00000002.305274923.0000000000412000.00000008.00000001.01000000.00000006.sdmp String found in binary or memory: 1. http://gdcbghvjyqy7jclk.onion.top/e644d32fec6144de
Source: vkspii.exe, 00000015.00000002.305274923.0000000000412000.00000008.00000001.01000000.00000006.sdmp String found in binary or memory: 2. http://gdcbghvjyqy7jclk.onion.casa/e644d32fec6144de
Source: vkspii.exe, 00000015.00000002.305274923.0000000000412000.00000008.00000001.01000000.00000006.sdmp String found in binary or memory: 3. http://gdcbghvjyqy7jclk.onion.guide/e644d32fec6144de
Source: vkspii.exe, 00000015.00000002.305274923.0000000000412000.00000008.00000001.01000000.00000006.sdmp String found in binary or memory: 4. http://gdcbghvjyqy7jclk.onion.rip/e644d32fec6144de
Source: vkspii.exe, 00000015.00000002.305274923.0000000000412000.00000008.00000001.01000000.00000006.sdmp String found in binary or memory: 5. http://gdcbghvjyqy7jclk.onion.plus/e644d32fec6144de
Source: 9gkAKTWOXp.exe String found in binary or memory: 4. Open link in tor browser: http://gdcbghvjyqy7jclk.onion/e644d32fec6144de
Source: 9gkAKTWOXp.exe String found in binary or memory: 1. http://gdcbghvjyqy7jclk.onion.top/e644d32fec6144de
Source: 9gkAKTWOXp.exe String found in binary or memory: 2. http://gdcbghvjyqy7jclk.onion.casa/e644d32fec6144de
Source: 9gkAKTWOXp.exe String found in binary or memory: 3. http://gdcbghvjyqy7jclk.onion.guide/e644d32fec6144de
Source: 9gkAKTWOXp.exe String found in binary or memory: 4. http://gdcbghvjyqy7jclk.onion.rip/e644d32fec6144de
Source: 9gkAKTWOXp.exe String found in binary or memory: 5. http://gdcbghvjyqy7jclk.onion.plus/e644d32fec6144de
Source: vkspii.exe.1.dr String found in binary or memory: 4. Open link in tor browser: http://gdcbghvjyqy7jclk.onion/e644d32fec6144de
Source: vkspii.exe.1.dr String found in binary or memory: 1. http://gdcbghvjyqy7jclk.onion.top/e644d32fec6144de
Source: vkspii.exe.1.dr String found in binary or memory: 2. http://gdcbghvjyqy7jclk.onion.casa/e644d32fec6144de
Source: vkspii.exe.1.dr String found in binary or memory: 3. http://gdcbghvjyqy7jclk.onion.guide/e644d32fec6144de
Source: vkspii.exe.1.dr String found in binary or memory: 4. http://gdcbghvjyqy7jclk.onion.rip/e644d32fec6144de
Source: vkspii.exe.1.dr String found in binary or memory: 5. http://gdcbghvjyqy7jclk.onion.plus/e644d32fec6144de
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup emsisoft.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup emsisoft.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup emsisoft.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup emsisoft.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup emsisoft.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup emsisoft.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup emsisoft.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup emsisoft.bit dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup emsisoft.bit dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup emsisoft.bit dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup emsisoft.bit dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup emsisoft.bit dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup emsisoft.bit dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe DNS query: name: ipv4bot.whatismyipaddress.com
Source: 9gkAKTWOXp.exe, vkspii.exe.1.dr String found in binary or memory: http://gdcbghvjyqy7jclk.onion.casa/e644d32fec6144de
Source: 9gkAKTWOXp.exe, vkspii.exe.1.dr String found in binary or memory: http://gdcbghvjyqy7jclk.onion.guide/e644d32fec6144de
Source: 9gkAKTWOXp.exe, vkspii.exe.1.dr String found in binary or memory: http://gdcbghvjyqy7jclk.onion.plus/e644d32fec6144de
Source: 9gkAKTWOXp.exe, vkspii.exe.1.dr String found in binary or memory: http://gdcbghvjyqy7jclk.onion.rip/e644d32fec6144de
Source: 9gkAKTWOXp.exe, vkspii.exe.1.dr String found in binary or memory: http://gdcbghvjyqy7jclk.onion.top/e644d32fec6144de
Source: 9gkAKTWOXp.exe, vkspii.exe.1.dr String found in binary or memory: http://gdcbghvjyqy7jclk.onion/e644d32fec6144de
Source: 9gkAKTWOXp.exe, vkspii.exe.1.dr String found in binary or memory: https://www.torproject.org/
Source: unknown DNS traffic detected: queries for: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Code function: 1_2_00407A00 lstrcatW,InternetCloseHandle,InternetConnectW,VirtualAlloc,wsprintfW,HttpOpenRequestW,HttpAddRequestHeadersW,HttpSendRequestW,InternetReadFile,InternetReadFile,GetLastError,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,VirtualFree, 1_2_00407A00

Spam, unwanted Advertisements and Ransom Demands

barindex
Source: Yara match File source: 9gkAKTWOXp.exe, type: SAMPLE
