dcrat | b08298bb968f9ef0bb09aa6cee9b608b9a4882b72301de0aa82fc45dd8d6a10c

Resubmissions

18-05-2024 10:42

240518-mrwaasfe7z 10

18-05-2024 10:31

240518-mkq21afb36 10

Analysis

max time kernel
383s
max time network
385s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
18-05-2024 10:31

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

navalny pass - 2000.exe
Size

6.1MB
MD5

558ff65486960f523a1eb17ed0f87bf8
SHA1

bc6acc37eb0472a0bb23967f62cc4469ca1deb13
SHA256

b08298bb968f9ef0bb09aa6cee9b608b9a4882b72301de0aa82fc45dd8d6a10c
SHA512

19f066bd6adf650d7dbfb6412f7506139520eaeb8989852dd9f074622f13fc2c50a826eb35df38197ebd5cfaf34c1a1087e7cd9d8b60f50b10191c631f3121fc
SSDEEP

98304:8SiU7uSQsmMB5dklNKoJKMCi4HCwk22SbLOlwv+hLnlfnxVA+9DMj5995sB3:8JVSQsZBHklN3JzCi45KJhLlfXnMP63

Score

10^/10

dcrat neshta evasion infostealer persistence rat spyware stealer upx

Malware Config

Signatures

DcRat 64 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeNVIDIA Container.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
1892	schtasks.exe
2840	schtasks.exe
4972	schtasks.exe
2080	schtasks.exe
File created	C:\Program Files (x86)\Microsoft\9e8d7a4ca61bd9	NVIDIA Container.exe
3264	schtasks.exe
2568	schtasks.exe
3688	schtasks.exe
4596	schtasks.exe
3040	schtasks.exe
1560	schtasks.exe
3700	schtasks.exe
5084	schtasks.exe
4628	schtasks.exe
3324	schtasks.exe
2212	schtasks.exe
File created	C:\Program Files (x86)\Windows Media Player\Visualizations\e1ef82546f0b02	NVIDIA Container.exe
3424	schtasks.exe
2740	schtasks.exe
3608	schtasks.exe
3868	schtasks.exe
164	schtasks.exe
1932	schtasks.exe
4968	schtasks.exe
3508	schtasks.exe
4664	schtasks.exe
File created	C:\Windows\INF\MSDTC Bridge 3.0.0.0\0000\ebf1f9fa8afd6d	NVIDIA Container.exe
4668	schtasks.exe
3652	schtasks.exe
4840	schtasks.exe
5028	schtasks.exe
3020	schtasks.exe
4068	schtasks.exe
1280	schtasks.exe
4056	schtasks.exe
2596	schtasks.exe
2652	schtasks.exe
1288	schtasks.exe
4840	schtasks.exe
2856	schtasks.exe
4280	schtasks.exe
2248	schtasks.exe
688	schtasks.exe
1604	schtasks.exe
800	schtasks.exe
3420	schtasks.exe
3892	schtasks.exe
3928	schtasks.exe
1860	schtasks.exe
3920	schtasks.exe
2516	schtasks.exe
3148	schtasks.exe
3036	schtasks.exe
File created	C:\Windows\uk-UA\0a1fd5f707cd16	NVIDIA Container.exe
2704	schtasks.exe
4812	schtasks.exe
3984	schtasks.exe
4068	schtasks.exe
692	schtasks.exe
3860	schtasks.exe
2492	schtasks.exe
4512	schtasks.exe
4080	schtasks.exe
5008	schtasks.exe

Detect Neshta payload 40 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\navalny pass - 2000.exe	family_neshta
C:\NVIDIA\DISPLA~1\535.21\sppsvc.exe	family_neshta
C:\Windows\svchost.com	family_neshta
behavioral1/memory/4916-199-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE	family_neshta
C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE	family_neshta
C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE	family_neshta
C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE	family_neshta
C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE	family_neshta
C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe	family_neshta
C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE	family_neshta
C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe	family_neshta
C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE	family_neshta
C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE	family_neshta
C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE	family_neshta
C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe	family_neshta
C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaw.exe	family_neshta
C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe	family_neshta
C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	family_neshta
C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe	family_neshta
C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe	family_neshta
C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE	family_neshta
C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe	family_neshta
C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE	family_neshta
C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe	family_neshta
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE	family_neshta
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe	family_neshta
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE	family_neshta
C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe	family_neshta
C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe	family_neshta
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE	family_neshta
behavioral1/memory/1420-316-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/1700-318-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2096-319-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/1700-324-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2096-325-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/1700-329-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2096-330-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/1700-333-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2096-332-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta

Process spawned unexpected child process 64 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1604	2436	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	100	2436	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3500	2436	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4512	2436	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4540	2436	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1668	2436	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4080	2436	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3040	2436	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4568	2436	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3340	2436	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2660	2436	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4668	2436	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2032	2436	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3688	2436	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2596	2436	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3324	2436	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4632	2436	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4596	2436	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2284	2436	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1684	2436	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4460	2436	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2856	2436	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	692	2436	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4972	2436	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1892	2436	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3652	2436	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1560	2436	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	828	2436	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1972	2436	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4260	2436	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3128	2436	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1716	2436	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4968	2436	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4628	2436	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2956	2436	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2960	2436	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4544	2436	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	800	2436	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3916	2436	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3424	2436	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2028	2436	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4936	2436	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1696	2436	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3920	2436	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4600	2436	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	688	2436	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5008	2436	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4068	2436	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4984	2436	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3984	2436	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3284	2436	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4344	2436	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2012	2436	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	232	2436	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4240	2436	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4840	2436	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1560	2436	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1720	2436	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3012	2436	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4276	2436	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4532	2436	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3288	2436	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3424	2436	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3264	2436	schtasks.exe

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\NVIDIA Container.exe	dcrat
C:\NVIDIA\DisplayDriver\535.21\NVIDIA Container.exe	dcrat
behavioral1/memory/1856-26-0x0000000000500000-0x000000000066A000-memory.dmp	dcrat
C:\NVIDIA\DISPLA~1\535.21\sppsvc.exe	dcrat

Disables Task Manager via registry modification
evasion

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\squall.dll	acprotect

Checks computer location settings 2 TTPs 13 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

NVIDIA Container.exeWScript.exenavalny pass - 2000.exeNVIDIA Container.exeNVIDIA~1.EXEsppsvc.exenavalny pass - 2000.exeNVIDIA Container.exenavalny pass - 2000.exesppsvc.exeNVIDIA Container.exenavalny pass - 2000.exeWScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	NVIDIA Container.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	navalny pass - 2000.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	NVIDIA Container.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	NVIDIA~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	sppsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	navalny pass - 2000.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	NVIDIA Container.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	navalny pass - 2000.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	sppsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	NVIDIA Container.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	navalny pass - 2000.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 17 IoCs

Processes:

NVIDIA Container.exeNVIDIA Container.exewinlogon.exeNVIDIA Container.exenavalny pass - 2000.exenavalny pass - 2000.exeNVIDIA Container.exesvchost.comWINLOC~1.EXEsvchost.comNVIDIA~1.EXEdllhost.exedwm.exesppsvc.exesvchost.comsppsvc.exefontdrvhost.exe

pid	process
4728	NVIDIA Container.exe
1856	NVIDIA Container.exe
1600	winlogon.exe
1568	NVIDIA Container.exe
1700	navalny pass - 2000.exe
3888	navalny pass - 2000.exe
2096	NVIDIA Container.exe
1420	svchost.com
1548	WINLOC~1.EXE
4916	svchost.com
2788	NVIDIA~1.EXE
3884	dllhost.exe
4364	dwm.exe
2424	sppsvc.exe
548	svchost.com
4404	sppsvc.exe
2556	fontdrvhost.exe

Loads dropped DLL 5 IoCs

Processes:

WINLOC~1.EXE

pid process

1548 WINLOC~1.EXE
1548 WINLOC~1.EXE
1548 WINLOC~1.EXE
1548 WINLOC~1.EXE
1548 WINLOC~1.EXE

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

Processes:

navalny pass - 2000.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	navalny pass - 2000.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\winlocker.exe	upx
behavioral1/memory/1548-138-0x0000000000400000-0x0000000000AAB000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\squall.dll	upx
behavioral1/memory/1548-184-0x00000000044D0000-0x0000000004552000-memory.dmp	upx
behavioral1/memory/1548-183-0x00000000044D0000-0x0000000004552000-memory.dmp	upx
behavioral1/memory/1548-322-0x00000000044D0000-0x0000000004552000-memory.dmp	upx
behavioral1/memory/1548-320-0x0000000000400000-0x0000000000AAB000-memory.dmp	upx
behavioral1/memory/1548-334-0x0000000000400000-0x0000000000AAB000-memory.dmp	upx
behavioral1/memory/1548-487-0x0000000000400000-0x0000000000AAB000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

Processes:

NVIDIA Container.exeNVIDIA Container.exenavalny pass - 2000.exesppsvc.exeNVIDIA~1.EXE

description	ioc	process
File created	C:\Program Files (x86)\Windows Multimedia Platform\55b276f4edf653	NVIDIA Container.exe
File created	C:\Program Files\7-Zip\Lang\dwm.exe	NVIDIA Container.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	NVIDIA Container.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\setup_wm.exe	NVIDIA Container.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE	navalny pass - 2000.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE	NVIDIA Container.exe
File opened for modification	C:\PROGRA~2\WI7A8C~1\STARTM~1.EXE	NVIDIA Container.exe
File created	C:\Program Files (x86)\Windows Portable Devices\sihost.exe	sppsvc.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\en-US\fontdrvhost.exe	sppsvc.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE	NVIDIA Container.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~2.EXE	NVIDIA Container.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpshare.exe	navalny pass - 2000.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE	navalny pass - 2000.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaw.exe	NVIDIA Container.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~1.EXE	navalny pass - 2000.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MID1AD~1.EXE	navalny pass - 2000.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe	NVIDIA Container.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	NVIDIA Container.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmplayer.exe	NVIDIA Container.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	NVIDIA Container.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	navalny pass - 2000.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dllhost.exe	NVIDIA~1.EXE
File created	C:\Program Files (x86)\Microsoft\RuntimeBroker.exe	NVIDIA Container.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe	navalny pass - 2000.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe	NVIDIA Container.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmlaunch.exe	NVIDIA Container.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmprph.exe	navalny pass - 2000.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	NVIDIA Container.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\27d1bcfc3c54e0	sppsvc.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	NVIDIA Container.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE	NVIDIA Container.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	navalny pass - 2000.exe
File opened for modification	C:\PROGRA~2\WI8A19~1\ImagingDevices.exe	NVIDIA Container.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	NVIDIA Container.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\ea9f0e6c9e2dcd	NVIDIA~1.EXE
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\sihost.exe	sppsvc.exe
File created	C:\Program Files\Uninstall Information\sihost.exe	sppsvc.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE	navalny pass - 2000.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE	NVIDIA Container.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE	NVIDIA Container.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	navalny pass - 2000.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wab.exe	navalny pass - 2000.exe
File created	C:\Program Files\Microsoft Office 15\ClientX64\886983d96e3d3e	sppsvc.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE	navalny pass - 2000.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE	navalny pass - 2000.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE	NVIDIA Container.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	navalny pass - 2000.exe
File created	C:\Program Files\Windows Photo Viewer\it-IT\35158c38368e73	NVIDIA~1.EXE
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe	navalny pass - 2000.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wab.exe	NVIDIA Container.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpconfig.exe	NVIDIA Container.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	NVIDIA Container.exe
File created	C:\Program Files (x86)\Windows Portable Devices\66fc9ff0ee96c2	sppsvc.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE	NVIDIA Container.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE	NVIDIA Container.exe
File opened for modification	C:\PROGRA~2\WindowsPowerShell\Configuration\Registration\smss.exe	navalny pass - 2000.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\en-US\5b884080fd4f94	sppsvc.exe
File created	C:\Program Files\7-Zip\Lang\6cb0b6c459d5d3	NVIDIA Container.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE	NVIDIA Container.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	navalny pass - 2000.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	navalny pass - 2000.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmprph.exe	NVIDIA Container.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmlaunch.exe	navalny pass - 2000.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\System.exe	sppsvc.exe

Drops file in Windows directory 29 IoCs

Processes:

NVIDIA Container.exesvchost.comNVIDIA Container.exesppsvc.exesvchost.comsppsvc.exesvchost.comNVIDIA~1.EXEnavalny pass - 2000.exe

description	ioc	process
File opened for modification	C:\Windows\Offline Web Pages\winlogon.exe	NVIDIA Container.exe
File created	C:\Windows\Offline Web Pages\cc11b995f2a76d	NVIDIA Container.exe
File created	C:\Windows\uk-UA\0a1fd5f707cd16	NVIDIA Container.exe
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	NVIDIA Container.exe
File created	C:\Windows\PrintDialog\pris\sppsvc.exe	sppsvc.exe
File created	C:\Windows\BitLockerDiscoveryVolumeContents\sppsvc.exe	sppsvc.exe
File created	C:\Windows\INF\MSDTC Bridge 3.0.0.0\0000\cmd.exe	NVIDIA Container.exe
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	sppsvc.exe
File opened for modification	C:\Windows\svchost.com	sppsvc.exe
File opened for modification	C:\Windows\directx.sys	svchost.com
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Core\eb603fa6eb1f1fdefda6ce5d5c1c889a\spoolsv.exe	NVIDIA~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File created	C:\Windows\PrintDialog\pris\0a1fd5f707cd16	sppsvc.exe
File created	C:\Windows\BitLockerDiscoveryVolumeContents\0a1fd5f707cd16	sppsvc.exe
File created	C:\Windows\servicing\SQM\unsecapp.exe	NVIDIA Container.exe
File created	C:\Windows\Offline Web Pages\winlogon.exe	NVIDIA Container.exe
File created	C:\Windows\uk-UA\sppsvc.exe	NVIDIA Container.exe
File created	C:\Windows\addins\5b884080fd4f94	NVIDIA Container.exe
File opened for modification	C:\Windows\svchost.com	svchost.com
File created	C:\Windows\it-IT\fontdrvhost.exe	sppsvc.exe
File created	C:\Windows\addins\fontdrvhost.exe	NVIDIA Container.exe
File opened for modification	C:\Windows\svchost.com	NVIDIA Container.exe
File created	C:\Windows\INF\MSDTC Bridge 3.0.0.0\0000\ebf1f9fa8afd6d	NVIDIA Container.exe
File opened for modification	C:\Windows\svchost.com	navalny pass - 2000.exe
File opened for modification	C:\Windows\svchost.com	svchost.com
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Core\eb603fa6eb1f1fdefda6ce5d5c1c889a\f3b6ecef712a24	NVIDIA~1.EXE
File created	C:\Windows\it-IT\5b884080fd4f94	sppsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 64 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

pid	process
3288	schtasks.exe
1280	schtasks.exe
4068	schtasks.exe
4628	schtasks.exe
3920	schtasks.exe
116	schtasks.exe
2480	schtasks.exe
1560	schtasks.exe
3700	schtasks.exe
688	schtasks.exe
3284	schtasks.exe
1720	schtasks.exe
2028	schtasks.exe
3688	schtasks.exe
3128	schtasks.exe
3424	schtasks.exe
2568	schtasks.exe
4968	schtasks.exe
4344	schtasks.exe
3860	schtasks.exe
4276	schtasks.exe
4592	schtasks.exe
5028	schtasks.exe
2772	schtasks.exe
4056	schtasks.exe
1860	schtasks.exe
100	schtasks.exe
828	schtasks.exe
4280	schtasks.exe
2652	schtasks.exe
3672	schtasks.exe
4512	schtasks.exe
232	schtasks.exe
2704	schtasks.exe
1976	schtasks.exe
2840	schtasks.exe
4600	schtasks.exe
3264	schtasks.exe
3016	schtasks.exe
4068	schtasks.exe
876	schtasks.exe
3020	schtasks.exe
3420	schtasks.exe
2516	schtasks.exe
5084	schtasks.exe
3412	schtasks.exe
1972	schtasks.exe
2960	schtasks.exe
2956	schtasks.exe
3424	schtasks.exe
2080	schtasks.exe
4972	schtasks.exe
3652	schtasks.exe
2032	schtasks.exe
4384	schtasks.exe
2020	schtasks.exe
1604	schtasks.exe
4568	schtasks.exe
4600	schtasks.exe
3984	schtasks.exe
1376	schtasks.exe
3340	schtasks.exe
1696	schtasks.exe
4936	schtasks.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

1732 taskkill.exe

pid	process
1732	taskkill.exe

Modifies data under HKEY_USERS 15 IoCs

Processes:

LogonUI.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "237"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe

Modifies registry class 9 IoCs

Processes:

NVIDIA Container.exenavalny pass - 2000.exenavalny pass - 2000.exeNVIDIA Container.exeNVIDIA~1.EXENVIDIA Container.exeNVIDIA Container.exesppsvc.exesppsvc.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings	NVIDIA Container.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	navalny pass - 2000.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings	navalny pass - 2000.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings	NVIDIA Container.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings	NVIDIA~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings	NVIDIA Container.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings	NVIDIA Container.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings	sppsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings	sppsvc.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

Processes:

NVIDIA Container.exewinlogon.exeNVIDIA~1.EXEdllhost.exedwm.exesppsvc.exefontdrvhost.exe

pid	process
1856	NVIDIA Container.exe
1856	NVIDIA Container.exe
1856	NVIDIA Container.exe
1856	NVIDIA Container.exe
1856	NVIDIA Container.exe
1856	NVIDIA Container.exe
1856	NVIDIA Container.exe
1856	NVIDIA Container.exe
1856	NVIDIA Container.exe
1856	NVIDIA Container.exe
1856	NVIDIA Container.exe
1600	winlogon.exe
2788	NVIDIA~1.EXE
2788	NVIDIA~1.EXE
2788	NVIDIA~1.EXE
2788	NVIDIA~1.EXE
2788	NVIDIA~1.EXE
2788	NVIDIA~1.EXE
2788	NVIDIA~1.EXE
2788	NVIDIA~1.EXE
2788	NVIDIA~1.EXE
2788	NVIDIA~1.EXE
2788	NVIDIA~1.EXE
3884	dllhost.exe
4364	dwm.exe
4404	sppsvc.exe
4404	sppsvc.exe
4404	sppsvc.exe
4404	sppsvc.exe
4404	sppsvc.exe
4404	sppsvc.exe
4404	sppsvc.exe
4404	sppsvc.exe
4404	sppsvc.exe
4404	sppsvc.exe
4404	sppsvc.exe
4404	sppsvc.exe
4404	sppsvc.exe
2556	fontdrvhost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

WINLOC~1.EXE

pid process

1548 WINLOC~1.EXE

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

NVIDIA Container.exewinlogon.exeNVIDIA~1.EXEAUDIODG.EXEtaskkill.exedllhost.exedwm.exesppsvc.exefontdrvhost.exeWINLOC~1.EXE

description	pid	process
Token: SeDebugPrivilege	1856	NVIDIA Container.exe
Token: SeDebugPrivilege	1600	winlogon.exe
Token: SeDebugPrivilege	2788	NVIDIA~1.EXE
Token: 33	4912	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4912	AUDIODG.EXE
Token: SeDebugPrivilege	1732	taskkill.exe
Token: SeDebugPrivilege	3884	dllhost.exe
Token: SeDebugPrivilege	4364	dwm.exe
Token: SeDebugPrivilege	4404	sppsvc.exe
Token: SeDebugPrivilege	2556	fontdrvhost.exe
Token: SeShutdownPrivilege	1548	WINLOC~1.EXE

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

WINLOC~1.EXE

pid	process
1548	WINLOC~1.EXE
1548	WINLOC~1.EXE
1548	WINLOC~1.EXE
1548	WINLOC~1.EXE
1548	WINLOC~1.EXE
1548	WINLOC~1.EXE
1548	WINLOC~1.EXE
1548	WINLOC~1.EXE
1548	WINLOC~1.EXE
1548	WINLOC~1.EXE
1548	WINLOC~1.EXE
1548	WINLOC~1.EXE
1548	WINLOC~1.EXE
1548	WINLOC~1.EXE
1548	WINLOC~1.EXE
1548	WINLOC~1.EXE
1548	WINLOC~1.EXE
1548	WINLOC~1.EXE
1548	WINLOC~1.EXE
1548	WINLOC~1.EXE
1548	WINLOC~1.EXE
1548	WINLOC~1.EXE
1548	WINLOC~1.EXE
1548	WINLOC~1.EXE
1548	WINLOC~1.EXE
1548	WINLOC~1.EXE
1548	WINLOC~1.EXE
1548	WINLOC~1.EXE
1548	WINLOC~1.EXE
1548	WINLOC~1.EXE
1548	WINLOC~1.EXE
1548	WINLOC~1.EXE
1548	WINLOC~1.EXE
1548	WINLOC~1.EXE
1548	WINLOC~1.EXE
1548	WINLOC~1.EXE
1548	WINLOC~1.EXE
1548	WINLOC~1.EXE
1548	WINLOC~1.EXE
1548	WINLOC~1.EXE
1548	WINLOC~1.EXE
1548	WINLOC~1.EXE
1548	WINLOC~1.EXE
1548	WINLOC~1.EXE
1548	WINLOC~1.EXE
1548	WINLOC~1.EXE
1548	WINLOC~1.EXE
1548	WINLOC~1.EXE
1548	WINLOC~1.EXE
1548	WINLOC~1.EXE
1548	WINLOC~1.EXE
1548	WINLOC~1.EXE
1548	WINLOC~1.EXE
1548	WINLOC~1.EXE
1548	WINLOC~1.EXE
1548	WINLOC~1.EXE
1548	WINLOC~1.EXE
1548	WINLOC~1.EXE
1548	WINLOC~1.EXE
1548	WINLOC~1.EXE
1548	WINLOC~1.EXE
1548	WINLOC~1.EXE
1548	WINLOC~1.EXE
1548	WINLOC~1.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

LogonUI.exe

pid process

2356 LogonUI.exe

pid	process
2356	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

navalny pass - 2000.exeNVIDIA Container.exeWScript.execmd.exeNVIDIA Container.execmd.exenavalny pass - 2000.exeNVIDIA Container.exenavalny pass - 2000.exeWScript.execmd.exenavalny pass - 2000.exesvchost.comNVIDIA Container.exesvchost.comWINLOC~1.EXEcmd.exeNVIDIA~1.EXEcmd.exesppsvc.exesvchost.comsppsvc.exe

description	pid	process	target process
PID 4220 wrote to memory of 4728	4220	navalny pass - 2000.exe	NVIDIA Container.exe
PID 4220 wrote to memory of 4728	4220	navalny pass - 2000.exe	NVIDIA Container.exe
PID 4220 wrote to memory of 4728	4220	navalny pass - 2000.exe	NVIDIA Container.exe
PID 4728 wrote to memory of 1184	4728	NVIDIA Container.exe	WScript.exe
PID 4728 wrote to memory of 1184	4728	NVIDIA Container.exe	WScript.exe
PID 4728 wrote to memory of 1184	4728	NVIDIA Container.exe	WScript.exe
PID 1184 wrote to memory of 2232	1184	WScript.exe	cmd.exe
PID 1184 wrote to memory of 2232	1184	WScript.exe	cmd.exe
PID 1184 wrote to memory of 2232	1184	WScript.exe	cmd.exe
PID 2232 wrote to memory of 1856	2232	cmd.exe	NVIDIA Container.exe
PID 2232 wrote to memory of 1856	2232	cmd.exe	NVIDIA Container.exe
PID 1856 wrote to memory of 2488	1856	NVIDIA Container.exe	cmd.exe
PID 1856 wrote to memory of 2488	1856	NVIDIA Container.exe	cmd.exe
PID 2488 wrote to memory of 2408	2488	cmd.exe	w32tm.exe
PID 2488 wrote to memory of 2408	2488	cmd.exe	w32tm.exe
PID 2488 wrote to memory of 1600	2488	cmd.exe	winlogon.exe
PID 2488 wrote to memory of 1600	2488	cmd.exe	winlogon.exe
PID 3012 wrote to memory of 1568	3012	navalny pass - 2000.exe	NVIDIA Container.exe
PID 3012 wrote to memory of 1568	3012	navalny pass - 2000.exe	NVIDIA Container.exe
PID 3012 wrote to memory of 1568	3012	navalny pass - 2000.exe	NVIDIA Container.exe
PID 1568 wrote to memory of 4628	1568	NVIDIA Container.exe	WScript.exe
PID 1568 wrote to memory of 4628	1568	NVIDIA Container.exe	WScript.exe
PID 1568 wrote to memory of 4628	1568	NVIDIA Container.exe	WScript.exe
PID 3012 wrote to memory of 1700	3012	navalny pass - 2000.exe	navalny pass - 2000.exe
PID 3012 wrote to memory of 1700	3012	navalny pass - 2000.exe	navalny pass - 2000.exe
PID 3012 wrote to memory of 1700	3012	navalny pass - 2000.exe	navalny pass - 2000.exe
PID 1700 wrote to memory of 3888	1700	navalny pass - 2000.exe	navalny pass - 2000.exe
PID 1700 wrote to memory of 3888	1700	navalny pass - 2000.exe	navalny pass - 2000.exe
PID 1700 wrote to memory of 3888	1700	navalny pass - 2000.exe	navalny pass - 2000.exe
PID 4628 wrote to memory of 2968	4628	WScript.exe	cmd.exe
PID 4628 wrote to memory of 2968	4628	WScript.exe	cmd.exe
PID 4628 wrote to memory of 2968	4628	WScript.exe	cmd.exe
PID 2968 wrote to memory of 2096	2968	cmd.exe	NVIDIA Container.exe
PID 2968 wrote to memory of 2096	2968	cmd.exe	NVIDIA Container.exe
PID 2968 wrote to memory of 2096	2968	cmd.exe	NVIDIA Container.exe
PID 3888 wrote to memory of 1420	3888	navalny pass - 2000.exe	svchost.com
PID 3888 wrote to memory of 1420	3888	navalny pass - 2000.exe	svchost.com
PID 3888 wrote to memory of 1420	3888	navalny pass - 2000.exe	svchost.com
PID 1420 wrote to memory of 1548	1420	svchost.com	WINLOC~1.EXE
PID 1420 wrote to memory of 1548	1420	svchost.com	WINLOC~1.EXE
PID 1420 wrote to memory of 1548	1420	svchost.com	WINLOC~1.EXE
PID 2096 wrote to memory of 4916	2096	NVIDIA Container.exe	svchost.com
PID 2096 wrote to memory of 4916	2096	NVIDIA Container.exe	svchost.com
PID 2096 wrote to memory of 4916	2096	NVIDIA Container.exe	svchost.com
PID 4916 wrote to memory of 2788	4916	svchost.com	NVIDIA~1.EXE
PID 4916 wrote to memory of 2788	4916	svchost.com	NVIDIA~1.EXE
PID 1548 wrote to memory of 2192	1548	WINLOC~1.EXE	cmd.exe
PID 1548 wrote to memory of 2192	1548	WINLOC~1.EXE	cmd.exe
PID 1548 wrote to memory of 2192	1548	WINLOC~1.EXE	cmd.exe
PID 2192 wrote to memory of 1732	2192	cmd.exe	taskkill.exe
PID 2192 wrote to memory of 1732	2192	cmd.exe	taskkill.exe
PID 2192 wrote to memory of 1732	2192	cmd.exe	taskkill.exe
PID 2788 wrote to memory of 4384	2788	NVIDIA~1.EXE	cmd.exe
PID 2788 wrote to memory of 4384	2788	NVIDIA~1.EXE	cmd.exe
PID 4384 wrote to memory of 3544	4384	cmd.exe	w32tm.exe
PID 4384 wrote to memory of 3544	4384	cmd.exe	w32tm.exe
PID 4384 wrote to memory of 3884	4384	cmd.exe	dllhost.exe
PID 4384 wrote to memory of 3884	4384	cmd.exe	dllhost.exe
PID 2424 wrote to memory of 548	2424	sppsvc.exe	svchost.com
PID 2424 wrote to memory of 548	2424	sppsvc.exe	svchost.com
PID 2424 wrote to memory of 548	2424	sppsvc.exe	svchost.com
PID 548 wrote to memory of 4404	548	svchost.com	sppsvc.exe
PID 548 wrote to memory of 4404	548	svchost.com	sppsvc.exe
PID 4404 wrote to memory of 2436	4404	sppsvc.exe	cmd.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\navalny pass - 2000.exe
"C:\Users\Admin\AppData\Local\Temp\navalny pass - 2000.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4220

C:\Users\Admin\AppData\Local\Temp\NVIDIA Container.exe
"C:\Users\Admin\AppData\Local\Temp\NVIDIA Container.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4728

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\NVIDIA\DisplayDriver\535.21\zajaYJ4rqwpmDK2a6yrvwdV.vbe"
3⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1184

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\NVIDIA\DisplayDriver\535.21\mxJne99RtKqQDunPUGdos.bat" "
4⤵
- Suspicious use of WriteProcessMemory
PID:2232

C:\NVIDIA\DisplayDriver\535.21\NVIDIA Container.exe
"C:\NVIDIA\DisplayDriver\535.21\NVIDIA Container.exe"
5⤵
- DcRat
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1856

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yVdxKe7Q8j.bat"
6⤵
- Suspicious use of WriteProcessMemory
PID:2488

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
7⤵
PID:2408

C:\Windows\Offline Web Pages\winlogon.exe
"C:\Windows\Offline Web Pages\winlogon.exe"
7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Windows\Offline Web Pages\winlogon.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\Offline Web Pages\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Windows\Offline Web Pages\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:3500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Windows\uk-UA\sppsvc.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:4512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\uk-UA\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:4540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Windows\uk-UA\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Windows\addins\fontdrvhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:4080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\addins\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:3040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Windows\addins\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "NVIDIA ContainerN" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\NVIDIA Container.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "NVIDIA Container" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\NVIDIA Container.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "NVIDIA ContainerN" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\NVIDIA Container.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:4668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Libraries\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Public\Libraries\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Libraries\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:2596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Users\Default\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:3324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:4632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Users\Default\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:4596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
PID:2284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:4460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\NVIDIA\DisplayDriver\535.21\sppsvc.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:2856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\NVIDIA\DisplayDriver\535.21\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\NVIDIA\DisplayDriver\535.21\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\dllhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:1892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:1560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:4260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Media Player\Visualizations\SppExtComObj.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\Visualizations\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Media Player\Visualizations\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Local Settings\services.exe'" /f
1⤵
- Process spawned unexpected child process
PID:4544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Default\Local Settings\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Local Settings\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:3916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Application Data\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Admin\Application Data\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Application Data\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Windows\INF\MSDTC Bridge 3.0.0.0\0000\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Windows\INF\MSDTC Bridge 3.0.0.0\0000\cmd.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\Windows\INF\MSDTC Bridge 3.0.0.0\0000\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Program Files\7-Zip\Lang\dwm.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:5008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Program Files\7-Zip\Lang\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Links\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
PID:4984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default\Links\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:3984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Links\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3284

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1644

C:\Users\Admin\Desktop\navalny pass - 2000.exe
"C:\Users\Admin\Desktop\navalny pass - 2000.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3012

C:\Users\Admin\AppData\Local\Temp\NVIDIA Container.exe
"C:\Users\Admin\AppData\Local\Temp\NVIDIA Container.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1568

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\NVIDIA\DisplayDriver\535.21\zajaYJ4rqwpmDK2a6yrvwdV.vbe"
3⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4628

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\NVIDIA\DisplayDriver\535.21\mxJne99RtKqQDunPUGdos.bat" "
4⤵
- Suspicious use of WriteProcessMemory
PID:2968

C:\NVIDIA\DisplayDriver\535.21\NVIDIA Container.exe
"C:\NVIDIA\DisplayDriver\535.21\NVIDIA Container.exe"
5⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2096

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\NVIDIA~1.EXE"
6⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4916

C:\Users\Admin\AppData\Local\Temp\3582-490\NVIDIA~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\NVIDIA~1.EXE
7⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2788

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tAjNuoNvyW.bat"
8⤵
- Suspicious use of WriteProcessMemory
PID:4384

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
9⤵
PID:3544

C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dllhost.exe
"C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dllhost.exe"
9⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3884

C:\Users\Admin\AppData\Local\Temp\navalny pass - 2000.exe
"C:\Users\Admin\AppData\Local\Temp\navalny pass - 2000.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies system executable filetype association
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1700

C:\Users\Admin\AppData\Local\Temp\3582-490\navalny pass - 2000.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\navalny pass - 2000.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3888

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\WINLOC~1.EXE"
4⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1420

C:\Users\Admin\AppData\Local\Temp\WINLOC~1.EXE
C:\Users\Admin\AppData\Local\Temp\WINLOC~1.EXE
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1548

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "TASKKILL /F /IM "explorer.exe""
6⤵
- Suspicious use of WriteProcessMemory
PID:2192

C:\Windows\SysWOW64\taskkill.exe
TASKKILL /F /IM "explorer.exe"
7⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Media Player\Visualizations\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\Visualizations\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Media Player\Visualizations\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "svchost.coms" /sc MINUTE /mo 10 /tr "'C:\NVIDIA\DisplayDriver\svchost.com.exe'" /f
1⤵
- Process spawned unexpected child process
PID:4240

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x348 0x424
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "svchost.com" /sc ONLOGON /tr "'C:\NVIDIA\DisplayDriver\svchost.com.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:4840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "svchost.coms" /sc MINUTE /mo 6 /tr "'C:\NVIDIA\DisplayDriver\svchost.com.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Core\eb603fa6eb1f1fdefda6ce5d5c1c889a\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Core\eb603fa6eb1f1fdefda6ce5d5c1c889a\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:3012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Core\eb603fa6eb1f1fdefda6ce5d5c1c889a\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
PID:4532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\taskhostw.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WINLOC~1W" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Downloads\WINLOC~1.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WINLOC~1" /sc ONLOGON /tr "'C:\Users\Public\Downloads\WINLOC~1.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Creates scheduled task(s)
PID:2704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WINLOC~1W" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Downloads\WINLOC~1.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:2028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "NVIDIA ContainerN" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Photo Viewer\it-IT\NVIDIA Container.exe'" /f
1⤵
PID:2528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "NVIDIA Container" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\it-IT\NVIDIA Container.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:4600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "NVIDIA ContainerN" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Photo Viewer\it-IT\NVIDIA Container.exe'" /rl HIGHEST /f
1⤵
PID:2724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 13 /tr "'C:\NVIDIA\DisplayDriver\535.21\taskhostw.exe'" /f
1⤵
- Creates scheduled task(s)
PID:876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\NVIDIA\DisplayDriver\535.21\taskhostw.exe'" /rl HIGHEST /f
1⤵
- DcRat
PID:2212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 10 /tr "'C:\NVIDIA\DisplayDriver\535.21\taskhostw.exe'" /rl HIGHEST /f
1⤵
- DcRat
PID:4812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "NVIDIA~1N" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Defender\it-IT\NVIDIA~1.exe'" /f
1⤵
- DcRat
- Creates scheduled task(s)
PID:4280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "NVIDIA~1" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\it-IT\NVIDIA~1.exe'" /rl HIGHEST /f
1⤵
PID:2408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "NVIDIA~1N" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Defender\it-IT\NVIDIA~1.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Creates scheduled task(s)
PID:3420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dllhost.exe'" /f
1⤵
- DcRat
- Creates scheduled task(s)
PID:2568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
PID:3892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
PID:3928

C:\Program Files\7-Zip\Lang\dwm.exe
"C:\Program Files\7-Zip\Lang\dwm.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4364

C:\NVIDIA\DisplayDriver\535.21\sppsvc.exe
C:\NVIDIA\DisplayDriver\535.21\sppsvc.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2424

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\sppsvc.exe"
2⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:548

C:\Users\Admin\AppData\Local\Temp\3582-490\sppsvc.exe
C:\Users\Admin\AppData\Local\Temp\3582-490\sppsvc.exe
3⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4404

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Wghfv84Vew.bat"
4⤵
PID:2436

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
5⤵
PID:4356

C:\NVIDIA\DisplayDriver\535.21\fontdrvhost.exe
"C:\NVIDIA\DisplayDriver\535.21\fontdrvhost.exe"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Portable Devices\sihost.exe'" /f
1⤵
- DcRat
PID:2740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\sihost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Creates scheduled task(s)
PID:3860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Portable Devices\sihost.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:4384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /f
1⤵
PID:2336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
PID:2248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:1976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 6 /tr "'C:\Program Files\Uninstall Information\sihost.exe'" /f
1⤵
PID:3024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\sihost.exe'" /rl HIGHEST /f
1⤵
- DcRat
PID:3608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 11 /tr "'C:\Program Files\Uninstall Information\sihost.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:4592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\3D Objects\dllhost.exe'" /f
1⤵
- Creates scheduled task(s)
PID:2020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Admin\3D Objects\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Creates scheduled task(s)
PID:3700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\3D Objects\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Creates scheduled task(s)
PID:5028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
1⤵
- Creates scheduled task(s)
PID:2772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
PID:4792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
PID:3868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Windows\PrintDialog\pris\sppsvc.exe'" /f
1⤵
- DcRat
- Creates scheduled task(s)
PID:3020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\PrintDialog\pris\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
PID:164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Windows\PrintDialog\pris\sppsvc.exe'" /rl HIGHEST /f
1⤵
PID:3584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\NVIDIA\DisplayDriver\535.21\fontdrvhost.exe'" /f
1⤵
PID:1876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\NVIDIA\DisplayDriver\535.21\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Creates scheduled task(s)
PID:2516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\NVIDIA\DisplayDriver\535.21\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
PID:3148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Windows\it-IT\fontdrvhost.exe'" /f
1⤵
- DcRat
PID:2492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\it-IT\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
PID:3036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Windows\it-IT\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:3016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
1⤵
PID:3284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Creates scheduled task(s)
PID:3984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Creates scheduled task(s)
PID:1280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\sppsvc.exe'" /f
1⤵
- Creates scheduled task(s)
PID:1376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Creates scheduled task(s)
PID:4068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\sppsvc.exe'" /rl HIGHEST /f
1⤵
PID:392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\fontdrvhost.exe'" /f
1⤵
PID:4060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Creates scheduled task(s)
PID:4056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
PID:1932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Windows\Temp\MsEdgeCrashpad\reports\dllhost.exe'" /f
1⤵
PID:512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Temp\MsEdgeCrashpad\reports\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Creates scheduled task(s)
PID:2652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Windows\Temp\MsEdgeCrashpad\reports\dllhost.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Saved Games\sysmon.exe'" /f
1⤵
PID:836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Users\Default\Saved Games\sysmon.exe'" /rl HIGHEST /f
1⤵
PID:2284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Saved Games\sysmon.exe'" /rl HIGHEST /f
1⤵
PID:456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\System.exe'" /f
1⤵
- DcRat
- Creates scheduled task(s)
PID:1860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
PID:1288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Creates scheduled task(s)
PID:5084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\winlogon.exe'" /f
1⤵
PID:1364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Admin\winlogon.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:2480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
PID:4840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\NVIDIA\DisplayDriver\535.21\fontdrvhost.exe'" /f
1⤵
- DcRat
- Creates scheduled task(s)
PID:2080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\NVIDIA\DisplayDriver\535.21\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
PID:3508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\NVIDIA\DisplayDriver\535.21\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
PID:1528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\csrss.exe'" /f
1⤵
- Creates scheduled task(s)
PID:3672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\ClientX64\csrss.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:4512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
PID:4664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\fontdrvhost.exe'" /f
1⤵
PID:4088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Creates scheduled task(s)
PID:2840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:3412

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa38fe055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:2356

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Scheduled Task/Job

T1053

Privilege Escalation

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\NVIDIA\DISPLA~1\535.21\sppsvc.exe
Filesize
1.4MB

MD5
9d8aacb18ee747b336908b0730ed4054

SHA1
164eb0c67bca24d8b992a3380921ed3dbe279ba8

SHA256
fdbc8c80e04c2e5cbdbb3f44058820b9eb99a9270ad013d60f56821d899c8d60

SHA512
1d1276eafe2a81ac1e60acef7608c9edb7337a5da8e8e5599cc8aed7d65cdd2ebd38d78924e7bec43c11f6a0972536e4b599ecfba60c270e6e4e28b241bb5068

Download Submit
C:\NVIDIA\DisplayDriver\535.21\NVIDIA Container.exe
Filesize
1.4MB

MD5
4a591f46c87b49a7de93f5ac771cd4ab

SHA1
e0992350818e5c56d3f2e3a6db340d1f5b8f3314

SHA256
b495e22042b08f27b690da18986ec74d5054a65d05d5cf41fdecd5751482ccbd

SHA512
b498445d1e427853690250aebff35cbd7e28e85a89ad868e3483930b16ec13198357cfcd5feb45567b1bc8f3d9f97c5ecf2d242c8a5e9d758a536d0498ba7955

Download Submit
C:\NVIDIA\DisplayDriver\535.21\mxJne99RtKqQDunPUGdos.bat
Filesize
53B

MD5
7784d810f5ff3afa8df50e360eb90e7d

SHA1
f04802a991ff6461aa1c35b7c0f68e43d5a114c6

SHA256
0385dbf94fc27705560cf0b6b04e9a37181db486ee8f7573c5ad2217d18f4ca0

SHA512
80038ae2bfd5f8ca3f4812ab5c342878f98978007125c9dca5edb915701a5383916131cdc3082c054c49c508cd210aff70319ac0fc498cbdd6cee776df672cac

Download Submit
C:\NVIDIA\DisplayDriver\535.21\zajaYJ4rqwpmDK2a6yrvwdV.vbe
Filesize
225B

MD5
d7df2670ad0c6c7b9cc48122f20f086c

SHA1
e69bf8c214d8c4b768125ca03e402e1c871cc233

SHA256
d3bf5c54de984dd2d1d779494deb8a995cc062eb5f25c465d0de78d99b8cc52b

SHA512
05ed88410790bf74dc7ab880f893e555c4859c133e79a89f28b5e1a68c36f4a4f28d3b7b6532953c04b6d23a21faf53e60107efde9e6acb492a9235d48943f03

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE
Filesize
328KB

MD5
39c8a4c2c3984b64b701b85cb724533b

SHA1
c911f4c4070dfe9a35d9adcb7de6e6fb1482ce00

SHA256
888a1dd0033e5d758a4e731e3e55357de866e80d03b1b194375f714e1fd4351d

SHA512
f42ca2962fe60cff1a13dea8b81ff0647b317c785ee4f5159c38487c34d33aecba8478757047d31ab2ee893fbdcb91a21655353456ba6a018fc71b2278db4db2

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE
Filesize
86KB

MD5
3b73078a714bf61d1c19ebc3afc0e454

SHA1
9abeabd74613a2f533e2244c9ee6f967188e4e7e

SHA256
ded54d1fcca07b6bff2bc3b9a1131eac29ff1f836e5d7a7c5c325ec5abe96e29

SHA512
75959d4e8a7649c3268b551a2a378e6d27c0bfb03d2422ebeeb67b0a3f78c079473214057518930f2d72773ce79b106fd2d78405e8e3d8883459dcbb49c163c4

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE
Filesize
5.7MB

MD5
09acdc5bbec5a47e8ae47f4a348541e2

SHA1
658f64967b2a9372c1c0bdd59c6fb2a18301d891

SHA256
1b5c715d71384f043843ea1785a6873a9f39d2daae112ccdeffcd88b10a3a403

SHA512
3867bf98e1a0e253114a98b78b047b0d8282b5abf4aaf836f31cc0e26224e2a1b802c65df9d90dc7696a6dbcb9a8e4b900f1d1299e1b11e36f095ebaf8a2e5b8

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe
Filesize
175KB

MD5
576410de51e63c3b5442540c8fdacbee

SHA1
8de673b679e0fee6e460cbf4f21ab728e41e0973

SHA256
3f00404dd591c2856e6f71bd78423ed47199902e0b85f228e6c4de72c59ddffe

SHA512
f7761f3878775b30cc3d756fa122e74548dfc0a27e38fa4109e34a59a009df333d074bf14a227549ae347605f271be47984c55148685faac479aeb481f7191db

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe
Filesize
9.4MB

MD5
322302633e36360a24252f6291cdfc91

SHA1
238ed62353776c646957efefc0174c545c2afa3d

SHA256
31da9632f5d25806b77b617d48da52a14afc574bbe1653120f97705284ea566c

SHA512
5a1f7c44ce7f5036bffc18ebac39e2bf70e6f35fa252617d665b26448f4c4473adfa115467b7e2d9b7068823e448f74410cdcdfef1ac1c09021e051921787373

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe
Filesize
2.4MB

MD5
8ffc3bdf4a1903d9e28b99d1643fc9c7

SHA1
919ba8594db0ae245a8abd80f9f3698826fc6fe5

SHA256
8268d3fefe8ca96a25a73690d14bacf644170ab5e9e70d2f8eeb350a4c83f9f6

SHA512
0b94ead97374d74eaee87e7614ddd3911d2cf66d4c49abbfd06b02c03e5dd56fd00993b4947e8a4bcd9d891fa39cab18cc6b61efc7d0812e91eb3aea9cd1a427

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE
Filesize
183KB

MD5
9dfcdd1ab508b26917bb2461488d8605

SHA1
4ba6342bcf4942ade05fb12db83da89dc8c56a21

SHA256
ecd5e94da88c653e4c34b6ab325e0aca8824247b290336f75c410caa16381bc5

SHA512
1afc1b95f160333f1ff2fa14b3f22a28ae33850699c6b5498915a8b6bec1cfc40f33cb69583240aa9206bc2ea7ab14e05e071275b836502a92aa8c529fc1b137

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe
Filesize
131KB

MD5
5791075058b526842f4601c46abd59f5

SHA1
b2748f7542e2eebcd0353c3720d92bbffad8678f

SHA256
5c3ef3ec7594c040146e908014791dd15201ba58b4d70032770bb661b6a0e394

SHA512
83e303971ed64019fde9e4ba6f6e889f8fb105088490dfa7dcf579a12baff20ef491f563d132d60c7b24a4fd3cac29bd9dc974571cd162000fae8fba4e0e54fb

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE
Filesize
254KB

MD5
4ddc609ae13a777493f3eeda70a81d40

SHA1
8957c390f9b2c136d37190e32bccae3ae671c80a

SHA256
16d65f2463658a72dba205dcaa18bc3d0bab4453e726233d68bc176e69db0950

SHA512
9d7f90d1529cab20078c2690bf7bffab5a451a41d8993781effe807e619da0e7292f991da2f0c5c131b111d028b3e6084e5648c90816e74dfb664e7f78181bc5

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE
Filesize
386KB

MD5
8c753d6448183dea5269445738486e01

SHA1
ebbbdc0022ca7487cd6294714cd3fbcb70923af9

SHA256
473eb551101caeaf2d18f811342e21de323c8dd19ed21011997716871defe997

SHA512
4f6fddefc42455540448eac0b693a4847e21b68467486376a4186776bfe137337733d3075b7b87ed7dac532478dc9afc63883607ec8205df3f155fee64c7a9be

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE
Filesize
92KB

MD5
176436d406fd1aabebae353963b3ebcf

SHA1
9ffdfdb8cc832a0c6501c4c0e85b23a0f7eff57a

SHA256
2f947e3ca624ce7373080b4a3934e21644fb070a53feeaae442b15b849c2954f

SHA512
a2d1a714e0c1e5463260c64048ba8fd5064cfa06d4a43d02fc04a30748102ff5ba86d20a08e611e200dc778e2b7b3ae808da48132a05a61aa09ac424a182a06a

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE
Filesize
147KB

MD5
3b35b268659965ab93b6ee42f8193395

SHA1
8faefc346e99c9b2488f2414234c9e4740b96d88

SHA256
750824b5f75c91a6c2eeb8c5e60ae28d7a81e323d3762c8652255bfea5cba0bb

SHA512
035259a7598584ddb770db3da4e066b64dc65638501cdd8ff9f8e2646f23b76e3dfffa1fb5ed57c9bd15bb4efa3f7dd33fdc2e769e5cc195c25de0e340eb89ab

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe
Filesize
125KB

MD5
cce8964848413b49f18a44da9cb0a79b

SHA1
0b7452100d400acebb1c1887542f322a92cbd7ae

SHA256
fe44ca8d5050932851aa54c23133277e66db939501af58e5aeb7b67ec1dde7b5

SHA512
bf8fc270229d46a083ced30da6637f3ca510b0ce44624a9b21ec6aacac81666dffd41855053a936aa9e8ea6e745a09b820b506ec7bf1173b6f1837828a35103d

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE
Filesize
142KB

MD5
92dc0a5b61c98ac6ca3c9e09711e0a5d

SHA1
f809f50cfdfbc469561bced921d0bad343a0d7b4

SHA256
3e9da97a7106122245e77f13f3f3cc96c055d732ab841eb848d03ac25401c1bc

SHA512
d9eefb19f82e0786d9be0dbe5e339d25473fb3a09682f40c6d190d4c320cca5556abb72b5d97c6b0da4f8faefdc6d39ac9d0415fdf94ebcc90ecdf2e513c6a31

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE
Filesize
278KB

MD5
12c29dd57aa69f45ddd2e47620e0a8d9

SHA1
ba297aa3fe237ca916257bc46370b360a2db2223

SHA256
22a585c183e27b3c732028ff193733c2f9d03700a0e95e65c556b0592c43d880

SHA512
255176cd1a88dfa2af3838769cc20dc7ad9d969344801f07b9ebb372c12cee3f47f2dba3559f391deab10650875cad245d9724acfa23a42b336bfa96559a5488

Download Submit
C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE
Filesize
454KB

MD5
bcd0f32f28d3c2ba8f53d1052d05252d

SHA1
c29b4591df930dabc1a4bd0fa2c0ad91500eafb2

SHA256
bb07d817b8b1b6b4c25e62b6120e51dec10118557d7b6b696ad084a5ba5bfdeb

SHA512
79f407735853f82f46870c52058ceee4d91857a89db14868ee1169abd5c0fd2e3fa1ed230ab90b5f479a9581b88998643d69b0df498defea29e73b0d487f3b10

Download Submit
C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe
Filesize
1.2MB

MD5
d47ed8961782d9e27f359447fa86c266

SHA1
d37d3f962c8d302b18ec468b4abe94f792f72a3b

SHA256
b1ec065f71cc40f400e006586d370997102860504fd643b235e8ed9f5607262a

SHA512
3e33f2cdf35024868b183449019de9278035e7966b342ba320a6c601b5629792cbb98a19850d4ca80b906c85d10e8503b0193794d1f1efa849fa33d26cff0669

Download Submit
C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe
Filesize
558KB

MD5
15f4411f1b14234b5bed948ed78fa86e

SHA1
f9775a3d87efb22702d934322ffcda3511b79c17

SHA256
cd6c08078343089d299a30f7bf16555ab349e946892dca1c49c6c0336d27ff0e

SHA512
c44d2e96d6d0264075379066fd5d11ba30a675bb6f6b6279c4ac0d12066975c30c33b69b52457cbed4e35852e8b15b3daad9274d6f957ae0681fb7a6c48a33cb

Download Submit
C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe
Filesize
1.2MB

MD5
e316c67c785d3e39e90341b0bbaac705

SHA1
7ffd89492438a97ad848068cfdaab30c66afca35

SHA256
4fc8b9433b45c2607cbdf3d1c042c3918b854c9db3ade13b5bb2761d28f1c478

SHA512
25ec433c10adc69305de97107463be74d7b4768acca27886498485e8bc2c8b099994e6c1c6c09a7e603816203d6b18e509fb79f24992915eb802f59bcb790090

Download Submit
C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe
Filesize
773KB

MD5
e7a27a45efa530c657f58fda9f3b9f4a

SHA1
6c0d29a8b75574e904ab1c39fc76b39ca8f8e461

SHA256
d6f11401f57293922fb36cd7542ae811ab567a512449e566f83ce0dcef5ff8e5

SHA512
0c37b41f3c075cd89a764d81f751c3a704a19240ad8e4ebab591f399b9b168b920575749e9d24c2a8f0400b9f340ab9fea4db76ff7060d8af00e2b36ac0c4a54

Download Submit
C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE
Filesize
121KB

MD5
cbd96ba6abe7564cb5980502eec0b5f6

SHA1
74e1fe1429cec3e91f55364e5cb8385a64bb0006

SHA256
405b8bd647fa703e233b8b609a18999abe465a8458168f1daf23197bd2ea36aa

SHA512
a551001853f6b93dfbc6cf6a681820af31330a19d5411076ff3dbce90937b3d92173085a15f29ebf56f2ef12a4e86860ac6723ebc89c98ea31ea7a6c7e3d7cdc

Download Submit
C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe
Filesize
325KB

MD5
0511abca39ed6d36fff86a8b6f2266cd

SHA1
bfe55ac898d7a570ec535328b6283a1cdfa33b00

SHA256
76ae68fc7c6c552c4a98c5df640cd96cf27b62e7e1536b7f7d08eff56fcde8b8

SHA512
6608412e3ed0057f387bafcddcb07bfe7da4f207c7300c460e5acc4bd234cec3362191800789eb465eb120ec069e3ed49eabb6bd7db30d9e9245a89bb20e4346

Download Submit
C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaw.exe
Filesize
325KB

MD5
6f87ccb8ab73b21c9b8288b812de8efa

SHA1
a709254f843a4cb50eec3bb0a4170ad3e74ea9b3

SHA256
14e7a1f2f930380903ae3c912b4a70fd0a59916315c46874805020fe41215c22

SHA512
619b45b9728880691a88fbfc396c9d34b41d5e349e04d2eb2d18c535fffc079395835af2af7ca69319954a98852d2f9b7891eff91864d63bf25759c156e192ee

Download Submit
C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe
Filesize
505KB

MD5
de69c005b0bbb513e946389227183eeb

SHA1
2a64efdcdc71654356f77a5b77da8b840dcc6674

SHA256
ad7b167ab599b6dad7e7f0ad47368643d91885253f95fadf0fadd1f8eb6ee9c7

SHA512
6ca8cec0cf20ee9b8dfe263e48f211b6f1e19e3b4fc0f6e89807f39d3f4e862f0139eb5b35e3133ef60555589ad54406fb11d95845568a5538602f287863b7d7

Download Submit
C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE
Filesize
207KB

MD5
3b0e91f9bb6c1f38f7b058c91300e582

SHA1
6e2e650941b1a96bb0bb19ff26a5d304bb09df5f

SHA256
57c993cadf4bf84810cea23a7112c6e260624beaab48d0e4332d3462900fec1d

SHA512
a4fbe28a0135f4632e0a5b6bd775f8d010250b0fbfe223db1fe81d18552a6bc166ebce807853ba02e6a476e9829454805e415ca828a5e043bd1e63dc53599d0f

Download Submit
C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE
Filesize
342KB

MD5
5da33a7b7941c4e76208ee7cddec8e0b

SHA1
cdd2e7b9b0e4be68417d4618e20a8283887c489c

SHA256
531e735e4e8940dfe21e30be0d4179ceaecb57ce431cf63c5044e07048ac1751

SHA512
977aeecfbc693c9d5746fedf08b99e0b0f6fd7b0c7b41ac2b34a832e68a2e6f3c68f38af2e65c87075fcf00c1c6103e34324df45d7da9412cbbeea7e410794b6

Download Submit
C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE
Filesize
439KB

MD5
400836f307cf7dbfb469cefd3b0391e7

SHA1
7af3cbb12d3b2d8b5d9553c687c6129d1dd90a10

SHA256
cb5c5abb625a812d47007c75e3855be3f29da527a41cf03730ad5c81f3eb629a

SHA512
aa53cb304478585d6f83b19a6de4a7938ba2570d380a565a56ff5365aed073d5f56b95ad3228eb7d1e7e6110c6172a58b97bd6a5e57e4a8d39e762ed31dc17c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\navalny pass - 2000.exe.log
Filesize
859B

MD5
e204f3d12abd1691ce1f149399441188

SHA1
798042095539abfe857e456fca4e1035f67d29bf

SHA256
685f70bf685f654651dcd0acc495b6f52f02f73cc3ca8b3d2c8433aac9ba144d

SHA512
804c5ea57a59f86fd0c34479be4c479230bff79093548e8461758829928969da565c211ccc9cb9befa0fef15f0400a5b1f17d5ddf88aef6ff01b67a191176b9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\navalny pass - 2000.exe
Filesize
5.1MB

MD5
86a1cbee2b7dc5d64051c83c82c8d02b

SHA1
55d82d17f7f10d088909d0cb7116969d12308974

SHA256
d3f47cd85c525a0c3ed855949bf27023c27b24c51d388166d72d4fa8cae4c2f5

SHA512
6720ecb2799185bf2a03259766e3dd38aeaec674a3a28e657bd55131b1e9fb18fab118afc3aa7881de56d7af36d60bf8b29449065ba32c5cf0dea38fb892ecbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\NVIDIA Container.exe
Filesize
1.8MB

MD5
531bf67134a7c1fb4096113ca58cc648

SHA1
99e0fc1fb7a07c0685e426b327921d3e6c34498c

SHA256
67942630366d114efa35f3f4a79741a4a4eb2c3b0c8ffaac07af527f84d4489a

SHA512
8facae8335a4f33f54e48c64814946eb8b480800b4453612fffcef64117946a35d493f433d4e27186ee864603da756319f816e70c3bfc08b8bb1861fc7030ff4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ext\php_squall.dll
Filesize
126KB

MD5
6ff84bc8812b8c079fa6de68cf36ab59

SHA1
ca8789bbd7b0193221f9518e6b2f5b319c32b717

SHA256
7587e29919a56b6f94675e49208e1ae908bcab09363734d846502c3b4ad54326

SHA512
5ef9d9c1038b055186147cbfcfbedf54d6ecc235468ef4968630eb03368cf2c3f39dd600f1ebf9ecfe9b7cc134235b01a983a4fe9b6f292775244f837ec2e81f

Download Submit
C:\Users\Admin\AppData\Local\Temp\navalny pass - 2000.exe
Filesize
5.2MB

MD5
d5f38176aa233dc3a85f2c3e7c6cf1f7

SHA1
022ea6d320067d2429b26cc424145610fa0ad28e

SHA256
db307d31bbb3d282685bf28e0abf464a931fa749633d784e39adbe7d8d8ead31

SHA512
f58f855e3a102b6ccb4197b38323149342c23c2182b6309074d5720c2b2f20d764c33b10013834e85f73e22c0b7ab95ec4171ff251523b598821ad632af5a893

Download Submit
C:\Users\Admin\AppData\Local\Temp\php5ts.dll
Filesize
6.5MB

MD5
c9aff68f6673fae7580527e8c76805b6

SHA1
bb62cc1db82cfe07a8c08a36446569dfc9c76d10

SHA256
9b2c8b8c4cec301c4303f58ca4e8b261d516f10feb24573b092dfccc263baea4

SHA512
c7836f46e535046562046fdd8d3264cd712a78c0f41eab152c88ea91b17d34f000e2387ded7e9e7b3410332354aabf8ca7d37729eb68e46ab5ce58936e63ac56

Download Submit
C:\Users\Admin\AppData\Local\Temp\squall.dll
Filesize
177KB

MD5
b971f35ffcbbb307761eb89a21df12a7

SHA1
70de69bc3a53603eab2d83eae1363ce2448207cc

SHA256
05a30beb390ea86ca143a7e8f03c0a7aab7ddaf63229ee0d76366a217db9d864

SHA512
ea01509f808daeb4d5404c86162191f8f43a8fb009dc2be45b6d32e730b457c16c07d0ca56f56eb5f2f212507b7fa25da86dd1676ae480b147e633cacbc2b2c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\winlocker.exe
Filesize
3.1MB

MD5
9f93492e155d1bf27b8077e991e6a5a0

SHA1
159d72ad8074b56562b1014393be24b402c3af39

SHA256
43eef3b68ebaab3efbe15eb3046281e380aa78003a0eda8757a9e44f6a59ec7f

SHA512
270bc608ac79ca92c8db6a1455a26f24d80844badc514d5db29acade5748513d8378e3d6d803e9cfb7bdab6482a992b7c6a60845b255f3be5cbf92a0a69db918

Download Submit
C:\Users\Admin\AppData\Local\Temp\yVdxKe7Q8j.bat
Filesize
206B

MD5
e485668af0455ad2147899bb08bfb7d6

SHA1
6c15d248465d95a931e1a03f407380a032e6cf5e

SHA256
b5fa868d10aafbd728a24e44c9a00a1e14cc911d5b6943a079c6df984b27b542

SHA512
754ddb544ec6fc9e1a0f317def10eaa8f6ee387ab7a988c1906b172b5cd929854bdca4f284dbfde13433d98517e98efa370d2da50c5e0e96627637df387aa991

Download Submit
C:\Windows\directx.sys
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\svchost.com
Filesize
40KB

MD5
594d6120159f25621034a2b9e42aaf88

SHA1
bb981a4ae042d506ea0403cac880c2b759d40699

SHA256
db937f1cc5add635677135f175db53bd13ddd68751f43a11283ffc99f2e05842

SHA512
6545d41ebcbe34d09b46e9a7ac5245709de20ed15a8107efdfe1900a5b633f9114d364e464da28ebd5af5c5382d1078fb1567d94fc34b19d09835241597ad1aa

Download Submit
memory/1420-316-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1548-184-0x00000000044D0000-0x0000000004552000-memory.dmp

Filesize
520KB

Download
memory/1548-487-0x0000000000400000-0x0000000000AAB000-memory.dmp

Filesize
6.7MB

Download
memory/1548-334-0x0000000000400000-0x0000000000AAB000-memory.dmp

Filesize
6.7MB

Download
memory/1548-175-0x0000000002A00000-0x0000000002A2A000-memory.dmp

Filesize
168KB

Download
memory/1548-183-0x00000000044D0000-0x0000000004552000-memory.dmp

Filesize
520KB

Download
memory/1548-138-0x0000000000400000-0x0000000000AAB000-memory.dmp

Filesize
6.7MB

Download
memory/1548-320-0x0000000000400000-0x0000000000AAB000-memory.dmp

Filesize
6.7MB

Download
memory/1548-321-0x0000000002A00000-0x0000000002A2A000-memory.dmp

Filesize
168KB

Download
memory/1548-322-0x00000000044D0000-0x0000000004552000-memory.dmp

Filesize
520KB

Download
memory/1700-318-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1700-333-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1700-329-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1700-324-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1856-30-0x00000000027E0000-0x00000000027F0000-memory.dmp

Filesize
64KB

Download
memory/1856-29-0x000000001B1B0000-0x000000001B1C6000-memory.dmp

Filesize
88KB

Download
memory/1856-32-0x000000001B1D0000-0x000000001B1DE000-memory.dmp

Filesize
56KB

Download
memory/1856-31-0x0000000002930000-0x000000000293E000-memory.dmp

Filesize
56KB

Download
memory/1856-28-0x000000001B820000-0x000000001B870000-memory.dmp

Filesize
320KB

Download
memory/1856-27-0x0000000002910000-0x000000000292C000-memory.dmp

Filesize
112KB

Download
memory/1856-33-0x000000001B1E0000-0x000000001B1EC000-memory.dmp

Filesize
48KB

Download
memory/1856-26-0x0000000000500000-0x000000000066A000-memory.dmp

Filesize
1.4MB

Download
memory/2096-319-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2096-325-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2096-330-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2096-332-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4220-12-0x00007FF9F8C00000-0x00007FF9F96C1000-memory.dmp

Filesize
10.8MB

Download
memory/4220-4-0x00007FF9F8C00000-0x00007FF9F96C1000-memory.dmp

Filesize
10.8MB

Download
memory/4220-1-0x0000000000F90000-0x00000000015B6000-memory.dmp

Filesize
6.1MB

Download
memory/4220-0-0x00007FF9F8C03000-0x00007FF9F8C05000-memory.dmp

Filesize
8KB

Download
memory/4916-199-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads