Windows Analysis Report
2fiDcmkaZY.exe

Overview

General Information

Sample Name: 2fiDcmkaZY.exe
Analysis ID: 694570
MD5: a8ac57500de5dadf8c4db19959ddf2ec
SHA1: 202baa4b862222951619adc032fd2883562113b2
SHA256: fcc7cc8f57d5a2a525d8026e81f69318262ca4e9036a726e26b1e3406f6f52d5
Tags: exe
Infos:

Detection

Gandcrab
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected Gandcrab
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Snort IDS alert for network traffic
Found evasive API chain (may stop execution after checking mutex)
Contains functionality to determine the online IP of the system
Found Tor onion address
Uses nslookup.exe to query domains
Machine Learning detection for sample
May check the online IP address of the machine
Machine Learning detection for dropped file
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Sample execution stops while process was sleeping (likely an evasion)
Too many similar processes found
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a DirectInput object (often for capturing keystrokes)
Queries information about the installed CPU (vendor, model number etc)
Drops PE files
Found evaded block containing many API calls
Contains functionality to enumerate device drivers
Checks for available system drives (often done to infect USB drives)
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection
barindex
Multi AV Scanner detection for submitted file
Source: 2fiDcmkaZY.exe ReversingLabs: Detection: 100%
Antivirus / Scanner detection for submitted sample
Source: 2fiDcmkaZY.exe Avira: detected
Antivirus detection for URL or domain
Source: http://gdcbghvjyqy7jclk.onion.casa/2d028d577a0eb038 Avira URL Cloud: Label: malware
Source: http://gdcbghvjyqy7jclk.onion.top/2d028d577a0eb038 Avira URL Cloud: Label: phishing
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\tdicrr.exe Avira: detection malicious, Label: TR/FileCoder.oytet
Machine Learning detection for sample
Source: 2fiDcmkaZY.exe Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\tdicrr.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 20.0.tdicrr.exe.c70000.0.unpack Avira: Label: TR/Crypt.XPACK.Gen3
Source: 20.2.tdicrr.exe.c70000.0.unpack Avira: Label: TR/Crypt.XPACK.Gen3
Source: 13.0.tdicrr.exe.c70000.0.unpack Avira: Label: TR/Crypt.XPACK.Gen3
Source: 0.2.2fiDcmkaZY.exe.a60000.0.unpack Avira: Label: TR/Crypt.XPACK.Gen3
Source: 13.2.tdicrr.exe.c70000.0.unpack Avira: Label: TR/Crypt.XPACK.Gen3
Source: 0.0.2fiDcmkaZY.exe.a60000.0.unpack Avira: Label: TR/Crypt.XPACK.Gen3
Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Code function: 0_2_00A648A0 Sleep,ExitProcess,CreateThread,WaitForSingleObject,TerminateThread,CloseHandle,ExitProcess,Sleep,lstrlenA,VirtualAlloc,CryptStringToBinaryA,ExitProcess,InitializeCriticalSection,DeleteCriticalSection,VirtualAlloc,GetModuleFileNameW,VirtualFree,ShellExecuteW, 0_2_00A648A0
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Code function: 0_2_00A67DB0 CryptAcquireContextW,VirtualAlloc,GetModuleHandleA,LoadLibraryA,GetProcAddress,CryptReleaseContext,VirtualFree,CryptReleaseContext,VirtualFree, 0_2_00A67DB0
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Code function: 0_2_00A65D80 CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptGenKey,CryptExportKey,CryptExportKey,CryptDestroyKey,CryptReleaseContext,CryptAcquireContextW, 0_2_00A65D80
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Code function: 0_2_00A67C60 CryptAcquireContextW,VirtualAlloc,GetModuleHandleA,LoadLibraryA,GetProcAddress,CryptReleaseContext,VirtualFree,CryptReleaseContext,VirtualFree, 0_2_00A67C60
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Code function: 0_2_00A65750 VirtualAlloc,CryptBinaryToStringA,CryptBinaryToStringA,CryptBinaryToStringA,lstrlenA,lstrlenA,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrcatW,lstrcatW,lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenA,lstrlenW,MultiByteToWideChar,lstrcatW,lstrlenW,lstrlenA,lstrlenW,MultiByteToWideChar,lstrcatW,lstrlenW,lstrlenW,VirtualAlloc,lstrlenW,lstrlenW,_memset,lstrlenA,lstrlenA,CryptBinaryToStringA,GetLastError,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,MultiByteToWideChar,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree, 0_2_00A65750
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Code function: 0_2_00A66000 EnterCriticalSection,CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptImportKey,CryptGetKeyParam,CryptEncrypt,GetLastError,CryptReleaseContext,LeaveCriticalSection, 0_2_00A66000
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Code function: 0_2_00A65540 VirtualAlloc,wsprintfW,lstrlenW,lstrlenW,lstrlenW,_memset,lstrlenA,lstrlenW,lstrlenW,CryptBinaryToStringA,GetLastError,lstrlenA,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,VirtualFree,VirtualFree,VirtualFree, 0_2_00A65540
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Code function: 0_2_00A65050 lstrlenA,VirtualAlloc,VirtualAlloc,CryptStringToBinaryA,_memset,lstrlenA,lstrlenA,VirtualAlloc,CryptStringToBinaryA,VirtualAlloc,MultiByteToWideChar,GetLastError,VirtualAlloc,VirtualFree,lstrlenA,VirtualAlloc,lstrcpyA,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,VirtualFree,GetLastError, 0_2_00A65050
Source: C:\Users\user\AppData\Roaming\Microsoft\tdicrr.exe Code function: 13_2_00C748A0 Sleep,ExitProcess,CreateThread,WaitForSingleObject,TerminateThread,CloseHandle,ExitProcess,Sleep,lstrlenA,VirtualAlloc,CryptStringToBinaryA,ExitProcess,InitializeCriticalSection,DeleteCriticalSection,VirtualAlloc,GetModuleFileNameW,VirtualFree,ShellExecuteW, 13_2_00C748A0
Source: C:\Users\user\AppData\Roaming\Microsoft\tdicrr.exe Code function: 13_2_00C75D80 CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptGenKey,CryptExportKey,CryptExportKey,CryptDestroyKey,CryptReleaseContext,CryptAcquireContextW, 13_2_00C75D80
Source: C:\Users\user\AppData\Roaming\Microsoft\tdicrr.exe Code function: 13_2_00C77DB0 VirtualAlloc,CryptAcquireContextW,VirtualAlloc,GetModuleHandleA,LoadLibraryA,GetProcAddress,CryptReleaseContext,VirtualFree,CryptReleaseContext,VirtualFree, 13_2_00C77DB0
Source: C:\Users\user\AppData\Roaming\Microsoft\tdicrr.exe Code function: 13_2_00C75540 VirtualAlloc,wsprintfW,lstrlenW,lstrlenW,lstrlenW,_memset,lstrlenA,lstrlenW,lstrlenW,CryptBinaryToStringA,GetLastError,lstrlenA,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,VirtualFree,VirtualFree,VirtualFree, 13_2_00C75540
