Analysis
- max time kernel: 150s
- max time network: 149s
- platform: windows7_x64
- resource: win7-20241023-en
- resource tags: arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
- submitted: 09/01/2025, 14:45
Static task: static1
Behavioral task: behavioral1
- Sample: JaffaCakes118_cadb52385ded087de7fae5b2413c37cb.exe
- Resource: win7-20241023-en
Behavioral task: behavioral2
- Sample: JaffaCakes118_cadb52385ded087de7fae5b2413c37cb.exe
- Resource: win10v2004-20241007-en
General
- Target: JaffaCakes118_cadb52385ded087de7fae5b2413c37cb.exe
- Size: 291KB
- MD5: cadb52385ded087de7fae5b2413c37cb
- SHA1: 82af0fbb6ebe148ee6f771dbbe7adb2dddd0287a
- SHA256: 29708b8f7245cfe7e47d363ab1cd0006027e334870791461d126e37751c054a0
- SHA512: 8eb67074cf22243c52484eb6cd978ed50420e702c5862cf3649d001dab064ac4ccc685ac0e53da3e5cb77143d46286791664731c493c4bb9934dff5cad90c3e2
- SSDEEP: 3072:PHA3izhGQXZDoO6BHi/Fy+XvQBAg0Fujhf1wxcSbL7vf92/WNvbPALS1HKdYHMwB:nvoO0i4AOVwFdrNvbP8/YHMmoVd1xqsS
Malware Config
Signatures
- GandCrab payload (4 IoCs)
  resource / yara_rule:
  - behavioral1/memory/2556-3-0x0000000000280000-0x0000000000297000-memory.dmp: family_gandcrab
  - behavioral1/memory/2556-5-0x0000000000400000-0x0000000000946000-memory.dmp: family_gandcrab
  - behavioral1/memory/2556-6-0x0000000000400000-0x0000000000946000-memory.dmp: family_gandcrab
  - behavioral1/memory/2556-13-0x0000000000400000-0x000000000042C000-memory.dmp: family_gandcrab
- Gandcrab
  Gandcrab is a Trojan horse that encrypts files on a computer.
- Gandcrab family
- Unexpected DNS network traffic destination (64 IoCs)
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str) by JaffaCakes118_cadb52385ded087de7fae5b2413c37cb.exe:
  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vojndvqiait = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\wzsnyn.exe\""
- Enumerates connected drives (3 TTPs, 23 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  File opened (read-only) by JaffaCakes118_cadb52385ded087de7fae5b2413c37cb.exe: \??\E:, \??\G:, \??\H:, \??\I:, \??\P:, \??\S:, \??\L:, \??\B:, \??\K:, \??\N:, \??\Q:, \??\R:, \??\T:, \??\U:, \??\Y:, \??\Z:, \??\A:, \??\J:, \??\M:, \??\O:, \??\V:, \??\W:, \??\X:
- System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened by nslookup.exe (64 times): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  By JaffaCakes118_cadb52385ded087de7fae5b2413c37cb.exe:
  - Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID 2556 JaffaCakes118_cadb52385ded087de7fae5b2413c37cb.exe (2 occurrences)
- Suspicious use of WriteProcessMemory (64 IoCs)
Processes
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cadb52385ded087de7fae5b2413c37cb.exe (PID 2556, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cadb52385ded087de7fae5b2413c37cb.exe"
  - Adds Run key to start application
  - Enumerates connected drives
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  Child processes (depth 2), all C:\Windows\SysWOW64\nslookup.exe; "SLD" marks those flagged with System Location Discovery: System Language Discovery:
  - PID 468: nslookup carder.bit ns1.wowservers.ru (SLD)
  - PID 2476: nslookup ransomware.bit ns2.wowservers.ru (SLD)
  - PID 2880: nslookup carder.bit ns2.wowservers.ru (SLD)
  - PID 2996: nslookup ransomware.bit ns1.wowservers.ru
  - PID 2500: nslookup carder.bit ns1.wowservers.ru (SLD)
  - PID 2676: nslookup ransomware.bit ns2.wowservers.ru (SLD)
  - PID 2884: nslookup carder.bit ns2.wowservers.ru (SLD)
  - PID 2648: nslookup ransomware.bit ns1.wowservers.ru (SLD)
  - PID 2712: nslookup carder.bit ns1.wowservers.ru
  - PID 2060: nslookup ransomware.bit ns2.wowservers.ru (SLD)
  - PID 2280: nslookup carder.bit ns2.wowservers.ru (SLD)
  - PID 1860: nslookup ransomware.bit ns1.wowservers.ru (SLD)
  - PID 1928: nslookup carder.bit ns1.wowservers.ru (SLD)
  - PID 1824: nslookup ransomware.bit ns2.wowservers.ru
  - PID 1716: nslookup carder.bit ns2.wowservers.ru (SLD)
  - PID 380: nslookup ransomware.bit ns1.wowservers.ru
  - PID 1972: nslookup carder.bit ns1.wowservers.ru (SLD)
  - PID 1948: nslookup ransomware.bit ns2.wowservers.ru
  - PID 2748: nslookup carder.bit ns2.wowservers.ru
  - PID 2708: nslookup ransomware.bit ns1.wowservers.ru (SLD)
  - PID 1872: nslookup carder.bit ns1.wowservers.ru (SLD)
  - PID 1496: nslookup ransomware.bit ns2.wowservers.ru (SLD)
  - PID 2144: nslookup carder.bit ns2.wowservers.ru
  - PID 1360: nslookup ransomware.bit ns1.wowservers.ru
  - PID 1800: nslookup carder.bit ns1.wowservers.ru (SLD)
  - PID 1412: nslookup ransomware.bit ns2.wowservers.ru (SLD)
  - PID 896: nslookup carder.bit ns2.wowservers.ru (SLD)
  - PID 1364: nslookup ransomware.bit ns1.wowservers.ru (SLD)
  - PID 1640: nslookup carder.bit ns1.wowservers.ru (SLD)
  - PID 2216: nslookup ransomware.bit ns2.wowservers.ru (SLD)
  - PID 1720: nslookup carder.bit ns2.wowservers.ru (SLD)
  - PID 1804: nslookup ransomware.bit ns1.wowservers.ru
  - PID 3020: nslookup carder.bit ns1.wowservers.ru (SLD)
  - PID 696: nslookup ransomware.bit ns2.wowservers.ru (SLD)
  - PID 2352: nslookup carder.bit ns2.wowservers.ru (SLD)
  - PID 2264: nslookup ransomware.bit ns1.wowservers.ru
  - PID 988: nslookup carder.bit ns1.wowservers.ru
  - PID 788: nslookup ransomware.bit ns2.wowservers.ru (SLD)
  - PID 2220: nslookup carder.bit ns2.wowservers.ru (SLD)
  - PID 1616: nslookup ransomware.bit ns1.wowservers.ru (SLD)
  - PID 2380: nslookup carder.bit ns1.wowservers.ru (SLD)
  - PID 2620: nslookup ransomware.bit ns2.wowservers.ru
  - PID 2520: nslookup carder.bit ns2.wowservers.ru (SLD)
  - PID 2800: nslookup ransomware.bit ns1.wowservers.ru (SLD)
  - PID 2796: nslookup carder.bit ns1.wowservers.ru
  - PID 2892: nslookup ransomware.bit ns2.wowservers.ru (SLD)
  - PID 2656: nslookup carder.bit ns2.wowservers.ru (SLD)
  - PID 2812: nslookup ransomware.bit ns1.wowservers.ru
  - PID 2920: nslookup carder.bit ns1.wowservers.ru (SLD)
  - PID 2824: nslookup ransomware.bit ns2.wowservers.ru (SLD)
  - PID 2652: nslookup carder.bit ns2.wowservers.ru (SLD)
  - PID 1192: nslookup ransomware.bit ns1.wowservers.ru
  - PID 2700: nslookup carder.bit ns1.wowservers.ru (SLD)
  - PID 1924: nslookup ransomware.bit ns2.wowservers.ru (SLD)
  - PID 1644: nslookup carder.bit ns2.wowservers.ru (SLD)
  - PID 1908: nslookup ransomware.bit ns1.wowservers.ru (SLD)
  - PID 2036: nslookup carder.bit ns1.wowservers.ru (SLD)
  - PID 1752: nslookup ransomware.bit ns2.wowservers.ru
  - PID 1144: nslookup carder.bit ns2.wowservers.ru
  - PID 1796: nslookup ransomware.bit ns1.wowservers.ru (SLD)
  - PID 2940: nslookup carder.bit ns1.wowservers.ru (SLD)
  - PID 1848: nslookup ransomware.bit ns2.wowservers.ru (SLD)
  - PID 2540: nslookup carder.bit ns2.wowservers.ru
  - PID 2972: nslookup ransomware.bit ns1.wowservers.ru
  - PID 1096: nslookup carder.bit ns1.wowservers.ru (SLD)
  - PID 1568: nslookup ransomware.bit ns2.wowservers.ru (SLD)
  - PID 1648: nslookup carder.bit ns2.wowservers.ru (SLD)
  - PID 1344: nslookup ransomware.bit ns1.wowservers.ru (SLD)
  - PID 1780: nslookup carder.bit ns1.wowservers.ru
  - PID 1984: nslookup ransomware.bit ns2.wowservers.ru (SLD)
  - PID 2632: nslookup carder.bit ns2.wowservers.ru
  - PID 948: nslookup ransomware.bit ns1.wowservers.ru
  - PID 2068: nslookup carder.bit ns1.wowservers.ru (SLD)
  - PID 1388: nslookup ransomware.bit ns2.wowservers.ru
  - PID 2440: nslookup carder.bit ns2.wowservers.ru (SLD)
  - PID 1232: nslookup ransomware.bit ns1.wowservers.ru (SLD)
  - PID 2108: nslookup carder.bit ns1.wowservers.ru (SLD)
  - PID 2612: nslookup ransomware.bit ns2.wowservers.ru (SLD)
  - PID 1712: nslookup carder.bit ns2.wowservers.ru (SLD)
  - PID 2100: nslookup ransomware.bit ns1.wowservers.ru (SLD)
  - PID 2732: nslookup carder.bit ns1.wowservers.ru (SLD)
  - PID 2512: nslookup ransomware.bit ns2.wowservers.ru
  - PID 2856: nslookup carder.bit ns2.wowservers.ru (SLD)
  - PID 2792: nslookup ransomware.bit ns1.wowservers.ru (SLD)
  - PID 2248: nslookup carder.bit ns1.wowservers.ru
  - PID 2104: nslookup ransomware.bit ns2.wowservers.ru
  - PID 2208: nslookup carder.bit ns2.wowservers.ru (SLD)
  - PID 2976: nslookup ransomware.bit ns1.wowservers.ru (SLD)
  - PID 2704: nslookup carder.bit ns1.wowservers.ru (SLD)
  - PID 2492: nslookup ransomware.bit ns2.wowservers.ru
  - PID 2724: nslookup carder.bit ns2.wowservers.ru (SLD)