84ca757e6112d21636f4d72e737100a36209780a340a9f0039b0b72e95a98ba7

General

Target

84ca757e6112d21636f4d72e737100a36209780a340a9f0039b0b72e95a98ba7.exe
Size

324KB
MD5

85ec6689a9ae9bd4e66ede444813bf45
SHA1

7234cb1ff9944f2bfb35e0ee0b74217ebed42ad9
SHA256

84ca757e6112d21636f4d72e737100a36209780a340a9f0039b0b72e95a98ba7
SHA512

875970afdb9bd508f7f4f804a767babccb0ec130e5c171b2f17ec9043c5ac0fbe64eb647825024b8b3ade39acc53e1f710395044e2e8bf1b0c6f7a2d5c8f3245

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

84ca757e6112d21636f4d72e737100a36209780a340a9f0039b0b72e95a98ba7.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	84ca757e6112d21636f4d72e737100a36209780a340a9f0039b0b72e95a98ba7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\btwtatfpfxb = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\ritrle.exe\""	84ca757e6112d21636f4d72e737100a36209780a340a9f0039b0b72e95a98ba7.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

84ca757e6112d21636f4d72e737100a36209780a340a9f0039b0b72e95a98ba7.exe

description	ioc	process
File opened (read-only)	\??\I:	84ca757e6112d21636f4d72e737100a36209780a340a9f0039b0b72e95a98ba7.exe
File opened (read-only)	\??\K:	84ca757e6112d21636f4d72e737100a36209780a340a9f0039b0b72e95a98ba7.exe
File opened (read-only)	\??\L:	84ca757e6112d21636f4d72e737100a36209780a340a9f0039b0b72e95a98ba7.exe
File opened (read-only)	\??\U:	84ca757e6112d21636f4d72e737100a36209780a340a9f0039b0b72e95a98ba7.exe
File opened (read-only)	\??\Y:	84ca757e6112d21636f4d72e737100a36209780a340a9f0039b0b72e95a98ba7.exe
File opened (read-only)	\??\E:	84ca757e6112d21636f4d72e737100a36209780a340a9f0039b0b72e95a98ba7.exe
File opened (read-only)	\??\H:	84ca757e6112d21636f4d72e737100a36209780a340a9f0039b0b72e95a98ba7.exe
File opened (read-only)	\??\Q:	84ca757e6112d21636f4d72e737100a36209780a340a9f0039b0b72e95a98ba7.exe
File opened (read-only)	\??\G:	84ca757e6112d21636f4d72e737100a36209780a340a9f0039b0b72e95a98ba7.exe
File opened (read-only)	\??\N:	84ca757e6112d21636f4d72e737100a36209780a340a9f0039b0b72e95a98ba7.exe
File opened (read-only)	\??\R:	84ca757e6112d21636f4d72e737100a36209780a340a9f0039b0b72e95a98ba7.exe
File opened (read-only)	\??\T:	84ca757e6112d21636f4d72e737100a36209780a340a9f0039b0b72e95a98ba7.exe
File opened (read-only)	\??\V:	84ca757e6112d21636f4d72e737100a36209780a340a9f0039b0b72e95a98ba7.exe
File opened (read-only)	\??\W:	84ca757e6112d21636f4d72e737100a36209780a340a9f0039b0b72e95a98ba7.exe
File opened (read-only)	\??\A:	84ca757e6112d21636f4d72e737100a36209780a340a9f0039b0b72e95a98ba7.exe
File opened (read-only)	\??\F:	84ca757e6112d21636f4d72e737100a36209780a340a9f0039b0b72e95a98ba7.exe
File opened (read-only)	\??\M:	84ca757e6112d21636f4d72e737100a36209780a340a9f0039b0b72e95a98ba7.exe
File opened (read-only)	\??\O:	84ca757e6112d21636f4d72e737100a36209780a340a9f0039b0b72e95a98ba7.exe
File opened (read-only)	\??\P:	84ca757e6112d21636f4d72e737100a36209780a340a9f0039b0b72e95a98ba7.exe
File opened (read-only)	\??\S:	84ca757e6112d21636f4d72e737100a36209780a340a9f0039b0b72e95a98ba7.exe
File opened (read-only)	\??\X:	84ca757e6112d21636f4d72e737100a36209780a340a9f0039b0b72e95a98ba7.exe
File opened (read-only)	\??\Z:	84ca757e6112d21636f4d72e737100a36209780a340a9f0039b0b72e95a98ba7.exe
File opened (read-only)	\??\B:	84ca757e6112d21636f4d72e737100a36209780a340a9f0039b0b72e95a98ba7.exe
File opened (read-only)	\??\J:	84ca757e6112d21636f4d72e737100a36209780a340a9f0039b0b72e95a98ba7.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