Source: C:\Users\user\AppData\Roaming\Microsoft\tdicrr.exe Code function: 13_2_00C75750 VirtualAlloc,CryptBinaryToStringA,CryptBinaryToStringA,CryptBinaryToStringA,lstrlenA,lstrlenA,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrcatW,lstrcatW,lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenA,lstrlenW,MultiByteToWideChar,lstrcatW,lstrlenW,lstrlenA,lstrlenW,MultiByteToWideChar,lstrcatW,lstrlenW,lstrlenW,VirtualAlloc,lstrlenW,lstrlenW,_memset,lstrlenA,lstrlenA,CryptBinaryToStringA,GetLastError,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,MultiByteToWideChar,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree, 13_2_00C75750
Source: C:\Users\user\AppData\Roaming\Microsoft\tdicrr.exe Code function: 13_2_00C75050 lstrlenA,VirtualAlloc,VirtualAlloc,CryptStringToBinaryA,_memset,lstrlenA,lstrlenA,VirtualAlloc,CryptStringToBinaryA,VirtualAlloc,MultiByteToWideChar,GetLastError,VirtualAlloc,VirtualFree,lstrlenA,VirtualAlloc,lstrcpyA,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,VirtualFree,GetLastError, 13_2_00C75050
Source: C:\Users\user\AppData\Roaming\Microsoft\tdicrr.exe Code function: 13_2_00C77C60 CryptAcquireContextW,VirtualAlloc,GetModuleHandleA,LoadLibraryA,GetProcAddress,CryptReleaseContext,VirtualFree,CryptReleaseContext,VirtualFree, 13_2_00C77C60
Source: C:\Users\user\AppData\Roaming\Microsoft\tdicrr.exe Code function: 13_2_00C76000 EnterCriticalSection,CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptImportKey,CryptGetKeyParam,CryptEncrypt,GetLastError,CryptReleaseContext,LeaveCriticalSection, 13_2_00C76000
Uses 32bit PE files
Source: 2fiDcmkaZY.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 2fiDcmkaZY.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Checks for available system drives (often done to infect USB drives)
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe File opened: z: Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe File opened: x: Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe File opened: v: Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe File opened: t: Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe File opened: r: Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe File opened: p: Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe File opened: n: Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe File opened: l: Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe File opened: j: Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe File opened: h: Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe File opened: f: Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe File opened: b: Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe File opened: y: Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe File opened: w: Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe File opened: u: Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe File opened: s: Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe File opened: q: Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe File opened: o: Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe File opened: m: Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe File opened: k: Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe File opened: i: Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe File opened: g: Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe File opened: e: Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe File opened: a: Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Code function: 0_2_00A664A0 lstrlenW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcatW,lstrlenW,lstrcmpW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,lstrlenA,VirtualFree,CloseHandle,lstrcmpW,FindNextFileW,FindClose, 0_2_00A664A0
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Code function: 0_2_00A666F0 lstrlenW,lstrcatW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcatW,lstrcatW,lstrcatW,FindNextFileW,FindClose, 0_2_00A666F0
Source: C:\Users\user\AppData\Roaming\Microsoft\tdicrr.exe Code function: 13_2_00C766F0 lstrlenW,lstrcatW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcatW,lstrcatW,lstrcatW,FindNextFileW,FindClose, 13_2_00C766F0
Source: C:\Users\user\AppData\Roaming\Microsoft\tdicrr.exe Code function: 13_2_00C764A0 lstrlenW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcatW,lstrlenW,lstrcmpW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,lstrlenA,VirtualFree,CloseHandle,lstrcmpW,FindNextFileW,FindClose, 13_2_00C764A0

Networking
barindex
Snort IDS alert for network traffic
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.5:49726 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.5:49727 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.5:49728 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.5:49729 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.5:61454 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.5:61455 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.5:61456 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.5:61457 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.5:65325 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.5:65326 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.5:65327 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.5:65328 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.5:51486 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.5:51487 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.5:51488 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.5:51489 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.5:63448 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.5:63449 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.5:63450 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.5:63451 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.5:56753 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.5:56754 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.5:56755 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.5:56756 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.5:60977 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.5:60978 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.5:60979 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.5:60980 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.5:59222 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.5:59223 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.5:59224 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.5:59225 