Source: Yara match File source: 13.0.vkspii.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.9gkAKTWOXp.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.vkspii.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.vkspii.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.9gkAKTWOXp.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.vkspii.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000D.00000002.295326787.000000000040E000.00000004.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000000.288179215.000000000040E000.00000008.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.305269157.000000000040E000.00000004.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.253403415.000000000040E000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000000.302558828.000000000040E000.00000008.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.561907295.000000000040E000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.295333499.0000000000412000.00000008.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.305274923.0000000000412000.00000008.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 9gkAKTWOXp.exe PID: 4664, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: vkspii.exe PID: 6028, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: vkspii.exe PID: 4024, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Roaming\Microsoft\vkspii.exe, type: DROPPED
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Code function: 1_2_00406000 EnterCriticalSection,CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptImportKey,CryptGetKeyParam,CryptEncrypt,GetLastError,CryptReleaseContext,LeaveCriticalSection, 1_2_00406000
Source: C:\Users\user\AppData\Roaming\Microsoft\vkspii.exe Code function: 13_2_00406000 EnterCriticalSection,CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptImportKey,CryptGetKeyParam,CryptEncrypt,GetLastError,CryptReleaseContext,LeaveCriticalSection, 13_2_00406000
Source: C:\Users\user\AppData\Roaming\Microsoft\vkspii.exe Code function: 21_2_00406000 EnterCriticalSection,CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptImportKey,CryptGetKeyParam,CryptEncrypt,GetLastError,CryptReleaseContext,LeaveCriticalSection, 21_2_00406000
Source: nslookup.exe Process created: 43

System Summary

barindex
Source: 9gkAKTWOXp.exe, type: SAMPLE Matched rule: Gandcrab Payload Author: kevoreilly
Source: 13.0.vkspii.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Gandcrab Payload Author: kevoreilly
Source: 1.2.9gkAKTWOXp.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Gandcrab Payload Author: kevoreilly
Source: 13.2.vkspii.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Gandcrab Payload Author: kevoreilly
Source: 21.2.vkspii.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Gandcrab Payload Author: kevoreilly
Source: 1.0.9gkAKTWOXp.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Gandcrab Payload Author: kevoreilly
Source: 21.0.vkspii.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Gandcrab Payload Author: kevoreilly
Source: C:\Users\user\AppData\Roaming\Microsoft\vkspii.exe, type: DROPPED Matched rule: Gandcrab Payload Author: kevoreilly
Source: 9gkAKTWOXp.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 9gkAKTWOXp.exe, type: SAMPLE Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 9gkAKTWOXp.exe, type: SAMPLE Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 13.0.vkspii.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 13.0.vkspii.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 1.2.9gkAKTWOXp.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 1.2.9gkAKTWOXp.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 13.2.vkspii.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 13.2.vkspii.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 21.2.vkspii.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 1.0.9gkAKTWOXp.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 21.2.vkspii.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 1.0.9gkAKTWOXp.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 21.0.vkspii.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 21.0.vkspii.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: C:\Users\user\AppData\Roaming\Microsoft\vkspii.exe, type: DROPPED Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: C:\Users\user\AppData\Roaming\Microsoft\vkspii.exe, type: DROPPED Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Code function: 1_2_00402000 1_2_00402000
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Code function: 1_2_00407EE0 1_2_00407EE0
Source: C:\Users\user\AppData\Roaming\Microsoft\vkspii.exe Code function: 13_2_00402000 13_2_00402000
Source: C:\Users\user\AppData\Roaming\Microsoft\vkspii.exe Code function: 13_2_00407EE0 13_2_00407EE0
Source: C:\Users\user\AppData\Roaming\Microsoft\vkspii.exe Code function: 21_2_00402000 21_2_00402000
Source: C:\Users\user\AppData\Roaming\Microsoft\vkspii.exe Code function: 21_2_00407EE0 21_2_00407EE0
Source: 9gkAKTWOXp.exe Virustotal: Detection: 81%
Source: 9gkAKTWOXp.exe Metadefender: Detection: 72%
Source: 9gkAKTWOXp.exe ReversingLabs: Detection: 100%
Source: 9gkAKTWOXp.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\9gkAKTWOXp.exe "C:\Users\user\Desktop\9gkAKTWOXp.exe"
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup emsisoft.bit dns1.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru
Source: unknown Process created: C:\Users\user\AppData\Roaming\Microsoft\vkspii.exe "C:\Users\user\AppData\Roaming\Microsoft\vkspii.exe"
Source: C:\Windows\SysWOW64\nslookup.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup emsisoft.bit dns1.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Roaming\Microsoft\vkspii.exe "C:\Users\user\AppData\Roaming\Microsoft\vkspii.exe"
