| File name: | 1.zip |
| Full analysis: | https://app.any.run/tasks/9144a1fa-bfb3-4640-a456-9096a3707a1a |
| Verdict: | Malicious activity |
| Threats: | GandCrab is probably one of the most famous Ransomware. A Ransomware is a malware that asks the victim to pay money in order to restore access to encrypted files. If the user does not cooperate the files are forever lost. |
| Analysis date: | December 02, 2023, 20:58:24 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/zip |
| File info: | Zip archive data, at least v2.0 to extract |
| MD5: | 6ECDCEEEEC01C7BA211B7E8E7B450924 |
| SHA1: | 215CE6912E1698D83E616B0F6EC71B06A9677E07 |
| SHA256: | 4AC88919133B624C40B0A650835337C801773DA77C052FCB2F0C3C33FD8DCDB2 |
| SSDEEP: | 98304:bCEIJ6aOLBqwihkip2yUSkpxXsN/LqgelHDKVYm2H4tH8miGAZGcHnkReCRGZl7D:cizYwBENy |
MALICIOUS
Drops the executable file immediately after the start
- 0ea0d741b1d8d8d8f7cc13e0bddd3c72.exe (PID: 3428)
- 1beed9f3366247d8c6386931141fe34a.exe (PID: 3384)
- 1d3e2b2e4d0ab4c1acb0a687b64943e5.exe (PID: 3516)
- 30bb32a0f3ab57854990cca5831dbb28.exe (PID: 3124)
- 19f2b925c23f25e8b1ef3b632bc6d051.exe (PID: 3564)
- 4167f1d1828a149544e695544b00be91.exe (PID: 2488)
- 4e6f1eb13cee8ce32332fe0b1b71a987.exe (PID: 2928)
- 4e61623c584b552ebf702c98ffa56e66.exe (PID: 2820)
- 2fc4bd2e79e4ed0e657b9c0db52b54fb.exe (PID: 1496)
- Unicorn-37084.exe (PID: 3928)
- Unicorn-25792.exe (PID: 3364)
- Unicorn-12724.exe (PID: 3844)
- Unicorn-48075.exe (PID: 3824)
- Unicorn-29713.exe (PID: 2120)
- Unicorn-5117.exe (PID: 2864)
- Unicorn-32912.exe (PID: 2576)
- Unicorn-37214.exe (PID: 2168)
- Unicorn-12299.exe (PID: 3048)
- Unicorn-10253.exe (PID: 3592)
- Unicorn-61500.exe (PID: 1088)
- Unicorn-45719.exe (PID: 1560)
- Unicorn-13046.exe (PID: 2788)
- Unicorn-31926.exe (PID: 3084)
- Unicorn-46871.exe (PID: 644)
- Unicorn-7229.exe (PID: 1072)
- Unicorn-35910.exe (PID: 2508)
- Unicorn-56238.exe (PID: 1600)
- Unicorn-25247.exe (PID: 3780)
- Unicorn-26834.exe (PID: 3704)
- Unicorn-20058.exe (PID: 3964)
- Unicorn-15211.exe (PID: 3384)
- Unicorn-20058.exe (PID: 2984)
- Unicorn-17344.exe (PID: 3552)
- Unicorn-43986.exe (PID: 2416)
- Unicorn-54847.exe (PID: 2368)
- Unicorn-18011.exe (PID: 3668)
- Unicorn-1562.exe (PID: 3288)
- Unicorn-8936.exe (PID: 3256)
- Unicorn-30940.exe (PID: 1928)
- Unicorn-38677.exe (PID: 1832)
- Unicorn-55444.exe (PID: 968)
- Unicorn-8957.exe (PID: 3524)
- Unicorn-63704.exe (PID: 528)
- Unicorn-29932.exe (PID: 3096)
- Unicorn-2543.exe (PID: 3640)
- Unicorn-52055.exe (PID: 3240)
- Unicorn-48236.exe (PID: 1856)
- Unicorn-56404.exe (PID: 2744)
- Unicorn-40622.exe (PID: 2384)
- Unicorn-25486.exe (PID: 2504)
- Unicorn-981.exe (PID: 3072)
- Unicorn-27053.exe (PID: 2948)
- Unicorn-37830.exe (PID: 3492)
- Unicorn-43960.exe (PID: 2460)
- Unicorn-62242.exe (PID: 2400)
- Unicorn-1966.exe (PID: 1448)
- Unicorn-9149.exe (PID: 1900)
- Unicorn-25577.exe (PID: 3148)
- Unicorn-19931.exe (PID: 952)
- Unicorn-41822.exe (PID: 2164)
- Unicorn-3482.exe (PID: 1356)
- Unicorn-52704.exe (PID: 1808)
- Unicorn-44515.exe (PID: 3720)
- Unicorn-21956.exe (PID: 272)
- Unicorn-32668.exe (PID: 2724)
- Unicorn-30621.exe (PID: 3196)
- Unicorn-40836.exe (PID: 3388)
- Unicorn-8526.exe (PID: 4008)
- Unicorn-3622.exe (PID: 3012)
- Unicorn-44920.exe (PID: 2928)
- Unicorn-44728.exe (PID: 1984)
- Unicorn-61619.exe (PID: 2232)
- Unicorn-24656.exe (PID: 1364)
- Unicorn-40644.exe (PID: 2648)
- Unicorn-9817.exe (PID: 2688)
- Unicorn-32637.exe (PID: 2792)
- 32ce4b3733014440d770a8d3b81544d2.exe (PID: 3132)
- Unicorn-10820.exe (PID: 2952)
- Unicorn-62735.exe (PID: 3144)
- Unicorn-6949.exe (PID: 1672)
- Unicorn-26040.exe (PID: 3188)
- Unicorn-27432.exe (PID: 2004)
- Unicorn-5195.exe (PID: 3412)
- Unicorn-29129.exe (PID: 3460)
- Unicorn-40198.exe (PID: 3276)
- Unicorn-4442.exe (PID: 3940)
- Unicorn-57110.exe (PID: 1816)
- Unicorn-16056.exe (PID: 3536)
- Unicorn-64317.exe (PID: 916)
- Unicorn-3825.exe (PID: 3024)
- Unicorn-30367.exe (PID: 2332)
- Unicorn-63716.exe (PID: 4280)
- Unicorn-12569.exe (PID: 3644)
- Unicorn-5148.exe (PID: 3496)
- Unicorn-12953.exe (PID: 4912)
- Unicorn-628.exe (PID: 4560)
- Unicorn-57686.exe (PID: 3216)
- Unicorn-509.exe (PID: 3744)
- Unicorn-893.exe (PID: 4568)
- Unicorn-23187.exe (PID: 4552)
- Unicorn-16846.exe (PID: 2880)
- Unicorn-43872.exe (PID: 4456)
- Unicorn-43580.exe (PID: 4960)
- Unicorn-62325.exe (PID: 2108)
- Unicorn-58625.exe (PID: 4904)
- Unicorn-55309.exe (PID: 5128)
- Unicorn-51464.exe (PID: 2316)
- Unicorn-52040.exe (PID: 4496)
- Unicorn-23159.exe (PID: 4984)
- Unicorn-52040.exe (PID: 4520)
- Unicorn-38126.exe (PID: 5008)
- Unicorn-6923.exe (PID: 4596)
- Unicorn-22557.exe (PID: 5200)
- Unicorn-15646.exe (PID: 4944)
- Unicorn-46586.exe (PID: 5088)
- Unicorn-22082.exe (PID: 5060)
- Unicorn-32990.exe (PID: 4264)
- Unicorn-52040.exe (PID: 4504)
- Unicorn-52040.exe (PID: 4512)
- Unicorn-49108.exe (PID: 5192)
- Unicorn-54297.exe (PID: 5160)
- Unicorn-62901.exe (PID: 4464)
- Unicorn-30036.exe (PID: 4896)
- Unicorn-3970.exe (PID: 5016)
- Unicorn-60571.exe (PID: 4976)
- Unicorn-30250.exe (PID: 5112)
- Unicorn-47956.exe (PID: 4484)
- Unicorn-50670.exe (PID: 5096)
- Unicorn-28112.exe (PID: 5152)
- Unicorn-54754.exe (PID: 5104)
- Unicorn-54074.exe (PID: 3156)
- Unicorn-35247.exe (PID: 4936)
