Analysis
max time kernel: 6s
max time network: 120s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64 arch:x86 image:win7-20240708-en locale:en-us os:windows7-x64 system
submitted: 18-12-2024 10:01
Static task: static1
Behavioral task: behavioral1
  Sample: 7c5a55cfa74b375f2194e29633da183d764a9381d52af8e71bfc1c2a61fb8109.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: 7c5a55cfa74b375f2194e29633da183d764a9381d52af8e71bfc1c2a61fb8109.exe
  Resource: win10v2004-20241007-en
General
Target: 7c5a55cfa74b375f2194e29633da183d764a9381d52af8e71bfc1c2a61fb8109.exe
Size: 231KB
MD5: a2111a35365c5e7fd89b567412ca4ad6
SHA1: 2a4a0c3880b90850a82552b72ec13ad3e793a444
SHA256: 7c5a55cfa74b375f2194e29633da183d764a9381d52af8e71bfc1c2a61fb8109
SHA512: 73122914c555107c8bf83bd9c954cac8a4c7da8ded849559a7966956a93126f2a641f81090d3be237dbbf473bc66bdc1be5ccc2dcef119329c83a842d2c60ca3
SSDEEP: 3072:RPgE0E5wfNm5RQ9vGeriZuxqrzmT0MKgM2Au2c5L97zPy+yc4WABa/Km:RPgEifAIOe6eOqAMKgMy5B7G2z
Malware Config
Signatures
GandCrab payload 4 IoCs
resource | yara_rule
behavioral1/memory/656-262-0x0000000000400000-0x0000000000B4A000-memory.dmp | family_gandcrab
behavioral1/memory/656-260-0x00000000002A0000-0x00000000002B7000-memory.dmp | family_gandcrab
behavioral1/memory/656-259-0x0000000000400000-0x0000000000B4A000-memory.dmp | family_gandcrab
behavioral1/memory/656-269-0x0000000000400000-0x000000000042C000-memory.dmp | family_gandcrab
Gandcrab
Gandcrab is a Trojan horse that encrypts files on a computer.
Gandcrab family
Unexpected DNS network traffic destination 64 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\auugwpjzhdy = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\gcukxp.exe\"" | 7c5a55cfa74b375f2194e29633da183d764a9381d52af8e71bfc1c2a61fb8109.exe
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
All 23 entries are "File opened (read-only)" by 7c5a55cfa74b375f2194e29633da183d764a9381d52af8e71bfc1c2a61fb8109.exe, one per drive root:
\??\U: \??\W: \??\Z: \??\L: \??\J: \??\N: \??\P: \??\R: \??\T: \??\V: \??\Y: \??\A: \??\G: \??\K: \??\O: \??\X: \??\E: \??\H: \??\I: \??\M: \??\Q: \??\S: \??\B:
Drops file in Windows directory 1 IoCs
description | ioc | Process
File opened for modification | C:\Windows\win.ini | 7c5a55cfa74b375f2194e29633da183d764a9381d52af8e71bfc1c2a61fb8109.exe
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 7c5a55cfa74b375f2194e29633da183d764a9381d52af8e71bfc1c2a61fb8109.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | nslookup.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | nslookup.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | nslookup.exe
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | 7c5a55cfa74b375f2194e29633da183d764a9381d52af8e71bfc1c2a61fb8109.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | 7c5a55cfa74b375f2194e29633da183d764a9381d52af8e71bfc1c2a61fb8109.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | 7c5a55cfa74b375f2194e29633da183d764a9381d52af8e71bfc1c2a61fb8109.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid | Process
