Summary

a972a2d70f76546096764c7f655c8434df56a0498cf2b80596f5170449547e8d.exe

File a972a2d70f76546096764c7f655c8434df56a0498cf2b80596f5170449547e8d.exe

Summary
Download Resubmit sample Download yara

Size 97.5KB
Type PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, UPX compressed
MD5 952009908d87ed7a55d12c82cdb1504b
SHA1 21676606d29b2a4141b024c2b0ed602736972e36
SHA256 a972a2d70f76546096764c7f655c8434df56a0498cf2b80596f5170449547e8d
SHA512
79554097b38e4ad97f16c1e9194e8964f20c8358d6dfcb9ee8d816c79a20037947ff73159096b4e8a979b3592717eafe6d661afbff38450c75dfa0ed39f8d992
CRC32 7C1961B7
ssdeep None
Yara
  • suspicious_packer_section - The packer/protector section names/keywords
  • Gandcrab - Gandcrab Payload
  • ReflectiveLoader - Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended
  • CrowdStrike_CSIT_18151_01 - This rule detects GandCrab ransomware once it is in an unpacked state.
  • network_http - Communications over HTTP
  • win_mutex - Create or check mutex
  • win_registry - Affect system registries
  • win_files_operation - Affect private profile

Score

This file is very suspicious, with a score of 10 out of 10!

Please notice: The scoring system is currently still in development and should be considered an alpha feature.

Autosubmit

6549889

Feedback

Expecting different results? Send us this analysis and we will inspect it. Click here

Information on Execution

Analysis
Category Started Completed Duration Routing Logs
FILE June 9, 2025, 1:42 p.m. June 9, 2025, 1:48 p.m. 400 seconds internet Show Analyzer Log
Show Cuckoo Log

Analyzer Log

2025-06-09 10:27:07,000 [analyzer] DEBUG: Starting analyzer from: C:\tmpwoh6zt
2025-06-09 10:27:07,015 [analyzer] DEBUG: Pipe server name: \??\PIPE\bFOuXSYPBpJPLWeNYEVuWMcsnXAPZQQ
2025-06-09 10:27:07,015 [analyzer] DEBUG: Log pipe server name: \??\PIPE\fyQbGaePhmLZarlUzu
2025-06-09 10:27:07,280 [analyzer] DEBUG: Started auxiliary module Curtain
2025-06-09 10:27:07,296 [analyzer] DEBUG: Started auxiliary module DbgView
2025-06-09 10:27:07,858 [analyzer] DEBUG: Started auxiliary module Disguise
2025-06-09 10:27:08,062 [analyzer] DEBUG: Loaded monitor into process with pid 500
2025-06-09 10:27:08,062 [analyzer] DEBUG: Started auxiliary module DumpTLSMasterSecrets
2025-06-09 10:27:08,062 [analyzer] DEBUG: Started auxiliary module Human
2025-06-09 10:27:08,062 [analyzer] DEBUG: Started auxiliary module InstallCertificate
2025-06-09 10:27:08,062 [analyzer] DEBUG: Started auxiliary module Reboot
2025-06-09 10:27:08,187 [analyzer] DEBUG: Started auxiliary module RecentFiles
2025-06-09 10:27:08,187 [analyzer] DEBUG: Started auxiliary module Screenshots
2025-06-09 10:27:08,203 [analyzer] DEBUG: Started auxiliary module Sysmon
2025-06-09 10:27:08,203 [analyzer] DEBUG: Started auxiliary module LoadZer0m0n
2025-06-09 10:27:08,375 [lib.api.process] INFO: Successfully executed process from path u'C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\a972a2d70f76546096764c7f655c8434df56a0498cf2b80596f5170449547e8d.exe' with arguments '' and pid 2432
2025-06-09 10:27:08,608 [analyzer] DEBUG: Loaded monitor into process with pid 2432
2025-06-09 10:27:09,828 [analyzer] INFO: Added new file to list with pid 2432 and path C:\Users\Administrator\AppData\Roaming\Microsoft\ltxtem.exe
2025-06-09 10:27:11,812 [analyzer] INFO: Injected into process with pid 2816 and name u'nslookup.exe'
2025-06-09 10:27:12,062 [analyzer] DEBUG: Loaded monitor into process with pid 2816
2025-06-09 10:27:14,375 [analyzer] INFO: Process with pid 2816 has terminated
2025-06-09 12:46:06,292 [analyzer] INFO: Analysis timeout hit, terminating analysis.
2025-06-09 12:46:07,246 [analyzer] INFO: Terminating remaining processes before shutdown.
2025-06-09 12:46:07,246 [lib.api.process] INFO: Successfully terminated process with pid 2432.
2025-06-09 12:46:07,260 [analyzer] INFO: Analysis completed.

