Analysis
-
max time kernel
119s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20241023-en -
resource tags
arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system -
submitted
19-12-2024 21:35
Static task
static1
Behavioral task
behavioral1
Sample
02fbbb032a9a66d6cfbe2ef2cad2b8466f4f9d29b84c86a26106e727b4d21f15N.exe
Resource
win7-20241023-en
Behavioral task
behavioral2
Sample
02fbbb032a9a66d6cfbe2ef2cad2b8466f4f9d29b84c86a26106e727b4d21f15N.exe
Resource
win10v2004-20241007-en
General
-
Target
02fbbb032a9a66d6cfbe2ef2cad2b8466f4f9d29b84c86a26106e727b4d21f15N.exe
-
Size
321KB
-
MD5
47e0113790ce12370edea2fe5cc337a0
-
SHA1
509383fcc1dc2ef59faddcbf535fae3adafee30f
-
SHA256
02fbbb032a9a66d6cfbe2ef2cad2b8466f4f9d29b84c86a26106e727b4d21f15
-
SHA512
892b1fec4f8dc82a9b1ef54c7c0f4ae061d94e1090411eb9f1ccfb41c141336622ec46e8546fab234bdf9e739fdebc886d41a839136bb6eef0d1111adaab1458
-
SSDEEP
6144:PfwD/eHK1rGTAOfrIV/QHxOtJkkgYsGGdzKLK:PfwDz1+q4Hsi+LK
Malware Config
Signatures
-
GandCrab payload 4 IoCs
resource yara_rule behavioral1/memory/2128-6-0x0000000000400000-0x000000000045F000-memory.dmp family_gandcrab behavioral1/memory/2128-4-0x0000000000360000-0x0000000000377000-memory.dmp family_gandcrab behavioral1/memory/2128-3-0x0000000000400000-0x000000000045F000-memory.dmp family_gandcrab behavioral1/memory/2128-13-0x0000000000400000-0x000000000042C000-memory.dmp family_gandcrab -
Gandcrab
Gandcrab is a Trojan horse that encrypts files on a computer.
-
Gandcrab family
-
Unexpected DNS network traffic destination 64 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
description ioc Destination IP 107.178.223.183 Destination IP 107.178.223.183 Destination IP 107.178.223.183 Destination IP 107.178.223.183 Destination IP 107.178.223.183 Destination IP 107.178.223.183 Destination IP 107.178.223.183 Destination IP 107.178.223.183 Destination IP 107.178.223.183 Destination IP 107.178.223.183 Destination IP 107.178.223.183 Destination IP 107.178.223.183 Destination IP 107.178.223.183 Destination IP 107.178.223.183 Destination IP 107.178.223.183 Destination IP 107.178.223.183 Destination IP 107.178.223.183 Destination IP 107.178.223.183 Destination IP 107.178.223.183 Destination IP 107.178.223.183 Destination IP 107.178.223.183 Destination IP 107.178.223.183 Destination IP 107.178.223.183 Destination IP 107.178.223.183 Destination IP 107.178.223.183 Destination IP 107.178.223.183 Destination IP 107.178.223.183 Destination IP 107.178.223.183 Destination IP 107.178.223.183 Destination IP 107.178.223.183 Destination IP 107.178.223.183 Destination IP 107.178.223.183 Destination IP 107.178.223.183 Destination IP 107.178.223.183 Destination IP 107.178.223.183 Destination IP 107.178.223.183 Destination IP 107.178.223.183 Destination IP 107.178.223.183 Destination IP 107.178.223.183 Destination IP 107.178.223.183 Destination IP 107.178.223.183 Destination IP 107.178.223.183 Destination IP 107.178.223.183 Destination IP 107.178.223.183 Destination IP 107.178.223.183 Destination IP 107.178.223.183 Destination IP 107.178.223.183 Destination IP 107.178.223.183 Destination IP 107.178.223.183 Destination IP 107.178.223.183 Destination IP 107.178.223.183 Destination IP 107.178.223.183 Destination IP 107.178.223.183 Destination IP 107.178.223.183 Destination IP 107.178.223.183 Destination IP 107.178.223.183 Destination IP 107.178.223.183 Destination IP 107.178.223.183 Destination IP 107.178.223.183 Destination IP 107.178.223.183 Destination IP 107.178.223.183 Destination IP 107.178.223.183 Destination IP 107.178.223.183 Destination IP 107.178.223.183 -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\feguxtxuwlb = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\vivojp.exe\"" 02fbbb032a9a66d6cfbe2ef2cad2b8466f4f9d29b84c86a26106e727b4d21f15N.exe -
