Analysis
max time kernel: 152s
max time network: 181s
platform: windows7_x64
resource: win7v20210408
submitted: 13-10-2021 15:39

Static task: static1

Behavioral task: behavioral1
Sample: cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe
Resource: win7v20210408

Behavioral task: behavioral2
Sample: cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe
Resource: win10v20210408

General
Target: cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe
Size: 244KB
MD5: cd0de24dd59d160507545851f4c0d917
SHA1: a78fca87aace910f8e59dd614664e082249b8a68
SHA256: cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08
SHA512: 130ac29407b1a5903c144684e846a8eabe54d47ed13ebcc676eb1d4b598b52c446c6f5021fdea2035d838e562b6a08e7f0578bfe3379824dbd1b5b9ce374e12d
Malware Config
Signatures
-
GandCrab Payload 2 IoCs
Processes:
resource | yara_rule
behavioral1/memory/1208-62-0x0000000000400000-0x0000000000B4B000-memory.dmp | family_gandcrab
behavioral1/memory/1208-65-0x0000000000280000-0x0000000000297000-memory.dmp | family_gandcrab
-
Gandcrab
Gandcrab is a Trojan horse that encrypts files on a computer.
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes: cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce | cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nvokxegqxmj = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\oeqhai.exe\"" | cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe
-
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes: cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe
description | ioc | process
File opened (read-only) | \??\E: | cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe
File opened (read-only) | \??\H: | cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe
File opened (read-only) | \??\K: | cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe
File opened (read-only) | \??\L: | cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe
File opened (read-only) | \??\O: | cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe
File opened (read-only) | \??\A: | cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe
File opened (read-only) | \??\I: | cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe
File opened (read-only) | \??\M: | cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe
File opened (read-only) | \??\T: | cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe
File opened (read-only) | \??\W: | cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe
File opened (read-only) | \??\X: | cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe
File opened (read-only) | \??\Y: | cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe
File opened (read-only) | \??\Z: | cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe
File opened (read-only) | \??\F: | cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe
File opened (read-only) | \??\J: | cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe
File opened (read-only) | \??\N: | cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe
File opened (read-only) | \??\P: | cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe
File opened (read-only) | \??\R: | cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe
File opened (read-only) | \??\U: | cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe
File opened (read-only) | \??\G: | cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe
File opened (read-only) | \??\Q: | cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe
File opened (read-only) | \??\S: | cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe
File opened (read-only) | \??\V: | cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe
File opened (read-only) | \??\B: | cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe
-
Drops file in Windows directory 1 IoCs
Processes: cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe
description | ioc | process
File opened for modification | C:\Windows\win.ini | cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes: cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe
pid | process
1208 | cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe
1208 | cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe
-
Suspicious use of AdjustPrivilegeToken 60 IoCs
Processes: cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe
description | pid | process
Token: SeLoadDriverPrivilege | 1208 | cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe
(this identical entry is repeated 60 times in the report)
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes: cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe
description | pid | process | target process
PID 1208 wrote to memory of 1728 | 1208 | cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe | nslookup.exe
PID 1208 wrote to memory of 1220 | 1208 | cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe | nslookup.exe
PID 1208 wrote to memory of 1244 | 1208 | cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe | nslookup.exe
PID 1208 wrote to memory of 976 | 1208 | cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe | nslookup.exe
PID 1208 wrote to memory of 1920 | 1208 | cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe | nslookup.exe
PID 1208 wrote to memory of 1760 | 1208 | cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe | nslookup.exe
PID 1208 wrote to memory of 568 | 1208 | cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe | nslookup.exe
PID 1208 wrote to memory of 1624 | 1208 | cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe | nslookup.exe
PID 1208 wrote to memory of 680 | 1208 | cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe | nslookup.exe
PID 1208 wrote to memory of 896 | 1208 | cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe | nslookup.exe
PID 1208 wrote to memory of 1744 | 1208 | cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe | nslookup.exe
PID 1208 wrote to memory of 1020 | 1208 | cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe | nslookup.exe
PID 1208 wrote to memory of 1420 | 1208 | cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe | nslookup.exe
PID 1208 wrote to memory of 1696 | 1208 | cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe | nslookup.exe
PID 1208 wrote to memory of 1732 | 1208 | cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe | nslookup.exe
PID 1208 wrote to memory of 1764 | 1208 | cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe | nslookup.exe
(each of the 16 entries above appears four times in the report, 64 IoCs in total)
Processes
-
C:\Users\Admin\AppData\Local\Temp\cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe (process tree level 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe"
- Adds Run key to start application
- Enumerates connected drives
- Drops file in Windows directory
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\nslookup.exe (process tree level 2, child of the sample): the report lists 130 nslookup.exe child processes, cycling through the following four command lines:
- nslookup carder.bit ns1.wowservers.ru
- nslookup ransomware.bit ns2.wowservers.ru
- nslookup carder.bit ns2.wowservers.ru
- nslookup ransomware.bit ns1.wowservers.ru
Downloads