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.5:55070 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.5:55071 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.5:55072 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.5:55073 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.5:56684 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.5:56685 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.5:56686 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.5:56687 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.5:58534 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.5:58535 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.5:58536 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.5:58537 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.5:62661 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.5:62662 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.5:62663 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.5:62664 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.5:58583 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.5:58584 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.5:58585 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.5:58586 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.5:65515 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.5:65516 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.5:65517 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.5:65518 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.5:56689 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.5:56690 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.5:56691 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.5:56692 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.5:61346 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.5:61347 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.5:61348 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.5:61349 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.5:53974 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.5:53975 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.5:53976 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.5:53977 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.5:64934 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.5:64935 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.5:64936 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.5:64937 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.5:58474 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.5:58475 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.5:58476 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.5:58477 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.5:60179 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.5:60180 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.5:60181 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.5:60182 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.5:60286 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.5:60287 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.5:60288 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.5:60289 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.5:60021 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.5:60022 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.5:60023 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.5:60024 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.5:50904 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.5:50905 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.5:50906 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.5:50907 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.5:53825 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.5:53826 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.5:53827 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.5:53828 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.5:49771 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.5:49772 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.5:49773 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.5:49774 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.5:49581 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.5:49582 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.5:49583 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.5:49584 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.5:53557 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.5:53558 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.5:53559 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.5:53560 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.5:61295 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.5:61296 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.5:61297 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.5:61298 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.5:50088 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.5:50089 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.5:50090 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.5:50091 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.5:52190 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.5:52191 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.5:52192 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.5:52193 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.5:54587 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.5:54588 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.5:54589 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.5:54590 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.5:52102 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.5:52103 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.5:52104 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.5:52105 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.5:60910 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.5:60911 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.5:60912 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.5:60913 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.5:58625 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.5:58626 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.5:58627 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.5:58628 