Analysis
Max time kernel: 120s
Max time network: 119s
Platform: windows7_x64
Resource: win7-20240903-en
Resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
Submitted: 19-12-2024 20:39
Static task: static1
Behavioral task: behavioral1
  Sample: 0351ef062484c1622ab574835ae1bd4f5e2c0142d8a6f207c8760df8d5e07800N.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 0351ef062484c1622ab574835ae1bd4f5e2c0142d8a6f207c8760df8d5e07800N.exe
  Resource: win10v2004-20241007-en
General
Target: 0351ef062484c1622ab574835ae1bd4f5e2c0142d8a6f207c8760df8d5e07800N.exe
Size: 244KB
MD5: 57772ebf37c3c7376a932a39c1c7f770
SHA1: eac21915ff9db1604b77efcfd788bce5a051cb3a
SHA256: 0351ef062484c1622ab574835ae1bd4f5e2c0142d8a6f207c8760df8d5e07800
SHA512: 2b1696e813912681063b0ae1463011463ea05380e18586d0d5fd6185c9a5c45077af192c90ed9db2f23ee8b879ce773befa781553a00080d5202c5d831b8f982
SSDEEP: 3072:3q8QC2mCC97sjM2TGm54rYREkcuX8FdXIsLCiQU2jgXQk0rCQRGEsriUIwrmuVUt:zKwm5RDOCiQFju0ubEslxrmt
Malware Config
Signatures
GandCrab payload 4 IoCs
resource | yara_rule
behavioral1/memory/2692-258-0x0000000000400000-0x000000000044E000-memory.dmp | family_gandcrab
behavioral1/memory/2692-261-0x0000000000400000-0x000000000044E000-memory.dmp | family_gandcrab
behavioral1/memory/2692-259-0x0000000000450000-0x0000000000467000-memory.dmp | family_gandcrab
behavioral1/memory/2692-268-0x0000000000400000-0x000000000042C000-memory.dmp | family_gandcrab
Gandcrab
Gandcrab is a Trojan horse that encrypts files on a computer.
Gandcrab family
Unexpected DNS network traffic destination 64 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
description | ioc
Destination IP | 107.178.223.183
Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ambiobjqkgk = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\zyxyqj.exe\"" | 0351ef062484c1622ab574835ae1bd4f5e2c0142d8a6f207c8760df8d5e07800N.exe
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Drops file in Windows directory 1 IoCs
description | ioc | Process
File opened for modification | C:\Windows\win.ini | 0351ef062484c1622ab574835ae1bd4f5e2c0142d8a6f207c8760df8d5e07800N.exe
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | 0351ef062484c1622ab574835ae1bd4f5e2c0142d8a6f207c8760df8d5e07800N.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | 0351ef062484c1622ab574835ae1bd4f5e2c0142d8a6f207c8760df8d5e07800N.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | 0351ef062484c1622ab574835ae1bd4f5e2c0142d8a6f207c8760df8d5e07800N.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid | Process
2692 | 0351ef062484c1622ab574835ae1bd4f5e2c0142d8a6f207c8760df8d5e07800N.exe
2692 | 0351ef062484c1622ab574835ae1bd4f5e2c0142d8a6f207c8760df8d5e07800N.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes
C:\Users\Admin\AppData\Local\Temp\0351ef062484c1622ab574835ae1bd4f5e2c0142d8a6f207c8760df8d5e07800N.exe (depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\0351ef062484c1622ab574835ae1bd4f5e2c0142d8a6f207c8760df8d5e07800N.exe"
PID: 2692
- Adds Run key to start application
- Enumerates connected drives
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\nslookup.exe (depth 2)
Command line: nslookup carder.bit ns1.wowservers.ru
PID: 1228
- System Location Discovery: System Language Discovery

C:\Windows\SysWOW64\nslookup.exe (depth 2)
Command line: nslookup ransomware.bit ns2.wowservers.ru
PID: 1660
- System Location Discovery: System Language Discovery

C:\Windows\SysWOW64\nslookup.exe (depth 2)
Command line: nslookup carder.bit ns2.wowservers.ru
PID: 1900
- System Location Discovery: System Language Discovery

C:\Windows\SysWOW64\nslookup.exe (depth 2)
Command line: nslookup ransomware.bit ns1.wowservers.ru
PID: 808