Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10_x64 -
resource
win10v20210410 -
submitted
18-05-2021 13:18
Static task
static1
Behavioral task
behavioral1
Sample
19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe
Resource
win7v20210410
Behavioral task
behavioral2
Sample
19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe
Resource
win10v20210410
General
-
Target
19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe
-
Size
181KB
-
MD5
4a12911191d436aa3a2e7760d3ad61a3
-
SHA1
6ae081144769492edb4dc82a6c3aeeb7bd71583b
-
SHA256
19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c
-
SHA512
c5a6cbd11fc23dfa9bdf4b321e5a840f0c9d681d4935e20d71ad30ddfbdab9124fe42071a0d59ee276286281c1f95bdd5f5f56764a74e597ffa005c1a0cb81c9
Malware Config
Signatures
-
GandCrab Payload 1 IoCs
Processes:
resource yara_rule behavioral2/memory/1824-115-0x0000000002250000-0x0000000002267000-memory.dmp family_gandcrab -
Gandcrab
Gandcrab is a Trojan horse that encrypts files on a computer.
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce 19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe Set value (str) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\vmdngubvees = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\gemzaj.exe\"" 19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe -
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exedescription ioc process File opened (read-only) \??\M: 19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe File opened (read-only) \??\S: 19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe File opened (read-only) \??\U: 19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe File opened (read-only) \??\V: 19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe File opened (read-only) \??\F: 19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe File opened (read-only) \??\H: 19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe File opened (read-only) \??\W: 19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe File opened (read-only) \??\T: 19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe File opened (read-only) \??\X: 19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe File opened (read-only) \??\Y: 19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe File opened (read-only) \??\Z: 19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe File opened (read-only) \??\A: 19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe File opened (read-only) \??\B: 19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe File opened (read-only) \??\L: 19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe File opened (read-only) \??\P: 19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe File opened (read-only) \??\K: 19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe File opened (read-only) \??\N: 19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe File opened (read-only) \??\O: 19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe File opened (read-only) \??\Q: 19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe File opened (read-only) \??\E: 19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe File opened (read-only) \??\G: 19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe File opened (read-only) \??\I: 19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe File opened (read-only) \??\J: 19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe File opened (read-only) \??\R: 19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString 19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier 19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exepid process 1824 19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe 1824 19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe 1824 19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe 1824 19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe -
Suspicious use of SetWindowsHookAW 64 IoCs
Processes:
19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exepid process 1824 19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe 1824 19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe 1824 19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe 1824 19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe 1824 19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe 1824 19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe 1824 19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe 1824 19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe 1824 19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe 1824 19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe 1824 19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe 1824 19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe 1824 19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe 1824 19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe 1824 19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe 1824 19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe 1824 19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe 1824 19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe 1824 19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe 1824 19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe 1824 19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe 1824 19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe 1824 19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe 1824 19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe 1824 19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe 1824 19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe 1824 19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe 1824 19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe 1824 19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe 1824 19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe 1824 19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe 1824 19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe 1824 19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe 1824 19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe 1824 19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe 1824 19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe 1824 19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe 1824 19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe 1824 19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe 1824 19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe 1824 19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe 1824 19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe 1824 19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe 1824 19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe 1824 19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe 1824 19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe 1824 19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe 1824 19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe 1824 19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe 1824 19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe 1824 19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe 1824 19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe 1824 19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe 1824 19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe 1824 19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe 1824 19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe 1824 19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe 1824 19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe 1824 19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe 1824 19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe 1824 19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe 1824 19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe 1824 19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe 1824 19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exedescription pid process target process PID 1824 wrote to memory of 2792 1824 19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe nslookup.exe PID 1824 wrote to memory of 2792 1824 19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe nslookup.exe PID 1824 wrote to memory of 2792 1824 19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe nslookup.exe PID 1824 wrote to memory of 3260 1824 19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe nslookup.exe PID 1824 wrote to memory of 3260 1824 19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe nslookup.exe PID 1824 wrote to memory of 3260 1824 19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe nslookup.exe PID 1824 wrote to memory of 3924 1824 19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe nslookup.exe PID 1824 wrote to memory of 3924 1824 19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe nslookup.exe PID 1824 wrote to memory of 3924 1824 19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe nslookup.exe PID 1824 wrote to memory of 2108 1824 19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe nslookup.exe PID 1824 wrote to memory of 2108 1824 19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe nslookup.exe PID 1824 wrote to memory of 2108 1824 19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe nslookup.exe PID 1824 wrote to memory of 2252 1824 19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe nslookup.exe PID 1824 wrote to memory of 2252 1824 19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe nslookup.exe PID 1824 wrote to memory of 2252 1824 19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe nslookup.exe PID 1824 wrote to memory of 2120 1824 19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe nslookup.exe PID 1824 wrote to memory of 2120 1824 19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe nslookup.exe PID 1824 wrote to memory of 2120 1824 19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe nslookup.exe PID 1824 wrote to memory of 2156 1824 19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe nslookup.exe PID 1824 wrote to memory of 2156 1824 19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe nslookup.exe PID 1824 wrote to memory of 2156 1824 19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe nslookup.exe PID 1824 wrote to memory of 1680 1824 19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe nslookup.exe PID 1824 wrote to memory of 1680 1824 19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe nslookup.exe PID 1824 wrote to memory of 1680 1824 19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe nslookup.exe PID 1824 wrote to memory of 1828 1824 19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe nslookup.exe PID 1824 wrote to memory of 1828 1824 19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe nslookup.exe PID 1824 wrote to memory of 1828 1824 19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe nslookup.exe PID 1824 wrote to memory of 728 1824 19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe nslookup.exe PID 1824 wrote to memory of 728 1824 19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe nslookup.exe PID 1824 wrote to memory of 728 1824 19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe nslookup.exe PID 1824 wrote to memory of 2104 1824 19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe nslookup.exe PID 1824 wrote to memory of 2104 1824 19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe nslookup.exe PID 1824 wrote to memory of 2104 1824 19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe nslookup.exe PID 1824 wrote to memory of 4024 1824 19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe nslookup.exe PID 1824 wrote to memory of 4024 1824 19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe nslookup.exe PID 1824 wrote to memory of 4024 1824 19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe nslookup.exe PID 1824 wrote to memory of 3864 1824 19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe nslookup.exe PID 1824 wrote to memory of 3864 1824 19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe nslookup.exe PID 1824 wrote to memory of 3864 1824 19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe nslookup.exe PID 1824 wrote to memory of 3944 1824 19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe nslookup.exe PID 1824 wrote to memory of 3944 1824 19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe nslookup.exe PID 1824 wrote to memory of 3944 1824 19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe nslookup.exe PID 1824 wrote to memory of 1404 1824 19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe nslookup.exe PID 1824 wrote to memory of 1404 1824 19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe nslookup.exe PID 1824 wrote to memory of 1404 1824 19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe nslookup.exe PID 1824 wrote to memory of 3408 1824 19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe nslookup.exe PID 1824 wrote to memory of 3408 1824 19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe nslookup.exe PID 1824 wrote to memory of 3408 1824 19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe nslookup.exe PID 1824 wrote to memory of 1020 1824 19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe nslookup.exe PID 1824 wrote to memory of 1020 1824 19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe nslookup.exe PID 1824 wrote to memory of 1020 1824 19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe nslookup.exe PID 1824 wrote to memory of 620 1824 19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe nslookup.exe PID 1824 wrote to memory of 620 1824 19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe nslookup.exe PID 1824 wrote to memory of 620 1824 19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe nslookup.exe PID 1824 wrote to memory of 3856 1824 19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe nslookup.exe PID 1824 wrote to memory of 3856 1824 19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe nslookup.exe PID 1824 wrote to memory of 3856 1824 19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe nslookup.exe PID 1824 wrote to memory of 1756 1824 19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe nslookup.exe PID 1824 wrote to memory of 1756 1824 19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe nslookup.exe PID 1824 wrote to memory of 1756 1824 19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe nslookup.exe PID 1824 wrote to memory of 1572 1824 19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe nslookup.exe PID 1824 wrote to memory of 1572 1824 19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe nslookup.exe PID 1824 wrote to memory of 1572 1824 19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe nslookup.exe PID 1824 wrote to memory of 1292 1824 19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe nslookup.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe"C:\Users\Admin\AppData\Local\Temp\19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe"1⤵
- Adds Run key to start application
- Enumerates connected drives
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookAW
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\nslookup.exenslookup zonealarm.bit ns1.corp-servers.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup ransomware.bit ns2.corp-servers.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup zonealarm.bit ns2.corp-servers.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup ransomware.bit ns1.corp-servers.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup zonealarm.bit ns1.corp-servers.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup ransomware.bit ns2.corp-servers.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup zonealarm.bit ns2.corp-servers.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup ransomware.bit ns1.corp-servers.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup zonealarm.bit ns1.corp-servers.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup ransomware.bit ns2.corp-servers.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup zonealarm.bit ns2.corp-servers.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup ransomware.bit ns1.corp-servers.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup zonealarm.bit ns1.corp-servers.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup ransomware.bit ns2.corp-servers.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup zonealarm.bit ns2.corp-servers.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup ransomware.bit ns1.corp-servers.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup zonealarm.bit ns1.corp-servers.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup ransomware.bit ns2.corp-servers.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup zonealarm.bit ns2.corp-servers.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup ransomware.bit ns1.corp-servers.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup zonealarm.bit ns1.corp-servers.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup ransomware.bit ns2.corp-servers.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup zonealarm.bit ns2.corp-servers.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup ransomware.bit ns1.corp-servers.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup zonealarm.bit ns1.corp-servers.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup ransomware.bit ns2.corp-servers.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup zonealarm.bit ns2.corp-servers.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup ransomware.bit ns1.corp-servers.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup zonealarm.bit ns1.corp-servers.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup ransomware.bit ns2.corp-servers.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup zonealarm.bit ns2.corp-servers.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup ransomware.bit ns1.corp-servers.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup zonealarm.bit ns1.corp-servers.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup ransomware.bit ns2.corp-servers.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup zonealarm.bit ns2.corp-servers.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup ransomware.bit ns1.corp-servers.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup zonealarm.bit ns1.corp-servers.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup ransomware.bit ns2.corp-servers.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup zonealarm.bit ns2.corp-servers.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup ransomware.bit ns1.corp-servers.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup zonealarm.bit ns1.corp-servers.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup ransomware.bit ns2.corp-servers.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup zonealarm.bit ns2.corp-servers.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup ransomware.bit ns1.corp-servers.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup zonealarm.bit ns1.corp-servers.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup ransomware.bit ns2.corp-servers.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup zonealarm.bit ns2.corp-servers.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup ransomware.bit ns1.corp-servers.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup zonealarm.bit ns1.corp-servers.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup ransomware.bit ns2.corp-servers.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup zonealarm.bit ns2.corp-servers.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup ransomware.bit ns1.corp-servers.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup zonealarm.bit ns1.corp-servers.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup ransomware.bit ns2.corp-servers.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup zonealarm.bit ns2.corp-servers.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup ransomware.bit ns1.corp-servers.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup zonealarm.bit ns1.corp-servers.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup ransomware.bit ns2.corp-servers.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup zonealarm.bit ns2.corp-servers.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup ransomware.bit ns1.corp-servers.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup zonealarm.bit ns1.corp-servers.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup ransomware.bit ns2.corp-servers.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup zonealarm.bit ns2.corp-servers.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup ransomware.bit ns1.corp-servers.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup zonealarm.bit ns1.corp-servers.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup ransomware.bit ns2.corp-servers.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup zonealarm.bit ns2.corp-servers.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup ransomware.bit ns1.corp-servers.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup zonealarm.bit ns1.corp-servers.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup ransomware.bit ns2.corp-servers.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup zonealarm.bit ns2.corp-servers.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup ransomware.bit ns1.corp-servers.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup zonealarm.bit ns1.corp-servers.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup ransomware.bit ns2.corp-servers.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup zonealarm.bit ns2.corp-servers.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup ransomware.bit ns1.corp-servers.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup zonealarm.bit ns1.corp-servers.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup ransomware.bit ns2.corp-servers.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup zonealarm.bit ns2.corp-servers.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup ransomware.bit ns1.corp-servers.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup zonealarm.bit ns1.corp-servers.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup ransomware.bit ns2.corp-servers.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup zonealarm.bit ns2.corp-servers.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup ransomware.bit ns1.corp-servers.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup zonealarm.bit ns1.corp-servers.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup ransomware.bit ns2.corp-servers.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup zonealarm.bit ns2.corp-servers.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup ransomware.bit ns1.corp-servers.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup zonealarm.bit ns1.corp-servers.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup ransomware.bit ns2.corp-servers.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup zonealarm.bit ns2.corp-servers.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup ransomware.bit ns1.corp-servers.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup zonealarm.bit ns1.corp-servers.ru2⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/184-154-0x0000000000000000-mapping.dmp
-
memory/412-141-0x0000000000000000-mapping.dmp
-
memory/504-153-0x0000000000000000-mapping.dmp
-
memory/620-133-0x0000000000000000-mapping.dmp
-
memory/728-125-0x0000000000000000-mapping.dmp
-
memory/732-170-0x0000000000000000-mapping.dmp
-
memory/800-142-0x0000000000000000-mapping.dmp
-
memory/1020-132-0x0000000000000000-mapping.dmp
-
memory/1196-157-0x0000000000000000-mapping.dmp
-
memory/1292-137-0x0000000000000000-mapping.dmp
-
memory/1364-171-0x0000000000000000-mapping.dmp
-
memory/1368-149-0x0000000000000000-mapping.dmp
-
memory/1404-130-0x0000000000000000-mapping.dmp
-
memory/1432-168-0x0000000000000000-mapping.dmp
-
memory/1520-173-0x0000000000000000-mapping.dmp
-
memory/1572-136-0x0000000000000000-mapping.dmp
-
memory/1680-123-0x0000000000000000-mapping.dmp
-
memory/1756-135-0x0000000000000000-mapping.dmp
-
memory/1808-143-0x0000000000000000-mapping.dmp
-
memory/1824-114-0x0000000000400000-0x0000000000433000-memory.dmpFilesize
204KB
-
memory/1824-115-0x0000000002250000-0x0000000002267000-memory.dmpFilesize
92KB
-
memory/1828-124-0x0000000000000000-mapping.dmp
-
memory/1920-172-0x0000000000000000-mapping.dmp
-
memory/2028-161-0x0000000000000000-mapping.dmp
-
memory/2032-152-0x0000000000000000-mapping.dmp
-
memory/2104-126-0x0000000000000000-mapping.dmp
-
memory/2108-119-0x0000000000000000-mapping.dmp
-
memory/2120-121-0x0000000000000000-mapping.dmp
-
memory/2136-158-0x0000000000000000-mapping.dmp
-
memory/2156-122-0x0000000000000000-mapping.dmp
-
memory/2168-178-0x0000000000000000-mapping.dmp
-
memory/2248-156-0x0000000000000000-mapping.dmp
-
memory/2252-120-0x0000000000000000-mapping.dmp
-
memory/2260-163-0x0000000000000000-mapping.dmp
-
memory/2288-145-0x0000000000000000-mapping.dmp
-
memory/2316-174-0x0000000000000000-mapping.dmp
-
memory/2332-144-0x0000000000000000-mapping.dmp
-
memory/2336-138-0x0000000000000000-mapping.dmp
-
memory/2644-151-0x0000000000000000-mapping.dmp
-
memory/2656-146-0x0000000000000000-mapping.dmp
-
memory/2756-177-0x0000000000000000-mapping.dmp
-
memory/2792-116-0x0000000000000000-mapping.dmp
-
memory/2888-169-0x0000000000000000-mapping.dmp
-
memory/3008-140-0x0000000000000000-mapping.dmp
-
memory/3092-165-0x0000000000000000-mapping.dmp
-
memory/3100-148-0x0000000000000000-mapping.dmp
-
memory/3104-139-0x0000000000000000-mapping.dmp
-
memory/3112-147-0x0000000000000000-mapping.dmp
-
memory/3224-164-0x0000000000000000-mapping.dmp
-
memory/3260-117-0x0000000000000000-mapping.dmp
-
memory/3408-131-0x0000000000000000-mapping.dmp
-
memory/3568-159-0x0000000000000000-mapping.dmp
-
memory/3624-175-0x0000000000000000-mapping.dmp
-
memory/3724-179-0x0000000000000000-mapping.dmp
-
memory/3856-134-0x0000000000000000-mapping.dmp
-
memory/3860-167-0x0000000000000000-mapping.dmp
-
memory/3864-128-0x0000000000000000-mapping.dmp
-
memory/3880-160-0x0000000000000000-mapping.dmp
-
memory/3900-155-0x0000000000000000-mapping.dmp
-
memory/3924-118-0x0000000000000000-mapping.dmp
-
memory/3944-129-0x0000000000000000-mapping.dmp
-
memory/3952-166-0x0000000000000000-mapping.dmp
-
memory/4012-176-0x0000000000000000-mapping.dmp
-
memory/4024-127-0x0000000000000000-mapping.dmp
-
memory/4036-162-0x0000000000000000-mapping.dmp
-
memory/4068-150-0x0000000000000000-mapping.dmp