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.5:65495 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.5:65496 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.5:65497 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.5:65498 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.5:57484 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.5:57485 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.5:57486 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.5:57487 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.5:52098 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.5:52099 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.5:52100 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.5:52101 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.5:62059 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.5:62060 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.5:62061 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.5:62062 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.5:60296 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.5:60297 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.5:60298 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.5:60299 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.5:63730 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.5:63731 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.5:63732 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.5:63733 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.5:50079 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.5:50080 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.5:50081 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.5:50082 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.5:49961 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.5:49962 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.5:49963 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.5:49964 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.5:55611 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.5:55612 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.5:55613 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.5:55614 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.5:58874 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.5:58875 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.5:58876 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.5:58877 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.5:52894 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.5:52895 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.5:52896 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.5:52897 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.5:65332 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.5:65333 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.5:65334 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.5:65335 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.5:52975 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.5:52976 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.5:52977 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.5:52978 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.5:62936 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.5:62937 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.5:62938 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.5:62939 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.5:58443 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.5:58444 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.5:58445 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.5:58446 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.5:55728 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.5:55729 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.5:55730 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.5:55731 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.5:53429 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.5:53430 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.5:53431 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.5:53432 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.5:60181 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.5:60182 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.5:60183 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.5:60184 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.5:57379 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.5:57380 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.5:57381 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.5:57382 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.5:63940 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.5:63941 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.5:63942 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.5:63943 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.5:50446 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.5:50447 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.5:50448 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.5:50449 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.5:59807 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.5:51724 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.5:51725 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.5:51726 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.5:64496 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.5:64497 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.5:64498 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.5:64499 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.5:64312 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.5:64313 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.5:64314 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.5:64315 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.5:49263 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.5:49264 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.5:49265 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.5:49266 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.5:54369 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.5:54370 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.5:54371 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.5:54372 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.5:59585 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.5:59586 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.5:59587 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.5:59588 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.5:50564 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.5:50565 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.5:50566 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.5:50567 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.5:56116 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.5:56117 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.5:56118 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.5:56119 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.5:61018 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.5:61019 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.5:61020 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.5:61021 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.5:59298 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.5:59299 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.5:59300 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.5:59301 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.5:55594 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.5:55595 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.5:55596 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.5:55597 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.5:65117 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.5:65118 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.5:65119 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.5:65120 -> 8.8.8.8:53
Contains functionality to determine the online IP of the system
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Code function: 0_2_00A668F0 VirtualAlloc,VirtualAlloc,lstrlenW,lstrlenA,wsprintfW,VirtualFree,InternetCloseHandle, ipv4bot.whatismyipaddress.com 0_2_00A668F0
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Code function: 0_2_00A668F0 VirtualAlloc,VirtualAlloc,lstrlenW,lstrlenA,wsprintfW,VirtualFree,InternetCloseHandle, ipv4bot.whatismyipaddress.com 0_2_00A668F0
Source: C:\Users\user\AppData\Roaming\Microsoft\tdicrr.exe Code function: 13_2_00C768F0 VirtualAlloc,VirtualAlloc,lstrlenW,lstrlenA,wsprintfW,VirtualFree,InternetCloseHandle, ipv4bot.whatismyipaddress.com 13_2_00C768F0
Source: C:\Users\user\AppData\Roaming\Microsoft\tdicrr.exe Code function: 13_2_00C768F0 VirtualAlloc,VirtualAlloc,lstrlenW,lstrlenA,wsprintfW,VirtualFree,InternetCloseHandle, ipv4bot.whatismyipaddress.com 13_2_00C768F0
Found Tor onion address
Source: 2fiDcmkaZY.exe, 00000000.00000002.598939067.0000000000A69000.00000004.00000001.01000000.00000003.sdmp String found in binary or memory: 4. Open link in tor browser: http://gdcbghvjyqy7jclk.onion/2d028d577a0eb038
Source: 2fiDcmkaZY.exe, 00000000.00000002.598939067.0000000000A69000.00000004.00000001.01000000.00000003.sdmp String found in binary or memory: 1. http://gdcbghvjyqy7jclk.onion.top/2d028d577a0eb038
Source: 2fiDcmkaZY.exe, 00000000.00000002.598939067.0000000000A69000.00000004.00000001.01000000.00000003.sdmp String found in binary or memory: 2. http://gdcbghvjyqy7jclk.onion.casa/2d028d577a0eb038
Source: 2fiDcmkaZY.exe, 00000000.00000002.598939067.0000000000A69000.00000004.00000001.01000000.00000003.sdmp String found in binary or memory: 3. http://gdcbghvjyqy7jclk.onion.guide/2d028d577a0eb038
Source: 2fiDcmkaZY.exe, 00000000.00000002.598939067.0000000000A69000.00000004.00000001.01000000.00000003.sdmp String found in binary or memory: 4. http://gdcbghvjyqy7jclk.onion.rip/2d028d577a0eb038
Source: 2fiDcmkaZY.exe, 00000000.00000002.598939067.0000000000A69000.00000004.00000001.01000000.00000003.sdmp String found in binary or memory: 5. http://gdcbghvjyqy7jclk.onion.plus/2d028d577a0eb038
Uses nslookup.exe to query domains
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup emsisoft.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup emsisoft.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup emsisoft.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup emsisoft.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup emsisoft.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup emsisoft.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup emsisoft.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup emsisoft.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup emsisoft.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup emsisoft.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup emsisoft.bit dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup emsisoft.bit dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup emsisoft.bit dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup emsisoft.bit dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup emsisoft.bit dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup emsisoft.bit dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup emsisoft.bit dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup emsisoft.bit dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup emsisoft.bit dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru Jump to behavior
May check the online IP address of the machine
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe DNS query: name: ipv4bot.whatismyipaddress.com
Source: 2fiDcmkaZY.exe, 00000000.00000002.598939067.0000000000A69000.00000004.00000001.01000000.00000003.sdmp String found in binary or memory: http://gdcbghvjyqy7jclk.onion.casa/2d028d577a0eb038
Source: 2fiDcmkaZY.exe, 00000000.00000002.598939067.0000000000A69000.00000004.00000001.01000000.00000003.sdmp String found in binary or memory: http://gdcbghvjyqy7jclk.onion.guide/2d028d577a0eb038
Source: 2fiDcmkaZY.exe, 00000000.00000002.598939067.0000000000A69000.00000004.00000001.01000000.00000003.sdmp String found in binary or memory: http://gdcbghvjyqy7jclk.onion.plus/2d028d577a0eb038
Source: 2fiDcmkaZY.exe, 00000000.00000002.598939067.0000000000A69000.00000004.00000001.01000000.00000003.sdmp String found in binary or memory: http://gdcbghvjyqy7jclk.onion.rip/2d028d577a0eb038
Source: 2fiDcmkaZY.exe, 00000000.00000002.598939067.0000000000A69000.00000004.00000001.01000000.00000003.sdmp String found in binary or memory: http://gdcbghvjyqy7jclk.onion.top/2d028d577a0eb038
Source: 2fiDcmkaZY.exe, 00000000.00000002.598939067.0000000000A69000.00000004.00000001.01000000.00000003.sdmp String found in binary or memory: http://gdcbghvjyqy7jclk.onion/2d028d577a0eb038
Source: 2fiDcmkaZY.exe, 00000000.00000002.599059548.000000000120A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ipv4bot.whatismyipaddress.com/
Source: 2fiDcmkaZY.exe, 00000000.00000002.599059548.000000000120A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ipv4bot.whatismyipaddress.com/n
Source: 2fiDcmkaZY.exe, 00000000.00000002.598939067.0000000000A69000.00000004.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.torproject.org/
Source: unknown DNS traffic detected: queries for: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Code function: 0_2_00A67A00 lstrcatW,InternetCloseHandle,InternetConnectW,VirtualAlloc,wsprintfW,HttpOpenRequestW,HttpAddRequestHeadersW,HttpSendRequestW,InternetReadFile,InternetReadFile,GetLastError,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,VirtualFree, 0_2_00A67A00
Creates a DirectInput object (often for capturing keystrokes)
Source: 2fiDcmkaZY.exe, 00000000.00000002.599059548.000000000120A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Spam, unwanted Advertisements and Ransom Demands
barindex
Yara detected Gandcrab
Source: Yara match File source: 2fiDcmkaZY.exe, type: SAMPLE
Source: Yara match File source: 13.0.tdicrr.exe.c70000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.tdicrr.exe.c70000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.2fiDcmkaZY.exe.a60000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.tdicrr.exe.c70000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.tdicrr.exe.c70000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.2fiDcmkaZY.exe.a60000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000D.00000000.343462206.0000000000C79000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.346586335.0000000000C79000.00000004.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.363374033.0000000000C79000.00000004.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.304343043.0000000000A69000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000000.360474661.0000000000C79000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.598939067.0000000000A69000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 2fiDcmkaZY.exe PID: 6752, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: tdicrr.exe PID: 1476, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: tdicrr.exe PID: 5864, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Roaming\Microsoft\tdicrr.exe, type: DROPPED
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Code function: 0_2_00A66000 EnterCriticalSection,CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptImportKey,CryptGetKeyParam,CryptEncrypt,GetLastError,CryptReleaseContext,LeaveCriticalSection, 0_2_00A66000
Source: C:\Users\user\AppData\Roaming\Microsoft\tdicrr.exe Code function: 13_2_00C76000 EnterCriticalSection,CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptImportKey,CryptGetKeyParam,CryptEncrypt,GetLastError,CryptReleaseContext,LeaveCriticalSection, 13_2_00C76000
Too many similar processes found
Source: nslookup.exe Process created: 56

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 2fiDcmkaZY.exe, type: SAMPLE Matched rule: Gandcrab Payload Author: kevoreilly
Source: 13.0.tdicrr.exe.c70000.0.unpack, type: UNPACKEDPE Matched rule: Gandcrab Payload Author: kevoreilly
Source: 20.0.tdicrr.exe.c70000.0.unpack, type: UNPACKEDPE Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0.0.2fiDcmkaZY.exe.a60000.0.unpack, type: UNPACKEDPE Matched rule: Gandcrab Payload Author: kevoreilly
Source: 20.2.tdicrr.exe.c70000.0.unpack, type: UNPACKEDPE Matched rule: Gandcrab Payload Author: kevoreilly
Source: 13.2.tdicrr.exe.c70000.0.unpack, type: UNPACKEDPE Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0.2.2fiDcmkaZY.exe.a60000.0.unpack, type: UNPACKEDPE Matched rule: Gandcrab Payload Author: kevoreilly
Source: C:\Users\user\AppData\Roaming\Microsoft\tdicrr.exe, type: DROPPED Matched rule: Gandcrab Payload Author: kevoreilly
Uses 32bit PE files
Source: 2fiDcmkaZY.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Yara signature match
Source: 2fiDcmkaZY.exe, type: SAMPLE Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 2fiDcmkaZY.exe, type: SAMPLE Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 13.0.tdicrr.exe.c70000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 13.0.tdicrr.exe.c70000.0.unpack, type: UNPACKEDPE Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 20.0.tdicrr.exe.c70000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 0.0.2fiDcmkaZY.exe.a60000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 20.0.tdicrr.exe.c70000.0.unpack, type: UNPACKEDPE Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0.0.2fiDcmkaZY.exe.a60000.0.unpack, type: UNPACKEDPE Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 20.2.tdicrr.exe.c70000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 20.2.tdicrr.exe.c70000.0.unpack, type: UNPACKEDPE Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 13.2.tdicrr.exe.c70000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 13.2.tdicrr.exe.c70000.0.unpack, type: UNPACKEDPE Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0.2.2fiDcmkaZY.exe.a60000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 0.2.2fiDcmkaZY.exe.a60000.0.unpack, type: UNPACKEDPE Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: C:\Users\user\AppData\Roaming\Microsoft\tdicrr.exe, type: DROPPED Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: C:\Users\user\AppData\Roaming\Microsoft\tdicrr.exe, type: DROPPED Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Detected potential crypto function
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Code function: 0_2_00A67EE0 0_2_00A67EE0
Source: C:\Users\user\AppData\Roaming\Microsoft\tdicrr.exe Code function: 13_2_00C77EE0 13_2_00C77EE0
Source: 2fiDcmkaZY.exe ReversingLabs: Detection: 100%
Source: 2fiDcmkaZY.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\2fiDcmkaZY.exe "C:\Users\user\Desktop\2fiDcmkaZY.exe"
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup emsisoft.bit dns1.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup emsisoft.bit dns1.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Roaming\Microsoft\tdicrr.exe "C:\Users\user\AppData\Roaming\Microsoft\tdicrr.exe"
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup emsisoft.bit dns1.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Roaming\Microsoft\tdicrr.exe "C:\Users\user\AppData\Roaming\Microsoft\tdicrr.exe"
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup emsisoft.bit dns1.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup emsisoft.bit dns1.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup emsisoft.bit dns1.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup emsisoft.bit dns1.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup emsisoft.bit dns1.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup emsisoft.bit dns1.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup emsisoft.bit dns1.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup emsisoft.bit dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup emsisoft.bit dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup emsisoft.bit dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup emsisoft.bit dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup emsisoft.bit dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup emsisoft.bit dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup emsisoft.bit dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup emsisoft.bit dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup emsisoft.bit dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32 Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe File created: C:\Users\user\AppData\Roaming\Microsoft\tdicrr.exe Jump to behavior
Source: classification engine Classification label: mal100.rans.troj.evad.winEXE@128/2@436/1
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Code function: 0_2_00A66D90 VirtualAlloc,VirtualAlloc,GetUserNameW,VirtualAlloc,GetComputerNameW,wsprintfW,VirtualAlloc,wsprintfW,VirtualAlloc,RegOpenKeyExW,RegQueryValueExW,GetLastError,RegCloseKey,VirtualFree,VirtualAlloc,VirtualAlloc,wsprintfW,RegOpenKeyExW,RegQueryValueExW,GetLastError,RegCloseKey,lstrcmpiW,wsprintfW,wsprintfW,VirtualFree,VirtualAlloc,VirtualAlloc,RegOpenKeyExW,RegQueryValueExW,GetLastError,RegCloseKey,wsprintfW,GetNativeSystemInfo,VirtualAlloc,wsprintfW,VirtualAlloc,VirtualAlloc,GetWindowsDirectoryW,GetVolumeInformationW,RegOpenKeyExW,RegQueryValueExW,GetLastError,RegCloseKey,lstrlenW,wsprintfW,lstrcatW,lstrcatW,GetModuleHandleW,GetProcAddress,lstrlenW,VirtualFree,lstrcatW,VirtualAlloc,GetDriveTypeW,lstrcatW,lstrcatW,lstrcatW,GetDiskFreeSpaceW,lstrlenW,wsprintfW,wsprintfW,lstrlenW,lstrlenW,wsprintfW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,lstrlenW,VirtualAlloc,VirtualFree, 0_2_00A66D90
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Code function: 0_2_00A67520 wsprintfW,VirtualAlloc,VirtualAlloc,VirtualAlloc,VirtualAlloc,CreateToolhelp32Snapshot,VirtualFree,Process32FirstW,lstrcmpiW,lstrcpyW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,Process32NextW,GetLastError,lstrlenW,VirtualFree,VirtualFree,FindCloseChangeNotification,VirtualFree, 0_2_00A67520
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5040:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6568:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6636:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6964:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2992:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7040:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6036:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7036:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6524:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6920:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5836:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7152:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5320:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5808:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5892:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5888:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6588:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5944:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5684:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:712:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6028:120:WilError_01
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\pc_group=WORKGROUP&ransom_id=2d028d577a0eb038
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6912:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6076:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6460:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6788:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7092:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6980:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6092:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6844:120:WilError_01
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: Window Recorder Window detected: More than 3 window changes detected
Source: 2fiDcmkaZY.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Code function: 0_2_00A67DB0 CryptAcquireContextW,VirtualAlloc,GetModuleHandleA,LoadLibraryA,GetProcAddress,CryptReleaseContext,VirtualFree,CryptReleaseContext,VirtualFree, 0_2_00A67DB0
Drops PE files
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe File created: C:\Users\user\AppData\Roaming\Microsoft\tdicrr.exe Jump to dropped file
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce tbmdhshhgoz Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce tbmdhshhgoz Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce tbmdhshhgoz Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce tbmdhshhgoz Jump to behavior

Malware Analysis System Evasion
barindex
Found evasive API chain (may stop execution after checking mutex)
Source: C:\Users\user\AppData\Roaming\Microsoft\tdicrr.exe Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe TID: 6756 Thread sleep count: 65 > 30 Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe TID: 6756 Thread sleep time: -650000s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Found evaded block containing many API calls
Source: C:\Users\user\AppData\Roaming\Microsoft\tdicrr.exe Evaded block: after key decision
Contains functionality to enumerate device drivers
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Code function: EnumDeviceDrivers,K32EnumDeviceDrivers,VirtualAlloc,K32EnumDeviceDrivers,K32GetDeviceDriverBaseNameW,lstrcmpiW,VirtualFree,VirtualFree, 0_2_00A62F50
Source: C:\Users\user\AppData\Roaming\Microsoft\tdicrr.exe Code function: EnumDeviceDrivers,EnumDeviceDrivers,VirtualAlloc,EnumDeviceDrivers,GetDeviceDriverBaseNameW,lstrcmpiW,VirtualFree,VirtualFree, 13_2_00C72F50
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Code function: 0_2_00A664A0 lstrlenW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcatW,lstrlenW,lstrcmpW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,lstrlenA,VirtualFree,CloseHandle,lstrcmpW,FindNextFileW,FindClose, 0_2_00A664A0
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Code function: 0_2_00A666F0 lstrlenW,lstrcatW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcatW,lstrcatW,lstrcatW,FindNextFileW,FindClose, 0_2_00A666F0
Source: C:\Users\user\AppData\Roaming\Microsoft\tdicrr.exe Code function: 13_2_00C766F0 lstrlenW,lstrcatW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcatW,lstrcatW,lstrcatW,FindNextFileW,FindClose, 13_2_00C766F0
Source: C:\Users\user\AppData\Roaming\Microsoft\tdicrr.exe Code function: 13_2_00C764A0 lstrlenW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcatW,lstrlenW,lstrcmpW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,lstrlenA,VirtualFree,CloseHandle,lstrcmpW,FindNextFileW,FindClose, 13_2_00C764A0
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe System information queried: ModuleInformation Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Roaming\Microsoft\tdicrr.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Roaming\Microsoft\tdicrr.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Roaming\Microsoft\tdicrr.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Roaming\Microsoft\tdicrr.exe API call chain: ExitProcess graph end node
Source: 2fiDcmkaZY.exe, 00000000.00000002.599105239.0000000001244000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll"
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Code function: 0_2_00A67DB0 CryptAcquireContextW,VirtualAlloc,GetModuleHandleA,LoadLibraryA,GetProcAddress,CryptReleaseContext,VirtualFree,CryptReleaseContext,VirtualFree, 0_2_00A67DB0
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Code function: 0_2_00A639B0 GetProcessHeap, 0_2_00A639B0
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup emsisoft.bit dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup emsisoft.bit dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup emsisoft.bit dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup emsisoft.bit dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup emsisoft.bit dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup emsisoft.bit dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup emsisoft.bit dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup emsisoft.bit dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup emsisoft.bit dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Code function: 0_2_00A63A60 AllocateAndInitializeSid,GetModuleHandleA,GetProcAddress,FreeSid, 0_2_00A63A60
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\tdicrr.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\tdicrr.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Code function: 0_2_00A68BC0 cpuid 0_2_00A68BC0
Queries information about the installed CPU (vendor, model number etc)
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\tdicrr.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\tdicrr.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\tdicrr.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\tdicrr.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Source: C:\Users\user\Desktop\2fiDcmkaZY.exe Code function: 0_2_00A66D90 VirtualAlloc,VirtualAlloc,GetUserNameW,VirtualAlloc,GetComputerNameW,wsprintfW,VirtualAlloc,wsprintfW,VirtualAlloc,RegOpenKeyExW,RegQueryValueExW,GetLastError,RegCloseKey,VirtualFree,VirtualAlloc,VirtualAlloc,wsprintfW,RegOpenKeyExW,RegQueryValueExW,GetLastError,RegCloseKey,lstrcmpiW,wsprintfW,wsprintfW,VirtualFree,VirtualAlloc,VirtualAlloc,RegOpenKeyExW,RegQueryValueExW,GetLastError,RegCloseKey,wsprintfW,GetNativeSystemInfo,VirtualAlloc,wsprintfW,VirtualAlloc,VirtualAlloc,GetWindowsDirectoryW,GetVolumeInformationW,RegOpenKeyExW,RegQueryValueExW,GetLastError,RegCloseKey,lstrlenW,wsprintfW,lstrcatW,lstrcatW,GetModuleHandleW,GetProcAddress,lstrlenW,VirtualFree,lstrcatW,VirtualAlloc,GetDriveTypeW,lstrcatW,lstrcatW,lstrcatW,GetDiskFreeSpaceW,lstrlenW,wsprintfW,wsprintfW,lstrlenW,lstrlenW,wsprintfW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,lstrlenW,VirtualAlloc,VirtualFree, 0_2_00A66D90
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 694570 Sample: 2fiDcmkaZY.exe Startdate: 01/09/2022 Architecture: WINDOWS Score: 100 57 nomoreransom.bit 2->57 59 gandcrab.bit 2->59 61 3 other IPs or domains 2->61 65 Snort IDS alert for network traffic 2->65 67 Malicious sample detected (through community Yara rule) 2->67 69 Antivirus detection for URL or domain 2->69 71 5 other signatures 2->71 8 2fiDcmkaZY.exe 1 28 2->8         started        13 tdicrr.exe 2->13         started        15 tdicrr.exe 2->15         started        signatures3 process4 dnsIp5 63 ipv4bot.whatismyipaddress.com 8->63 40 C:\Users\user\AppData\Roaming\...\tdicrr.exe, PE32 8->40 dropped 73 Found evasive API chain (may stop execution after checking mutex) 8->73 75 Contains functionality to determine the online IP of the system 8->75 77 May check the online IP address of the machine 8->77 79 Uses nslookup.exe to query domains 8->79 17 nslookup.exe 1 8->17         started        20 nslookup.exe 1 8->20         started        22 nslookup.exe 1 8->22         started        24 26 other processes 8->24 81 Antivirus detection for dropped file 13->81 83 Machine Learning detection for dropped file 13->83 file6 signatures7 process8 dnsIp9 42 dns1.soprodns.ru 17->42 45 nomoreransom.bit 17->45 47 8.8.8.8.in-addr.arpa 17->47 26 conhost.exe 17->26         started        51 3 other IPs or domains 20->51 28 conhost.exe 20->28         started        53 3 other IPs or domains 22->53 30 conhost.exe 22->30         started        49 nomoreransom.bit 24->49 55 78 other IPs or domains 24->55 32 conhost.exe 24->32         started        34 conhost.exe 24->34         started        36 conhost.exe 24->36         started        38 23 other processes 24->38 signatures10 85 May check the online IP address of the machine 42->85 process11
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious

Private

IP
192.168.2.1

Contacted Domains

Name IP Active
emsisoft.bit unknown unknown
ipv4bot.whatismyipaddress.com unknown unknown
nomoreransom.bit unknown unknown
gandcrab.bit unknown unknown
dns1.soprodns.ru unknown unknown
8.8.8.8.in-addr.arpa unknown unknown