General Info

File name

GandCrab.exe.zip.zip

Full analysis
https://app.any.run/tasks/d14c217e-6907-4637-81bd-fd4dfb3a808a
Verdict
Malicious activity
Threats:

GandCrab is one of the best-known ransomware families. Ransomware is malware that encrypts the victim's files and demands payment to restore access; unless a backup or a working decryptor is available, files that are not recovered stay encrypted.

Analysis date
7/11/2019, 15:05:05
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:

evasion

ransomware

gandcrab

trojan

Indicators:

MIME:
application/zip
File info:
Zip archive data, at least v2.0 to extract
MD5

d72a8e2c2b73056f22106dd041c1b618

SHA1

a8701545357b546ad838df8fa9841957f1739b92

SHA256

d4dc112e3632645bf575b8df99cf4d84d63db15d0091677f4067ddd365e01081

SSDEEP

1536:ht0J7OqCkRDRD3aKf9cwAVmNrBAYZHQtgOi1rTl570yA/mBazMuRRcbCmm:HqCkvGKf/A0NrPVQtgv57YmwzMuR8m

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided as-is for the user's information. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
300 seconds
Additional time used
240 seconds
Fakenet option
off
Heavy Evasion option
off
MITM proxy
off
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
on

Software preset

  • Internet Explorer 8.0.7601.17514
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (75.0.3770.100)
  • Google Update Helper (1.3.34.7)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.7.2 (4.7.03062)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.21.27702 (14.21.27702.2)
  • Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702 (14.21.27702)
  • Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702 (14.21.27702)
  • Mozilla Firefox 67.0.4 (x86 en-US) (67.0.4)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • Update for Microsoft .NET Framework 4.7.2 (KB4087364) (1)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • KB2534111
  • KB2999226
  • KB4019990
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

GANDCRAB was detected
  • nslookup.exe (PID: 3448)
  • nslookup.exe (PID: 2408)
  • nslookup.exe (PID: 3108)
  • nslookup.exe (PID: 3324)
  • nslookup.exe (PID: 3316)
  • nslookup.exe (PID: 2268)
  • nslookup.exe (PID: 3212)
  • nslookup.exe (PID: 1740)
  • nslookup.exe (PID: 1768)
  • nslookup.exe (PID: 2840)
  • nslookup.exe (PID: 3760)
  • nslookup.exe (PID: 3920)
GandCrab detected
  • 4.exe (PID: 2968)
Application was dropped or rewritten from another process
  • 4.exe (PID: 2968)
Changes the autorun value in the registry
  • 4.exe (PID: 2968)
Application launched itself
  • WinRAR.exe (PID: 3048)
Executable content was dropped or overwritten
  • WinRAR.exe (PID: 3456)

No info indicators.

Find more information about signature artifacts and the mapping to the MITRE ATT&CK™ matrix in the full report.

Static information

TRiD
.zip
|   ZIP compressed archive (100%)
EXIF
ZIP
ZipRequiredVersion:
788
ZipBitFlag:
0x0001
ZipCompression:
None
ZipModifyDate:
2019:07:11 12:58:15
ZipCRC:
0x69f05535
ZipCompressedSize:
84535
ZipUncompressedSize:
84535
ZipFileName:
GandCrab.exe.zip
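The EXIF block above is ExifTool's reading of the first local file header in the outer archive. Two fields deserve a second look: ZipRequiredVersion 788 is the raw 16-bit field, 0x0314, whose low byte (20) is the "2.0" that the File info line reports, and ZipBitFlag 0x0001 has bit 0 set, which APPNOTE defines as "file is encrypted", so that flag is worth checking against the archive itself before assuming the inner zip was stored in the clear. The parser below, an added example that is not part of the ANY.RUN report, decodes the same header fields from a nested archive constructed in memory (an inner zip stored uncompressed inside an outer zip, mirroring this sample's layout) and prints the static triage hints a reviewer wants before anything is extracted; the 7z/exec extension lists and the reading of the high byte as a host byte are assumptions.

```python
"""Parse the first ZIP local file header the way the report's EXIF block reads it.

Added example, not part of the ANY.RUN report. The input is a nested archive
constructed in memory, so it runs offline; pass the bytes of a real file to
parse_first_entry() to triage it.
"""
import io
import struct
import zipfile

LOCAL_HDR = struct.Struct("<4sHHHHHIIIHH")  # fixed 30-byte part of the local header
LOCAL_SIG = b"PK\x03\x04"
COMPRESSION = {0: "None", 8: "Deflate", 9: "Deflate64", 12: "BZIP2", 14: "LZMA", 99: "AES"}
ARCHIVE_EXT = (".zip", ".rar", ".7z", ".gz", ".iso")            # assumption: extend as needed
EXEC_EXT = (".exe", ".dll", ".scr", ".js", ".vbs", ".hta", ".lnk", ".msi")


def decode_required_version(ver: int):
    """ExifTool printed the raw 16-bit field (788 in this report). APPNOTE keeps the
    version in the low byte (20 -> 2.0); writers that set the high byte use it for
    the host system, as in 'version made by' (interpretation, not from the report)."""
    return ver >> 8, f"{(ver & 0xFF) // 10}.{(ver & 0xFF) % 10}"


def parse_first_entry(data: bytes) -> dict:
    """Return the fields ExifTool labels Zip*, plus the decoded flag bits."""
    (sig, ver, flags, method, _mtime, _mdate, crc, csize, usize,
     name_len, _extra_len) = LOCAL_HDR.unpack_from(data, 0)
    if sig != LOCAL_SIG:
        raise ValueError("not a ZIP local file header")
    name = data[LOCAL_HDR.size:LOCAL_HDR.size + name_len].decode("cp437")
    host, version = decode_required_version(ver)
    return {
        "RequiredVersion": ver,
        "RequiredVersionDecoded": version,
        "HostByte": host,
        "BitFlag": flags,
        "Encrypted": bool(flags & 0x0001),       # APPNOTE bit 0
        "DataDescriptor": bool(flags & 0x0008),  # sizes/CRC follow the data
        "Compression": COMPRESSION.get(method, f"unknown({method})"),
        "CRC": crc,
        "CompressedSize": csize,
        "UncompressedSize": usize,
        "FileName": name,
    }


def triage_flags(entry: dict) -> list:
    """Static hints from the header alone, before anything is extracted."""
    name = entry["FileName"].lower()
    hints = []
    if name.endswith(ARCHIVE_EXT):
        hints.append("nested archive: one more layer between scanners and the payload")
    if any(x in name for x in EXEC_EXT) and not name.endswith(EXEC_EXT):
        hints.append("executable extension hidden in the middle of the name")
    if entry["Encrypted"]:
        hints.append("entry is encrypted: content not inspectable without the password")
    if entry["Compression"] == "None" and entry["CompressedSize"] != entry["UncompressedSize"]:
        hints.append("stored entry with mismatched sizes: header may be forged")
    return hints


def build_sample() -> bytes:
    """Constructed sample: an inner zip holding a fake PE stub, stored uncompressed
    inside an outer zip, mirroring the report's GandCrab.exe.zip.zip layout."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("4.exe", b"MZ" + b"\x00" * 62 + b"not a real PE")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w", zipfile.ZIP_STORED) as z:
        z.writestr("GandCrab.exe.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    entry = parse_first_entry(build_sample())
    for k, v in entry.items():
        print(f"{k}: {v:#010x}" if k == "CRC" else f"{k}: {v}")
    print(*triage_flags(entry), sep="\n")
```

Only the first local header is read; a complete triage walks the central directory as well, because the two can disagree and extractors follow different copies.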

Processes

Total processes
60
Monitored processes
15
Malicious processes
15
Suspicious processes
0

Behavior graph

start
└─ WinRAR.exe (PID 3048)  no specs
   └─ WinRAR.exe (PID 3456)  #GANDCRAB  (drop and start)
      └─ 4.exe (PID 2968)  #GANDCRAB
         └─ nslookup.exe ×12  #GANDCRAB  (PIDs 3448, 2408, 3108, 3324, 3316, 2268, 3212, 1740, 1768, 2840, 3760, 3920)

Process information

PID
3048
CMD
"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\GandCrab.exe.zip.zip"
Path
C:\Program Files\WinRAR\WinRAR.exe
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Version:
Company
Alexander Roshal
Description
WinRAR archiver
Version
5.60.0
Modules
Image
c:\program files\winrar\winrar.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shlwapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\uxtheme.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\riched20.dll
c:\program files\common files\microsoft shared\ink\tiptsf.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ehstorshell.dll
c:\windows\system32\cscui.dll
c:\windows\system32\cscdll.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\slc.dll
c:\windows\system32\imageres.dll
c:\windows\system32\mpr.dll
c:\windows\system32\drprov.dll
c:\windows\system32\winsta.dll
c:\windows\system32\ntlanman.dll
c:\windows\system32\davclnt.dll
c:\windows\system32\davhlpr.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\netutils.dll
c:\windows\system32\wpdshext.dll
c:\windows\system32\winmm.dll
c:\windows\system32\portabledeviceapi.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\audiodev.dll
c:\windows\system32\wmvcore.dll
c:\windows\system32\wmasf.dll
c:\windows\system32\ehstorapi.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\samcli.dll
c:\windows\system32\samlib.dll
c:\windows\system32\profapi.dll
c:\windows\system32\explorerframe.dll
c:\windows\system32\duser.dll
c:\windows\system32\dui70.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll

PID
3456
CMD
"C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\AppData\Local\Temp\Rar$DIb3048.33102\GandCrab.exe.zip
Path
C:\Program Files\WinRAR\WinRAR.exe
Indicators
Parent process
WinRAR.exe
User
admin
Integrity Level
MEDIUM
Version:
Company
Alexander Roshal
Description
WinRAR archiver
Version
5.60.0
Modules
Image
c:\program files\winrar\winrar.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shlwapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\uxtheme.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\riched20.dll
c:\program files\common files\microsoft shared\ink\tiptsf.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ehstorshell.dll
c:\windows\system32\cscui.dll
c:\windows\system32\cscdll.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\slc.dll
c:\windows\system32\imageres.dll
c:\windows\system32\mpr.dll
c:\windows\system32\drprov.dll
c:\windows\system32\winsta.dll
c:\windows\system32\ntlanman.dll
c:\windows\system32\davclnt.dll
c:\windows\system32\davhlpr.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\netutils.dll
c:\windows\system32\wpdshext.dll
c:\windows\system32\winmm.dll
c:\windows\system32\portabledeviceapi.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\audiodev.dll
c:\windows\system32\wmvcore.dll
c:\windows\system32\wmasf.dll
c:\windows\system32\ehstorapi.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\samcli.dll
c:\windows\system32\samlib.dll
c:\windows\system32\profapi.dll
c:\windows\system32\explorerframe.dll
c:\windows\system32\duser.dll
c:\windows\system32\dui70.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\users\admin\appdata\local\temp\rar$exb3456.34073\4.exe

PID
2968
CMD
"C:\Users\admin\AppData\Local\Temp\Rar$EXb3456.34073\4.exe"
Path
C:\Users\admin\AppData\Local\Temp\Rar$EXb3456.34073\4.exe
Indicators
Parent process
WinRAR.exe
User
admin
Integrity Level
MEDIUM
Version:
Company
Description
Version
11.0.0.1
Modules
Image
c:\users\admin\appdata\local\temp\rar$exb3456.34073\4.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\wininet.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\msvcr100.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\version.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\nslookup.exe

PID
2840
CMD
nslookup gandcrab.bit a.dnspod.com
Path
C:\Windows\system32\nslookup.exe
Indicators
Parent process
4.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
nslookup
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\nslookup.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\napinsp.dll
c:\windows\system32\pnrpnsp.dll
c:\windows\system32\winrnr.dll
c:\windows\system32\wship6.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\fwpuclnt.dll

PID
3448
CMD
nslookup gandcrab.bit a.dnspod.com
Path
C:\Windows\system32\nslookup.exe
Indicators
Parent process
4.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
nslookup
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\nslookup.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\napinsp.dll
c:\windows\system32\pnrpnsp.dll
c:\windows\system32\winrnr.dll
c:\windows\system32\wship6.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\fwpuclnt.dll

PID
3316
CMD
nslookup gandcrab.bit a.dnspod.com
Path
C:\Windows\system32\nslookup.exe
Indicators
Parent process
4.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
nslookup
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\nslookup.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\napinsp.dll
c:\windows\system32\pnrpnsp.dll
c:\windows\system32\winrnr.dll
c:\windows\system32\wship6.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\fwpuclnt.dll

PID
3212
CMD
nslookup gandcrab.bit a.dnspod.com
Path
C:\Windows\system32\nslookup.exe
Indicators
Parent process
4.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
nslookup
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\nslookup.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\napinsp.dll
c:\windows\system32\pnrpnsp.dll
c:\windows\system32\winrnr.dll
c:\windows\system32\wship6.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\fwpuclnt.dll

PID
2268
CMD
nslookup gandcrab.bit a.dnspod.com
Path
C:\Windows\system32\nslookup.exe
Indicators
Parent process
4.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
nslookup
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\nslookup.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\napinsp.dll
c:\windows\system32\pnrpnsp.dll
c:\windows\system32\winrnr.dll
c:\windows\system32\wship6.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\fwpuclnt.dll

PID
1740
CMD
nslookup gandcrab.bit a.dnspod.com
Path
C:\Windows\system32\nslookup.exe
Indicators
Parent process
4.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
nslookup
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\nslookup.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\napinsp.dll
c:\windows\system32\pnrpnsp.dll
c:\windows\system32\winrnr.dll
c:\windows\system32\wship6.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\fwpuclnt.dll

PID
1768
CMD
nslookup gandcrab.bit a.dnspod.com
Path
C:\Windows\system32\nslookup.exe
Indicators
Parent process
4.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
nslookup
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\nslookup.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\napinsp.dll
c:\windows\system32\pnrpnsp.dll
c:\windows\system32\winrnr.dll
c:\windows\system32\wship6.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\fwpuclnt.dll

PID
3760
CMD
nslookup gandcrab.bit a.dnspod.com
Path
C:\Windows\system32\nslookup.exe
Indicators
Parent process
4.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
nslookup
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\nslookup.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\napinsp.dll
c:\windows\system32\pnrpnsp.dll
c:\windows\system32\winrnr.dll
c:\windows\system32\wship6.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\fwpuclnt.dll

PID
3324
CMD
nslookup gandcrab.bit a.dnspod.com
Path
C:\Windows\system32\nslookup.exe
Indicators
Parent process
4.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
nslookup
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\nslookup.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\napinsp.dll
c:\windows\system32\pnrpnsp.dll
c:\windows\system32\winrnr.dll
c:\windows\system32\wship6.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\fwpuclnt.dll

PID
3108
CMD
nslookup gandcrab.bit a.dnspod.com
Path
C:\Windows\system32\nslookup.exe
Indicators
Parent process
4.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
nslookup
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\nslookup.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\napinsp.dll
c:\windows\system32\pnrpnsp.dll
c:\windows\system32\winrnr.dll
c:\windows\system32\wship6.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\fwpuclnt.dll

PID
3920
CMD
nslookup gandcrab.bit a.dnspod.com
Path
C:\Windows\system32\nslookup.exe
Indicators
Parent process
4.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
nslookup
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\nslookup.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\napinsp.dll
c:\windows\system32\pnrpnsp.dll
c:\windows\system32\winrnr.dll
c:\windows\system32\wship6.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\fwpuclnt.dll

PID
2408
CMD
nslookup gandcrab.bit a.dnspod.com
Path
C:\Windows\system32\nslookup.exe
Indicators
Parent process
4.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
nslookup
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\nslookup.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\napinsp.dll
c:\windows\system32\pnrpnsp.dll
c:\windows\system32\winrnr.dll
c:\windows\system32\wship6.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\fwpuclnt.dll

Registry activity

Total events
982
Read events
935
Write events
47
Delete events
0

Modification events

PID
Process
Operation
Key
Name
Value
2968
4.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
rouokaeykrb
C:\Users\admin\AppData\Local\Temp\Rar$EXb3456.34073\4.exe
2968
4.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\4_RASAPI32
EnableFileTracing
0
2968
4.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\4_RASAPI32
EnableConsoleTracing
0
2968
4.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\4_RASAPI32
FileTracingMask
4294901760
2968
4.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\4_RASAPI32
ConsoleTracingMask
4294901760
2968
4.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\4_RASAPI32
MaxFileSize
1048576
2968
4.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\4_RASAPI32
FileDirectory
%windir%\tracing
2968
4.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\4_RASMANCS
EnableFileTracing
0
2968
4.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\4_RASMANCS
EnableConsoleTracing
0
2968
4.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\4_RASMANCS
FileTracingMask
4294901760
2968
4.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\4_RASMANCS
ConsoleTracingMask
4294901760
2968
4.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\4_RASMANCS
MaxFileSize
1048576
2968
4.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\4_RASMANCS
FileDirectory
%windir%\tracing
2968
4.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyEnable
0
2968
4.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
SavedLegacySettings
––
2968
4.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
2968
4.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
3048
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
ShellExtBMP
3048
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
ShellExtIcon
3048
WinRAR.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\70\52C64B7E
LanguageList
en-US
3048
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
0
C:\Users\admin\AppData\Local\Temp\GandCrab.exe.zip.zip
3048
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
name
120
3048
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
size
80
3048
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
type
120
3048
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
mtime
100
3048
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\Interface
ShowPassword
0
3048
WinRAR.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
3048
WinRAR.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
3456
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
ShellExtBMP
3456
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
ShellExtIcon
3456
WinRAR.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\70\52C64B7E
LanguageList
en-US
3456
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
1
C:\Users\admin\AppData\Local\Temp\GandCrab.exe.zip.zip
3456
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
0
C:\Users\admin\AppData\Local\Temp\Rar$DIb3048.33102\GandCrab.exe.zip
3456
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
name
120
3456
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
size
80
3456
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
type
120
3456
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
mtime
100
3456
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\Interface
ShowPassword
0
3456
WinRAR.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
3456
WinRAR.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1

Files activity

Executable files
1
Suspicious files
2
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
3456
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$EXb3456.34073\4.exe
executable
MD5: a635d6a35c2fc054042b6868ef52a0c3
SHA256: 643f8043c0b0f89cedbfc3177ab7cfe99a8e2c7fe16691f3d54fb18bc14b8f45
2968
4.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\ipv4bot_whatismyipaddress_com[1].htm
––
MD5:  ––
SHA256:  ––
2968
4.exe
C:\Users\admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1302019708-1500728564-335382590-1000\0f5007522459c86e95ffcc62f32308f1_90059c37-1320-41a4-b58d-2b75a9850d2f
binary
MD5: 19529c971c827129dca4f646e036872e
SHA256: 5499d32c76ba4083e2e20e39a7199524058b6742fae966edaf5dbb0652029a1b
3048
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DIb3048.33102\GandCrab.exe.zip
compressed
MD5: 35ceedc16b0e266d2fabafcc6c760d91
SHA256: 042bf39f7d33613eb5dd085cbe871a1f1e5c3b9dee64a4ca9d6d1e5d3b6b3f61

Find more information about the static content and download it in the full report

Network activity

HTTP(S) requests
1
TCP/UDP connections
61
DNS requests
62
Threats
98

HTTP requests

PID Process Method HTTP Code IP URL CN Type Size Reputation
2968 4.exe GET 200 66.171.248.178:80 http://ipv4bot.whatismyipaddress.com/ US text –– shared

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID Process IP ASN CN Reputation
2968 4.exe 66.171.248.178:80 Alchemy Communications, Inc. US malicious
2840 nslookup.exe 58.251.121.110:53 China Unicom Shenzen network CN malicious
3448 nslookup.exe 58.251.121.110:53 China Unicom Shenzen network CN malicious
3316 nslookup.exe 58.251.121.110:53 China Unicom Shenzen network CN malicious
3212 nslookup.exe 58.251.121.110:53 China Unicom Shenzen network CN malicious
2268 nslookup.exe 58.251.121.110:53 China Unicom Shenzen network CN malicious
1740 nslookup.exe 58.251.121.110:53 China Unicom Shenzen network CN malicious
1768 nslookup.exe 58.251.121.110:53 China Unicom Shenzen network CN malicious
3760 nslookup.exe 58.251.121.110:53 China Unicom Shenzen network CN malicious
–– –– 58.251.121.110:53 China Unicom Shenzen network CN malicious
3324 nslookup.exe 58.251.121.110:53 China Unicom Shenzen network CN malicious
3108 nslookup.exe 58.251.121.110:53 China Unicom Shenzen network CN malicious
3920 nslookup.exe 58.251.121.110:53 China Unicom Shenzen network CN malicious
2408 nslookup.exe 58.251.121.110:53 China Unicom Shenzen network CN malicious

DNS requests

Domain IP Reputation
ipv4bot.whatismyipaddress.com 66.171.248.178 shared
a.dnspod.com 58.251.121.110, 101.226.79.205 shared
110.121.251.58.in-addr.arpa No response unknown
gandcrab.bit No response malicious

Threats

PID Process Class Message
2968 4.exe Misc activity SUSPICIOUS [PTsecurity] IP Check (whatismyipaddress)
2840 nslookup.exe A Network Trojan was detected ET TROJAN Observed GandCrab Domain (gandcrab .bit)
2840 nslookup.exe Potentially Bad Traffic ET CURRENT_EVENTS DNS Query Domain .bit
2840 nslookup.exe A Network Trojan was detected ET TROJAN Observed GandCrab Domain (gandcrab .bit)
2840 nslookup.exe Potentially Bad Traffic ET CURRENT_EVENTS DNS Query Domain .bit
2840 nslookup.exe A Network Trojan was detected ET TROJAN Observed GandCrab Domain (gandcrab .bit)
2840 nslookup.exe Potentially Bad Traffic ET CURRENT_EVENTS DNS Query Domain .bit
2840 nslookup.exe A Network Trojan was detected ET TROJAN Observed GandCrab Domain (gandcrab .bit)
2840 nslookup.exe Potentially Bad Traffic ET CURRENT_EVENTS DNS Query Domain .bit
3448 nslookup.exe A Network Trojan was detected ET TROJAN Observed GandCrab Domain (gandcrab .bit)
3448 nslookup.exe Potentially Bad Traffic ET CURRENT_EVENTS DNS Query Domain .bit
3448 nslookup.exe A Network Trojan was detected ET TROJAN Observed GandCrab Domain (gandcrab .bit)
3448 nslookup.exe Potentially Bad Traffic ET CURRENT_EVENTS DNS Query Domain .bit
3448 nslookup.exe A Network Trojan was detected ET TROJAN Observed GandCrab Domain (gandcrab .bit)
3448 nslookup.exe Potentially Bad Traffic ET CURRENT_EVENTS DNS Query Domain .bit
3448 nslookup.exe A Network Trojan was detected ET TROJAN Observed GandCrab Domain (gandcrab .bit)
3448 nslookup.exe Potentially Bad Traffic ET CURRENT_EVENTS DNS Query Domain .bit
3316 nslookup.exe A Network Trojan was detected ET TROJAN Observed GandCrab Domain (gandcrab .bit)
3316 nslookup.exe Potentially Bad Traffic ET CURRENT_EVENTS DNS Query Domain .bit
3316 nslookup.exe A Network Trojan was detected ET TROJAN Observed GandCrab Domain (gandcrab .bit)
3316 nslookup.exe Potentially Bad Traffic ET CURRENT_EVENTS DNS Query Domain .bit
3316 nslookup.exe A Network Trojan was detected ET TROJAN Observed GandCrab Domain (gandcrab .bit)
3316 nslookup.exe Potentially Bad Traffic ET CURRENT_EVENTS DNS Query Domain .bit
3316 nslookup.exe A Network Trojan was detected ET TROJAN Observed GandCrab Domain (gandcrab .bit)
3316 nslookup.exe Potentially Bad Traffic ET CURRENT_EVENTS DNS Query Domain .bit
3212 nslookup.exe A Network Trojan was detected ET TROJAN Observed GandCrab Domain (gandcrab .bit)
3212 nslookup.exe Potentially Bad Traffic ET CURRENT_EVENTS DNS Query Domain .bit
3212 nslookup.exe A Network Trojan was detected ET TROJAN Observed GandCrab Domain (gandcrab .bit)
3212 nslookup.exe Potentially Bad Traffic ET CURRENT_EVENTS DNS Query Domain .bit
3212 nslookup.exe A Network Trojan was detected ET TROJAN Observed GandCrab Domain (gandcrab .bit)
3212 nslookup.exe Potentially Bad Traffic ET CURRENT_EVENTS DNS Query Domain .bit
3212 nslookup.exe A Network Trojan was detected ET TROJAN Observed GandCrab Domain (gandcrab .bit)
3212 nslookup.exe Potentially Bad Traffic ET CURRENT_EVENTS DNS Query Domain .bit
2268 nslookup.exe A Network Trojan was detected ET TROJAN Observed GandCrab Domain (gandcrab .bit)
2268 nslookup.exe Potentially Bad Traffic ET CURRENT_EVENTS DNS Query Domain .bit
2268 nslookup.exe A Network Trojan was detected ET TROJAN Observed GandCrab Domain (gandcrab .bit)
2268 nslookup.exe Potentially Bad Traffic ET CURRENT_EVENTS DNS Query Domain .bit
2268 nslookup.exe A Network Trojan was detected ET TROJAN Observed GandCrab Domain (gandcrab .bit)
2268 nslookup.exe Potentially Bad Traffic ET CURRENT_EVENTS DNS Query Domain .bit
2268 nslookup.exe A Network Trojan was detected ET TROJAN Observed GandCrab Domain (gandcrab .bit)
2268 nslookup.exe Potentially Bad Traffic ET CURRENT_EVENTS DNS Query Domain .bit
1740 nslookup.exe A Network Trojan was detected ET TROJAN Observed GandCrab Domain (gandcrab .bit)
1740 nslookup.exe Potentially Bad Traffic ET CURRENT_EVENTS DNS Query Domain .bit
1740 nslookup.exe A Network Trojan was detected ET TROJAN Observed GandCrab Domain (gandcrab .bit)
1740 nslookup.exe Potentially Bad Traffic ET CURRENT_EVENTS DNS Query Domain .bit
1740 nslookup.exe A Network Trojan was detected ET TROJAN Observed GandCrab Domain (gandcrab .bit)
1740 nslookup.exe Potentially Bad Traffic ET CURRENT_EVENTS DNS Query Domain .bit
1740 nslookup.exe A Network Trojan was detected ET TROJAN Observed GandCrab Domain (gandcrab .bit)
1740 nslookup.exe Potentially Bad Traffic ET CURRENT_EVENTS DNS Query Domain .bit
1768 nslookup.exe A Network Trojan was detected ET TROJAN Observed GandCrab Domain (gandcrab .bit)
1768 nslookup.exe Potentially Bad Traffic ET CURRENT_EVENTS DNS Query Domain .bit
1768 nslookup.exe A Network Trojan was detected ET TROJAN Observed GandCrab Domain (gandcrab .bit)
1768 nslookup.exe Potentially Bad Traffic ET CURRENT_EVENTS DNS Query Domain .bit
1768 nslookup.exe A Network Trojan was detected ET TROJAN Observed GandCrab Domain (gandcrab .bit)
1768 nslookup.exe Potentially Bad Traffic ET CURRENT_EVENTS DNS Query Domain .bit
1768 nslookup.exe A Network Trojan was detected ET TROJAN Observed GandCrab Domain (gandcrab .bit)
1768 nslookup.exe Potentially Bad Traffic ET CURRENT_EVENTS DNS Query Domain .bit
3760 nslookup.exe A Network Trojan was detected ET TROJAN Observed GandCrab Domain (gandcrab .bit)
3760 nslookup.exe Potentially Bad Traffic ET CURRENT_EVENTS DNS Query Domain .bit
3760 nslookup.exe A Network Trojan was detected ET TROJAN Observed GandCrab Domain (gandcrab .bit)
3760 nslookup.exe Potentially Bad Traffic ET CURRENT_EVENTS DNS Query Domain .bit
3760 nslookup.exe A Network Trojan was detected ET TROJAN Observed GandCrab Domain (gandcrab .bit)
3760 nslookup.exe Potentially Bad Traffic ET CURRENT_EVENTS DNS Query Domain .bit
3760 nslookup.exe A Network Trojan was detected ET TROJAN Observed GandCrab Domain (gandcrab .bit)
3760 nslookup.exe Potentially Bad Traffic ET CURRENT_EVENTS DNS Query Domain .bit
3324 nslookup.exe A Network Trojan was detected ET TROJAN Observed GandCrab Domain (gandcrab .bit)
3324 nslookup.exe Potentially Bad Traffic ET CURRENT_EVENTS DNS Query Domain .bit
3324 nslookup.exe A Network Trojan was detected ET TROJAN Observed GandCrab Domain (gandcrab .bit)
3324 nslookup.exe Potentially Bad Traffic ET CURRENT_EVENTS DNS Query Domain .bit
3324 nslookup.exe A Network Trojan was detected ET TROJAN Observed GandCrab Domain (gandcrab .bit)
3324 nslookup.exe Potentially Bad Traffic ET CURRENT_EVENTS DNS Query Domain .bit
3324 nslookup.exe A Network Trojan was detected ET TROJAN Observed GandCrab Domain (gandcrab .bit)
3324 nslookup.exe Potentially Bad Traffic ET CURRENT_EVENTS DNS Query Domain .bit
3108 nslookup.exe A Network Trojan was detected ET TROJAN Observed GandCrab Domain (gandcrab .bit)
3108 nslookup.exe Potentially Bad Traffic ET CURRENT_EVENTS DNS Query Domain .bit
3108 nslookup.exe A Network Trojan was detected ET TROJAN Observed GandCrab Domain (gandcrab .bit)
3108 nslookup.exe Potentially Bad Traffic ET CURRENT_EVENTS DNS Query Domain .bit
3108 nslookup.exe A Network Trojan was detected ET TROJAN Observed GandCrab Domain (gandcrab .bit)
3108 nslookup.exe Potentially Bad Traffic ET CURRENT_EVENTS DNS Query Domain .bit
3108 nslookup.exe A Network Trojan was detected ET TROJAN Observed GandCrab Domain (gandcrab .bit)
3108 nslookup.exe Potentially Bad Traffic ET CURRENT_EVENTS DNS Query Domain .bit
3920 nslookup.exe A Network Trojan was detected ET TROJAN Observed GandCrab Domain (gandcrab .bit)
3920 nslookup.exe Potentially Bad Traffic ET CURRENT_EVENTS DNS Query Domain .bit
3920 nslookup.exe A Network Trojan was detected ET TROJAN Observed GandCrab Domain (gandcrab .bit)
3920 nslookup.exe Potentially Bad Traffic ET CURRENT_EVENTS DNS Query Domain .bit
3920 nslookup.exe A Network Trojan was detected ET TROJAN Observed GandCrab Domain (gandcrab .bit)
3920 nslookup.exe Potentially Bad Traffic ET CURRENT_EVENTS DNS Query Domain .bit
3920 nslookup.exe A Network Trojan was detected ET TROJAN Observed GandCrab Domain (gandcrab .bit)
3920 nslookup.exe Potentially Bad Traffic ET CURRENT_EVENTS DNS Query Domain .bit
2408 nslookup.exe A Network Trojan was detected ET TROJAN Observed GandCrab Domain (gandcrab .bit)
2408 nslookup.exe Potentially Bad Traffic ET CURRENT_EVENTS DNS Query Domain .bit
2408 nslookup.exe A Network Trojan was detected ET TROJAN Observed GandCrab Domain (gandcrab .bit)
2408 nslookup.exe Potentially Bad Traffic ET CURRENT_EVENTS DNS Query Domain .bit
2408 nslookup.exe A Network Trojan was detected ET TROJAN Observed GandCrab Domain (gandcrab .bit)
2408 nslookup.exe Potentially Bad Traffic ET CURRENT_EVENTS DNS Query Domain .bit
2408 nslookup.exe A Network Trojan was detected ET TROJAN Observed GandCrab Domain (gandcrab .bit)
2408 nslookup.exe Potentially Bad Traffic ET CURRENT_EVENTS DNS Query Domain .bit

1 ETPRO signature available in the full report

Debug output strings

No debug info.