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup emsisoft.bit dns1.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup emsisoft.bit dns1.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup emsisoft.bit dns1.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup emsisoft.bit dns1.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup emsisoft.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup emsisoft.bit dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup emsisoft.bit dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup emsisoft.bit dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup emsisoft.bit dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup emsisoft.bit dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup emsisoft.bit dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32 Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe File created: C:\Users\user\AppData\Roaming\Microsoft\vkspii.exe Jump to behavior
Source: classification engine Classification label: mal100.rans.troj.evad.winEXE@127/2@529/0
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Code function: 1_2_00406D90 VirtualAlloc,VirtualAlloc,GetUserNameW,VirtualAlloc,GetComputerNameW,wsprintfW,VirtualAlloc,wsprintfW,VirtualAlloc,RegOpenKeyExW,RegQueryValueExW,GetLastError,RegCloseKey,VirtualFree,VirtualAlloc,VirtualAlloc,wsprintfW,RegOpenKeyExW,RegQueryValueExW,GetLastError,RegCloseKey,lstrcmpiW,wsprintfW,wsprintfW,VirtualFree,VirtualAlloc,VirtualAlloc,RegOpenKeyExW,RegQueryValueExW,GetLastError,RegCloseKey,wsprintfW,GetNativeSystemInfo,VirtualAlloc,wsprintfW,VirtualAlloc,VirtualAlloc,GetWindowsDirectoryW,GetVolumeInformationW,RegOpenKeyExW,RegQueryValueExW,GetLastError,RegCloseKey,lstrlenW,wsprintfW,lstrcatW,lstrcatW,GetModuleHandleW,GetProcAddress,lstrlenW,VirtualFree,lstrcatW,VirtualAlloc,GetDriveTypeW,lstrcatW,lstrcatW,lstrcatW,GetDiskFreeSpaceW,lstrlenW,wsprintfW,wsprintfW,lstrlenW,lstrlenW,wsprintfW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,lstrlenW,VirtualAlloc,VirtualFree, 1_2_00406D90
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Code function: 1_2_00404640 CreateToolhelp32Snapshot,VirtualAlloc,Process32FirstW,CloseHandle,lstrcmpiW,OpenProcess,TerminateProcess,CloseHandle,CloseHandle,CloseHandle,Process32NextW,VirtualFree,FindCloseChangeNotification, 1_2_00404640
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5972:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5360:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1976:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3196:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4272:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5500:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4996:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4184:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5116:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5956:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3184:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4820:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1328:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3880:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5920:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5460:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1944:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1360:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5816:120:WilError_01
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\pc_group=WORKGROUP&ransom_id=66326910ce147b1b
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5208:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2140:120:WilError_01
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: Window Recorder Window detected: More than 3 window changes detected
Source: 9gkAKTWOXp.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Code function: 1_2_00407C60 CryptAcquireContextW,VirtualAlloc,GetModuleHandleA,LoadLibraryA,GetProcAddress,CryptReleaseContext,VirtualFree,CryptReleaseContext,VirtualFree, 1_2_00407C60
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe File created: C:\Users\user\AppData\Roaming\Microsoft\vkspii.exe Jump to dropped file
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce qfkhrdewlal Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce qfkhrdewlal Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce qfkhrdewlal Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce qfkhrdewlal Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe TID: 4584 Thread sleep count: 80 > 30 Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe TID: 4584 Thread sleep time: -800000s >= -30000s Jump to behavior
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\Microsoft\vkspii.exe Evaded block: after key decision
Source: C:\Users\user\AppData\Roaming\Microsoft\vkspii.exe Evaded block: after key decision
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Code function: EnumDeviceDrivers,K32EnumDeviceDrivers,VirtualAlloc,K32EnumDeviceDrivers,K32GetDeviceDriverBaseNameW,lstrcmpiW,VirtualFree,VirtualFree, 1_2_00402F50
Source: C:\Users\user\AppData\Roaming\Microsoft\vkspii.exe Code function: EnumDeviceDrivers,EnumDeviceDrivers,VirtualAlloc,EnumDeviceDrivers,GetDeviceDriverBaseNameW,lstrcmpiW,VirtualFree,VirtualFree, 13_2_00402F50
Source: C:\Users\user\AppData\Roaming\Microsoft\vkspii.exe Code function: EnumDeviceDrivers,EnumDeviceDrivers,VirtualAlloc,EnumDeviceDrivers,GetDeviceDriverBaseNameW,lstrcmpiW,VirtualFree,VirtualFree, 21_2_00402F50
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Code function: 1_2_004066F0 lstrlenW,lstrcatW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcatW,lstrcatW,lstrcatW,FindNextFileW,FindClose, 1_2_004066F0
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Code function: 1_2_004064A0 lstrlenW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcatW,lstrlenW,lstrcmpW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,lstrlenA,VirtualFree,CloseHandle,lstrcmpW,FindNextFileW,FindClose, 1_2_004064A0
Source: C:\Users\user\AppData\Roaming\Microsoft\vkspii.exe Code function: 13_2_004066F0 lstrlenW,lstrcatW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcatW,lstrcatW,lstrcatW,FindNextFileW,FindClose, 13_2_004066F0
Source: C:\Users\user\AppData\Roaming\Microsoft\vkspii.exe Code function: 13_2_004064A0 lstrlenW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcatW,lstrlenW,lstrcmpW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,lstrlenA,VirtualFree,CloseHandle,lstrcmpW,FindNextFileW,FindClose, 13_2_004064A0
Source: C:\Users\user\AppData\Roaming\Microsoft\vkspii.exe Code function: 21_2_004066F0 lstrlenW,lstrcatW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcatW,lstrcatW,lstrcatW,FindNextFileW,FindClose, 21_2_004066F0
Source: C:\Users\user\AppData\Roaming\Microsoft\vkspii.exe Code function: 21_2_004064A0 lstrlenW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcatW,lstrlenW,lstrcmpW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,lstrlenA,VirtualFree,CloseHandle,lstrcmpW,FindNextFileW,FindClose, 21_2_004064A0
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe System information queried: ModuleInformation Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Roaming\Microsoft\vkspii.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Roaming\Microsoft\vkspii.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Roaming\Microsoft\vkspii.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Roaming\Microsoft\vkspii.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Code function: 1_2_00407C60 CryptAcquireContextW,VirtualAlloc,GetModuleHandleA,LoadLibraryA,GetProcAddress,CryptReleaseContext,VirtualFree,CryptReleaseContext,VirtualFree, 1_2_00407C60
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Code function: 1_2_00405050 lstrlenA,VirtualAlloc,VirtualAlloc,CryptStringToBinaryA,_memset,lstrlenA,lstrlenA,VirtualAlloc,CryptStringToBinaryA,VirtualAlloc,MultiByteToWideChar,GetLastError,VirtualAlloc,VirtualFree,lstrlenA,VirtualAlloc,lstrcpyA,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,VirtualFree,GetLastError, 1_2_00405050
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup emsisoft.bit dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup emsisoft.bit dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup emsisoft.bit dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup emsisoft.bit dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup emsisoft.bit dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup emsisoft.bit dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Code function: 1_2_00403A60 AllocateAndInitializeSid,GetModuleHandleA,GetProcAddress,FreeSid, 1_2_00403A60
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\vkspii.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\vkspii.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Code function: 1_2_00408BC0 cpuid 1_2_00408BC0
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\vkspii.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\vkspii.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\vkspii.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\vkspii.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe Code function: 1_2_00406D90 VirtualAlloc,VirtualAlloc,GetUserNameW,VirtualAlloc,GetComputerNameW,wsprintfW,VirtualAlloc,wsprintfW,VirtualAlloc,RegOpenKeyExW,RegQueryValueExW,GetLastError,RegCloseKey,VirtualFree,VirtualAlloc,VirtualAlloc,wsprintfW,RegOpenKeyExW,RegQueryValueExW,GetLastError,RegCloseKey,lstrcmpiW,wsprintfW,wsprintfW,VirtualFree,VirtualAlloc,VirtualAlloc,RegOpenKeyExW,RegQueryValueExW,GetLastError,RegCloseKey,wsprintfW,GetNativeSystemInfo,VirtualAlloc,wsprintfW,VirtualAlloc,VirtualAlloc,GetWindowsDirectoryW,GetVolumeInformationW,RegOpenKeyExW,RegQueryValueExW,GetLastError,RegCloseKey,lstrlenW,wsprintfW,lstrcatW,lstrcatW,GetModuleHandleW,GetProcAddress,lstrlenW,VirtualFree,lstrcatW,VirtualAlloc,GetDriveTypeW,lstrcatW,lstrcatW,lstrcatW,GetDiskFreeSpaceW,lstrlenW,wsprintfW,wsprintfW,lstrlenW,lstrlenW,wsprintfW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,lstrlenW,VirtualAlloc,VirtualFree, 1_2_00406D90
No contacted IP infos