- Unicorn-17705.exe (PID: 5024)
- Unicorn-42694.exe (PID: 5308)
- Unicorn-12906.exe (PID: 5208)
- Unicorn-40918.exe (PID: 5176)
- Unicorn-28112.exe (PID: 5144)
- Unicorn-51657.exe (PID: 5316)
- Unicorn-9921.exe (PID: 5332)
- Unicorn-40918.exe (PID: 5168)
Steals credentials from Web Browsers
- 1d3e2b2e4d0ab4c1acb0a687b64943e5.exe (PID: 3516)
Actions looks like stealing of personal data
- 1d3e2b2e4d0ab4c1acb0a687b64943e5.exe (PID: 3516)
- 32ce4b3733014440d770a8d3b81544d2.exe (PID: 3132)
Application was injected by another process
- explorer.exe (PID: 1388)
- dwm.exe (PID: 932)
- taskeng.exe (PID: 288)
- ctfmon.exe (PID: 1804)
Runs injected code in another process
- 1c3a625a1a0c02ee834a598795a0d0ef.exe (PID: 3052)
- 21c323f09a68551f40c6d5e6cb74412b.exe (PID: 3640)
- 344491bfb811ee82b644bc02e3287893.exe (PID: 3792)
- explorer.exe (PID: 1388)
Starts NET.EXE for service management
- net.exe (PID: 3740)
- 32ce4b3733014440d770a8d3b81544d2.exe (PID: 3132)
- net.exe (PID: 2764)
Changes the autorun value in the registry
- explorer.exe (PID: 1388)
UAC/LUA settings modification
- 19f2b925c23f25e8b1ef3b632bc6d051.exe (PID: 3564)
Changes appearance of the Explorer extensions
- 19f2b925c23f25e8b1ef3b632bc6d051.exe (PID: 3564)
Changes the login/logoff helper path in the registry
- 19f2b925c23f25e8b1ef3b632bc6d051.exe (PID: 3564)
Uses Task Scheduler to run other applications
- cmd.exe (PID: 2988)
GandCrab is detected
- 4e61623c584b552ebf702c98ffa56e66.exe (PID: 2820)
GANDCRAB has been detected (SURICATA)
- nslookup.exe (PID: 2640)
- nslookup.exe (PID: 2888)
SIMDA has been detected (SURICATA)
- explorer.exe (PID: 1388)
SHIZ has been detected (SURICATA)
- explorer.exe (PID: 1388)
Connects to the CnC server
- explorer.exe (PID: 1388)
SUSPICIOUS
Executing commands from a ".bat" file
- explorer.exe (PID: 1388)
Process drops legitimate windows executable
- WinRAR.exe (PID: 2644)
Starts CMD.EXE for commands execution
- explorer.exe (PID: 1388)
- cmd.exe (PID: 2424)
- 4167f1d1828a149544e695544b00be91.exe (PID: 2488)
- 43aea7db92460a8baf31acdcd1a3bb88.exe (PID: 2380)
Application launched itself
- cmd.exe (PID: 2424)
Reads the Internet Settings
- cmd.exe (PID: 3856)
- 1b3551d3d26b8ccdf47fa5f3907b9c2a.exe (PID: 3756)
- cmd.exe (PID: 3204)
- 1beed9f3366247d8c6386931141fe34a.exe (PID: 3384)
- 1d3e2b2e4d0ab4c1acb0a687b64943e5.exe (PID: 3516)
- 30bb32a0f3ab57854990cca5831dbb28.exe (PID: 3124)
- 43aea7db92460a8baf31acdcd1a3bb88.exe (PID: 2380)
- 4167f1d1828a149544e695544b00be91.exe (PID: 2488)
- 4e6f1eb13cee8ce32332fe0b1b71a987.exe (PID: 2928)
- budha.exe (PID: 3200)
- 4e61623c584b552ebf702c98ffa56e66.exe (PID: 2820)
Starts itself from another location
- 0ea0d741b1d8d8d8f7cc13e0bddd3c72.exe (PID: 3428)
- 1beed9f3366247d8c6386931141fe34a.exe (PID: 3384)
- 4e6f1eb13cee8ce32332fe0b1b71a987.exe (PID: 2928)
- 2fc4bd2e79e4ed0e657b9c0db52b54fb.exe (PID: 1496)
- Unicorn-37084.exe (PID: 3928)
- Unicorn-12724.exe (PID: 3844)
- Unicorn-25792.exe (PID: 3364)
- Unicorn-37214.exe (PID: 2168)
- Unicorn-48075.exe (PID: 3824)
- Unicorn-29713.exe (PID: 2120)
- Unicorn-5117.exe (PID: 2864)
- Unicorn-32912.exe (PID: 2576)
- Unicorn-12299.exe (PID: 3048)
- Unicorn-10253.exe (PID: 3592)
- Unicorn-61500.exe (PID: 1088)
- Unicorn-38677.exe (PID: 1832)
- Unicorn-31926.exe (PID: 3084)
- Unicorn-46871.exe (PID: 644)
- Unicorn-45719.exe (PID: 1560)
- Unicorn-26834.exe (PID: 3704)
- Unicorn-35910.exe (PID: 2508)
- Unicorn-56238.exe (PID: 1600)
- Unicorn-25247.exe (PID: 3780)
- Unicorn-13046.exe (PID: 2788)
- Unicorn-15211.exe (PID: 3384)
- Unicorn-20058.exe (PID: 2984)
- Unicorn-17344.exe (PID: 3552)
- Unicorn-54847.exe (PID: 2368)
- Unicorn-43986.exe (PID: 2416)
- Unicorn-8936.exe (PID: 3256)
- Unicorn-1562.exe (PID: 3288)
- Unicorn-63704.exe (PID: 528)
- Unicorn-8957.exe (PID: 3524)
- Unicorn-30940.exe (PID: 1928)
- Unicorn-55444.exe (PID: 968)
- Unicorn-29932.exe (PID: 3096)
- Unicorn-52055.exe (PID: 3240)
- Unicorn-56404.exe (PID: 2744)
- Unicorn-7229.exe (PID: 1072)
- Unicorn-2543.exe (PID: 3640)
- Unicorn-27053.exe (PID: 2948)
- Unicorn-40622.exe (PID: 2384)
- Unicorn-25486.exe (PID: 2504)
- Unicorn-981.exe (PID: 3072)
- Unicorn-25577.exe (PID: 3148)
- Unicorn-43960.exe (PID: 2460)
- Unicorn-62242.exe (PID: 2400)
- Unicorn-1966.exe (PID: 1448)
- Unicorn-20058.exe (PID: 3964)
- Unicorn-9149.exe (PID: 1900)
- Unicorn-37830.exe (PID: 3492)
- Unicorn-3482.exe (PID: 1356)
- Unicorn-26040.exe (PID: 3188)
- Unicorn-54074.exe (PID: 3156)
- Unicorn-41822.exe (PID: 2164)
- Unicorn-19931.exe (PID: 952)
- Unicorn-27432.exe (PID: 2004)
- Unicorn-52704.exe (PID: 1808)
- Unicorn-44515.exe (PID: 3720)
- Unicorn-32668.exe (PID: 2724)
- Unicorn-18011.exe (PID: 3668)
- Unicorn-8526.exe (PID: 4008)
- Unicorn-3622.exe (PID: 3012)
- Unicorn-4442.exe (PID: 3940)
- Unicorn-30621.exe (PID: 3196)
- Unicorn-44920.exe (PID: 2928)
- Unicorn-40836.exe (PID: 3388)
- Unicorn-40644.exe (PID: 2648)
- Unicorn-44728.exe (PID: 1984)
- Unicorn-9817.exe (PID: 2688)
- Unicorn-24656.exe (PID: 1364)
- Unicorn-48236.exe (PID: 1856)
- Unicorn-62735.exe (PID: 3144)
- Unicorn-21956.exe (PID: 272)
- Unicorn-6949.exe (PID: 1672)
- Unicorn-57110.exe (PID: 1816)
- Unicorn-29129.exe (PID: 3460)
- Unicorn-40198.exe (PID: 3276)
- Unicorn-61619.exe (PID: 2232)
- Unicorn-16056.exe (PID: 3536)
- Unicorn-30367.exe (PID: 2332)
- Unicorn-64317.exe (PID: 916)
- Unicorn-3825.exe (PID: 3024)
- Unicorn-32637.exe (PID: 2792)
- Unicorn-63716.exe (PID: 4280)
- Unicorn-10820.exe (PID: 2952)
- Unicorn-5148.exe (PID: 3496)
- Unicorn-12953.exe (PID: 4912)
- Unicorn-12569.exe (PID: 3644)
- Unicorn-628.exe (PID: 4560)
- Unicorn-509.exe (PID: 3744)
- Unicorn-5195.exe (PID: 3412)
- Unicorn-23187.exe (PID: 4552)
- Unicorn-16846.exe (PID: 2880)
- Unicorn-43872.exe (PID: 4456)
- Unicorn-43580.exe (PID: 4960)
- Unicorn-58625.exe (PID: 4904)
- Unicorn-51464.exe (PID: 2316)
- Unicorn-52040.exe (PID: 4496)
- Unicorn-52040.exe (PID: 4520)
- Unicorn-6923.exe (PID: 4596)
- Unicorn-55309.exe (PID: 5128)
- Unicorn-47956.exe (PID: 4484)
- Unicorn-22557.exe (PID: 5200)
- Unicorn-15646.exe (PID: 4944)
- Unicorn-22082.exe (PID: 5060)
- Unicorn-32990.exe (PID: 4264)
- Unicorn-52040.exe (PID: 4504)
- Unicorn-52040.exe (PID: 4512)
- Unicorn-49108.exe (PID: 5192)
- Unicorn-54297.exe (PID: 5160)
- Unicorn-62901.exe (PID: 4464)
- Unicorn-30036.exe (PID: 4896)
- Unicorn-893.exe (PID: 4568)
- Unicorn-3970.exe (PID: 5016)
- Unicorn-57686.exe (PID: 3216)
- Unicorn-62325.exe (PID: 2108)
- Unicorn-40918.exe (PID: 5168)
- Unicorn-46586.exe (PID: 5088)
- Unicorn-30250.exe (PID: 5112)
- Unicorn-23159.exe (PID: 4984)
- Unicorn-50670.exe (PID: 5096)
- Unicorn-28112.exe (PID: 5152)
- Unicorn-54754.exe (PID: 5104)
- Unicorn-60571.exe (PID: 4976)
- Unicorn-17705.exe (PID: 5024)
Drops 7-zip archiver for unpacking
- WinRAR.exe (PID: 2644)
Changes the desktop background image
- 19f2b925c23f25e8b1ef3b632bc6d051.exe (PID: 3564)
The process checks if it is being run in the virtual environment
- 1c3a625a1a0c02ee834a598795a0d0ef.exe (PID: 3052)
- 344491bfb811ee82b644bc02e3287893.exe (PID: 3792)
- 21c323f09a68551f40c6d5e6cb74412b.exe (PID: 3640)
- 4b279a7081ce7020ffda0c7f074695e9.exe (PID: 788)
- explorer.exe (PID: 1388)
Malware-specific behavior (creating "System.dll" in Temp)
- 1d3e2b2e4d0ab4c1acb0a687b64943e5.exe (PID: 3516)
The process creates files with name similar to system file names
- 1d3e2b2e4d0ab4c1acb0a687b64943e5.exe (PID: 3516)
- 30bb32a0f3ab57854990cca5831dbb28.exe (PID: 3124)
- 32ce4b3733014440d770a8d3b81544d2.exe (PID: 3132)
The process verifies whether the antivirus software is installed
- 1c3a625a1a0c02ee834a598795a0d0ef.exe (PID: 3052)
- 21c323f09a68551f40c6d5e6cb74412b.exe (PID: 3640)
Uses ATTRIB.EXE to modify file attributes
- 43aea7db92460a8baf31acdcd1a3bb88.exe (PID: 2380)
Connects to FTP
- 1b3551d3d26b8ccdf47fa5f3907b9c2a.exe (PID: 3756)
Checks for Java to be installed
- 4b279a7081ce7020ffda0c7f074695e9.exe (PID: 788)
Uses NSLOOKUP.EXE to check DNS info
- 4e61623c584b552ebf702c98ffa56e66.exe (PID: 2820)
Write to the desktop.ini file (may be used to cloak folders)
- 32ce4b3733014440d770a8d3b81544d2.exe (PID: 3132)
The process executes via Task Scheduler
- IEMontior.exe (PID: 5716)
Reads security settings of Internet Explorer
- budha.exe (PID: 3200)
Reads settings of System Certificates
- budha.exe (PID: 3200)
Checks Windows Trust Settings
- budha.exe (PID: 3200)
INFO
Drops the executable file immediately after the start
- WinRAR.exe (PID: 2644)
- explorer.exe (PID: 1388)
Reads the Internet Settings
- explorer.exe (PID: 1388)
Manual execution by a user
- cmd.exe (PID: 2424)
- notepad.exe (PID: 3784)
Checks supported languages
- 00c6bb56bd5037deb24159a6873a05b6.exe (PID: 2300)
- 10efa4395373062c24f47ab22520d4de.exe (PID: 3044)
- 069ab28b192fd0b755447ebbc6afb0d4.exe (PID: 1696)
- 07d447798672ed80abae7b2c2fc2af90.exe (PID: 644)
- 0ea0d741b1d8d8d8f7cc13e0bddd3c72.exe (PID: 3428)
- WwanSvc.exe (PID: 2728)
- 19f2b925c23f25e8b1ef3b632bc6d051.exe (PID: 3564)
- 1b3551d3d26b8ccdf47fa5f3907b9c2a.exe (PID: 3756)
- 1beed9f3366247d8c6386931141fe34a.exe (PID: 3384)
- 1c3a625a1a0c02ee834a598795a0d0ef.exe (PID: 3052)
- edurss.exe (PID: 3608)
- 1d3e2b2e4d0ab4c1acb0a687b64943e5.exe (PID: 3516)
- 205965129fc9e40e8c75ec62b28a32e7.exe (PID: 3652)
- 21c323f09a68551f40c6d5e6cb74412b.exe (PID: 3640)
- 2348c1e1359506c785b9a37489abad8c.exe (PID: 3812)
- 2fc4bd2e79e4ed0e657b9c0db52b54fb.exe (PID: 1496)
- 30bb32a0f3ab57854990cca5831dbb28.exe (PID: 3124)
- 37dc2b37075ac8b7d7b0d7a64ce93cb1.exe (PID: 284)
- 4167f1d1828a149544e695544b00be91.exe (PID: 2488)
- 41b3bac994107f1387e41ecfce5b2cf6.exe (PID: 1616)
- 435d1ad1b5517baf8ad78f89d441e76a.exe (PID: 1752)
- 32ce4b3733014440d770a8d3b81544d2.exe (PID: 3132)
- 344491bfb811ee82b644bc02e3287893.exe (PID: 3792)
- 43aea7db92460a8baf31acdcd1a3bb88.exe (PID: 2380)
- 469376f722271ca46c61cd3d8e6734e5.exe (PID: 2436)
- 47e131c1cd0e819ff5f5c7943797925b.exe (PID: 552)
- 4b279a7081ce7020ffda0c7f074695e9.exe (PID: 788)
- 4886a0d31ac52cc4431c7f8bbced0329.exe (PID: 2576)
- 4e61623c584b552ebf702c98ffa56e66.exe (PID: 2820)
- 4e6f1eb13cee8ce32332fe0b1b71a987.exe (PID: 2928)
- budha.exe (PID: 3200)
- 4fb70c00b8120ac4a10e5e6495c5be77.exe (PID: 600)
- Unicorn-37084.exe (PID: 3928)
- Unicorn-48075.exe (PID: 3824)
- Unicorn-25792.exe (PID: 3364)
- Unicorn-12724.exe (PID: 3844)
- Unicorn-37214.exe (PID: 2168)
- Unicorn-29713.exe (PID: 2120)
- Unicorn-5117.exe (PID: 2864)
- Unicorn-13046.exe (PID: 2788)
- Unicorn-12299.exe (PID: 3048)
- Unicorn-61500.exe (PID: 1088)
- Unicorn-10253.exe (PID: 3592)
- Unicorn-38677.exe (PID: 1832)
- Unicorn-45719.exe (PID: 1560)
- Unicorn-47.exe (PID: 3924)
- Unicorn-31926.exe (PID: 3084)
- Unicorn-32912.exe (PID: 2576)
- Unicorn-7229.exe (PID: 1072)
- Unicorn-1562.exe (PID: 3288)
- Unicorn-56238.exe (PID: 1600)
- Unicorn-25247.exe (PID: 3780)
- Unicorn-43986.exe (PID: 2416)
- Unicorn-54847.exe (PID: 2368)
- Unicorn-46871.exe (PID: 644)
- Unicorn-35910.exe (PID: 2508)
- Unicorn-17344.exe (PID: 3552)
- Unicorn-18011.exe (PID: 3668)
- Unicorn-15211.exe (PID: 3384)
- Unicorn-30940.exe (PID: 1928)
- Unicorn-55444.exe (PID: 968)
- Unicorn-8936.exe (PID: 3256)
- Unicorn-8957.exe (PID: 3524)
- Unicorn-63704.exe (PID: 528)
- Unicorn-26834.exe (PID: 3704)
- Unicorn-20058.exe (PID: 2984)
- Unicorn-20058.exe (PID: 3964)
- Unicorn-48236.exe (PID: 1856)
- Unicorn-2543.exe (PID: 3640)
- Unicorn-56404.exe (PID: 2744)
- Unicorn-52055.exe (PID: 3240)
- Unicorn-40622.exe (PID: 2384)
- Unicorn-27053.exe (PID: 2948)
- Unicorn-25486.exe (PID: 2504)
- Unicorn-29932.exe (PID: 3096)
- Unicorn-37830.exe (PID: 3492)
- Unicorn-25577.exe (PID: 3148)
- Unicorn-9149.exe (PID: 1900)
- Unicorn-43960.exe (PID: 2460)
- Unicorn-54074.exe (PID: 3156)
- Unicorn-3482.exe (PID: 1356)
- Unicorn-981.exe (PID: 3072)
- Unicorn-27432.exe (PID: 2004)
- Unicorn-41822.exe (PID: 2164)
- Unicorn-44515.exe (PID: 3720)
- Unicorn-21956.exe (PID: 272)
- Unicorn-26040.exe (PID: 3188)
- Unicorn-52704.exe (PID: 1808)
- Unicorn-19931.exe (PID: 952)
- Unicorn-32668.exe (PID: 2724)
- Unicorn-30621.exe (PID: 3196)
- Unicorn-1966.exe (PID: 1448)
- Unicorn-62242.exe (PID: 2400)
- Unicorn-40836.exe (PID: 3388)
- Unicorn-4442.exe (PID: 3940)
- Unicorn-44920.exe (PID: 2928)
- Unicorn-40644.exe (PID: 2648)
- Unicorn-8526.exe (PID: 4008)
- Unicorn-3622.exe (PID: 3012)
- Unicorn-44728.exe (PID: 1984)
- Unicorn-34614.exe (PID: 3296)
- Unicorn-10820.exe (PID: 2952)
- Unicorn-24656.exe (PID: 1364)
- Unicorn-32637.exe (PID: 2792)
- Unicorn-6949.exe (PID: 1672)
- Unicorn-62735.exe (PID: 3144)
- Unicorn-5195.exe (PID: 3412)
- Unicorn-61619.exe (PID: 2232)
- Unicorn-9817.exe (PID: 2688)
- Unicorn-40198.exe (PID: 3276)
- Unicorn-29129.exe (PID: 3460)
- Unicorn-3825.exe (PID: 3024)
- Unicorn-57110.exe (PID: 1816)
- Unicorn-64317.exe (PID: 916)
- Unicorn-30367.exe (PID: 2332)
- Unicorn-16846.exe (PID: 2880)
- Unicorn-509.exe (PID: 3744)
- Unicorn-5148.exe (PID: 3496)
- Unicorn-16056.exe (PID: 3536)
- Unicorn-57686.exe (PID: 3216)
- Unicorn-51464.exe (PID: 2316)
- Unicorn-317.exe (PID: 2544)
- Unicorn-32990.exe (PID: 4264)
- Unicorn-63716.exe (PID: 4280)
- Unicorn-12569.exe (PID: 3644)
- Unicorn-62325.exe (PID: 2108)
- Unicorn-52040.exe (PID: 4512)
- Unicorn-62901.exe (PID: 4464)
- Unicorn-43872.exe (PID: 4456)
- Unicorn-52040.exe (PID: 4520)
- Unicorn-47956.exe (PID: 4484)
- Unicorn-52040.exe (PID: 4496)
- Unicorn-628.exe (PID: 4560)
- Unicorn-893.exe (PID: 4568)
- Unicorn-30036.exe (PID: 4896)
- Unicorn-58625.exe (PID: 4904)
- Unicorn-12953.exe (PID: 4912)
- Unicorn-52040.exe (PID: 4504)
- Unicorn-23187.exe (PID: 4552)
- Unicorn-6923.exe (PID: 4596)
- Unicorn-43580.exe (PID: 4960)
- Unicorn-29844.exe (PID: 4968)
- Unicorn-38126.exe (PID: 5008)
- Unicorn-60571.exe (PID: 4976)
- Unicorn-3970.exe (PID: 5016)
- Unicorn-17705.exe (PID: 5024)
- Unicorn-22082.exe (PID: 5060)
- Unicorn-35247.exe (PID: 4936)
- Unicorn-15646.exe (PID: 4944)
- Unicorn-23159.exe (PID: 4984)
- Unicorn-54754.exe (PID: 5104)
- Unicorn-50670.exe (PID: 5096)
- Unicorn-30250.exe (PID: 5112)
- Unicorn-55309.exe (PID: 5128)
- Unicorn-28112.exe (PID: 5144)
- Unicorn-46586.exe (PID: 5088)
- Unicorn-49108.exe (PID: 5192)
- Unicorn-22557.exe (PID: 5200)
- Unicorn-12906.exe (PID: 5208)
- Unicorn-9921.exe (PID: 5332)
- Unicorn-42694.exe (PID: 5308)
- Unicorn-51657.exe (PID: 5316)
- Unicorn-7121.exe (PID: 5324)
- Unicorn-28112.exe (PID: 5152)
- Unicorn-54297.exe (PID: 5160)
- Unicorn-40918.exe (PID: 5168)
- Unicorn-40918.exe (PID: 5176)
- Unicorn-18692.exe (PID: 5536)
- Unicorn-16628.exe (PID: 5352)
- Unicorn-57660.exe (PID: 5360)
- Unicorn-19128.exe (PID: 5384)
- Unicorn-49776.exe (PID: 5436)
- Unicorn-56461.exe (PID: 5528)
- wmpnscfg.exe (PID: 5552)
- Unicorn-18526.exe (PID: 5620)
- Unicorn-65034.exe (PID: 5612)
- Unicorn-64934.exe (PID: 5632)
- IEMontior.exe (PID: 5716)
- Unicorn-9803.exe (PID: 5700)
- Unicorn-11090.exe (PID: 5724)
- Unicorn-14519.exe (PID: 5744)
- Unicorn-21012.exe (PID: 5780)
- Unicorn-14042.exe (PID: 5800)
- Unicorn-59797.exe (PID: 5640)
- Unicorn-34692.exe (PID: 5672)
- Unicorn-31459.exe (PID: 5868)
- Unicorn-24302.exe (PID: 5924)
- Unicorn-48231.exe (PID: 5812)
- Unicorn-59828.exe (PID: 5820)
- Unicorn-3114.exe (PID: 5828)
- Unicorn-17312.exe (PID: 5836)
- Unicorn-47252.exe (PID: 5860)
- Unicorn-43352.exe (PID: 6032)
- Unicorn-18656.exe (PID: 6040)
- Unicorn-13996.exe (PID: 5936)
- Unicorn-37946.exe (PID: 5952)
- Unicorn-23647.exe (PID: 5996)
- Unicorn-59689.exe (PID: 6008)
- Unicorn-53004.exe (PID: 6016)
- Unicorn-43352.exe (PID: 6024)
- Unicorn-19285.exe (PID: 6116)
- Unicorn-43160.exe (PID: 6108)
- Unicorn-8350.exe (PID: 6124)
- Unicorn-8350.exe (PID: 6132)
- Unicorn-26632.exe (PID: 6140)
- Unicorn-37567.exe (PID: 3404)
- Unicorn-30354.exe (PID: 6052)
- Unicorn-16518.exe (PID: 6060)
- Unicorn-24686.exe (PID: 6068)
- Unicorn-4266.exe (PID: 6092)
- Unicorn-18001.exe (PID: 6076)
- Unicorn-4266.exe (PID: 6100)
- Unicorn-4266.exe (PID: 6084)
- Unicorn-50674.exe (PID: 4932)
- Unicorn-45683.exe (PID: 5032)
- Unicorn-60888.exe (PID: 4952)
- Unicorn-12355.exe (PID: 2944)
- Unicorn-59418.exe (PID: 600)
- Unicorn-65448.exe (PID: 3588)
- Unicorn-9555.exe (PID: 4612)
- Unicorn-30473.exe (PID: 5084)
- Unicorn-24607.exe (PID: 4996)
- Unicorn-16082.exe (PID: 5228)
- Unicorn-42533.exe (PID: 5260)
- Unicorn-63581.exe (PID: 4632)
- Unicorn-15148.exe (PID: 5408)
- Unicorn-18678.exe (PID: 5564)
- Unicorn-12455.exe (PID: 5400)
- Unicorn-6980.exe (PID: 5552)
- Unicorn-52673.exe (PID: 5600)
- Unicorn-21946.exe (PID: 5604)
- Unicorn-15261.exe (PID: 5596)
- Unicorn-7722.exe (PID: 5272)
- Unicorn-5941.exe (PID: 5340)
- Unicorn-30546.exe (PID: 5240)
- Unicorn-23892.exe (PID: 4624)
- Unicorn-18491.exe (PID: 4528)
- Unicorn-39574.exe (PID: 4472)
- Unicorn-5418.exe (PID: 4604)
- Unicorn-4406.exe (PID: 4272)
- Unicorn-64078.exe (PID: 4620)
- Unicorn-62161.exe (PID: 5756)
- Unicorn-7940.exe (PID: 5664)
- Unicorn-31625.exe (PID: 5656)
- Unicorn-6424.exe (PID: 5764)
- Unicorn-37920.exe (PID: 5808)
- Unicorn-23892.exe (PID: 5608)
- Unicorn-39574.exe (PID: 4492)
- Unicorn-26244.exe (PID: 5908)
- Unicorn-7577.exe (PID: 5972)
- Unicorn-36258.exe (PID: 4176)
- Unicorn-63768.exe (PID: 5896)
- Unicorn-7888.exe (PID: 5984)
- Unicorn-10191.exe (PID: 5244)
- Unicorn-55308.exe (PID: 5396)
- Unicorn-17697.exe (PID: 5404)
- Unicorn-17068.exe (PID: 6156)
- Unicorn-77.exe (PID: 6164)
- Unicorn-53773.exe (PID: 6172)
- Unicorn-42558.exe (PID: 5044)
- Unicorn-42558.exe (PID: 5852)
- Unicorn-21536.exe (PID: 6200)
- Unicorn-30280.exe (PID: 6208)
- Unicorn-11151.exe (PID: 6240)
- Unicorn-23655.exe (PID: 6684)
- Unicorn-64079.exe (PID: 6608)
- Unicorn-23787.exe (PID: 6692)
- Unicorn-48703.exe (PID: 6700)
- Unicorn-1805.exe (PID: 6708)
- Unicorn-44784.exe (PID: 6716)
- Unicorn-10677.exe (PID: 6728)
- Unicorn-39846.exe (PID: 6752)
- Unicorn-30302.exe (PID: 6764)
- Unicorn-14911.exe (PID: 6180)
- Unicorn-19895.exe (PID: 6652)
- Unicorn-63514.exe (PID: 6776)
- Unicorn-57292.exe (PID: 6792)
- Unicorn-43213.exe (PID: 6828)
- Unicorn-49792.exe (PID: 6800)
- Unicorn-4675.exe (PID: 6808)
- Unicorn-25750.exe (PID: 6816)
- Unicorn-43478.exe (PID: 6836)
- Unicorn-42.exe (PID: 6860)
- Unicorn-51546.exe (PID: 6848)
- Unicorn-59714.exe (PID: 6876)
- Unicorn-59714.exe (PID: 6868)
- Unicorn-8567.exe (PID: 6884)
- Unicorn-25479.exe (PID: 6908)
- Unicorn-28272.exe (PID: 6900)
- Unicorn-56206.exe (PID: 6916)
- Unicorn-50084.exe (PID: 6992)
- Unicorn-45735.exe (PID: 6924)
- Unicorn-39870.exe (PID: 6940)
- Unicorn-39870.exe (PID: 6932)
- Unicorn-43954.exe (PID: 6964)
- Unicorn-24618.exe (PID: 6956)
- Unicorn-43954.exe (PID: 6980)
- Unicorn-27425.exe (PID: 7016)
- Unicorn-64474.exe (PID: 6892)
- Unicorn-39870.exe (PID: 6948)
- Unicorn-43954.exe (PID: 6972)
- Unicorn-27425.exe (PID: 7008)
- Unicorn-6648.exe (PID: 7032)
- Unicorn-61958.exe (PID: 7140)
- Unicorn-36248.exe (PID: 7056)
- Unicorn-33867.exe (PID: 7076)
- Unicorn-28001.exe (PID: 7068)
- Unicorn-12750.exe (PID: 7084)
- Unicorn-9362.exe (PID: 7092)
- Unicorn-31729.exe (PID: 7116)
- Unicorn-23063.exe (PID: 7108)
- Unicorn-33940.exe (PID: 7176)
- Unicorn-29093.exe (PID: 7192)
- Unicorn-505.exe (PID: 7200)
- Unicorn-33556.exe (PID: 7024)
- Unicorn-8090.exe (PID: 7000)
- Unicorn-39897.exe (PID: 7124)
- Unicorn-5159.exe (PID: 7232)
- Unicorn-18180.exe (PID: 7248)
- Unicorn-59575.exe (PID: 7264)
- Unicorn-32277.exe (PID: 7256)
- Unicorn-59575.exe (PID: 7272)
- Unicorn-17887.exe (PID: 7296)
- Unicorn-13803.exe (PID: 7280)
- Unicorn-17887.exe (PID: 7304)
- Unicorn-23753.exe (PID: 7288)
- Unicorn-9170.exe (PID: 7208)
- Unicorn-42662.exe (PID: 7220)
- Unicorn-7873.exe (PID: 7240)
- Unicorn-3212.exe (PID: 7336)
- Unicorn-59404.exe (PID: 7344)
- Unicorn-20244.exe (PID: 7360)
- Unicorn-44749.exe (PID: 7392)
- Unicorn-20510.exe (PID: 7368)
- Unicorn-55220.exe (PID: 7376)
- Unicorn-53658.exe (PID: 7400)
- Unicorn-36083.exe (PID: 7384)
- Unicorn-63872.exe (PID: 7432)
- Unicorn-24215.exe (PID: 7408)
- Unicorn-2080.exe (PID: 7416)
- Unicorn-24745.exe (PID: 7424)
- Unicorn-51328.exe (PID: 7324)
- Unicorn-16517.exe (PID: 7316)
- Unicorn-20244.exe (PID: 7352)
- Unicorn-60919.exe (PID: 7480)
- Unicorn-61634.exe (PID: 7456)
- Unicorn-61634.exe (PID: 7464)
- Unicorn-16928.exe (PID: 7488)
- Unicorn-47920.exe (PID: 7516)
- Unicorn-38798.exe (PID: 7528)
- Unicorn-39871.exe (PID: 7540)
- Unicorn-39871.exe (PID: 7548)
- Unicorn-4364.exe (PID: 7560)
- Unicorn-21448.exe (PID: 7440)
- Unicorn-24978.exe (PID: 7448)
- Unicorn-62865.exe (PID: 7496)
- Unicorn-50448.exe (PID: 7644)
- Unicorn-41074.exe (PID: 7604)
- Unicorn-27975.exe (PID: 7628)
- Unicorn-31393.exe (PID: 7652)
- Unicorn-44888.exe (PID: 7680)
- Unicorn-33120.exe (PID: 7700)
- Unicorn-29036.exe (PID: 7692)
- Unicorn-60364.exe (PID: 7572)
- Unicorn-41890.exe (PID: 7580)
- Unicorn-21588.exe (PID: 7636)
- Unicorn-13495.exe (PID: 7772)
- Unicorn-8542.exe (PID: 7764)
- Unicorn-447.exe (PID: 7788)
- Unicorn-447.exe (PID: 7780)
- Unicorn-33888.exe (PID: 7804)
- Unicorn-12705.exe (PID: 7820)
- Unicorn-37204.exe (PID: 7708)
- Unicorn-6569.exe (PID: 7724)
- Unicorn-30525.exe (PID: 7748)
- Unicorn-9607.exe (PID: 7756)
- Unicorn-57551.exe (PID: 7796)
- Unicorn-21370.exe (PID: 7812)
- Unicorn-8230.exe (PID: 7860)
- Unicorn-37780.exe (PID: 7876)
- Unicorn-63967.exe (PID: 7852)
- Unicorn-2969.exe (PID: 7868)
- Unicorn-18298.exe (PID: 7892)
- Unicorn-11692.exe (PID: 7884)
- Unicorn-8926.exe (PID: 7836)
- Unicorn-1023.exe (PID: 7828)
- Unicorn-23582.exe (PID: 7844)
- Unicorn-9383.exe (PID: 7916)
- Unicorn-30307.exe (PID: 7928)
- Unicorn-42824.exe (PID: 7936)
- Unicorn-22404.exe (PID: 7944)
- Unicorn-46643.exe (PID: 7956)
- Unicorn-53030.exe (PID: 7964)
- Unicorn-50971.exe (PID: 7900)
- Unicorn-5299.exe (PID: 7908)
- Unicorn-31563.exe (PID: 8008)
- Unicorn-40229.exe (PID: 8032)
- Unicorn-59243.exe (PID: 8096)
- Unicorn-32601.exe (PID: 8104)
- Unicorn-37696.exe (PID: 8040)
- Unicorn-285.exe (PID: 8064)
- Unicorn-59243.exe (PID: 8080)
- Unicorn-59243.exe (PID: 8088)
- Unicorn-50578.exe (PID: 8072)
- Unicorn-32601.exe (PID: 8112)
- Unicorn-39294.exe (PID: 7980)
- Unicorn-50230.exe (PID: 7972)
- Unicorn-13778.exe (PID: 7992)
- Unicorn-40229.exe (PID: 8016)
- Unicorn-40229.exe (PID: 8024)
- Unicorn-64147.exe (PID: 8188)
- Unicorn-44886.exe (PID: 8180)
- Unicorn-18375.exe (PID: 2412)
- Unicorn-38823.exe (PID: 8144)
- Unicorn-53021.exe (PID: 6192)
- Unicorn-53021.exe (PID: 6188)
- Unicorn-21797.exe (PID: 6152)
- Unicorn-16530.exe (PID: 8172)
- Unicorn-57681.exe (PID: 3080)
- Unicorn-49016.exe (PID: 2716)
- Unicorn-30688.exe (PID: 8120)
- Unicorn-19222.exe (PID: 8128)
- Unicorn-38823.exe (PID: 8136)
- Unicorn-38823.exe (PID: 8152)
Reads the computer name
- 069ab28b192fd0b755447ebbc6afb0d4.exe (PID: 1696)
- 19f2b925c23f25e8b1ef3b632bc6d051.exe (PID: 3564)
- WwanSvc.exe (PID: 2728)
- 1b3551d3d26b8ccdf47fa5f3907b9c2a.exe (PID: 3756)
- 1beed9f3366247d8c6386931141fe34a.exe (PID: 3384)
- edurss.exe (PID: 3608)
- 1d3e2b2e4d0ab4c1acb0a687b64943e5.exe (PID: 3516)
- 1c3a625a1a0c02ee834a598795a0d0ef.exe (PID: 3052)
- 30bb32a0f3ab57854990cca5831dbb28.exe (PID: 3124)
- 21c323f09a68551f40c6d5e6cb74412b.exe (PID: 3640)
- 344491bfb811ee82b644bc02e3287893.exe (PID: 3792)
- 41b3bac994107f1387e41ecfce5b2cf6.exe (PID: 1616)
- 43aea7db92460a8baf31acdcd1a3bb88.exe (PID: 2380)
- 37dc2b37075ac8b7d7b0d7a64ce93cb1.exe (PID: 284)
- 4167f1d1828a149544e695544b00be91.exe (PID: 2488)
- 4e6f1eb13cee8ce32332fe0b1b71a987.exe (PID: 2928)
- 435d1ad1b5517baf8ad78f89d441e76a.exe (PID: 1752)
- 0ea0d741b1d8d8d8f7cc13e0bddd3c72.exe (PID: 3428)
- 2348c1e1359506c785b9a37489abad8c.exe (PID: 3812)
- 2fc4bd2e79e4ed0e657b9c0db52b54fb.exe (PID: 1496)
- 469376f722271ca46c61cd3d8e6734e5.exe (PID: 2436)
- 32ce4b3733014440d770a8d3b81544d2.exe (PID: 3132)
- 10efa4395373062c24f47ab22520d4de.exe (PID: 3044)
- 4fb70c00b8120ac4a10e5e6495c5be77.exe (PID: 600)
- budha.exe (PID: 3200)
- 4e61623c584b552ebf702c98ffa56e66.exe (PID: 2820)
- Unicorn-2543.exe (PID: 3640)
- wmpnscfg.exe (PID: 5552)
- IEMontior.exe (PID: 5716)
Creates files in the program directory
- 0ea0d741b1d8d8d8f7cc13e0bddd3c72.exe (PID: 3428)
Reads the machine GUID from the registry
- 10efa4395373062c24f47ab22520d4de.exe (PID: 3044)
- 1b3551d3d26b8ccdf47fa5f3907b9c2a.exe (PID: 3756)
- 19f2b925c23f25e8b1ef3b632bc6d051.exe (PID: 3564)
- 1d3e2b2e4d0ab4c1acb0a687b64943e5.exe (PID: 3516)
- 41b3bac994107f1387e41ecfce5b2cf6.exe (PID: 1616)
- 435d1ad1b5517baf8ad78f89d441e76a.exe (PID: 1752)
- 4167f1d1828a149544e695544b00be91.exe (PID: 2488)
- 4fb70c00b8120ac4a10e5e6495c5be77.exe (PID: 600)
- 4e61623c584b552ebf702c98ffa56e66.exe (PID: 2820)
- budha.exe (PID: 3200)
- IEMontior.exe (PID: 5716)
Create files in a temporary directory
- 19f2b925c23f25e8b1ef3b632bc6d051.exe (PID: 3564)
- 1beed9f3366247d8c6386931141fe34a.exe (PID: 3384)
- 10efa4395373062c24f47ab22520d4de.exe (PID: 3044)
- 1d3e2b2e4d0ab4c1acb0a687b64943e5.exe (PID: 3516)
- 30bb32a0f3ab57854990cca5831dbb28.exe (PID: 3124)
- 41b3bac994107f1387e41ecfce5b2cf6.exe (PID: 1616)
- 435d1ad1b5517baf8ad78f89d441e76a.exe (PID: 1752)
- 4fb70c00b8120ac4a10e5e6495c5be77.exe (PID: 600)
- 4e6f1eb13cee8ce32332fe0b1b71a987.exe (PID: 2928)
- explorer.exe (PID: 1388)
- 32ce4b3733014440d770a8d3b81544d2.exe (PID: 3132)
Checks proxy server information
- 1b3551d3d26b8ccdf47fa5f3907b9c2a.exe (PID: 3756)
- 1d3e2b2e4d0ab4c1acb0a687b64943e5.exe (PID: 3516)
- 30bb32a0f3ab57854990cca5831dbb28.exe (PID: 3124)
- budha.exe (PID: 3200)
- 4e61623c584b552ebf702c98ffa56e66.exe (PID: 2820)
Reads Environment values
- 1beed9f3366247d8c6386931141fe34a.exe (PID: 3384)
- edurss.exe (PID: 3608)
- 1d3e2b2e4d0ab4c1acb0a687b64943e5.exe (PID: 3516)
- 4e61623c584b552ebf702c98ffa56e66.exe (PID: 2820)
Reads mouse settings
- 10efa4395373062c24f47ab22520d4de.exe (PID: 3044)
Reads Microsoft Office registry keys
- 10efa4395373062c24f47ab22520d4de.exe (PID: 3044)
Reads product name
- 1d3e2b2e4d0ab4c1acb0a687b64943e5.exe (PID: 3516)
- 4e61623c584b552ebf702c98ffa56e66.exe (PID: 2820)
Creates files or folders in the user directory
- 4167f1d1828a149544e695544b00be91.exe (PID: 2488)
- 4e61623c584b552ebf702c98ffa56e66.exe (PID: 2820)
- explorer.exe (PID: 1388)
- 32ce4b3733014440d770a8d3b81544d2.exe (PID: 3132)
- budha.exe (PID: 3200)
Reads CPU info
- 4e61623c584b552ebf702c98ffa56e66.exe (PID: 2820)
Reads security settings of Internet Explorer
- explorer.exe (PID: 1388)
Reads settings of System Certificates
- explorer.exe (PID: 1388)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .zip | | | ZIP compressed archive (100) |
|---|
EXIF
ZIP
| ZipRequiredVersion: | 20 |
|---|---|
| ZipBitFlag: | - |
| ZipCompression: | Deflated |
| ZipModifyDate: | 2023:11:30 11:27:44 |
| ZipCRC: | 0x8232f6c7 |
| ZipCompressedSize: | 162548 |
| ZipUncompressedSize: | 307712 |
| ZipFileName: | 57f263a93fdc43468494e7fcfb092886.exe |
Total processes
738
Monitored processes
641
Malicious processes
134
Suspicious processes
23
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 128 | nslookup ransomware.bit ns2.corp-servers.ru | C:\Windows\System32\nslookup.exe | 4e61623c584b552ebf702c98ffa56e66.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: nslookup Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 272 | C:\Users\admin\Desktop\Unicorn-21956.exe | C:\Users\admin\Desktop\Unicorn-21956.exe | — | Unicorn-61500.exe | |||||||||||
User: admin Company: aaaa Integrity Level: MEDIUM Exit code: 0 Version: 1.00 Modules
| |||||||||||||||
| 284 | "37dc2b37075ac8b7d7b0d7a64ce93cb1.exe" | C:\Users\admin\Desktop\37dc2b37075ac8b7d7b0d7a64ce93cb1.exe | — | cmd.exe | |||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
| |||||||||||||||
| 288 | taskeng.exe {713157D0-CA13-42EB-B692-3B7270C875D1} | C:\Windows\System32\taskeng.exe | svchost.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Task Scheduler Engine Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 528 | C:\Users\admin\Desktop\Unicorn-63704.exe | C:\Users\admin\Desktop\Unicorn-63704.exe | — | Unicorn-37214.exe | |||||||||||
User: admin Company: aaaa Integrity Level: MEDIUM Exit code: 0 Version: 1.00 Modules
| |||||||||||||||
| 552 | "47e131c1cd0e819ff5f5c7943797925b.exe" | C:\Users\admin\Desktop\47e131c1cd0e819ff5f5c7943797925b.exe | — | cmd.exe | |||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
| |||||||||||||||
| 600 | "4fb70c00b8120ac4a10e5e6495c5be77.exe" | C:\Users\admin\Desktop\4fb70c00b8120ac4a10e5e6495c5be77.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Integrity Level: MEDIUM Exit code: 0 Version: 1.00 Modules
| |||||||||||||||
| 600 | C:\Users\admin\Desktop\Unicorn-59418.exe | C:\Users\admin\Desktop\Unicorn-59418.exe | — | Unicorn-43986.exe | |||||||||||
User: admin Company: aaaa Integrity Level: MEDIUM Exit code: 0 Version: 1.00 Modules
| |||||||||||||||
| 644 | "07d447798672ed80abae7b2c2fc2af90.exe" | C:\Users\admin\Desktop\07d447798672ed80abae7b2c2fc2af90.exe | — | cmd.exe | |||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
| |||||||||||||||
| 644 | C:\Users\admin\Desktop\Unicorn-46871.exe | C:\Users\admin\Desktop\Unicorn-46871.exe | — | Unicorn-37214.exe | |||||||||||
User: admin Company: aaaa Integrity Level: MEDIUM Exit code: 0 Version: 1.00 Modules
| |||||||||||||||
Total events
44 070
Read events
43 326
Write events
741
Delete events
3
Modification events
| (PID) Process: | (2644) WinRAR.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\17F\52C64B7E |
| Operation: | write | Name: | LanguageList |
Value: en-US | |||
| (PID) Process: | (1388) explorer.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{C8E6F269-B90A-4053-A3BE-499AFCEC98C4}.check.0 |
| Operation: | write | Name: | CheckSetting |
Value: 01000000D08C9DDF0115D1118C7A00C04FC297EB01000000F6D6788197A75D498472ACE88906AC8D000000000200000000001066000000010000200000007F0C5AFCF1AE7F71286A81A9B86E67A7BE47980777E154AD953E683E2064784E000000000E8000000002000020000000C547D0854BEA52CCDED7859B79990A863903B335001ED826D40C3D8E323F237F30000000DF0FBC24E15CFF4FE438F74D8486DFB808CBF3EC9160BD0CF16731298F2800053F0DC9D2737FB85ABF81EDB882A089A94000000011BAC043EAAF96F8497DEE93A36C7829C97427DA018BC7750377DAC2CC3CE4D64139784732F789D57202D54D80C3AAC2B4B5EE990B65AEF23416199647916AD4 | |||
| (PID) Process: | (2644) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 2 |
Value: C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip | |||
| (PID) Process: | (2644) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 1 |
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip | |||
| (PID) Process: | (2644) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 0 |
Value: C:\Users\admin\Desktop\phacker.zip | |||
| (PID) Process: | (2644) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | name |
Value: 120 | |||
| (PID) Process: | (2644) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | size |
Value: 80 | |||
| (PID) Process: | (2644) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | type |
Value: 120 | |||
| (PID) Process: | (2644) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | mtime |
Value: 100 | |||
| (PID) Process: | (1388) explorer.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.zip\OpenWithList |
| Operation: | write | Name: | MRUList |
Value: a | |||
Executable files
903
Suspicious files
26
Text files
49
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 2644 | WinRAR.exe | C:\Users\admin\Desktop\57f263a93fdc43468494e7fcfb092886.exe | executable | |
MD5:57F263A93FDC43468494E7FCFB092886 | SHA256:32B320DF9DC1D0F2F1520E4854F56C1455466E586A2D5AB7EEF4F4D5999A08C0 | |||
| 2644 | WinRAR.exe | C:\Users\admin\Desktop\1d3e2b2e4d0ab4c1acb0a687b64943e5.exe | executable | |
MD5:1D3E2B2E4D0AB4C1ACB0A687B64943E5 | SHA256:2F582B021B5CCEBA1C7C25A7DC3B9C9300CD22BAAEAC56C78442AF35DDAD697A | |||
| 2644 | WinRAR.exe | C:\Users\admin\Desktop\58e68e72b0c38587654c4877413dd6d0.exe | executable | |
MD5:58E68E72B0C38587654C4877413DD6D0 | SHA256:AD35E8CC30B80076BFF93EFCD8DDC84A18A6CB9EFF913C6084C3F4C0D893B2BD | |||
| 1388 | explorer.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\1.zip.lnk | binary | |
MD5:852B43604F2ED8D043A9CE81185ECEA7 | SHA256:EA727A53435B3D685D9D61B6214706C2BE9267A12123F4EA0095C572E6E4424B | |||
| 2644 | WinRAR.exe | C:\Users\admin\Desktop\00c6bb56bd5037deb24159a6873a05b6.exe | executable | |
MD5:00C6BB56BD5037DEB24159A6873A05B6 | SHA256:8B91BFEBF5D2A438F788BA7A8F70A27757275324ECE1D3CB8022102987CC3B13 | |||
| 2644 | WinRAR.exe | C:\Users\admin\Desktop\962e989b5e7d18d9de1ed8c8434b8eff.exe | executable | |
MD5:962E989B5E7D18D9DE1ED8C8434B8EFF | SHA256:08E4086232A7C7EB871A13CC185C11A6E182A339319A073991A910002947C026 | |||
| 2644 | WinRAR.exe | C:\Users\admin\Desktop\344491bfb811ee82b644bc02e3287893.exe | executable | |
MD5:344491BFB811EE82B644BC02E3287893 | SHA256:5D600457B91E2C4720A8A755685068CE2DE615089E65BB14AAE37FBB56C0497F | |||
| 2644 | WinRAR.exe | C:\Users\admin\Desktop\71504509122a94767aa35d8fa5cd63bb.exe | executable | |
MD5:71504509122A94767AA35D8FA5CD63BB | SHA256:E61B47F38D6A42B621CDC0BAE06ABD7C6242D229A9C97044F767E272D991A967 | |||
| 2644 | WinRAR.exe | C:\Users\admin\Desktop\98f34c24392acb67fb35b0ef87ed140d.exe | executable | |
MD5:98F34C24392ACB67FB35B0EF87ED140D | SHA256:CB8401221BFD74667E139D821005E1B5EEDD2D10002D35123484A0783F4D2135 | |||
| 1388 | explorer.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\1b4dd67f29cb1962.automaticDestinations-ms | binary | |
MD5:20A7D6F841D004E15B463FB9C0A6DAE9 | SHA256:6E0958E5C427C7FC5FBD442897D730D0EEA2C1C9E52242F436D7E11780CB32C1 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
51
TCP/UDP connections
79
DNS requests
507
Threats
220
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
1388 | explorer.exe | GET | 200 | 95.211.117.215:80 | http://lysyfyj.com/login.php | unknown | html | 481 b | unknown |
1388 | explorer.exe | GET | 200 | 34.174.206.7:80 | http://lymyxid.com/login.php | unknown | — | — | unknown |
1388 | explorer.exe | GET | 301 | 188.114.96.3:80 | http://qegyhig.com/login.php | unknown | html | 162 b | unknown |
1388 | explorer.exe | GET | 302 | 162.255.119.102:80 | http://gahyqah.com/login.php | unknown | html | 55 b | unknown |
1388 | explorer.exe | GET | 404 | 208.100.26.245:80 | http://lyvyxor.com/login.php | unknown | html | 580 b | unknown |
1388 | explorer.exe | GET | — | 199.191.50.83:80 | http://galyqaz.com/login.php | unknown | — | — | unknown |
1388 | explorer.exe | GET | 302 | 172.234.25.151:80 | http://vojyqem.com/login.php | unknown | — | — | unknown |
1388 | explorer.exe | GET | 404 | 208.100.26.245:80 | http://lyvyxor.com/login.php | unknown | html | 580 b | unknown |
1388 | explorer.exe | GET | 200 | 34.174.61.199:80 | http://vocyzit.com/login.php | unknown | — | — | unknown |
1388 | explorer.exe | GET | 200 | 76.223.26.96:80 | http://ww12.vojyqem.com/login.php | unknown | — | — | unknown |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
868 | svchost.exe | 23.35.228.137:80 | armmf.adobe.com | AKAMAI-AS | DE | unknown |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
2728 | WwanSvc.exe | 158.69.115.115:443 | — | OVH SAS | CA | unknown |
3756 | 1b3551d3d26b8ccdf47fa5f3907b9c2a.exe | 103.39.109.67:21 | — | Cloudie Limited | HK | unknown |
— | — | 192.168.100.242:49216 | — | — | — | unknown |
1388 | explorer.exe | 92.123.104.64:80 | www.bing.com | Akamai International B.V. | DE | unknown |
3516 | 1d3e2b2e4d0ab4c1acb0a687b64943e5.exe | 3.130.204.160:80 | torntvz.com | AMAZON-02 | US | unknown |
3200 | budha.exe | 38.239.174.194:443 | ax100.net | DXTL Tseung Kwan O Service | US | unknown |
— | — | 192.168.100.242:49222 | — | — | — | unknown |
DNS requests
Domain | IP | Reputation |
|---|---|---|
armmf.adobe.com |
| whitelisted |
www.bing.com |
| whitelisted |
torntvz.com |
| shared |
ax100.net |
| unknown |
ipv4bot.whatismyipaddress.com |
| unknown |
ns1.corp-servers.ru |
| unknown |
2.100.168.192.in-addr.arpa |
| unknown |
zonealarm.bit |
| unknown |
ns2.corp-servers.ru |
| unknown |
ransomware.bit |
| unknown |
Threats
PID | Process | Class | Message |
|---|---|---|---|
2640 | nslookup.exe | A Network Trojan was detected | ET MALWARE Observed GandCrab Ransomware Domain (zonealarm .bit in DNS Lookup) |
2640 | nslookup.exe | Potentially Bad Traffic | ET INFO DNS Query Domain .bit |
2640 | nslookup.exe | Potentially Bad Traffic | ET INFO DNS Query Domain .bit |
2640 | nslookup.exe | Potentially Bad Traffic | ET INFO DNS Query Domain .bit |
2640 | nslookup.exe | Potentially Bad Traffic | ET INFO DNS Query Domain .bit |
2888 | nslookup.exe | A Network Trojan was detected | ET MALWARE Observed GandCrab Ransomware Domain (ransomware .bit in DNS Lookup) |
2888 | nslookup.exe | Potentially Bad Traffic | ET INFO DNS Query Domain .bit |
2888 | nslookup.exe | Potentially Bad Traffic | ET INFO DNS Query Domain .bit |
2888 | nslookup.exe | Potentially Bad Traffic | ET INFO DNS Query Domain .bit |
2888 | nslookup.exe | Potentially Bad Traffic | ET INFO DNS Query Domain .bit |
50 ETPRO signatures available at the full report