Cuckoo Log

2025-06-09 13:42:02,061 [cuckoo.core.scheduler] INFO: Task #6549094: acquired machine win7x643 (label=win7x643)
2025-06-09 13:42:02,061 [cuckoo.core.resultserver] DEBUG: Now tracking machine 192.168.168.203 for task #6549094
2025-06-09 13:42:02,341 [cuckoo.auxiliary.sniffer] INFO: Started sniffer with PID 33856 (interface=vboxnet0, host=192.168.168.203)
2025-06-09 13:42:02,550 [cuckoo.machinery.virtualbox] DEBUG: Starting vm win7x643
2025-06-09 13:42:03,065 [cuckoo.machinery.virtualbox] DEBUG: Restoring virtual machine win7x643 to vmcloak
2025-06-09 13:43:58,467 [cuckoo.core.guest] INFO: Starting analysis #6549094 on guest (id=win7x643, ip=192.168.168.203)
2025-06-09 13:43:59,475 [cuckoo.core.guest] DEBUG: win7x643: not ready yet
2025-06-09 13:44:04,516 [cuckoo.core.guest] INFO: Guest is running Cuckoo Agent 0.10 (id=win7x643, ip=192.168.168.203)
2025-06-09 13:44:04,604 [cuckoo.core.guest] DEBUG: Uploading analyzer to guest (id=win7x643, ip=192.168.168.203, monitor=latest, size=6660546)
2025-06-09 13:44:05,980 [cuckoo.core.resultserver] DEBUG: Task #6549094: live log analysis.log initialized.
2025-06-09 13:44:07,141 [cuckoo.core.resultserver] DEBUG: Task #6549094 is sending a BSON stream
2025-06-09 13:44:07,864 [cuckoo.core.resultserver] DEBUG: Task #6549094 is sending a BSON stream
2025-06-09 13:44:08,349 [cuckoo.core.resultserver] DEBUG: Task #6549094: File upload for 'shots/0001.jpg'
2025-06-09 13:44:08,426 [cuckoo.core.resultserver] DEBUG: Task #6549094 uploaded file length: 133489
2025-06-09 13:44:10,911 [cuckoo.core.resultserver] DEBUG: Task #6549094 is sending a BSON stream
2025-06-09 13:44:20,539 [cuckoo.core.guest] DEBUG: win7x643: analysis #6549094 still processing
2025-06-09 13:44:35,786 [cuckoo.core.guest] DEBUG: win7x643: analysis #6549094 still processing
2025-06-09 13:44:50,889 [cuckoo.core.guest] DEBUG: win7x643: analysis #6549094 still processing
2025-06-09 13:45:05,962 [cuckoo.core.guest] DEBUG: win7x643: analysis #6549094 still processing
2025-06-09 13:45:21,050 [cuckoo.core.guest] DEBUG: win7x643: analysis #6549094 still processing
2025-06-09 13:45:36,124 [cuckoo.core.guest] DEBUG: win7x643: analysis #6549094 still processing
2025-06-09 13:45:51,251 [cuckoo.core.guest] DEBUG: win7x643: analysis #6549094 still processing
2025-06-09 13:46:06,502 [cuckoo.core.resultserver] DEBUG: Task #6549094: File upload for 'curtain/1749465966.5.curtain.log'
2025-06-09 13:46:06,506 [cuckoo.core.resultserver] DEBUG: Task #6549094 uploaded file length: 36
2025-06-09 13:46:06,597 [cuckoo.core.guest] DEBUG: win7x643: analysis #6549094 still processing
2025-06-09 13:46:07,167 [cuckoo.core.resultserver] DEBUG: Task #6549094: File upload for 'sysmon/1749465967.09.sysmon.xml'
2025-06-09 13:46:07,246 [cuckoo.core.resultserver] DEBUG: Task #6549094 uploaded file length: 7378582
2025-06-09 13:46:07,261 [cuckoo.core.resultserver] DEBUG: Task #6549094: File upload for 'files/f2e0d77f0abb7f89_ltxtem.exe'
2025-06-09 13:46:07,272 [cuckoo.core.resultserver] DEBUG: Task #6549094 uploaded file length: 99840
2025-06-09 13:46:07,367 [cuckoo.core.resultserver] DEBUG: Task #6549094 had connection reset for <Context for LOG>
2025-06-09 13:46:09,623 [cuckoo.core.guest] INFO: win7x643: analysis completed successfully
2025-06-09 13:46:09,639 [cuckoo.core.plugins] DEBUG: Stopped auxiliary module: Redsocks
2025-06-09 13:46:09,668 [cuckoo.core.plugins] DEBUG: Stopped auxiliary module: Sniffer
2025-06-09 13:46:10,258 [cuckoo.machinery.virtualbox] INFO: Successfully generated memory dump for virtual machine with label win7x643 to path /srv/cuckoo/cwd/storage/analyses/6549094/memory.dmp
2025-06-09 13:46:10,260 [cuckoo.machinery.virtualbox] DEBUG: Stopping vm win7x643
2025-06-09 13:48:42,108 [cuckoo.core.resultserver] DEBUG: Stopped tracking machine 192.168.168.203 for task #6549094
2025-06-09 13:48:42,495 [cuckoo.core.scheduler] DEBUG: Released database task #6549094
2025-06-09 13:48:42,515 [cuckoo.core.scheduler] INFO: Task #6549094: analysis procedure completed

Signatures

Yara rules detected for file (8 events)
description The packer/protector section names/keywords rule suspicious_packer_section
description Gandcrab Payload rule Gandcrab
description Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended rule ReflectiveLoader
description This rule detects GandCrab ransomware once it is in an unpacked state. rule CrowdStrike_CSIT_18151_01
description Communications over HTTP rule network_http
description Create or check mutex rule win_mutex
description Affect system registries rule win_registry
description Affect private profile rule win_files_operation
Allocates read-write-execute memory (usually to unpack itself) (13 events)
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

 process_identifier: 2432
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00170000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2432
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x001b0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2432
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00160000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2432
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00200000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2432
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00220000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2432
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00200000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2432
region_size: 12288
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01cd0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2432
region_size: 12288
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00140000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2432
region_size: 98304
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02840000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2432
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00140000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2432
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01ca0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2432
region_size: 36864
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01ca0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2432
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01cd0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0
Queries for the computername (1 event)
Time & API Arguments Status Return Repeated

GetComputerNameW

 computer_name: OYPUWMIKCDX
1 1 0
Uses Windows APIs to generate a cryptographic key (3 events)
Time & API Arguments Status Return Repeated

CryptGenKey

 crypto_handle: 0x00386660
algorithm_identifier: 0x0000a400 (CALG_RSA_KEYX)
flags: 134217729
key:
provider_handle: 0x00394ef8
1 1 0

CryptExportKey

 buffer: ¤RSA1#‹@ÑO"%¸` õk>NæRÅ"Ò×("Xû½œ=—š_xÄË ØWpž¶§·ü ( ÒQ÷lº{&Ìbõngñå`#ÇÕU.3ÝCíëc®¥lÿ±òa³Që߫\oþw!ÓLÙ 8®æOE理ÔÌÌÞ4Î0àþ};ƒ-‡":V2è ™“#H¸³|©‰•´"B‰«„ÀçÐ7Ù=Zi¦ÿµþM(Ó±Ёxغ•a ¯Ùôs”önŒÞ£Iœÿ:Î=b[ÇÒÿ#5éø ããH Œj+d«ÉG¥,F2/?öbM܆ä2):¡xiÊg ‹~$¸Ø`U8(V‰
crypto_handle: 0x00386660
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: ¤RSA2#‹@ÑO"%¸` õk>NæRÅ"Ò×("Xû½œ=—š_xÄË ØWpž¶§·ü ( ÒQ÷lº{&Ìbõngñå`#ÇÕU.3ÝCíëc®¥lÿ±òa³Që߫\oþw!ÓLÙ 8®æOE理ÔÌÌÞ4Î0àþ};ƒ-‡":V2è ™“#H¸³|©‰•´"B‰«„ÀçÐ7Ù=Zi¦ÿµþM(Ó±Ёxغ•a ¯Ùôs”önŒÞ£Iœÿ:Î=b[ÇÒÿ#5éø ããH Œj+d«ÉG¥,F2/?öbM܆ä2):¡xiÊg ‹~$¸Ø`U8(V‰gµÑz—y5À(V{&$K±Å°·µ183‘  r–rój©†.¹3«Øâ_%P¬.¥Ÿ²Pÿu§µ¶‰Ö*í‹GÙúŽ…ñ©[[=%8Ü«×Wôj0Q>ïík®œÆ'Çö˫Ηgt"ÂÅ£,JYXKÉÉ)MœÕà#…ÁÑEžúRŠ¿åÊÿN”B˜Ö¹‰äÙøˆWæ•Ðý…ÕY ÒåŠÔøU«>ìÜ$¤çAøª×óîºýÃܐÄü™Ö’Ü/\ö´‰ßCAÀ#R•ªHoýÊë®'±€8ZHY5ƒ}©;›‰£_o¢n Ø©[°74sJé:ý!sæ^$Ѝ·è|=•ý´ÕL·É¦/%â?ÆéY#”ënÆw(iYh0$Ú¤Âÿ«ˆ(¬} py.0µH-eàG±•±A*å³ ØíÃƘf² Åj¢òœŒxëj8Pë'ǘ§3jÃ,œ|5hÞÖq§=»änmÂÉaKÓµò‹ÙR`˜ºÈ ‘`6n(ΔoÇpÏ7Ì\Lý®GQ$î Dp.xí 㕧ÌoˆÚ`òh€u0µóÞa…Ÿ' 83±¶ó Ðâ¾$2ÜÃûá»®Úé•n͈IâGìÿ:¨‰…Ž«È@é½Û)Ó¤˜A ]ôvó,¾ÿ0̬ÍÙRmF!AXšÊ¿L= -%ن¯|"Ãb…c«Äq®cŒn]C‹»5ÅHš#mMÈÏ¢EwÁôaܤ¥„0€ÕI–Ç—°ò1ÿõ½†”ºû²È7y¯€Ɩ\KGÃîíÃRøt6øu´³úU ÇA×äa¯R¶ëڞR)@¯è´˜;%¡)û(í{äLж£ºq,Gº#ôAÅtÓÌÉťู[)Ä]h¶ë‰ÿvšØýsB­p^_)5úìàŽò§n&ÄAzÊÑò7w8jÒVK“âê`Ö3èóÖz`ÌR20n˜ݦŸ¿[/%‰£i/œ\Ê摰âH-òÍ| ãYX‹»wÐÀvʾrDU#žDA²FDP7s„‹- Àw‚bïHøÿhŸÿd s œ€ÈEÝOMç%ýülQº_ôâôyüM•FÐ Ojš¡%ª † +ÃSñâç?¿ï/±tü#Yû ,÷YJ2s`¾`*GÛ¬9*Âl"¤äT
crypto_handle: 0x00386660
flags: 0
crypto_export_handle: 0x00000000
blob_type: 7
1 1 0
Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

 1 1 0
The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)
section .imports
Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (1 event)
Time & API Arguments Status Return Repeated

GetDiskFreeSpaceW

 number_of_free_clusters: 60085519
sectors_per_cluster: 8
bytes_per_sector: 512
root_path: C:\
total_number_of_clusters: 67031551
1 1 0
Creates executable files on the filesystem (1 event)
file C:\Users\Administrator\AppData\Roaming\Microsoft\ltxtem.exe
Drops an executable to the user AppData folder (1 event)
file C:\Users\Administrator\AppData\Roaming\Microsoft\ltxtem.exe
Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (3 events)
Time & API Arguments Status Return Repeated

Process32NextW

 snapshot_handle: 0x0000008c
process_name: pythonw.exe
process_identifier: 2844
1 1 0

Process32NextW

 snapshot_handle: 0x0000008c
process_name: SearchProtocolHost.exe
process_identifier: 2196
1 1 0

Process32NextW

 snapshot_handle: 0x0000008c
process_name: a972a2d70f76546096764c7f655c8434df56a0498cf2b80596f5170449547e8d.exe
process_identifier: 2432
1 1 0
Checks adapter addresses which can be used to detect virtual network interfaces (1 event)
Time & API Arguments Status Return Repeated

GetAdaptersAddresses

 flags: 46
family: 0
1 0 0
The executable is compressed using UPX (2 events)
section UPX0 description Section name indicates UPX
section UPX1 description Section name indicates UPX
Uses Windows utilities for basic Windows functionality (2 events)
cmdline nslookup nomoreransom.coin dns1.soprodns.ru
cmdline nslookup nomoreransom.bit dns1.soprodns.ru
Raised Snort alerts (3 events)
snort ET INFO External IP Lookup Domain in DNS Lookup (whatismyipaddress .com)
snort ET INFO Observed DNS Query for EmerDNS TLD (.coin)
snort ET INFO DNS Query Domain .bit
Raised Suricata alerts (4 events)
suricata ET INFO External IP Lookup Domain in DNS Lookup (whatismyipaddress .com)
suricata ET HUNTING Observed DNS Query for EmerDNS TLD (.coin)
suricata ETPRO MALWARE GandCrab DNS Lookup 1
suricata ET INFO DNS Query Domain .bit
Checks the CPU name from registry, possibly for anti-virtualization (1 event)
registry HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
Installs itself for autorun at Windows startup (1 event)
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\entcwvsijqw reg_value "C:\Users\Administrator\AppData\Roaming\Microsoft\ltxtem.exe"
Sets or modifies WPAD proxy autoconfiguration file for traffic interception (10 events)
Time & API Arguments Status Return Repeated

RegSetValueExW

 key_handle: 0x00000310
regkey_r: WpadDecisionReason
reg_type: 4 (REG_DWORD)
value: 1
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{092F0E6C-7874-4263-8D41-969F2B667EA2}\WpadDecisionReason
1 0 0

RegSetValueExW

 key_handle: 0x00000310
regkey_r: WpadDecisionTime
reg_type: 3 (REG_BINARY)
value: $J=äÙÛ
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{092F0E6C-7874-4263-8D41-969F2B667EA2}\WpadDecisionTime
1 0 0

RegSetValueExW

 key_handle: 0x00000310
regkey_r: WpadDecision
reg_type: 4 (REG_DWORD)
value: 0
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{092F0E6C-7874-4263-8D41-969F2B667EA2}\WpadDecision
1 0 0

RegSetValueExW

 key_handle: 0x00000310
regkey_r: WpadNetworkName
reg_type: 1 (REG_SZ)
value: Network
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{092F0E6C-7874-4263-8D41-969F2B667EA2}\WpadNetworkName
1 0 0

RegSetValueExW

 key_handle: 0x0000030c
regkey_r: WpadDecisionReason
reg_type: 4 (REG_DWORD)
value: 1
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionReason
1 0 0

RegSetValueExW

 key_handle: 0x0000030c
regkey_r: WpadDecisionTime
reg_type: 3 (REG_BINARY)
value: $J=äÙÛ
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionTime
1 0 0

RegSetValueExW

 key_handle: 0x0000030c
regkey_r: WpadDecision
reg_type: 4 (REG_DWORD)
value: 0
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecision
1 0 0

RegSetValueExW

 key_handle: 0x0000030c
regkey_r: WpadDecisionReason
reg_type: 4 (REG_DWORD)
value: 1
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionReason
1 0 0

RegSetValueExW

 key_handle: 0x0000030c
regkey_r: WpadDecisionTime
reg_type: 3 (REG_BINARY)
value: $J=äÙÛ
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionTime
1 0 0

RegSetValueExW

 key_handle: 0x0000030c
regkey_r: WpadDecision
reg_type: 4 (REG_DWORD)
value: 0
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecision
1 0 0
File has been identified by 14 AntiVirus engine on IRMA as malicious (14 events)
G Data Antivirus (Windows) Virus: Generic.Ransom.GandCrab.FE4F49D2 (Engine A)
Avast Core Security (Linux) Win32:MalwareX-gen [Ransom]
C4S ClamAV (Linux) Win.Ransomware.Gandcrab-10044321-0
Trend Micro SProtect (Linux) Ransom.Win32.GANDCRAB.SMILB
Trellix (Linux) Ransom-Gandcrab
WithSecure (Linux) Trojan.TR/Crypt.XPACK.Gen3
eScan Antivirus (Linux) Generic.Ransom.GandCrab.FE4F49D2(DB)
ESET Security (Windows) a variant of Win32/Filecoder.GandCrab.H trojan
Sophos Anti-Virus (Linux) Mal/Palevo-B
DrWeb Antivirus (Linux) Trojan.Encoder.35855
ClamAV (Linux) Win.Ransomware.Gandcrab-10044321-0
Bitdefender Antivirus (Linux) Generic.Ransom.GandCrab.FE4F49D2
Kaspersky Standard (Windows) HEUR:Trojan-Ransom.Win32.GandCrypt.gen
Emsisoft Commandline Scanner (Windows) Generic.Ransom.GandCrab.FE4F49D2 (B)
File has been identified by 65 AntiVirus engines on VirusTotal as malicious (50 out of 65 events)
Bkav W32.AIDetectMalware
Lionic Trojan.Win32.GandCrypt.ts6l
Cynet Malicious (score: 100)
CAT-QuickHeal Trojan.MauvaiseRI.S5252497
Skyhigh BehavesLike.Win32.Generic.nm
ALYac Generic.Ransom.GandCrab.FE4F49D2
Cylance Unsafe
VIPRE Generic.Ransom.GandCrab.FE4F49D2
Sangfor Ransom.Win32.Gandcrab_1.se
CrowdStrike win/malicious_confidence_100% (W)
BitDefender Generic.Ransom.GandCrab.FE4F49D2
K7GW Trojan ( 005641f81 )
K7AntiVirus Ransomware ( 0053d33d1 )
Arcabit Generic.Ransom.GandCrab.FE4F49D2
Symantec ML.Attribute.HighConfidence
Elastic Windows.Generic.Threat
ESET-NOD32 a variant of Win32/Filecoder.GandCrab.H
APEX Malicious
Avast Win32:RansomX-gen [Ransom]
ClamAV Win.Ransomware.Gandcrab-6667060-0
Kaspersky Trojan-Ransom.Win32.GandCrypt.jzh
Alibaba Ransom:Win32/GandCrab.36304da0
NANO-Antivirus Trojan.Win32.Inject.eyyizx
SUPERAntiSpyware Ransom.GandCrab/Variant
MicroWorld-eScan Generic.Ransom.GandCrab.FE4F49D2
Rising Ransom.GandCrab!1.B8D6 (CLASSIC)
Emsisoft Generic.Ransom.GandCrab.FE4F49D2 (B)
F-Secure Trojan.TR/Crypt.XPACK.Gen3
DrWeb Trojan.Encoder.35855
Zillya Trojan.Filecoder.Win32.7540
TrendMicro Ransom.Win32.GANDCRAB.SMILB
Trapmine malicious.high.ml.score
CTX exe.ransomware.gandcrab
Sophos Mal/Palevo-B
SentinelOne Static AI - Malicious PE
FireEye Generic.mg.952009908d87ed7a
Jiangmin Trojan.Generic.bzhzc
Webroot W32.Adware.Gen
Google Detected
Avira TR/Crypt.XPACK.Gen3
Antiy-AVL HackTool/Win32.Inject
Kingsoft malware.kb.a.1000
Gridinsoft Ransom.Win32.Filecoder.bot!s1
Xcitium Packed.Win32.MUPX.Gen@24tbus
Microsoft Ransom:Win32/GandCrab!pz
ZoneAlarm Mal/Palevo-B
GData Generic.Ransom.GandCrab.FE4F49D2
Varist W32/S-69916e6d!Eldorado
AhnLab-V3 Trojan/Win32.Gandcrab.R255229
McAfee Ransom-Gandcrab!952009908D87
Screenshots
Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action VT Location
No hosts contacted.
Cuckoo

We're processing your submission... This could take a few seconds.