Analysis
max time kernel: 119s
max time network: 119s
platform: windows7_x64
resource: win7-20240729-en
resource tags: arch:x64 arch:x86 image:win7-20240729-en locale:en-us os:windows7-x64 system
submitted: 17/01/2025, 16:14
Static task: static1
Behavioral task: behavioral1
  Sample: 21bc5877d08935468c28c7361a7c38c40f98ed1782af6ba49e1a916046ae5706.exe
  Resource: win7-20240729-en
Behavioral task: behavioral2
  Sample: 21bc5877d08935468c28c7361a7c38c40f98ed1782af6ba49e1a916046ae5706.exe
  Resource: win10v2004-20241007-en
General
Target: 21bc5877d08935468c28c7361a7c38c40f98ed1782af6ba49e1a916046ae5706.exe
Size: 240KB
MD5: fb1caeec84e0c4438963ce0fb133278d
SHA1: 2884cf44f8241a427a61ab7c54842e78a8b5b609
SHA256: 21bc5877d08935468c28c7361a7c38c40f98ed1782af6ba49e1a916046ae5706
SHA512: c55e0b640d3601f2b4d897599619796153e7007bdbd64a8455fd035ad787870bf2b8bde68a15dec40a4a24c0be8fc97790d125f9ab56b05ee3001679982ef997
SSDEEP: 6144:0haKwdeU7LyrC6pnv445VEXs5kzlu/e7QCsXqB:0hydeUvEpbQsx/eMvqB
Malware Config
Signatures
GandCrab payload (4 IoCs)
resource                                                                       yara_rule
behavioral1/memory/2316-260-0x00000000002C0000-0x00000000002D7000-memory.dmp   family_gandcrab
behavioral1/memory/2316-259-0x0000000000400000-0x000000000044D000-memory.dmp   family_gandcrab
behavioral1/memory/2316-262-0x0000000000400000-0x000000000044D000-memory.dmp   family_gandcrab
behavioral1/memory/2316-269-0x0000000000400000-0x000000000042C000-memory.dmp   family_gandcrab
Gandcrab
GandCrab is a ransomware family: it encrypts files on the victim host and demands payment for the decryption key. Here the family rule matched four memory dumps of the main process (PID 2316): three taken from the region at 0x400000, the default 32-bit image base, and one from a separate 0x17000-byte allocation at 0x2C0000. A family match on a region outside the image usually means the decoded payload was unpacked there.
Gandcrab family
Unexpected DNS network traffic destination (64 IoCs)
DNS-port traffic was sent to a server other than the sandbox's configured DNS servers. All 64 recorded entries have the same destination:
description      ioc
Destination IP   107.178.223.183 (64 occurrences)
This is consistent with the nslookup commands in the process listing, which direct each query at a named server (ns1.wowservers.ru or ns2.wowservers.ru) instead of the system resolver. The names being resolved end in .bit, a Namecoin blockchain TLD that public DNS does not serve, so the lookups only work against a resolver the malware chooses itself.
Adds Run key to start application (2 TTPs, 1 IoCs)
description       ioc                                                                                                                                                                     Process
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zsdpmlfkadp = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\bcbybc.exe\""   21bc5877d08935468c28c7361a7c38c40f98ed1782af6ba49e1a916046ae5706.exe
The key sits under Wow6432Node because the 32-bit sample writes through the WOW64 registry redirector. The value name (zsdpmlfkadp) and the target file name (bcbybc.exe, under the user's roaming profile) both look randomly generated. Windows deletes RunOnce values after they execute, so this is a one-shot relaunch at the next logon rather than durable persistence unless the payload re-creates it.
Enumerates connected drives (3 TTPs, 23 IoCs)
Attempts to read the root path of drives other than the default C: drive. Ransomware does this to build the list of volumes it will encrypt; here the sample probes every drive letter except C:, D: and F:.
description               ioc                                                                                                                                           Process
File opened (read-only)   \??\A: \??\B: \??\E: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z:   21bc5877d08935468c28c7361a7c38c40f98ed1782af6ba49e1a916046ae5706.exe
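As an added example (editor-written Python, not tria.ge code), here is a sliding-window detector for the drive-enumeration behaviour above: it reports a process that opens the root of many distinct non-system drive letters within a few seconds. The events are constructed to resemble the sandbox's "File opened (read-only) \??\X:" entries; the timestamps, the system-drive setting and the benign process (PID 4100) are assumptions.

```python
"""Editor's example (not tria.ge code): sliding-window detector for a process
opening the root of many drive letters, the 'Enumerates connected drives'
behaviour above. EVENTS is constructed; timestamps, the system-drive setting
and the benign pid 4100 are assumptions."""
import re
from collections import defaultdict

# Matches a bare volume root in NT (\??\X:) or Win32 (X:\) spelling.
ROOT_RE = re.compile(r"^(?:\\\?\?\\)?([A-Za-z]):\\?$")

# Constructed events: (timestamp in seconds, pid, path). pid 2316 opens the 23
# roots listed above within a quarter of a second; pid 4100 touches two drives
# a minute apart, as a shell refreshing removable media might.
EVENTS = [(10.0 + i * 0.01, 2316, f"\\??\\{letter}:")
          for i, letter in enumerate("ABEGHIJKLMNOPQRSTUVWXYZ")]
EVENTS += [
    (10.3, 2316, "C:\\Users\\Admin\\Documents\\report.docx"),
    (10.5, 4100, "\\??\\D:"),
    (70.0, 4100, "\\??\\E:"),
]


def drive_enum_bursts(events, threshold=5, window_s=5.0, system_drive="C"):
    """Per pid, find the window_s-second window containing the most distinct
    non-system drive roots; report pids whose best window reaches threshold."""
    by_pid = defaultdict(list)
    for ts, pid, path in events:
        m = ROOT_RE.match(path)
        if m and m.group(1).upper() != system_drive.upper():
            by_pid[pid].append((ts, m.group(1).upper()))
    bursts = {}
    for pid, opens in by_pid.items():
        opens.sort()
        best, best_span, lo = set(), None, 0
        for hi in range(len(opens)):
            while opens[hi][0] - opens[lo][0] > window_s:
                lo += 1
            letters = {letter for _, letter in opens[lo:hi + 1]}
            if len(letters) > len(best):
                best, best_span = letters, (opens[lo][0], opens[hi][0])
        if len(best) >= threshold:
            bursts[pid] = {"letters": "".join(sorted(best)), "window": best_span}
    return bursts


if __name__ == "__main__":
    for pid, b in drive_enum_bursts(EVENTS).items():
        print(f"pid {pid}: {len(b['letters'])} drive roots {b['letters']} in {b['window']}")
```

The threshold of five distinct roots inside five seconds is the editor's starting point; a backup agent or disk-management tool will also sweep drive letters, so in production the detector is best joined with the process image and parent (here an executable run from the user's Temp directory).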
Drops file in Windows directory (1 IoCs)
description                    ioc                  Process
File opened for modification   C:\Windows\win.ini   21bc5877d08935468c28c7361a7c38c40f98ed1782af6ba49e1a916046ae5706.exe
System Location Discovery: System Language Discovery (1 TTPs, 64 IoCs)
Attempts to gather information about the system language of the victim host in order to infer its geographic location.
description   ioc                                                           Process
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   nslookup.exe (63 occurrences)
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   21bc5877d08935468c28c7361a7c38c40f98ed1782af6ba49e1a916046ae5706.exe (1 occurrence)
All but one of the 64 hits come from the nslookup.exe children, for which reading the NLS key is ordinary console-tool start-up; only the single read by the sample itself is attributable to the malware.
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments. Plenty of legitimate software reads the same keys, so on its own this is a weak signal.
description         ioc                                                                                   Process
Key opened          \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                      21bc5877d08935468c28c7361a7c38c40f98ed1782af6ba49e1a916046ae5706.exe
Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  21bc5877d08935468c28c7361a7c38c40f98ed1782af6ba49e1a916046ae5706.exe
Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier           21bc5877d08935468c28c7361a7c38c40f98ed1782af6ba49e1a916046ae5706.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid    Process
2316   21bc5877d08935468c28c7361a7c38c40f98ed1782af6ba49e1a916046ae5706.exe
2316   21bc5877d08935468c28c7361a7c38c40f98ed1782af6ba49e1a916046ae5706.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Every entry is the main process (PID 2316, the sample) writing to the memory of an nslookup.exe child it has just spawned, four writes per child. The table stops at 64 entries, so only the first 16 children appear; the process listing below shows 82. Four writes into a freshly created child, with no other injection activity, is what process creation itself looks like on this platform, so treat the signature as weak evidence on its own.
description                            pid    Process (all rows)                                                       procid_target   writes
PID 2316 wrote to memory of 612        2316   21bc5877d08935468c28c7361a7c38c40f98ed1782af6ba49e1a916046ae5706.exe   30              4
PID 2316 wrote to memory of 1544       2316   (same)                                                                   32              4
PID 2316 wrote to memory of 2068       2316   (same)                                                                   34              4
PID 2316 wrote to memory of 536        2316   (same)                                                                   36              4
PID 2316 wrote to memory of 1764       2316   (same)                                                                   38              4
PID 2316 wrote to memory of 2312       2316   (same)                                                                   40              4
PID 2316 wrote to memory of 2620       2316   (same)                                                                   42              4
PID 2316 wrote to memory of 2380       2316   (same)                                                                   44              4
PID 2316 wrote to memory of 1776       2316   (same)                                                                   46              4
PID 2316 wrote to memory of 1592       2316   (same)                                                                   48              4
PID 2316 wrote to memory of 1608       2316   (same)                                                                   50              4
PID 2316 wrote to memory of 2792       2316   (same)                                                                   52              4
PID 2316 wrote to memory of 3036       2316   (same)                                                                   54              4
PID 2316 wrote to memory of 1916       2316   (same)                                                                   56              4
PID 2316 wrote to memory of 1908       2316   (same)                                                                   58              4
PID 2316 wrote to memory of 2948       2316   (same)                                                                   60              4
Processes
Depth 1: C:\Users\Admin\AppData\Local\Temp\21bc5877d08935468c28c7361a7c38c40f98ed1782af6ba49e1a916046ae5706.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\21bc5877d08935468c28c7361a7c38c40f98ed1782af6ba49e1a916046ae5706.exe"
  PID: 2316
  Signatures: Adds Run key to start application; Enumerates connected drives; Drops file in Windows directory; System Location Discovery: System Language Discovery; Checks processor information in registry; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory

Depth 2: children of PID 2316, in spawn order. Every child is C:\Windows\SysWOW64\nslookup.exe; the command line cycles through carder.bit and ransomware.bit against ns1.wowservers.ru and ns2.wowservers.ru. "SLD" marks the children on which the signature "System Location Discovery: System Language Discovery" fired; "-" means no signature.

PID    Command line                                Signatures
612    nslookup carder.bit ns1.wowservers.ru       SLD
1544   nslookup ransomware.bit ns2.wowservers.ru   SLD
2068   nslookup carder.bit ns2.wowservers.ru       SLD
536    nslookup ransomware.bit ns1.wowservers.ru   SLD
1764   nslookup carder.bit ns1.wowservers.ru       SLD
2312   nslookup ransomware.bit ns2.wowservers.ru   -
2620   nslookup carder.bit ns2.wowservers.ru       SLD
2380   nslookup ransomware.bit ns1.wowservers.ru   SLD
1776   nslookup carder.bit ns1.wowservers.ru       SLD
1592   nslookup ransomware.bit ns2.wowservers.ru   SLD
1608   nslookup carder.bit ns2.wowservers.ru       SLD
2792   nslookup ransomware.bit ns1.wowservers.ru   SLD
3036   nslookup carder.bit ns1.wowservers.ru       SLD
1916   nslookup ransomware.bit ns2.wowservers.ru   SLD
1908   nslookup carder.bit ns2.wowservers.ru       SLD
2948   nslookup ransomware.bit ns1.wowservers.ru   SLD
2808   nslookup carder.bit ns1.wowservers.ru       SLD
580    nslookup ransomware.bit ns2.wowservers.ru   SLD
2812   nslookup carder.bit ns2.wowservers.ru       SLD
2856   nslookup ransomware.bit ns1.wowservers.ru   SLD
2820   nslookup carder.bit ns1.wowservers.ru       -
2648   nslookup ransomware.bit ns2.wowservers.ru   SLD
2772   nslookup carder.bit ns2.wowservers.ru       SLD
2352   nslookup ransomware.bit ns1.wowservers.ru   SLD
2712   nslookup carder.bit ns1.wowservers.ru       -
2172   nslookup ransomware.bit ns2.wowservers.ru   SLD
2428   nslookup carder.bit ns2.wowservers.ru       SLD
2056   nslookup ransomware.bit ns1.wowservers.ru   -
2880   nslookup carder.bit ns1.wowservers.ru       SLD
628    nslookup ransomware.bit ns2.wowservers.ru   SLD
944    nslookup carder.bit ns2.wowservers.ru       -
1740   nslookup ransomware.bit ns1.wowservers.ru   SLD
3020   nslookup carder.bit ns1.wowservers.ru       SLD
3064   nslookup ransomware.bit ns2.wowservers.ru   SLD
1732   nslookup carder.bit ns2.wowservers.ru       SLD
1508   nslookup ransomware.bit ns1.wowservers.ru   SLD
2180   nslookup carder.bit ns1.wowservers.ru       -
2104   nslookup ransomware.bit ns2.wowservers.ru   SLD
2032   nslookup carder.bit ns2.wowservers.ru       SLD
1060   nslookup ransomware.bit ns1.wowservers.ru   SLD
1924   nslookup carder.bit ns1.wowservers.ru       SLD
1864   nslookup ransomware.bit ns2.wowservers.ru   SLD
1052   nslookup carder.bit ns2.wowservers.ru       SLD
1564   nslookup ransomware.bit ns1.wowservers.ru   -
1548   nslookup carder.bit ns1.wowservers.ru       SLD
2580   nslookup ransomware.bit ns2.wowservers.ru   -
2884   nslookup carder.bit ns2.wowservers.ru       SLD
1976   nslookup ransomware.bit ns1.wowservers.ru   SLD
2476   nslookup carder.bit ns1.wowservers.ru       SLD
352    nslookup ransomware.bit ns2.wowservers.ru   SLD
856    nslookup carder.bit ns2.wowservers.ru       SLD
2200   nslookup ransomware.bit ns1.wowservers.ru   -
1616   nslookup carder.bit ns1.wowservers.ru       SLD
2036   nslookup ransomware.bit ns2.wowservers.ru   -
2436   nslookup carder.bit ns2.wowservers.ru       SLD
2228   nslookup ransomware.bit ns1.wowservers.ru   SLD
2944   nslookup carder.bit ns1.wowservers.ru       SLD
2804   nslookup ransomware.bit ns2.wowservers.ru   SLD
2940   nslookup carder.bit ns2.wowservers.ru       SLD
2680   nslookup ransomware.bit ns1.wowservers.ru   SLD
2992   nslookup carder.bit ns1.wowservers.ru       -
2904   nslookup ransomware.bit ns2.wowservers.ru   -
2656   nslookup carder.bit ns2.wowservers.ru       SLD
2052   nslookup ransomware.bit ns1.wowservers.ru   -
1336   nslookup carder.bit ns1.wowservers.ru       SLD
2272   nslookup ransomware.bit ns2.wowservers.ru   -
2284   nslookup carder.bit ns2.wowservers.ru       SLD
568    nslookup ransomware.bit ns1.wowservers.ru   -
436    nslookup carder.bit ns1.wowservers.ru       SLD
1072   nslookup ransomware.bit ns2.wowservers.ru   SLD
2852   nslookup carder.bit ns2.wowservers.ru       SLD
2264   nslookup ransomware.bit ns1.wowservers.ru   SLD
608    nslookup carder.bit ns1.wowservers.ru       -
2444   nslookup ransomware.bit ns2.wowservers.ru   -
348    nslookup carder.bit ns2.wowservers.ru       SLD
2156   nslookup ransomware.bit ns1.wowservers.ru   -
2132   nslookup carder.bit ns1.wowservers.ru       SLD
2336   nslookup ransomware.bit ns2.wowservers.ru   SLD
448    nslookup carder.bit ns2.wowservers.ru       SLD
1192   nslookup ransomware.bit ns1.wowservers.ru   SLD
812    nslookup carder.bit ns1.wowservers.ru       -
2000   nslookup ransomware.bit ns2.wowservers.ru   SLD
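The process listing above and the "Unexpected DNS network traffic destination" signature describe the same behaviour from two sides: the sample fans out dozens of nslookup.exe children that resolve .bit names through a server it names itself, which is what puts DNS-port traffic onto an address the host was never configured to use. The block below is an added example (editor-written Python, not tria.ge code) that turns both observations into detections over process-creation and flow records. All records in it are constructed to mirror this report: the process rows are five of the 82 children plus one benign control, the flow rows, their pids and the 8.8.8.8 resolver are assumptions, and the blockchain-TLD list is a starting point to tune rather than a complete one.

```python
"""Editor's example (not tria.ge code). Two checks derived from this report:
(1) a parent that spawns many nslookup.exe children resolving blockchain-TLD
names through an explicitly named server, and (2) DNS-port flows to addresses
that are not the host's configured resolvers. EVENTS and FLOWS are constructed;
the resolver set, flow pids and the benign control row are assumptions."""
import ipaddress
import ntpath
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass(frozen=True)
class Flow:
    pid: int
    proto: str
    dst_ip: str
    dst_port: int


SAMPLE = ("C:\\Users\\Admin\\AppData\\Local\\Temp\\"
          "21bc5877d08935468c28c7361a7c38c40f98ed1782af6ba49e1a916046ae5706.exe")
NSLOOKUP = "C:\\Windows\\SysWOW64\\nslookup.exe"

# Constructed process-creation records: the sample, five of its children from
# the listing above, and one benign lookup by an unrelated process.
EVENTS = [
    ProcEvent(2316, 1000, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(612, 2316, NSLOOKUP, "nslookup carder.bit ns1.wowservers.ru"),
    ProcEvent(1544, 2316, NSLOOKUP, "nslookup ransomware.bit ns2.wowservers.ru"),
    ProcEvent(2068, 2316, NSLOOKUP, "nslookup carder.bit ns2.wowservers.ru"),
    ProcEvent(536, 2316, NSLOOKUP, "nslookup ransomware.bit ns1.wowservers.ru"),
    ProcEvent(1764, 2316, NSLOOKUP, "nslookup carder.bit ns1.wowservers.ru"),
    ProcEvent(4000, 3999, NSLOOKUP, "nslookup www.example.com"),
]

# Constructed flow records; 107.178.223.183 is the destination from the
# signature above, everything else here is an assumption.
CONFIGURED_DNS = {"8.8.8.8"}
FLOWS = [
    Flow(2316, "udp", "8.8.8.8", 53),
    Flow(612, "udp", "107.178.223.183", 53),
    Flow(1544, "udp", "107.178.223.183", 53),
    Flow(2068, "udp", "107.178.223.183", 53),
    Flow(2316, "tcp", "93.184.216.34", 443),
]

# TLDs served by blockchain naming systems rather than ICANN DNS (.bit is
# Namecoin). Assumed starting list; tune for your environment.
BLOCKCHAIN_TLDS = {"bit", "emc", "coin", "lib", "bazar"}


def parse_nslookup(cmdline):
    """Return (name, server) from an nslookup command line; server is None when
    the lookup goes through the system resolver. Option tokens such as
    -type=TXT are skipped. Returns None for anything that is not nslookup."""
    argv = cmdline.split()
    if not argv or ntpath.basename(argv[0].strip('"')).lower() not in ("nslookup", "nslookup.exe"):
        return None
    positional = [a for a in argv[1:] if not a.startswith("-")]
    if not positional:
        return None
    name = positional[0].lower().rstrip(".")
    server = positional[1].lower().rstrip(".") if len(positional) > 1 else None
    return name, server


def is_blockchain_tld(name):
    return name.rsplit(".", 1)[-1] in BLOCKCHAIN_TLDS


def find_bit_lookup_spawners(events, min_children=3):
    """Group nslookup children by parent and report parents with at least
    min_children lookups of blockchain-TLD names via an explicit server."""
    image_of = {ev.pid: ev.image for ev in events}
    by_parent = defaultdict(list)
    for ev in events:
        if ntpath.basename(ev.image).lower() != "nslookup.exe":
            continue
        parsed = parse_nslookup(ev.cmdline)
        if parsed is None:
            continue
        name, server = parsed
        if server is not None and is_blockchain_tld(name):
            by_parent[ev.ppid].append((ev.pid, name, server))
    hits = []
    for ppid, lookups in by_parent.items():
        if len(lookups) >= min_children:
            hits.append({"parent_pid": ppid,
                         "parent_image": image_of.get(ppid, "<unknown>"),
                         "children": len(lookups),
                         "names": sorted({n for _, n, _ in lookups}),
                         "servers": sorted({s for _, _, s in lookups})})
    return hits


def unexpected_dns_destinations(flows, configured):
    """Count DNS-port flows per destination that is not a configured resolver."""
    allowed = {ipaddress.ip_address(a) for a in configured}
    counts = defaultdict(int)
    for f in flows:
        if f.dst_port == 53 and ipaddress.ip_address(f.dst_ip) not in allowed:
            counts[f.dst_ip] += 1
    return dict(counts)


if __name__ == "__main__":
    for hit in find_bit_lookup_spawners(EVENTS):
        print(f"pid {hit['parent_pid']} spawned {hit['children']} blockchain-TLD lookups "
              f"for {hit['names']} via {hit['servers']}")
    print("unexpected DNS destinations:", unexpected_dns_destinations(FLOWS, CONFIGURED_DNS))
```

The process-side check keys on the explicit server argument, because a .bit name with no server would simply fail at the system resolver; the flow-side check needs the host's real resolver list, and on networks that force all port-53 traffic through an internal resolver the second check alone will not fire, which is why the two are paired.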
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 17KB
MD5: fc807cca56c0920e6c0e8036d22fbc61
SHA1: 5d2189f4c501f40dfe09365e2242b0932263f043
SHA256: 4e4aaff6eabcb85f2f4b5cd624073281b988c2c2605343cc06dcff08ef1baf1a
SHA512: cd002ba320c564d221779bb2da246affc3f17fb28e26266173a85ef480a1e486caf2fec4a17fe61841354cb1de3f0c8ad605f87f3851bae15a0515e657002a46