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\Y: 02fbbb032a9a66d6cfbe2ef2cad2b8466f4f9d29b84c86a26106e727b4d21f15N.exe File opened (read-only) \??\A: 02fbbb032a9a66d6cfbe2ef2cad2b8466f4f9d29b84c86a26106e727b4d21f15N.exe File opened (read-only) \??\H: 02fbbb032a9a66d6cfbe2ef2cad2b8466f4f9d29b84c86a26106e727b4d21f15N.exe File opened (read-only) \??\I: 02fbbb032a9a66d6cfbe2ef2cad2b8466f4f9d29b84c86a26106e727b4d21f15N.exe File opened (read-only) \??\L: 02fbbb032a9a66d6cfbe2ef2cad2b8466f4f9d29b84c86a26106e727b4d21f15N.exe File opened (read-only) \??\V: 02fbbb032a9a66d6cfbe2ef2cad2b8466f4f9d29b84c86a26106e727b4d21f15N.exe File opened (read-only) \??\E: 02fbbb032a9a66d6cfbe2ef2cad2b8466f4f9d29b84c86a26106e727b4d21f15N.exe File opened (read-only) \??\G: 02fbbb032a9a66d6cfbe2ef2cad2b8466f4f9d29b84c86a26106e727b4d21f15N.exe File opened (read-only) \??\P: 02fbbb032a9a66d6cfbe2ef2cad2b8466f4f9d29b84c86a26106e727b4d21f15N.exe File opened (read-only) \??\S: 02fbbb032a9a66d6cfbe2ef2cad2b8466f4f9d29b84c86a26106e727b4d21f15N.exe File opened (read-only) \??\U: 02fbbb032a9a66d6cfbe2ef2cad2b8466f4f9d29b84c86a26106e727b4d21f15N.exe File opened (read-only) \??\J: 02fbbb032a9a66d6cfbe2ef2cad2b8466f4f9d29b84c86a26106e727b4d21f15N.exe File opened (read-only) \??\Q: 02fbbb032a9a66d6cfbe2ef2cad2b8466f4f9d29b84c86a26106e727b4d21f15N.exe File opened (read-only) \??\T: 02fbbb032a9a66d6cfbe2ef2cad2b8466f4f9d29b84c86a26106e727b4d21f15N.exe File opened (read-only) \??\X: 02fbbb032a9a66d6cfbe2ef2cad2b8466f4f9d29b84c86a26106e727b4d21f15N.exe File opened (read-only) \??\R: 02fbbb032a9a66d6cfbe2ef2cad2b8466f4f9d29b84c86a26106e727b4d21f15N.exe File opened (read-only) \??\W: 02fbbb032a9a66d6cfbe2ef2cad2b8466f4f9d29b84c86a26106e727b4d21f15N.exe File opened (read-only) \??\Z: 02fbbb032a9a66d6cfbe2ef2cad2b8466f4f9d29b84c86a26106e727b4d21f15N.exe File opened (read-only) \??\B: 02fbbb032a9a66d6cfbe2ef2cad2b8466f4f9d29b84c86a26106e727b4d21f15N.exe File opened (read-only) \??\K: 02fbbb032a9a66d6cfbe2ef2cad2b8466f4f9d29b84c86a26106e727b4d21f15N.exe File opened (read-only) \??\M: 02fbbb032a9a66d6cfbe2ef2cad2b8466f4f9d29b84c86a26106e727b4d21f15N.exe File opened (read-only) \??\N: 02fbbb032a9a66d6cfbe2ef2cad2b8466f4f9d29b84c86a26106e727b4d21f15N.exe File opened (read-only) \??\O: 02fbbb032a9a66d6cfbe2ef2cad2b8466f4f9d29b84c86a26106e727b4d21f15N.exe -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nslookup.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nslookup.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nslookup.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nslookup.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nslookup.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nslookup.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nslookup.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nslookup.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nslookup.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nslookup.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nslookup.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nslookup.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nslookup.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nslookup.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nslookup.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nslookup.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nslookup.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nslookup.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nslookup.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nslookup.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nslookup.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nslookup.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nslookup.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nslookup.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nslookup.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nslookup.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nslookup.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nslookup.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nslookup.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nslookup.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nslookup.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 02fbbb032a9a66d6cfbe2ef2cad2b8466f4f9d29b84c86a26106e727b4d21f15N.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nslookup.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nslookup.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nslookup.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nslookup.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nslookup.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nslookup.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nslookup.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nslookup.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nslookup.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nslookup.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nslookup.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nslookup.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nslookup.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nslookup.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nslookup.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nslookup.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nslookup.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nslookup.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nslookup.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nslookup.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nslookup.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nslookup.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nslookup.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nslookup.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nslookup.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nslookup.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nslookup.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nslookup.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nslookup.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nslookup.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nslookup.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nslookup.exe -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 02fbbb032a9a66d6cfbe2ef2cad2b8466f4f9d29b84c86a26106e727b4d21f15N.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString 02fbbb032a9a66d6cfbe2ef2cad2b8466f4f9d29b84c86a26106e727b4d21f15N.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier 02fbbb032a9a66d6cfbe2ef2cad2b8466f4f9d29b84c86a26106e727b4d21f15N.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 2128 02fbbb032a9a66d6cfbe2ef2cad2b8466f4f9d29b84c86a26106e727b4d21f15N.exe 2128 02fbbb032a9a66d6cfbe2ef2cad2b8466f4f9d29b84c86a26106e727b4d21f15N.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2128 wrote to memory of 2484 2128 02fbbb032a9a66d6cfbe2ef2cad2b8466f4f9d29b84c86a26106e727b4d21f15N.exe 30 PID 2128 wrote to memory of 2484 2128 02fbbb032a9a66d6cfbe2ef2cad2b8466f4f9d29b84c86a26106e727b4d21f15N.exe 30 PID 2128 wrote to memory of 2484 2128 02fbbb032a9a66d6cfbe2ef2cad2b8466f4f9d29b84c86a26106e727b4d21f15N.exe 30 PID 2128 wrote to memory of 2484 2128 02fbbb032a9a66d6cfbe2ef2cad2b8466f4f9d29b84c86a26106e727b4d21f15N.exe 30 PID 2128 wrote to memory of 2848 2128 02fbbb032a9a66d6cfbe2ef2cad2b8466f4f9d29b84c86a26106e727b4d21f15N.exe 32 PID 2128 wrote to memory of 2848 2128 02fbbb032a9a66d6cfbe2ef2cad2b8466f4f9d29b84c86a26106e727b4d21f15N.exe 32 PID 2128 wrote to memory of 2848 2128 02fbbb032a9a66d6cfbe2ef2cad2b8466f4f9d29b84c86a26106e727b4d21f15N.exe 32 PID 2128 wrote to memory of 2848 2128 02fbbb032a9a66d6cfbe2ef2cad2b8466f4f9d29b84c86a26106e727b4d21f15N.exe 32 PID 2128 wrote to memory of 2776 2128 02fbbb032a9a66d6cfbe2ef2cad2b8466f4f9d29b84c86a26106e727b4d21f15N.exe 34 PID 2128 wrote to memory of 2776 2128 02fbbb032a9a66d6cfbe2ef2cad2b8466f4f9d29b84c86a26106e727b4d21f15N.exe 34 PID 2128 wrote to memory of 2776 2128 02fbbb032a9a66d6cfbe2ef2cad2b8466f4f9d29b84c86a26106e727b4d21f15N.exe 34 PID 2128 wrote to memory of 2776 2128 02fbbb032a9a66d6cfbe2ef2cad2b8466f4f9d29b84c86a26106e727b4d21f15N.exe 34 PID 2128 wrote to memory of 2924 2128 02fbbb032a9a66d6cfbe2ef2cad2b8466f4f9d29b84c86a26106e727b4d21f15N.exe 36 PID 2128 wrote to memory of 2924 2128 02fbbb032a9a66d6cfbe2ef2cad2b8466f4f9d29b84c86a26106e727b4d21f15N.exe 36 PID 2128 wrote to memory of 2924 2128 02fbbb032a9a66d6cfbe2ef2cad2b8466f4f9d29b84c86a26106e727b4d21f15N.exe 36 PID 2128 wrote to memory of 2924 2128 02fbbb032a9a66d6cfbe2ef2cad2b8466f4f9d29b84c86a26106e727b4d21f15N.exe 36 PID 2128 wrote to memory of 2792 2128 02fbbb032a9a66d6cfbe2ef2cad2b8466f4f9d29b84c86a26106e727b4d21f15N.exe 38 PID 2128 wrote to memory of 2792 2128 02fbbb032a9a66d6cfbe2ef2cad2b8466f4f9d29b84c86a26106e727b4d21f15N.exe 38 PID 2128 wrote to memory of 2792 2128 02fbbb032a9a66d6cfbe2ef2cad2b8466f4f9d29b84c86a26106e727b4d21f15N.exe 38 PID 2128 wrote to memory of 2792 2128 02fbbb032a9a66d6cfbe2ef2cad2b8466f4f9d29b84c86a26106e727b4d21f15N.exe 38 PID 2128 wrote to memory of 2784 2128 02fbbb032a9a66d6cfbe2ef2cad2b8466f4f9d29b84c86a26106e727b4d21f15N.exe 40 PID 2128 wrote to memory of 2784 2128 02fbbb032a9a66d6cfbe2ef2cad2b8466f4f9d29b84c86a26106e727b4d21f15N.exe 40 PID 2128 wrote to memory of 2784 2128 02fbbb032a9a66d6cfbe2ef2cad2b8466f4f9d29b84c86a26106e727b4d21f15N.exe 40 PID 2128 wrote to memory of 2784 2128 02fbbb032a9a66d6cfbe2ef2cad2b8466f4f9d29b84c86a26106e727b4d21f15N.exe 40 PID 2128 wrote to memory of 2428 2128 02fbbb032a9a66d6cfbe2ef2cad2b8466f4f9d29b84c86a26106e727b4d21f15N.exe 42 PID 2128 wrote to memory of 2428 2128 02fbbb032a9a66d6cfbe2ef2cad2b8466f4f9d29b84c86a26106e727b4d21f15N.exe 42 PID 2128 wrote to memory of 2428 2128 02fbbb032a9a66d6cfbe2ef2cad2b8466f4f9d29b84c86a26106e727b4d21f15N.exe 42 PID 2128 wrote to memory of 2428 2128 02fbbb032a9a66d6cfbe2ef2cad2b8466f4f9d29b84c86a26106e727b4d21f15N.exe 42 PID 2128 wrote to memory of 2708 2128 02fbbb032a9a66d6cfbe2ef2cad2b8466f4f9d29b84c86a26106e727b4d21f15N.exe 44 PID 2128 wrote to memory of 2708 2128 02fbbb032a9a66d6cfbe2ef2cad2b8466f4f9d29b84c86a26106e727b4d21f15N.exe 44 PID 2128 wrote to memory of 2708 2128 02fbbb032a9a66d6cfbe2ef2cad2b8466f4f9d29b84c86a26106e727b4d21f15N.exe 44 PID 2128 wrote to memory of 2708 2128 02fbbb032a9a66d6cfbe2ef2cad2b8466f4f9d29b84c86a26106e727b4d21f15N.exe 44 PID 2128 wrote to memory of 2680 2128 02fbbb032a9a66d6cfbe2ef2cad2b8466f4f9d29b84c86a26106e727b4d21f15N.exe 46 PID 2128 wrote to memory of 2680 2128 02fbbb032a9a66d6cfbe2ef2cad2b8466f4f9d29b84c86a26106e727b4d21f15N.exe 46 PID 2128 wrote to memory of 2680 2128 02fbbb032a9a66d6cfbe2ef2cad2b8466f4f9d29b84c86a26106e727b4d21f15N.exe 46 PID 2128 wrote to memory of 2680 2128 02fbbb032a9a66d6cfbe2ef2cad2b8466f4f9d29b84c86a26106e727b4d21f15N.exe 46 PID 2128 wrote to memory of 2432 2128 02fbbb032a9a66d6cfbe2ef2cad2b8466f4f9d29b84c86a26106e727b4d21f15N.exe 48 PID 2128 wrote to memory of 2432 2128 02fbbb032a9a66d6cfbe2ef2cad2b8466f4f9d29b84c86a26106e727b4d21f15N.exe 48 PID 2128 wrote to memory of 2432 2128 02fbbb032a9a66d6cfbe2ef2cad2b8466f4f9d29b84c86a26106e727b4d21f15N.exe 48 PID 2128 wrote to memory of 2432 2128 02fbbb032a9a66d6cfbe2ef2cad2b8466f4f9d29b84c86a26106e727b4d21f15N.exe 48 PID 2128 wrote to memory of 2712 2128 02fbbb032a9a66d6cfbe2ef2cad2b8466f4f9d29b84c86a26106e727b4d21f15N.exe 50 PID 2128 wrote to memory of 2712 2128 02fbbb032a9a66d6cfbe2ef2cad2b8466f4f9d29b84c86a26106e727b4d21f15N.exe 50 PID 2128 wrote to memory of 2712 2128 02fbbb032a9a66d6cfbe2ef2cad2b8466f4f9d29b84c86a26106e727b4d21f15N.exe 50 PID 2128 wrote to memory of 2712 2128 02fbbb032a9a66d6cfbe2ef2cad2b8466f4f9d29b84c86a26106e727b4d21f15N.exe 50 PID 2128 wrote to memory of 2204 2128 02fbbb032a9a66d6cfbe2ef2cad2b8466f4f9d29b84c86a26106e727b4d21f15N.exe 52 PID 2128 wrote to memory of 2204 2128 02fbbb032a9a66d6cfbe2ef2cad2b8466f4f9d29b84c86a26106e727b4d21f15N.exe 52 PID 2128 wrote to memory of 2204 2128 02fbbb032a9a66d6cfbe2ef2cad2b8466f4f9d29b84c86a26106e727b4d21f15N.exe 52 PID 2128 wrote to memory of 2204 2128 02fbbb032a9a66d6cfbe2ef2cad2b8466f4f9d29b84c86a26106e727b4d21f15N.exe 52 PID 2128 wrote to memory of 2388 2128 02fbbb032a9a66d6cfbe2ef2cad2b8466f4f9d29b84c86a26106e727b4d21f15N.exe 54 PID 2128 wrote to memory of 2388 2128 02fbbb032a9a66d6cfbe2ef2cad2b8466f4f9d29b84c86a26106e727b4d21f15N.exe 54 PID 2128 wrote to memory of 2388 2128 02fbbb032a9a66d6cfbe2ef2cad2b8466f4f9d29b84c86a26106e727b4d21f15N.exe 54 PID 2128 wrote to memory of 2388 2128 02fbbb032a9a66d6cfbe2ef2cad2b8466f4f9d29b84c86a26106e727b4d21f15N.exe 54 PID 2128 wrote to memory of 2264 2128 02fbbb032a9a66d6cfbe2ef2cad2b8466f4f9d29b84c86a26106e727b4d21f15N.exe 56 PID 2128 wrote to memory of 2264 2128 02fbbb032a9a66d6cfbe2ef2cad2b8466f4f9d29b84c86a26106e727b4d21f15N.exe 56 PID 2128 wrote to memory of 2264 2128 02fbbb032a9a66d6cfbe2ef2cad2b8466f4f9d29b84c86a26106e727b4d21f15N.exe 56 PID 2128 wrote to memory of 2264 2128 02fbbb032a9a66d6cfbe2ef2cad2b8466f4f9d29b84c86a26106e727b4d21f15N.exe 56 PID 2128 wrote to memory of 2340 2128 02fbbb032a9a66d6cfbe2ef2cad2b8466f4f9d29b84c86a26106e727b4d21f15N.exe 58 PID 2128 wrote to memory of 2340 2128 02fbbb032a9a66d6cfbe2ef2cad2b8466f4f9d29b84c86a26106e727b4d21f15N.exe 58 PID 2128 wrote to memory of 2340 2128 02fbbb032a9a66d6cfbe2ef2cad2b8466f4f9d29b84c86a26106e727b4d21f15N.exe 58 PID 2128 wrote to memory of 2340 2128 02fbbb032a9a66d6cfbe2ef2cad2b8466f4f9d29b84c86a26106e727b4d21f15N.exe 58 PID 2128 wrote to memory of 2416 2128 02fbbb032a9a66d6cfbe2ef2cad2b8466f4f9d29b84c86a26106e727b4d21f15N.exe 60 PID 2128 wrote to memory of 2416 2128 02fbbb032a9a66d6cfbe2ef2cad2b8466f4f9d29b84c86a26106e727b4d21f15N.exe 60 PID 2128 wrote to memory of 2416 2128 02fbbb032a9a66d6cfbe2ef2cad2b8466f4f9d29b84c86a26106e727b4d21f15N.exe 60 PID 2128 wrote to memory of 2416 2128 02fbbb032a9a66d6cfbe2ef2cad2b8466f4f9d29b84c86a26106e727b4d21f15N.exe 60
Processes
-
C:\Users\Admin\AppData\Local\Temp\02fbbb032a9a66d6cfbe2ef2cad2b8466f4f9d29b84c86a26106e727b4d21f15N.exe"C:\Users\Admin\AppData\Local\Temp\02fbbb032a9a66d6cfbe2ef2cad2b8466f4f9d29b84c86a26106e727b4d21f15N.exe"1⤵
- Adds Run key to start application
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2128 -
C:\Windows\SysWOW64\nslookup.exenslookup carder.bit ns1.wowservers.ru2⤵
- System Location Discovery: System Language Discovery
PID:2484
-
-
C:\Windows\SysWOW64\nslookup.exenslookup ransomware.bit ns2.wowservers.ru2⤵
- System Location Discovery: System Language Discovery
PID:2848
-
-
C:\Windows\SysWOW64\nslookup.exenslookup carder.bit ns2.wowservers.ru2⤵
- System Location Discovery: System Language Discovery
PID:2776
-
-
C:\Windows\SysWOW64\nslookup.exenslookup ransomware.bit ns1.wowservers.ru2⤵
- System Location Discovery: System Language Discovery
PID:2924
-
-
C:\Windows\SysWOW64\nslookup.exenslookup carder.bit ns1.wowservers.ru2⤵
- System Location Discovery: System Language Discovery
PID:2792
-
-
C:\Windows\SysWOW64\nslookup.exenslookup ransomware.bit ns2.wowservers.ru2⤵
- System Location Discovery: System Language Discovery
PID:2784
-
-
C:\Windows\SysWOW64\nslookup.exenslookup carder.bit ns2.wowservers.ru2⤵
- System Location Discovery: System Language Discovery
PID:2428
-
-
C:\Windows\SysWOW64\nslookup.exenslookup ransomware.bit ns1.wowservers.ru2⤵
- System Location Discovery: System Language Discovery
PID:2708
-
-
C:\Windows\SysWOW64\nslookup.exenslookup carder.bit ns1.wowservers.ru2⤵
- System Location Discovery: System Language Discovery
PID:2680
-
-
C:\Windows\SysWOW64\nslookup.exenslookup ransomware.bit ns2.wowservers.ru2⤵
- System Location Discovery: System Language Discovery
PID:2432
-
-
C:\Windows\SysWOW64\nslookup.exenslookup carder.bit ns2.wowservers.ru2⤵
- System Location Discovery: System Language Discovery
PID:2712
-
-
C:\Windows\SysWOW64\nslookup.exenslookup ransomware.bit ns1.wowservers.ru2⤵
- System Location Discovery: System Language Discovery
PID:2204
-
-
C:\Windows\SysWOW64\nslookup.exenslookup carder.bit ns1.wowservers.ru2⤵
- System Location Discovery: System Language Discovery
PID:2388
-
-
C:\Windows\SysWOW64\nslookup.exenslookup ransomware.bit ns2.wowservers.ru2⤵
- System Location Discovery: System Language Discovery
PID:2264
-
-
C:\Windows\SysWOW64\nslookup.exenslookup carder.bit ns2.wowservers.ru2⤵
- System Location Discovery: System Language Discovery
PID:2340
-
-
C:\Windows\SysWOW64\nslookup.exenslookup ransomware.bit ns1.wowservers.ru2⤵
- System Location Discovery: System Language Discovery
PID:2416
-
-
C:\Windows\SysWOW64\nslookup.exenslookup carder.bit ns1.wowservers.ru2⤵
- System Location Discovery: System Language Discovery
PID:2212
-
-
C:\Windows\SysWOW64\nslookup.exenslookup ransomware.bit ns2.wowservers.ru2⤵
- System Location Discovery: System Language Discovery
PID:2056
-
-
C:\Windows\SysWOW64\nslookup.exenslookup carder.bit ns2.wowservers.ru2⤵
- System Location Discovery: System Language Discovery
PID:2284
-
-
C:\Windows\SysWOW64\nslookup.exenslookup ransomware.bit ns1.wowservers.ru2⤵
- System Location Discovery: System Language Discovery
PID:1944
-
-
C:\Windows\SysWOW64\nslookup.exenslookup carder.bit ns1.wowservers.ru2⤵PID:1684
-
-
C:\Windows\SysWOW64\nslookup.exenslookup ransomware.bit ns2.wowservers.ru2⤵
- System Location Discovery: System Language Discovery
PID:2628
-
-
C:\Windows\SysWOW64\nslookup.exenslookup carder.bit ns2.wowservers.ru2⤵
- System Location Discovery: System Language Discovery
PID:1836
-
-
C:\Windows\SysWOW64\nslookup.exenslookup ransomware.bit ns1.wowservers.ru2⤵
- System Location Discovery: System Language Discovery
PID:1948
-
-
C:\Windows\SysWOW64\nslookup.exenslookup carder.bit ns1.wowservers.ru2⤵
- System Location Discovery: System Language Discovery
PID:1752
-
-
C:\Windows\SysWOW64\nslookup.exenslookup ransomware.bit ns2.wowservers.ru2⤵
- System Location Discovery: System Language Discovery
PID:1556
-
-
C:\Windows\SysWOW64\nslookup.exenslookup carder.bit ns2.wowservers.ru2⤵
- System Location Discovery: System Language Discovery
PID:2632
-
-
C:\Windows\SysWOW64\nslookup.exenslookup ransomware.bit ns1.wowservers.ru2⤵
- System Location Discovery: System Language Discovery
PID:1568
-
-
C:\Windows\SysWOW64\nslookup.exenslookup carder.bit ns1.wowservers.ru2⤵
- System Location Discovery: System Language Discovery
PID:2064
-
-
C:\Windows\SysWOW64\nslookup.exenslookup ransomware.bit ns2.wowservers.ru2⤵
- System Location Discovery: System Language Discovery
PID:1760
-
-
C:\Windows\SysWOW64\nslookup.exenslookup carder.bit ns2.wowservers.ru2⤵
- System Location Discovery: System Language Discovery
PID:308
-
-
C:\Windows\SysWOW64\nslookup.exenslookup ransomware.bit ns1.wowservers.ru2⤵
- System Location Discovery: System Language Discovery
PID:1976
-
-
C:\Windows\SysWOW64\nslookup.exenslookup carder.bit ns1.wowservers.ru2⤵
- System Location Discovery: System Language Discovery
PID:2716
-
-
C:\Windows\SysWOW64\nslookup.exenslookup ransomware.bit ns2.wowservers.ru2⤵
- System Location Discovery: System Language Discovery
PID:2884
-
-
C:\Windows\SysWOW64\nslookup.exenslookup carder.bit ns2.wowservers.ru2⤵PID:1060
-
-
C:\Windows\SysWOW64\nslookup.exenslookup ransomware.bit ns1.wowservers.ru2⤵
- System Location Discovery: System Language Discovery
PID:2228
-
-
C:\Windows\SysWOW64\nslookup.exenslookup carder.bit ns1.wowservers.ru2⤵PID:712
-
-
C:\Windows\SysWOW64\nslookup.exenslookup ransomware.bit ns2.wowservers.ru2⤵
- System Location Discovery: System Language Discovery
PID:888
-
-
C:\Windows\SysWOW64\nslookup.exenslookup carder.bit ns2.wowservers.ru2⤵
- System Location Discovery: System Language Discovery
PID:2704
-
-
C:\Windows\SysWOW64\nslookup.exenslookup ransomware.bit ns1.wowservers.ru2⤵
- System Location Discovery: System Language Discovery
PID:2332
-
-
C:\Windows\SysWOW64\nslookup.exenslookup carder.bit ns1.wowservers.ru2⤵
- System Location Discovery: System Language Discovery
PID:2324
-
-
C:\Windows\SysWOW64\nslookup.exenslookup ransomware.bit ns2.wowservers.ru2⤵
- System Location Discovery: System Language Discovery
PID:1148
-
-
C:\Windows\SysWOW64\nslookup.exenslookup carder.bit ns2.wowservers.ru2⤵PID:2476
-
-
C:\Windows\SysWOW64\nslookup.exenslookup ransomware.bit ns1.wowservers.ru2⤵
- System Location Discovery: System Language Discovery
PID:2464
-
-
C:\Windows\SysWOW64\nslookup.exenslookup carder.bit ns1.wowservers.ru2⤵
- System Location Discovery: System Language Discovery
PID:2800
-
-
C:\Windows\SysWOW64\nslookup.exenslookup ransomware.bit ns2.wowservers.ru2⤵
- System Location Discovery: System Language Discovery
PID:1588
-
-
C:\Windows\SysWOW64\nslookup.exenslookup carder.bit ns2.wowservers.ru2⤵
- System Location Discovery: System Language Discovery
PID:2840
-
-
C:\Windows\SysWOW64\nslookup.exenslookup ransomware.bit ns1.wowservers.ru2⤵PID:2780
-
-
C:\Windows\SysWOW64\nslookup.exenslookup carder.bit ns1.wowservers.ru2⤵
- System Location Discovery: System Language Discovery
PID:2720
-
-
C:\Windows\SysWOW64\nslookup.exenslookup ransomware.bit ns2.wowservers.ru2⤵
- System Location Discovery: System Language Discovery
PID:2328
-
-
C:\Windows\SysWOW64\nslookup.exenslookup carder.bit ns2.wowservers.ru2⤵
- System Location Discovery: System Language Discovery
PID:1052
-
-
C:\Windows\SysWOW64\nslookup.exenslookup ransomware.bit ns1.wowservers.ru2⤵
- System Location Discovery: System Language Discovery
PID:2216
-
-
C:\Windows\SysWOW64\nslookup.exenslookup carder.bit ns1.wowservers.ru2⤵
- System Location Discovery: System Language Discovery
PID:2176
-
-
C:\Windows\SysWOW64\nslookup.exenslookup ransomware.bit ns2.wowservers.ru2⤵
- System Location Discovery: System Language Discovery
PID:2424
-
-
C:\Windows\SysWOW64\nslookup.exenslookup carder.bit ns2.wowservers.ru2⤵
- System Location Discovery: System Language Discovery
PID:2232
-
-
C:\Windows\SysWOW64\nslookup.exenslookup ransomware.bit ns1.wowservers.ru2⤵
- System Location Discovery: System Language Discovery
PID:1528
-
-
C:\Windows\SysWOW64\nslookup.exenslookup carder.bit ns1.wowservers.ru2⤵
- System Location Discovery: System Language Discovery
PID:2304
-
-
C:\Windows\SysWOW64\nslookup.exenslookup ransomware.bit ns2.wowservers.ru2⤵
- System Location Discovery: System Language Discovery
PID:2456
-
-
C:\Windows\SysWOW64\nslookup.exenslookup carder.bit ns2.wowservers.ru2⤵
- System Location Discovery: System Language Discovery
PID:956
-
-
C:\Windows\SysWOW64\nslookup.exenslookup ransomware.bit ns1.wowservers.ru2⤵
- System Location Discovery: System Language Discovery
PID:1576
-
-
C:\Windows\SysWOW64\nslookup.exenslookup carder.bit ns1.wowservers.ru2⤵
- System Location Discovery: System Language Discovery
PID:1268
-
-
C:\Windows\SysWOW64\nslookup.exenslookup ransomware.bit ns2.wowservers.ru2⤵
- System Location Discovery: System Language Discovery
PID:2032
-
-
C:\Windows\SysWOW64\nslookup.exenslookup carder.bit ns2.wowservers.ru2⤵
- System Location Discovery: System Language Discovery
PID:1120
-
-
C:\Windows\SysWOW64\nslookup.exenslookup ransomware.bit ns1.wowservers.ru2⤵
- System Location Discovery: System Language Discovery
PID:1208
-
-
C:\Windows\SysWOW64\nslookup.exenslookup carder.bit ns1.wowservers.ru2⤵
- System Location Discovery: System Language Discovery
PID:1012
-
-
C:\Windows\SysWOW64\nslookup.exenslookup ransomware.bit ns2.wowservers.ru2⤵
- System Location Discovery: System Language Discovery
PID:1792
-
-
C:\Windows\SysWOW64\nslookup.exenslookup carder.bit ns2.wowservers.ru2⤵
- System Location Discovery: System Language Discovery
PID:772
-
-
C:\Windows\SysWOW64\nslookup.exenslookup ransomware.bit ns1.wowservers.ru2⤵PID:1932
-
-
C:\Windows\SysWOW64\nslookup.exenslookup carder.bit ns1.wowservers.ru2⤵
- System Location Discovery: System Language Discovery
PID:1640
-