656 | 7c5a55cfa74b375f2194e29633da183d764a9381d52af8e71bfc1c2a61fb8109.exe
656 | 7c5a55cfa74b375f2194e29633da183d764a9381d52af8e71bfc1c2a61fb8109.exe
Suspicious use of AdjustPrivilegeToken 60 IoCs
description | pid | Process
Token: SeLoadDriverPrivilege | 656 | 7c5a55cfa74b375f2194e29633da183d764a9381d52af8e71bfc1c2a61fb8109.exe
(this row is repeated 60 times in the report; all entries are identical)
Suspicious use of WriteProcessMemory 12 IoCs
description | pid | Process | procid_target
PID 656 wrote to memory of 996 | 656 | 7c5a55cfa74b375f2194e29633da183d764a9381d52af8e71bfc1c2a61fb8109.exe | 30 (4 entries)
PID 656 wrote to memory of 1516 | 656 | 7c5a55cfa74b375f2194e29633da183d764a9381d52af8e71bfc1c2a61fb8109.exe | 32 (4 entries)
PID 656 wrote to memory of 1980 | 656 | 7c5a55cfa74b375f2194e29633da183d764a9381d52af8e71bfc1c2a61fb8109.exe | 34 (4 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\7c5a55cfa74b375f2194e29633da183d764a9381d52af8e71bfc1c2a61fb8109.exe (depth 1, PID 656)
  Command line: "C:\Users\Admin\AppData\Local\Temp\7c5a55cfa74b375f2194e29633da183d764a9381d52af8e71bfc1c2a61fb8109.exe"
  - Adds Run key to start application
  - Enumerates connected drives
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes (depth 2), all C:\Windows\SysWOW64\nslookup.exe; the first three carry the signature "System Location Discovery: System Language Discovery":
  - PID 996: nslookup carder.bit ns1.wowservers.ru
  - PID 1516: nslookup ransomware.bit ns2.wowservers.ru
  - PID 1980: nslookup carder.bit ns2.wowservers.ru
  - PID 2980: nslookup ransomware.bit ns1.wowservers.ru
  - PID 2300: nslookup carder.bit ns1.wowservers.ru
  - PID 788: nslookup ransomware.bit ns2.wowservers.ru
  - PID 1760: nslookup carder.bit ns2.wowservers.ru
  - PID 2272: nslookup ransomware.bit ns1.wowservers.ru
  - PID 2320: nslookup carder.bit ns1.wowservers.ru
  - PID 1732: nslookup ransomware.bit ns2.wowservers.ru
  - PID 2504: nslookup carder.bit ns2.wowservers.ru
  - PID 800: nslookup ransomware.bit ns1.wowservers.ru
  - PID 2808: nslookup carder.bit ns1.wowservers.ru
  - PID 2712: nslookup ransomware.bit ns2.wowservers.ru
  - PID 2816: nslookup carder.bit ns2.wowservers.ru
  - PID 2592: nslookup ransomware.bit ns1.wowservers.ru
  - PID 2580: nslookup carder.bit ns1.wowservers.ru
  - PID 2612: nslookup ransomware.bit ns2.wowservers.ru
  - PID 2588: nslookup carder.bit ns2.wowservers.ru
  - PID 1932: nslookup ransomware.bit ns1.wowservers.ru
  - PID 2728: nslookup carder.bit ns1.wowservers.ru
  - PID 736: nslookup ransomware.bit ns2.wowservers.ru
  - PID 1892: nslookup carder.bit ns2.wowservers.ru
  - PID 840: nslookup ransomware.bit ns1.wowservers.ru
  - PID 2948: nslookup carder.bit ns1.wowservers.ru
  - PID 2008: nslookup ransomware.bit ns2.wowservers.ru
  - PID 2236: nslookup carder.bit ns2.wowservers.ru
  - PID 492: nslookup ransomware.bit ns1.wowservers.ru
  - PID 1916: nslookup carder.bit ns1.wowservers.ru
  - PID 1620: nslookup ransomware.bit ns2.wowservers.ru
  - PID 3012: nslookup carder.bit ns2.wowservers.ru
  - PID 1064: nslookup ransomware.bit ns1.wowservers.ru
  - PID 2088: nslookup carder.bit ns1.wowservers.ru
  - PID 2332: nslookup ransomware.bit ns2.wowservers.ru
  - PID 1548: nslookup carder.bit ns2.wowservers.ru
  - PID 1748: nslookup ransomware.bit ns1.wowservers.ru
  - PID 2160: nslookup carder.bit ns1.wowservers.ru
  - PID 1940: nslookup ransomware.bit ns2.wowservers.ru
  - PID 1856: nslookup carder.bit ns2.wowservers.ru
  - PID 2336: nslookup ransomware.bit ns1.wowservers.ru
  - PID 2376: nslookup carder.bit ns1.wowservers.ru
  - PID 1800: nslookup ransomware.bit ns2.wowservers.ru
  - PID 1680: nslookup carder.bit ns2.wowservers.ru
  - PID 1116: nslookup ransomware.bit ns1.wowservers.ru
  - PID 1888: nslookup carder.bit ns1.wowservers.ru
  - PID 1632: nslookup ransomware.bit ns2.wowservers.ru
  - PID 1464: nslookup carder.bit ns2.wowservers.ru
  - PID 1476: nslookup ransomware.bit ns1.wowservers.ru
  - PID 2312: nslookup carder.bit ns1.wowservers.ru
  - PID 2484: nslookup ransomware.bit ns2.wowservers.ru
  - PID 1724: nslookup carder.bit ns2.wowservers.ru
  - PID 1056: nslookup ransomware.bit ns1.wowservers.ru
  - PID 888: nslookup carder.bit ns1.wowservers.ru
  - PID 2664: nslookup ransomware.bit ns2.wowservers.ru
  - PID 2776: nslookup carder.bit ns2.wowservers.ru
  - PID 2692: nslookup ransomware.bit ns1.wowservers.ru
  - PID 2128: nslookup carder.bit ns1.wowservers.ru
  - PID 2872: nslookup ransomware.bit ns2.wowservers.ru
  - PID 2148: nslookup carder.bit ns2.wowservers.ru
  - PID 2576: nslookup ransomware.bit ns1.wowservers.ru
  - PID 2680: nslookup carder.bit ns1.wowservers.ru
  - PID 3048: nslookup ransomware.bit ns2.wowservers.ru
  - PID 1584: nslookup carder.bit ns2.wowservers.ru
  - PID 1712: nslookup ransomware.bit ns1.wowservers.ru
  - PID 2536: nslookup carder.bit ns1.wowservers.ru
  - PID 2176: nslookup ransomware.bit ns2.wowservers.ru
  - PID 2256: nslookup carder.bit ns2.wowservers.ru
  - PID 1616: nslookup ransomware.bit ns1.wowservers.ru
  - PID 2796: nslookup carder.bit ns1.wowservers.ru
  - PID 2648: nslookup ransomware.bit ns2.wowservers.ru
  - PID 2744: nslookup carder.bit ns2.wowservers.ru
  - PID 572: nslookup ransomware.bit ns1.wowservers.ru
  - PID 740: nslookup carder.bit ns1.wowservers.ru
  - PID 2020: nslookup ransomware.bit ns2.wowservers.ru
  - PID 744: nslookup carder.bit ns2.wowservers.ru
  - PID 1868: nslookup ransomware.bit ns1.wowservers.ru
  - PID 2384: nslookup carder.bit ns1.wowservers.ru
  - PID 2920: nslookup ransomware.bit ns2.wowservers.ru
-
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 4KB
  MD5: 3a5d637ba83eaafdc89d0623175f3568
  SHA1: cb987f363097369154e0fd1b60042a310f2f4926
  SHA256: 179754ac0d01e340b0aca186362e2da4bea1fd266a0680d749b28a17a3dfbad2
  SHA512: 13954d047122efe0ecaf07e384b033ef00b730da18525eded610668a36fec935a2bf9b2c1b30b64eb6cd18a807061ebf28b8c812dab069d114e764138342bdf4