84ca757e6112d21636f4d72e737100a36209780a340a9f0039b0b72e95a98ba7.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	84ca757e6112d21636f4d72e737100a36209780a340a9f0039b0b72e95a98ba7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	84ca757e6112d21636f4d72e737100a36209780a340a9f0039b0b72e95a98ba7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	84ca757e6112d21636f4d72e737100a36209780a340a9f0039b0b72e95a98ba7.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

84ca757e6112d21636f4d72e737100a36209780a340a9f0039b0b72e95a98ba7.exe

pid	process
3944	84ca757e6112d21636f4d72e737100a36209780a340a9f0039b0b72e95a98ba7.exe
3944	84ca757e6112d21636f4d72e737100a36209780a340a9f0039b0b72e95a98ba7.exe
3944	84ca757e6112d21636f4d72e737100a36209780a340a9f0039b0b72e95a98ba7.exe
3944	84ca757e6112d21636f4d72e737100a36209780a340a9f0039b0b72e95a98ba7.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

84ca757e6112d21636f4d72e737100a36209780a340a9f0039b0b72e95a98ba7.exe

description	pid	process	target process
PID 3944 wrote to memory of 2452	3944	84ca757e6112d21636f4d72e737100a36209780a340a9f0039b0b72e95a98ba7.exe	nslookup.exe
PID 3944 wrote to memory of 2452	3944	84ca757e6112d21636f4d72e737100a36209780a340a9f0039b0b72e95a98ba7.exe	nslookup.exe
PID 3944 wrote to memory of 2452	3944	84ca757e6112d21636f4d72e737100a36209780a340a9f0039b0b72e95a98ba7.exe	nslookup.exe
PID 3944 wrote to memory of 3484	3944	84ca757e6112d21636f4d72e737100a36209780a340a9f0039b0b72e95a98ba7.exe	nslookup.exe
PID 3944 wrote to memory of 3484	3944	84ca757e6112d21636f4d72e737100a36209780a340a9f0039b0b72e95a98ba7.exe	nslookup.exe
PID 3944 wrote to memory of 3484	3944	84ca757e6112d21636f4d72e737100a36209780a340a9f0039b0b72e95a98ba7.exe	nslookup.exe
PID 3944 wrote to memory of 2612	3944	84ca757e6112d21636f4d72e737100a36209780a340a9f0039b0b72e95a98ba7.exe	nslookup.exe
PID 3944 wrote to memory of 2612	3944	84ca757e6112d21636f4d72e737100a36209780a340a9f0039b0b72e95a98ba7.exe	nslookup.exe
PID 3944 wrote to memory of 2612	3944	84ca757e6112d21636f4d72e737100a36209780a340a9f0039b0b72e95a98ba7.exe	nslookup.exe
PID 3944 wrote to memory of 2368	3944	84ca757e6112d21636f4d72e737100a36209780a340a9f0039b0b72e95a98ba7.exe	nslookup.exe
PID 3944 wrote to memory of 2368	3944	84ca757e6112d21636f4d72e737100a36209780a340a9f0039b0b72e95a98ba7.exe	nslookup.exe
PID 3944 wrote to memory of 2368	3944	84ca757e6112d21636f4d72e737100a36209780a340a9f0039b0b72e95a98ba7.exe	nslookup.exe
PID 3944 wrote to memory of 1576	3944	84ca757e6112d21636f4d72e737100a36209780a340a9f0039b0b72e95a98ba7.exe	nslookup.exe
PID 3944 wrote to memory of 1576	3944	84ca757e6112d21636f4d72e737100a36209780a340a9f0039b0b72e95a98ba7.exe	nslookup.exe
PID 3944 wrote to memory of 1576	3944	84ca757e6112d21636f4d72e737100a36209780a340a9f0039b0b72e95a98ba7.exe	nslookup.exe
PID 3944 wrote to memory of 2984	3944	84ca757e6112d21636f4d72e737100a36209780a340a9f0039b0b72e95a98ba7.exe	nslookup.exe
PID 3944 wrote to memory of 2984	3944	84ca757e6112d21636f4d72e737100a36209780a340a9f0039b0b72e95a98ba7.exe	nslookup.exe
PID 3944 wrote to memory of 2984	3944	84ca757e6112d21636f4d72e737100a36209780a340a9f0039b0b72e95a98ba7.exe	nslookup.exe
PID 3944 wrote to memory of 3896	3944	84ca757e6112d21636f4d72e737100a36209780a340a9f0039b0b72e95a98ba7.exe	nslookup.exe
PID 3944 wrote to memory of 3896	3944	84ca757e6112d21636f4d72e737100a36209780a340a9f0039b0b72e95a98ba7.exe	nslookup.exe
PID 3944 wrote to memory of 3896	3944	84ca757e6112d21636f4d72e737100a36209780a340a9f0039b0b72e95a98ba7.exe	nslookup.exe
PID 3944 wrote to memory of 1348	3944	84ca757e6112d21636f4d72e737100a36209780a340a9f0039b0b72e95a98ba7.exe	nslookup.exe
PID 3944 wrote to memory of 1348	3944	84ca757e6112d21636f4d72e737100a36209780a340a9f0039b0b72e95a98ba7.exe	nslookup.exe
PID 3944 wrote to memory of 1348	3944	84ca757e6112d21636f4d72e737100a36209780a340a9f0039b0b72e95a98ba7.exe	nslookup.exe
PID 3944 wrote to memory of 1424	3944	84ca757e6112d21636f4d72e737100a36209780a340a9f0039b0b72e95a98ba7.exe	nslookup.exe
PID 3944 wrote to memory of 1424	3944	84ca757e6112d21636f4d72e737100a36209780a340a9f0039b0b72e95a98ba7.exe	nslookup.exe
PID 3944 wrote to memory of 1424	3944	84ca757e6112d21636f4d72e737100a36209780a340a9f0039b0b72e95a98ba7.exe	nslookup.exe
PID 3944 wrote to memory of 1120	3944	84ca757e6112d21636f4d72e737100a36209780a340a9f0039b0b72e95a98ba7.exe	nslookup.exe
PID 3944 wrote to memory of 1120	3944	84ca757e6112d21636f4d72e737100a36209780a340a9f0039b0b72e95a98ba7.exe	nslookup.exe
PID 3944 wrote to memory of 1120	3944	84ca757e6112d21636f4d72e737100a36209780a340a9f0039b0b72e95a98ba7.exe	nslookup.exe
PID 3944 wrote to memory of 2464	3944	84ca757e6112d21636f4d72e737100a36209780a340a9f0039b0b72e95a98ba7.exe	nslookup.exe
PID 3944 wrote to memory of 2464	3944	84ca757e6112d21636f4d72e737100a36209780a340a9f0039b0b72e95a98ba7.exe	nslookup.exe
PID 3944 wrote to memory of 2464	3944	84ca757e6112d21636f4d72e737100a36209780a340a9f0039b0b72e95a98ba7.exe	nslookup.exe
PID 3944 wrote to memory of 824	3944	84ca757e6112d21636f4d72e737100a36209780a340a9f0039b0b72e95a98ba7.exe	nslookup.exe
PID 3944 wrote to memory of 824	3944	84ca757e6112d21636f4d72e737100a36209780a340a9f0039b0b72e95a98ba7.exe	nslookup.exe
PID 3944 wrote to memory of 824	3944	84ca757e6112d21636f4d72e737100a36209780a340a9f0039b0b72e95a98ba7.exe	nslookup.exe
PID 3944 wrote to memory of 388	3944	84ca757e6112d21636f4d72e737100a36209780a340a9f0039b0b72e95a98ba7.exe	nslookup.exe
PID 3944 wrote to memory of 388	3944	84ca757e6112d21636f4d72e737100a36209780a340a9f0039b0b72e95a98ba7.exe	nslookup.exe
PID 3944 wrote to memory of 388	3944	84ca757e6112d21636f4d72e737100a36209780a340a9f0039b0b72e95a98ba7.exe	nslookup.exe
PID 3944 wrote to memory of 1848	3944	84ca757e6112d21636f4d72e737100a36209780a340a9f0039b0b72e95a98ba7.exe	nslookup.exe
PID 3944 wrote to memory of 1848	3944	84ca757e6112d21636f4d72e737100a36209780a340a9f0039b0b72e95a98ba7.exe	nslookup.exe
PID 3944 wrote to memory of 1848	3944	84ca757e6112d21636f4d72e737100a36209780a340a9f0039b0b72e95a98ba7.exe	nslookup.exe
PID 3944 wrote to memory of 1568	3944	84ca757e6112d21636f4d72e737100a36209780a340a9f0039b0b72e95a98ba7.exe	nslookup.exe
PID 3944 wrote to memory of 1568	3944	84ca757e6112d21636f4d72e737100a36209780a340a9f0039b0b72e95a98ba7.exe	nslookup.exe
PID 3944 wrote to memory of 1568	3944	84ca757e6112d21636f4d72e737100a36209780a340a9f0039b0b72e95a98ba7.exe	nslookup.exe
PID 3944 wrote to memory of 2128	3944	84ca757e6112d21636f4d72e737100a36209780a340a9f0039b0b72e95a98ba7.exe	nslookup.exe
PID 3944 wrote to memory of 2128	3944	84ca757e6112d21636f4d72e737100a36209780a340a9f0039b0b72e95a98ba7.exe	nslookup.exe
PID 3944 wrote to memory of 2128	3944	84ca757e6112d21636f4d72e737100a36209780a340a9f0039b0b72e95a98ba7.exe	nslookup.exe
PID 3944 wrote to memory of 3528	3944	84ca757e6112d21636f4d72e737100a36209780a340a9f0039b0b72e95a98ba7.exe	nslookup.exe
PID 3944 wrote to memory of 3528	3944	84ca757e6112d21636f4d72e737100a36209780a340a9f0039b0b72e95a98ba7.exe	nslookup.exe
PID 3944 wrote to memory of 3528	3944	84ca757e6112d21636f4d72e737100a36209780a340a9f0039b0b72e95a98ba7.exe	nslookup.exe
PID 3944 wrote to memory of 1512	3944	84ca757e6112d21636f4d72e737100a36209780a340a9f0039b0b72e95a98ba7.exe	nslookup.exe
PID 3944 wrote to memory of 1512	3944	84ca757e6112d21636f4d72e737100a36209780a340a9f0039b0b72e95a98ba7.exe	nslookup.exe
PID 3944 wrote to memory of 1512	3944	84ca757e6112d21636f4d72e737100a36209780a340a9f0039b0b72e95a98ba7.exe	nslookup.exe
PID 3944 wrote to memory of 424	3944	84ca757e6112d21636f4d72e737100a36209780a340a9f0039b0b72e95a98ba7.exe	nslookup.exe
PID 3944 wrote to memory of 424	3944	84ca757e6112d21636f4d72e737100a36209780a340a9f0039b0b72e95a98ba7.exe	nslookup.exe
PID 3944 wrote to memory of 424	3944	84ca757e6112d21636f4d72e737100a36209780a340a9f0039b0b72e95a98ba7.exe	nslookup.exe
PID 3944 wrote to memory of 1168	3944	84ca757e6112d21636f4d72e737100a36209780a340a9f0039b0b72e95a98ba7.exe	nslookup.exe
PID 3944 wrote to memory of 1168	3944	84ca757e6112d21636f4d72e737100a36209780a340a9f0039b0b72e95a98ba7.exe	nslookup.exe
PID 3944 wrote to memory of 1168	3944	84ca757e6112d21636f4d72e737100a36209780a340a9f0039b0b72e95a98ba7.exe	nslookup.exe
PID 3944 wrote to memory of 3480	3944	84ca757e6112d21636f4d72e737100a36209780a340a9f0039b0b72e95a98ba7.exe	nslookup.exe
PID 3944 wrote to memory of 3480	3944	84ca757e6112d21636f4d72e737100a36209780a340a9f0039b0b72e95a98ba7.exe	nslookup.exe
PID 3944 wrote to memory of 3480	3944	84ca757e6112d21636f4d72e737100a36209780a340a9f0039b0b72e95a98ba7.exe	nslookup.exe
PID 3944 wrote to memory of 2024	3944	84ca757e6112d21636f4d72e737100a36209780a340a9f0039b0b72e95a98ba7.exe	nslookup.exe

C:\Users\Admin\AppData\Local\Temp\84ca757e6112d21636f4d72e737100a36209780a340a9f0039b0b72e95a98ba7.exe
"C:\Users\Admin\AppData\Local\Temp\84ca757e6112d21636f4d72e737100a36209780a340a9f0039b0b72e95a98ba7.exe"
1⤵
- Adds Run key to start application
- Enumerates connected drives
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3944

C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns1.wowservers.ru
2⤵
PID:2452

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.wowservers.ru
2⤵
PID:3484

C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns2.wowservers.ru
2⤵
PID:2612

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.wowservers.ru
2⤵
PID:2368

C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns1.wowservers.ru
2⤵
PID:1576

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.wowservers.ru
2⤵
PID:2984

C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns2.wowservers.ru
2⤵
PID:3896

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.wowservers.ru
2⤵
PID:1348

C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns1.wowservers.ru
2⤵
PID:1424

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.wowservers.ru
2⤵
PID:1120

C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns2.wowservers.ru
2⤵
PID:2464

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.wowservers.ru
2⤵
PID:824

C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns1.wowservers.ru
2⤵
PID:388

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.wowservers.ru
2⤵
PID:1848

C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns2.wowservers.ru
2⤵
PID:1568

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.wowservers.ru
2⤵
PID:2128

C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns1.wowservers.ru
2⤵
PID:3528

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.wowservers.ru
2⤵
PID:1512

C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns2.wowservers.ru
2⤵
PID:424

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.wowservers.ru
2⤵
PID:1168

C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns1.wowservers.ru
2⤵
PID:3480

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.wowservers.ru
2⤵
PID:2024

C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns2.wowservers.ru
2⤵
PID:1760

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.wowservers.ru
2⤵
PID:4064

C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns1.wowservers.ru
2⤵
PID:512

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.wowservers.ru
2⤵
PID:4076

C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns2.wowservers.ru
2⤵
PID:364

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.wowservers.ru
2⤵
PID:2976

C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns1.wowservers.ru
2⤵
PID:2600

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.wowservers.ru
2⤵
PID:1236

C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns2.wowservers.ru
2⤵
PID:1796

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.wowservers.ru
2⤵
PID:3192

C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns1.wowservers.ru
2⤵
PID:1640

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.wowservers.ru
2⤵
PID:2416

C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns2.wowservers.ru
2⤵
PID:2336

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.wowservers.ru
2⤵
PID:2144

C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns1.wowservers.ru
2⤵
PID:3408

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.wowservers.ru
2⤵
PID:2724

C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns2.wowservers.ru
2⤵
PID:1428

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.wowservers.ru
2⤵
PID:3740

C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns1.wowservers.ru
2⤵
PID:1256

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.wowservers.ru
2⤵
PID:2320

C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns2.wowservers.ru
2⤵
PID:2176

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.wowservers.ru
2⤵
PID:3228

C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns1.wowservers.ru
2⤵
PID:3184

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.wowservers.ru
2⤵
PID:572

C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns2.wowservers.ru
2⤵
PID:496

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.wowservers.ru
2⤵
PID:3904

C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns1.wowservers.ru
2⤵
PID:2932

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.wowservers.ru
2⤵
PID:2380

C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns2.wowservers.ru
2⤵
PID:2184

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.wowservers.ru
2⤵
PID:1972

C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns1.wowservers.ru
2⤵
PID:1156

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.wowservers.ru
2⤵
PID:1392

C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns2.wowservers.ru
2⤵
PID:2224

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.wowservers.ru
2⤵
PID:1808

C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns1.wowservers.ru
2⤵
PID:4040

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.wowservers.ru
2⤵
PID:2080

C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns2.wowservers.ru
2⤵
PID:4012

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.wowservers.ru
2⤵
PID:700

C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns1.wowservers.ru
2⤵
PID:1420

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.wowservers.ru
2⤵
PID:2864

C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns2.wowservers.ru
2⤵
PID:3540

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.wowservers.ru
2⤵
PID:3808

C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns1.wowservers.ru
2⤵
PID:2496

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.wowservers.ru
2⤵
PID:2268

C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns2.wowservers.ru
2⤵
PID:3888

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.wowservers.ru
2⤵
PID:3376

C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns1.wowservers.ru
2⤵
PID:1240

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.wowservers.ru
2⤵
PID:1532

C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns2.wowservers.ru
2⤵
PID:1632

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.wowservers.ru
2⤵
PID:1656

C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns1.wowservers.ru
2⤵
PID:1828

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.wowservers.ru
2⤵
PID:2208

C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns2.wowservers.ru
2⤵
PID:184

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.wowservers.ru
2⤵
PID:3364

C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns1.wowservers.ru
2⤵
PID:2472

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.wowservers.ru
2⤵
PID:1744

C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns2.wowservers.ru
2⤵
PID:4080

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.wowservers.ru
2⤵
PID:2776

C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns1.wowservers.ru
2⤵
PID:1224

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.wowservers.ru
2⤵
PID:2140

C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns2.wowservers.ru
2⤵
PID:3488

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.wowservers.ru
2⤵
PID:3292

C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns1.wowservers.ru
2⤵
PID:2168

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.wowservers.ru
2⤵
PID:1160

C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns2.wowservers.ru
2⤵
PID:1172

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.wowservers.ru
2⤵
PID:3756

C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns1.wowservers.ru
2⤵
PID:3936

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.wowservers.ru
2⤵
PID:200

C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns2.wowservers.ru
2⤵
PID:1468

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.wowservers.ru
2⤵
PID:1516

C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns1.wowservers.ru
2⤵
PID:3716

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.wowservers.ru
2⤵
PID:2640

C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns2.wowservers.ru
2⤵
PID:2152

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.wowservers.ru
2⤵
PID:1652

C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns1.wowservers.ru
2⤵
PID:3712

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.wowservers.ru
2⤵
PID:3620

C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns2.wowservers.ru
2⤵
PID:2288

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.wowservers.ru
2⤵
PID:4048

C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns1.wowservers.ru
2⤵
PID:1088

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.wowservers.ru
2⤵
PID:3816

C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns2.wowservers.ru
2⤵
PID:1564

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.wowservers.ru
2⤵
PID:504

C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns1.wowservers.ru
2⤵
PID:2476

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.wowservers.ru
2⤵
PID:2460

C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns2.wowservers.ru
2⤵
PID:1480

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.wowservers.ru
2⤵
PID:2064

C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns1.wowservers.ru
2⤵
PID:500

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.wowservers.ru
2⤵
PID:2996

C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns2.wowservers.ru
2⤵
PID:2732

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.wowservers.ru
2⤵
PID:656

C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns1.wowservers.ru
2⤵
PID:3828

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.wowservers.ru
2⤵
PID:188

C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns2.wowservers.ru
2⤵
PID:1736

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.wowservers.ru
2⤵
PID:3600

C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns1.wowservers.ru
2⤵
PID:2004

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.wowservers.ru
2⤵
PID:752

C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns2.wowservers.ru
2⤵
PID:3872

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.wowservers.ru
2⤵
PID:2544

C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns1.wowservers.ru
2⤵
PID:1304

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.wowservers.ru
2⤵
PID:3136

C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns2.wowservers.ru
2⤵
PID:3964

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.wowservers.ru
2⤵
PID:1104

C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns1.wowservers.ru
2⤵
PID:640

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.wowservers.ru
2⤵
PID:3596

C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns2.wowservers.ru
2⤵
PID:3800

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/364-142-0x0000000000000000-mapping.dmp

Download
memory/388-128-0x0000000000000000-mapping.dmp

Download
memory/424-134-0x0000000000000000-mapping.dmp

Download
memory/496-162-0x0000000000000000-mapping.dmp

Download
memory/512-140-0x0000000000000000-mapping.dmp

Download
memory/572-161-0x0000000000000000-mapping.dmp

Download
memory/700-175-0x0000000000000000-mapping.dmp

Download
memory/824-127-0x0000000000000000-mapping.dmp

Download
memory/1120-125-0x0000000000000000-mapping.dmp

Download
memory/1156-168-0x0000000000000000-mapping.dmp

Download
memory/1168-135-0x0000000000000000-mapping.dmp

Download
memory/1236-145-0x0000000000000000-mapping.dmp

Download
memory/1256-156-0x0000000000000000-mapping.dmp

Download
memory/1348-123-0x0000000000000000-mapping.dmp

Download
memory/1392-169-0x0000000000000000-mapping.dmp

Download
memory/1420-176-0x0000000000000000-mapping.dmp

Download
memory/1424-124-0x0000000000000000-mapping.dmp

Download
memory/1428-154-0x0000000000000000-mapping.dmp

Download
memory/1512-133-0x0000000000000000-mapping.dmp

Download
memory/1568-130-0x0000000000000000-mapping.dmp

Download
memory/1576-120-0x0000000000000000-mapping.dmp

Download
memory/1640-148-0x0000000000000000-mapping.dmp

Download
memory/1760-138-0x0000000000000000-mapping.dmp

Download
memory/1796-146-0x0000000000000000-mapping.dmp

Download
memory/1808-171-0x0000000000000000-mapping.dmp

Download
memory/1848-129-0x0000000000000000-mapping.dmp

Download
memory/1972-167-0x0000000000000000-mapping.dmp

Download
memory/2024-137-0x0000000000000000-mapping.dmp

Download
memory/2080-173-0x0000000000000000-mapping.dmp

Download
memory/2128-131-0x0000000000000000-mapping.dmp

Download
memory/2144-151-0x0000000000000000-mapping.dmp

Download
memory/2176-158-0x0000000000000000-mapping.dmp

Download
memory/2184-166-0x0000000000000000-mapping.dmp

Download
memory/2224-170-0x0000000000000000-mapping.dmp

Download
memory/2320-157-0x0000000000000000-mapping.dmp

Download
memory/2336-150-0x0000000000000000-mapping.dmp

Download
memory/2368-119-0x0000000000000000-mapping.dmp

Download
memory/2380-165-0x0000000000000000-mapping.dmp

Download
memory/2416-149-0x0000000000000000-mapping.dmp

Download
memory/2452-116-0x0000000000000000-mapping.dmp

Download
memory/2464-126-0x0000000000000000-mapping.dmp

Download
memory/2600-144-0x0000000000000000-mapping.dmp

Download
memory/2612-118-0x0000000000000000-mapping.dmp

Download
memory/2724-153-0x0000000000000000-mapping.dmp

Download
memory/2864-177-0x0000000000000000-mapping.dmp

Download
memory/2932-164-0x0000000000000000-mapping.dmp

Download
memory/2976-143-0x0000000000000000-mapping.dmp

Download
memory/2984-121-0x0000000000000000-mapping.dmp

Download
memory/3184-160-0x0000000000000000-mapping.dmp

Download
memory/3192-147-0x0000000000000000-mapping.dmp

Download
memory/3228-159-0x0000000000000000-mapping.dmp

Download
memory/3408-152-0x0000000000000000-mapping.dmp

Download
memory/3480-136-0x0000000000000000-mapping.dmp

Download
memory/3484-117-0x0000000000000000-mapping.dmp

Download
memory/3528-132-0x0000000000000000-mapping.dmp

Download
memory/3540-178-0x0000000000000000-mapping.dmp

Download
memory/3740-155-0x0000000000000000-mapping.dmp

Download
memory/3808-179-0x0000000000000000-mapping.dmp

Download
memory/3896-122-0x0000000000000000-mapping.dmp

Download
memory/3904-163-0x0000000000000000-mapping.dmp

Download
memory/3944-114-0x0000000000400000-0x00000000012D6000-memory.dmp

Filesize
14.8MB

Download
memory/3944-115-0x00000000013E0000-0x000000000152A000-memory.dmp

Filesize
1.3MB

Download
memory/4012-174-0x0000000000000000-mapping.dmp

Download
memory/4040-172-0x0000000000000000-mapping.dmp

Download
memory/4064-139-0x0000000000000000-mapping.dmp

Download
memory/4076-141-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads