Analysis Overview
SHA256
b08298bb968f9ef0bb09aa6cee9b608b9a4882b72301de0aa82fc45dd8d6a10c
Threat Level: Known bad
The file navalny pass - 2000.exe was found to be: Known bad.
Malicious Activity Summary
Process spawned unexpected child process
Detect Neshta payload
Neshta
DcRat
DCRat payload
Disables Task Manager via registry modification
Modifies system executable filetype association
ACProtect 1.3x - 1.4x DLL software
Reads user/profile data of web browsers
Loads dropped DLL
Executes dropped EXE
Checks computer location settings
UPX packed file
Drops file in Program Files directory
Drops file in Windows directory
Unsigned PE
Enumerates physical storage devices
Uses Task Scheduler COM API
Suspicious behavior: GetForegroundWindowSpam
Kills process with taskkill
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Modifies registry class
Modifies data under HKEY_USERS
Suspicious use of FindShellTrayWindow
Creates scheduled task(s)
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-05-18 10:31
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-18 10:31
Reported
2024-05-18 10:38
Platform
win10v2004-20240508-en
Max time kernel
383s
Max time network
385s
Command Line
Signatures
DcRat
Detect Neshta payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Neshta
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
DCRat payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Disables Task Manager via registry modification
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\NVIDIA Container.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Desktop\navalny pass - 2000.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\NVIDIA Container.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\3582-490\NVIDIA~1.EXE | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\NVIDIA\DisplayDriver\535.21\sppsvc.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\navalny pass - 2000.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\NVIDIA\DisplayDriver\535.21\NVIDIA Container.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\navalny pass - 2000.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\3582-490\sppsvc.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\NVIDIA\DisplayDriver\535.21\NVIDIA Container.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\3582-490\navalny pass - 2000.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WINLOC~1.EXE | N/A |
Modifies system executable filetype association
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\navalny pass - 2000.exe | N/A |
Reads user/profile data of web browsers
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Program Files (x86)\Windows Multimedia Platform\55b276f4edf653 | C:\NVIDIA\DisplayDriver\535.21\NVIDIA Container.exe | N/A |
| File created | C:\Program Files\7-Zip\Lang\dwm.exe | C:\NVIDIA\DisplayDriver\535.21\NVIDIA Container.exe | N/A |
| File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe | C:\NVIDIA\DisplayDriver\535.21\NVIDIA Container.exe | N/A |
| File opened for modification | C:\PROGRA~2\WINDOW~4\setup_wm.exe | C:\NVIDIA\DisplayDriver\535.21\NVIDIA Container.exe | N/A |
| File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE | C:\Users\Admin\AppData\Local\Temp\navalny pass - 2000.exe | N/A |
| File opened for modification | C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE | C:\NVIDIA\DisplayDriver\535.21\NVIDIA Container.exe | N/A |
| File opened for modification | C:\PROGRA~2\WI7A8C~1\STARTM~1.EXE | C:\NVIDIA\DisplayDriver\535.21\NVIDIA Container.exe | N/A |
| File created | C:\Program Files (x86)\Windows Portable Devices\sihost.exe | C:\Users\Admin\AppData\Local\Temp\3582-490\sppsvc.exe | N/A |
| File created | C:\Program Files (x86)\Windows NT\Accessories\en-US\fontdrvhost.exe | C:\Users\Admin\AppData\Local\Temp\3582-490\sppsvc.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE | C:\NVIDIA\DisplayDriver\535.21\NVIDIA Container.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~2.EXE | C:\NVIDIA\DisplayDriver\535.21\NVIDIA Container.exe | N/A |
| File opened for modification | C:\PROGRA~2\WINDOW~4\wmpshare.exe | C:\Users\Admin\AppData\Local\Temp\navalny pass - 2000.exe | N/A |
| File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE | C:\Users\Admin\AppData\Local\Temp\navalny pass - 2000.exe | N/A |
| File opened for modification | C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaw.exe | C:\NVIDIA\DisplayDriver\535.21\NVIDIA Container.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~1.EXE | C:\Users\Admin\AppData\Local\Temp\navalny pass - 2000.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MID1AD~1.EXE | C:\Users\Admin\AppData\Local\Temp\navalny pass - 2000.exe | N/A |
| File opened for modification | C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe | C:\NVIDIA\DisplayDriver\535.21\NVIDIA Container.exe | N/A |
| File opened for modification | C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE | C:\NVIDIA\DisplayDriver\535.21\NVIDIA Container.exe | N/A |
| File opened for modification | C:\PROGRA~2\WINDOW~4\wmplayer.exe | C:\NVIDIA\DisplayDriver\535.21\NVIDIA Container.exe | N/A |
| File opened for modification | C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE | C:\NVIDIA\DisplayDriver\535.21\NVIDIA Container.exe | N/A |
| File opened for modification | C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE | C:\Users\Admin\AppData\Local\Temp\navalny pass - 2000.exe | N/A |
| File created | C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dllhost.exe | C:\Users\Admin\AppData\Local\Temp\3582-490\NVIDIA~1.EXE | N/A |
| File created | C:\Program Files (x86)\Microsoft\RuntimeBroker.exe | C:\NVIDIA\DisplayDriver\535.21\NVIDIA Container.exe | N/A |
| File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe | C:\Users\Admin\AppData\Local\Temp\navalny pass - 2000.exe | N/A |
| File opened for modification | C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe | C:\NVIDIA\DisplayDriver\535.21\NVIDIA Container.exe | N/A |
| File opened for modification | C:\PROGRA~2\WINDOW~4\wmlaunch.exe | C:\NVIDIA\DisplayDriver\535.21\NVIDIA Container.exe | N/A |
| File opened for modification | C:\PROGRA~2\WINDOW~4\wmprph.exe | C:\Users\Admin\AppData\Local\Temp\navalny pass - 2000.exe | N/A |
| File opened for modification | C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE | C:\NVIDIA\DisplayDriver\535.21\NVIDIA Container.exe | N/A |
| File created | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\27d1bcfc3c54e0 | C:\Users\Admin\AppData\Local\Temp\3582-490\sppsvc.exe | N/A |
| File opened for modification | C:\PROGRA~2\Google\Update\DISABL~1.EXE | C:\NVIDIA\DisplayDriver\535.21\NVIDIA Container.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE | C:\NVIDIA\DisplayDriver\535.21\NVIDIA Container.exe | N/A |
| File opened for modification | C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE | C:\Users\Admin\AppData\Local\Temp\navalny pass - 2000.exe | N/A |
| File opened for modification | C:\PROGRA~2\WI8A19~1\ImagingDevices.exe | C:\NVIDIA\DisplayDriver\535.21\NVIDIA Container.exe | N/A |
| File opened for modification | C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE | C:\NVIDIA\DisplayDriver\535.21\NVIDIA Container.exe | N/A |
| File created | C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\ea9f0e6c9e2dcd | C:\Users\Admin\AppData\Local\Temp\3582-490\NVIDIA~1.EXE | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Portable Devices\sihost.exe | C:\Users\Admin\AppData\Local\Temp\3582-490\sppsvc.exe | N/A |
| File created | C:\Program Files\Uninstall Information\sihost.exe | C:\Users\Admin\AppData\Local\Temp\3582-490\sppsvc.exe | N/A |
| File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE | C:\Users\Admin\AppData\Local\Temp\navalny pass - 2000.exe | N/A |
| File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE | C:\NVIDIA\DisplayDriver\535.21\NVIDIA Container.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE | C:\NVIDIA\DisplayDriver\535.21\NVIDIA Container.exe | N/A |
| File opened for modification | C:\PROGRA~2\INTERN~1\ielowutil.exe | C:\Users\Admin\AppData\Local\Temp\navalny pass - 2000.exe | N/A |
| File opened for modification | C:\PROGRA~2\WINDOW~2\wab.exe | C:\Users\Admin\AppData\Local\Temp\navalny pass - 2000.exe | N/A |
| File created | C:\Program Files\Microsoft Office 15\ClientX64\886983d96e3d3e | C:\Users\Admin\AppData\Local\Temp\3582-490\sppsvc.exe | N/A |
| File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE | C:\Users\Admin\AppData\Local\Temp\navalny pass - 2000.exe | N/A |
| File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE | C:\Users\Admin\AppData\Local\Temp\navalny pass - 2000.exe | N/A |
| File opened for modification | C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE | C:\NVIDIA\DisplayDriver\535.21\NVIDIA Container.exe | N/A |
| File opened for modification | C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE | C:\Users\Admin\AppData\Local\Temp\navalny pass - 2000.exe | N/A |
| File created | C:\Program Files\Windows Photo Viewer\it-IT\35158c38368e73 | C:\Users\Admin\AppData\Local\Temp\3582-490\NVIDIA~1.EXE | N/A |
| File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe | C:\Users\Admin\AppData\Local\Temp\navalny pass - 2000.exe | N/A |
| File opened for modification | C:\PROGRA~2\WINDOW~2\wab.exe | C:\NVIDIA\DisplayDriver\535.21\NVIDIA Container.exe | N/A |
| File opened for modification | C:\PROGRA~2\WINDOW~4\wmpconfig.exe | C:\NVIDIA\DisplayDriver\535.21\NVIDIA Container.exe | N/A |
| File opened for modification | C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE | C:\NVIDIA\DisplayDriver\535.21\NVIDIA Container.exe | N/A |
| File created | C:\Program Files (x86)\Windows Portable Devices\66fc9ff0ee96c2 | C:\Users\Admin\AppData\Local\Temp\3582-490\sppsvc.exe | N/A |
| File opened for modification | C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE | C:\NVIDIA\DisplayDriver\535.21\NVIDIA Container.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE | C:\NVIDIA\DisplayDriver\535.21\NVIDIA Container.exe | N/A |
| File opened for modification | C:\PROGRA~2\WindowsPowerShell\Configuration\Registration\smss.exe | C:\Users\Admin\AppData\Local\Temp\navalny pass - 2000.exe | N/A |
| File created | C:\Program Files (x86)\Windows NT\Accessories\en-US\5b884080fd4f94 | C:\Users\Admin\AppData\Local\Temp\3582-490\sppsvc.exe | N/A |
| File created | C:\Program Files\7-Zip\Lang\6cb0b6c459d5d3 | C:\NVIDIA\DisplayDriver\535.21\NVIDIA Container.exe | N/A |
| File opened for modification | C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE | C:\NVIDIA\DisplayDriver\535.21\NVIDIA Container.exe | N/A |
| File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe | C:\Users\Admin\AppData\Local\Temp\navalny pass - 2000.exe | N/A |
| File opened for modification | C:\PROGRA~2\INTERN~1\ieinstal.exe | C:\Users\Admin\AppData\Local\Temp\navalny pass - 2000.exe | N/A |
| File opened for modification | C:\PROGRA~2\WINDOW~4\wmprph.exe | C:\NVIDIA\DisplayDriver\535.21\NVIDIA Container.exe | N/A |
| File opened for modification | C:\PROGRA~2\WINDOW~4\wmlaunch.exe | C:\Users\Admin\AppData\Local\Temp\navalny pass - 2000.exe | N/A |
| File created | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\System.exe | C:\Users\Admin\AppData\Local\Temp\3582-490\sppsvc.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\Offline Web Pages\winlogon.exe | C:\NVIDIA\DisplayDriver\535.21\NVIDIA Container.exe | N/A |
| File created | C:\Windows\Offline Web Pages\cc11b995f2a76d | C:\NVIDIA\DisplayDriver\535.21\NVIDIA Container.exe | N/A |
| File created | C:\Windows\uk-UA\0a1fd5f707cd16 | C:\NVIDIA\DisplayDriver\535.21\NVIDIA Container.exe | N/A |
| File opened for modification | C:\Windows\directx.sys | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\directx.sys | C:\NVIDIA\DisplayDriver\535.21\NVIDIA Container.exe | N/A |
| File created | C:\Windows\PrintDialog\pris\sppsvc.exe | C:\Users\Admin\AppData\Local\Temp\3582-490\sppsvc.exe | N/A |
| File created | C:\Windows\BitLockerDiscoveryVolumeContents\sppsvc.exe | C:\Users\Admin\AppData\Local\Temp\3582-490\sppsvc.exe | N/A |
| File created | C:\Windows\INF\MSDTC Bridge 3.0.0.0\0000\cmd.exe | C:\NVIDIA\DisplayDriver\535.21\NVIDIA Container.exe | N/A |
| File opened for modification | C:\Windows\directx.sys | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\directx.sys | C:\NVIDIA\DisplayDriver\535.21\sppsvc.exe | N/A |
| File opened for modification | C:\Windows\svchost.com | C:\NVIDIA\DisplayDriver\535.21\sppsvc.exe | N/A |
| File opened for modification | C:\Windows\directx.sys | C:\Windows\svchost.com | N/A |
| File created | C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Core\eb603fa6eb1f1fdefda6ce5d5c1c889a\spoolsv.exe | C:\Users\Admin\AppData\Local\Temp\3582-490\NVIDIA~1.EXE | N/A |
| File opened for modification | C:\Windows\svchost.com | C:\Windows\svchost.com | N/A |
| File created | C:\Windows\PrintDialog\pris\0a1fd5f707cd16 | C:\Users\Admin\AppData\Local\Temp\3582-490\sppsvc.exe | N/A |
| File created | C:\Windows\BitLockerDiscoveryVolumeContents\0a1fd5f707cd16 | C:\Users\Admin\AppData\Local\Temp\3582-490\sppsvc.exe | N/A |
| File created | C:\Windows\servicing\SQM\unsecapp.exe | C:\NVIDIA\DisplayDriver\535.21\NVIDIA Container.exe | N/A |
| File created | C:\Windows\Offline Web Pages\winlogon.exe | C:\NVIDIA\DisplayDriver\535.21\NVIDIA Container.exe | N/A |
| File created | C:\Windows\uk-UA\sppsvc.exe | C:\NVIDIA\DisplayDriver\535.21\NVIDIA Container.exe | N/A |
| File created | C:\Windows\addins\5b884080fd4f94 | C:\NVIDIA\DisplayDriver\535.21\NVIDIA Container.exe | N/A |
| File opened for modification | C:\Windows\svchost.com | C:\Windows\svchost.com | N/A |
| File created | C:\Windows\it-IT\fontdrvhost.exe | C:\Users\Admin\AppData\Local\Temp\3582-490\sppsvc.exe | N/A |
| File created | C:\Windows\addins\fontdrvhost.exe | C:\NVIDIA\DisplayDriver\535.21\NVIDIA Container.exe | N/A |
| File opened for modification | C:\Windows\svchost.com | C:\NVIDIA\DisplayDriver\535.21\NVIDIA Container.exe | N/A |
| File created | C:\Windows\INF\MSDTC Bridge 3.0.0.0\0000\ebf1f9fa8afd6d | C:\NVIDIA\DisplayDriver\535.21\NVIDIA Container.exe | N/A |
| File opened for modification | C:\Windows\svchost.com | C:\Users\Admin\AppData\Local\Temp\navalny pass - 2000.exe | N/A |
| File opened for modification | C:\Windows\svchost.com | C:\Windows\svchost.com | N/A |
| File created | C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Core\eb603fa6eb1f1fdefda6ce5d5c1c889a\f3b6ecef712a24 | C:\Users\Admin\AppData\Local\Temp\3582-490\NVIDIA~1.EXE | N/A |
| File created | C:\Windows\it-IT\5b884080fd4f94 | C:\Users\Admin\AppData\Local\Temp\3582-490\sppsvc.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
Kills process with taskkill
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "237" | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" | C:\Windows\system32\LogonUI.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\NVIDIA Container.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\navalny pass - 2000.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\3582-490\navalny pass - 2000.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings | C:\NVIDIA\DisplayDriver\535.21\NVIDIA Container.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\3582-490\NVIDIA~1.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\NVIDIA Container.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings | C:\NVIDIA\DisplayDriver\535.21\NVIDIA Container.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings | C:\NVIDIA\DisplayDriver\535.21\sppsvc.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\3582-490\sppsvc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WINLOC~1.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\NVIDIA\DisplayDriver\535.21\NVIDIA Container.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Offline Web Pages\winlogon.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\NVIDIA~1.EXE | N/A |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dllhost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\7-Zip\Lang\dwm.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\sppsvc.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\NVIDIA\DisplayDriver\535.21\fontdrvhost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\WINLOC~1.EXE | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\LogonUI.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\navalny pass - 2000.exe
"C:\Users\Admin\AppData\Local\Temp\navalny pass - 2000.exe"
C:\Users\Admin\AppData\Local\Temp\NVIDIA Container.exe
"C:\Users\Admin\AppData\Local\Temp\NVIDIA Container.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\NVIDIA\DisplayDriver\535.21\zajaYJ4rqwpmDK2a6yrvwdV.vbe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\NVIDIA\DisplayDriver\535.21\mxJne99RtKqQDunPUGdos.bat" "
C:\NVIDIA\DisplayDriver\535.21\NVIDIA Container.exe
"C:\NVIDIA\DisplayDriver\535.21\NVIDIA Container.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Windows\Offline Web Pages\winlogon.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\Offline Web Pages\winlogon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Windows\Offline Web Pages\winlogon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Windows\uk-UA\sppsvc.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\uk-UA\sppsvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Windows\uk-UA\sppsvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Windows\addins\fontdrvhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\addins\fontdrvhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Windows\addins\fontdrvhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "NVIDIA ContainerN" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\NVIDIA Container.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "NVIDIA Container" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\NVIDIA Container.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "NVIDIA ContainerN" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\NVIDIA Container.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Libraries\winlogon.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Public\Libraries\winlogon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Libraries\winlogon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Users\Default\csrss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Users\Default\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft\RuntimeBroker.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\NVIDIA\DisplayDriver\535.21\sppsvc.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\NVIDIA\DisplayDriver\535.21\sppsvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\NVIDIA\DisplayDriver\535.21\sppsvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\dllhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\StartMenuExperienceHost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\StartMenuExperienceHost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\StartMenuExperienceHost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\smss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\smss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\smss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Media Player\Visualizations\SppExtComObj.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\Visualizations\SppExtComObj.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Media Player\Visualizations\SppExtComObj.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Local Settings\services.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Default\Local Settings\services.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Local Settings\services.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Application Data\smss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Admin\Application Data\smss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Application Data\smss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Windows\INF\MSDTC Bridge 3.0.0.0\0000\cmd.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Windows\INF\MSDTC Bridge 3.0.0.0\0000\cmd.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\Windows\INF\MSDTC Bridge 3.0.0.0\0000\cmd.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Program Files\7-Zip\Lang\dwm.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\dwm.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Program Files\7-Zip\Lang\dwm.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Links\csrss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default\Links\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Links\csrss.exe'" /rl HIGHEST /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yVdxKe7Q8j.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\Offline Web Pages\winlogon.exe
"C:\Windows\Offline Web Pages\winlogon.exe"
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Users\Admin\Desktop\navalny pass - 2000.exe
"C:\Users\Admin\Desktop\navalny pass - 2000.exe"
C:\Users\Admin\AppData\Local\Temp\NVIDIA Container.exe
"C:\Users\Admin\AppData\Local\Temp\NVIDIA Container.exe"
C:\Users\Admin\AppData\Local\Temp\navalny pass - 2000.exe
"C:\Users\Admin\AppData\Local\Temp\navalny pass - 2000.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\NVIDIA\DisplayDriver\535.21\zajaYJ4rqwpmDK2a6yrvwdV.vbe"
C:\Users\Admin\AppData\Local\Temp\3582-490\navalny pass - 2000.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\navalny pass - 2000.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\NVIDIA\DisplayDriver\535.21\mxJne99RtKqQDunPUGdos.bat" "
C:\NVIDIA\DisplayDriver\535.21\NVIDIA Container.exe
"C:\NVIDIA\DisplayDriver\535.21\NVIDIA Container.exe"
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\WINLOC~1.EXE"
C:\Users\Admin\AppData\Local\Temp\WINLOC~1.EXE
C:\Users\Admin\AppData\Local\Temp\WINLOC~1.EXE
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\NVIDIA~1.EXE"
C:\Users\Admin\AppData\Local\Temp\3582-490\NVIDIA~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\NVIDIA~1.EXE
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Media Player\Visualizations\explorer.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\Visualizations\explorer.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Media Player\Visualizations\explorer.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "svchost.coms" /sc MINUTE /mo 10 /tr "'C:\NVIDIA\DisplayDriver\svchost.com.exe'" /f
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x348 0x424
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "svchost.com" /sc ONLOGON /tr "'C:\NVIDIA\DisplayDriver\svchost.com.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "svchost.coms" /sc MINUTE /mo 6 /tr "'C:\NVIDIA\DisplayDriver\svchost.com.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Core\eb603fa6eb1f1fdefda6ce5d5c1c889a\spoolsv.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Core\eb603fa6eb1f1fdefda6ce5d5c1c889a\spoolsv.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Core\eb603fa6eb1f1fdefda6ce5d5c1c889a\spoolsv.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\taskhostw.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\taskhostw.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\taskhostw.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WINLOC~1W" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Downloads\WINLOC~1.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WINLOC~1" /sc ONLOGON /tr "'C:\Users\Public\Downloads\WINLOC~1.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WINLOC~1W" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Downloads\WINLOC~1.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "NVIDIA ContainerN" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Photo Viewer\it-IT\NVIDIA Container.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "NVIDIA Container" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\it-IT\NVIDIA Container.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "NVIDIA ContainerN" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Photo Viewer\it-IT\NVIDIA Container.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 13 /tr "'C:\NVIDIA\DisplayDriver\535.21\taskhostw.exe'" /f
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "TASKKILL /F /IM "explorer.exe""
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\NVIDIA\DisplayDriver\535.21\taskhostw.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 10 /tr "'C:\NVIDIA\DisplayDriver\535.21\taskhostw.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "NVIDIA~1N" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Defender\it-IT\NVIDIA~1.exe'" /f
C:\Windows\SysWOW64\taskkill.exe
TASKKILL /F /IM "explorer.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "NVIDIA~1" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\it-IT\NVIDIA~1.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "NVIDIA~1N" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Defender\it-IT\NVIDIA~1.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dllhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dllhost.exe'" /rl HIGHEST /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tAjNuoNvyW.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dllhost.exe
"C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dllhost.exe"
C:\Program Files\7-Zip\Lang\dwm.exe
"C:\Program Files\7-Zip\Lang\dwm.exe"
C:\NVIDIA\DisplayDriver\535.21\sppsvc.exe
C:\NVIDIA\DisplayDriver\535.21\sppsvc.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\sppsvc.exe"
C:\Users\Admin\AppData\Local\Temp\3582-490\sppsvc.exe
C:\Users\Admin\AppData\Local\Temp\3582-490\sppsvc.exe
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Portable Devices\sihost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\sihost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Portable Devices\sihost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 6 /tr "'C:\Program Files\Uninstall Information\sihost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\sihost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 11 /tr "'C:\Program Files\Uninstall Information\sihost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\3D Objects\dllhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Admin\3D Objects\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\3D Objects\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Windows\PrintDialog\pris\sppsvc.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\PrintDialog\pris\sppsvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Windows\PrintDialog\pris\sppsvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\NVIDIA\DisplayDriver\535.21\fontdrvhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\NVIDIA\DisplayDriver\535.21\fontdrvhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\NVIDIA\DisplayDriver\535.21\fontdrvhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Windows\it-IT\fontdrvhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\it-IT\fontdrvhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Windows\it-IT\fontdrvhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\sppsvc.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\sppsvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\sppsvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\fontdrvhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\fontdrvhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\fontdrvhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Windows\Temp\MsEdgeCrashpad\reports\dllhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Temp\MsEdgeCrashpad\reports\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Windows\Temp\MsEdgeCrashpad\reports\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Saved Games\sysmon.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Users\Default\Saved Games\sysmon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Saved Games\sysmon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\System.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\System.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\System.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\winlogon.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Admin\winlogon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\winlogon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\NVIDIA\DisplayDriver\535.21\fontdrvhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\NVIDIA\DisplayDriver\535.21\fontdrvhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\NVIDIA\DisplayDriver\535.21\fontdrvhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\csrss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\ClientX64\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\fontdrvhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\fontdrvhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\fontdrvhost.exe'" /rl HIGHEST /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Wghfv84Vew.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\NVIDIA\DisplayDriver\535.21\fontdrvhost.exe
"C:\NVIDIA\DisplayDriver\535.21\fontdrvhost.exe"
C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa38fe055 /state1:0x41c64e6d
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | narzieo9.beget.tech | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | narzieo9.beget.tech | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 210.143.182.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | narzieo9.beget.tech | udp |
| US | 8.8.8.8:53 | narzieo9.beget.tech | udp |
Files
C:\Users\Admin\AppData\Local\Temp\NVIDIA Container.exe
C:\NVIDIA\DisplayDriver\535.21\zajaYJ4rqwpmDK2a6yrvwdV.vbe
C:\NVIDIA\DisplayDriver\535.21\mxJne99RtKqQDunPUGdos.bat
C:\NVIDIA\DisplayDriver\535.21\NVIDIA Container.exe
C:\Users\Admin\AppData\Local\Temp\yVdxKe7Q8j.bat
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\navalny pass - 2000.exe.log
C:\Users\Admin\AppData\Local\Temp\navalny pass - 2000.exe
C:\Users\Admin\AppData\Local\Temp\3582-490\navalny pass - 2000.exe
C:\NVIDIA\DISPLA~1\535.21\sppsvc.exe
C:\Users\Admin\AppData\Local\Temp\winlocker.exe
C:\Windows\svchost.com
C:\Users\Admin\AppData\Local\Temp\php5ts.dll
C:\Users\Admin\AppData\Local\Temp\ext\php_squall.dll
C:\Users\Admin\AppData\Local\Temp\squall.dll
C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE
| MD5 | 176436d406fd1aabebae353963b3ebcf |
| SHA1 | 9ffdfdb8cc832a0c6501c4c0e85b23a0f7eff57a |
| SHA256 | 2f947e3ca624ce7373080b4a3934e21644fb070a53feeaae442b15b849c2954f |
| SHA512 | a2d1a714e0c1e5463260c64048ba8fd5064cfa06d4a43d02fc04a30748102ff5ba86d20a08e611e200dc778e2b7b3ae808da48132a05a61aa09ac424a182a06a |
C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE
| MD5 | 12c29dd57aa69f45ddd2e47620e0a8d9 |
| SHA1 | ba297aa3fe237ca916257bc46370b360a2db2223 |
| SHA256 | 22a585c183e27b3c732028ff193733c2f9d03700a0e95e65c556b0592c43d880 |
| SHA512 | 255176cd1a88dfa2af3838769cc20dc7ad9d969344801f07b9ebb372c12cee3f47f2dba3559f391deab10650875cad245d9724acfa23a42b336bfa96559a5488 |
C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE
| MD5 | 92dc0a5b61c98ac6ca3c9e09711e0a5d |
| SHA1 | f809f50cfdfbc469561bced921d0bad343a0d7b4 |
| SHA256 | 3e9da97a7106122245e77f13f3f3cc96c055d732ab841eb848d03ac25401c1bc |
| SHA512 | d9eefb19f82e0786d9be0dbe5e339d25473fb3a09682f40c6d190d4c320cca5556abb72b5d97c6b0da4f8faefdc6d39ac9d0415fdf94ebcc90ecdf2e513c6a31 |
C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE
| MD5 | 8c753d6448183dea5269445738486e01 |
| SHA1 | ebbbdc0022ca7487cd6294714cd3fbcb70923af9 |
| SHA256 | 473eb551101caeaf2d18f811342e21de323c8dd19ed21011997716871defe997 |
| SHA512 | 4f6fddefc42455540448eac0b693a4847e21b68467486376a4186776bfe137337733d3075b7b87ed7dac532478dc9afc63883607ec8205df3f155fee64c7a9be |
C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE
| MD5 | 4ddc609ae13a777493f3eeda70a81d40 |
| SHA1 | 8957c390f9b2c136d37190e32bccae3ae671c80a |
| SHA256 | 16d65f2463658a72dba205dcaa18bc3d0bab4453e726233d68bc176e69db0950 |
| SHA512 | 9d7f90d1529cab20078c2690bf7bffab5a451a41d8993781effe807e619da0e7292f991da2f0c5c131b111d028b3e6084e5648c90816e74dfb664e7f78181bc5 |
C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe
| MD5 | 5791075058b526842f4601c46abd59f5 |
| SHA1 | b2748f7542e2eebcd0353c3720d92bbffad8678f |
| SHA256 | 5c3ef3ec7594c040146e908014791dd15201ba58b4d70032770bb661b6a0e394 |
| SHA512 | 83e303971ed64019fde9e4ba6f6e889f8fb105088490dfa7dcf579a12baff20ef491f563d132d60c7b24a4fd3cac29bd9dc974571cd162000fae8fba4e0e54fb |
C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE
| MD5 | 9dfcdd1ab508b26917bb2461488d8605 |
| SHA1 | 4ba6342bcf4942ade05fb12db83da89dc8c56a21 |
| SHA256 | ecd5e94da88c653e4c34b6ab325e0aca8824247b290336f75c410caa16381bc5 |
| SHA512 | 1afc1b95f160333f1ff2fa14b3f22a28ae33850699c6b5498915a8b6bec1cfc40f33cb69583240aa9206bc2ea7ab14e05e071275b836502a92aa8c529fc1b137 |
C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe
| MD5 | 15f4411f1b14234b5bed948ed78fa86e |
| SHA1 | f9775a3d87efb22702d934322ffcda3511b79c17 |
| SHA256 | cd6c08078343089d299a30f7bf16555ab349e946892dca1c49c6c0336d27ff0e |
| SHA512 | c44d2e96d6d0264075379066fd5d11ba30a675bb6f6b6279c4ac0d12066975c30c33b69b52457cbed4e35852e8b15b3daad9274d6f957ae0681fb7a6c48a33cb |
C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE
| MD5 | 3b0e91f9bb6c1f38f7b058c91300e582 |
| SHA1 | 6e2e650941b1a96bb0bb19ff26a5d304bb09df5f |
| SHA256 | 57c993cadf4bf84810cea23a7112c6e260624beaab48d0e4332d3462900fec1d |
| SHA512 | a4fbe28a0135f4632e0a5b6bd775f8d010250b0fbfe223db1fe81d18552a6bc166ebce807853ba02e6a476e9829454805e415ca828a5e043bd1e63dc53599d0f |
C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE
| MD5 | 400836f307cf7dbfb469cefd3b0391e7 |
| SHA1 | 7af3cbb12d3b2d8b5d9553c687c6129d1dd90a10 |
| SHA256 | cb5c5abb625a812d47007c75e3855be3f29da527a41cf03730ad5c81f3eb629a |
| SHA512 | aa53cb304478585d6f83b19a6de4a7938ba2570d380a565a56ff5365aed073d5f56b95ad3228eb7d1e7e6110c6172a58b97bd6a5e57e4a8d39e762ed31dc17c8 |
C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE
| MD5 | 5da33a7b7941c4e76208ee7cddec8e0b |
| SHA1 | cdd2e7b9b0e4be68417d4618e20a8283887c489c |
| SHA256 | 531e735e4e8940dfe21e30be0d4179ceaecb57ce431cf63c5044e07048ac1751 |
| SHA512 | 977aeecfbc693c9d5746fedf08b99e0b0f6fd7b0c7b41ac2b34a832e68a2e6f3c68f38af2e65c87075fcf00c1c6103e34324df45d7da9412cbbeea7e410794b6 |
C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe
| MD5 | de69c005b0bbb513e946389227183eeb |
| SHA1 | 2a64efdcdc71654356f77a5b77da8b840dcc6674 |
| SHA256 | ad7b167ab599b6dad7e7f0ad47368643d91885253f95fadf0fadd1f8eb6ee9c7 |
| SHA512 | 6ca8cec0cf20ee9b8dfe263e48f211b6f1e19e3b4fc0f6e89807f39d3f4e862f0139eb5b35e3133ef60555589ad54406fb11d95845568a5538602f287863b7d7 |
C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaw.exe
| MD5 | 6f87ccb8ab73b21c9b8288b812de8efa |
| SHA1 | a709254f843a4cb50eec3bb0a4170ad3e74ea9b3 |
| SHA256 | 14e7a1f2f930380903ae3c912b4a70fd0a59916315c46874805020fe41215c22 |
| SHA512 | 619b45b9728880691a88fbfc396c9d34b41d5e349e04d2eb2d18c535fffc079395835af2af7ca69319954a98852d2f9b7891eff91864d63bf25759c156e192ee |
C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe
| MD5 | 0511abca39ed6d36fff86a8b6f2266cd |
| SHA1 | bfe55ac898d7a570ec535328b6283a1cdfa33b00 |
| SHA256 | 76ae68fc7c6c552c4a98c5df640cd96cf27b62e7e1536b7f7d08eff56fcde8b8 |
| SHA512 | 6608412e3ed0057f387bafcddcb07bfe7da4f207c7300c460e5acc4bd234cec3362191800789eb465eb120ec069e3ed49eabb6bd7db30d9e9245a89bb20e4346 |
C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE
| MD5 | cbd96ba6abe7564cb5980502eec0b5f6 |
| SHA1 | 74e1fe1429cec3e91f55364e5cb8385a64bb0006 |
| SHA256 | 405b8bd647fa703e233b8b609a18999abe465a8458168f1daf23197bd2ea36aa |
| SHA512 | a551001853f6b93dfbc6cf6a681820af31330a19d5411076ff3dbce90937b3d92173085a15f29ebf56f2ef12a4e86860ac6723ebc89c98ea31ea7a6c7e3d7cdc |
C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe
| MD5 | e7a27a45efa530c657f58fda9f3b9f4a |
| SHA1 | 6c0d29a8b75574e904ab1c39fc76b39ca8f8e461 |
| SHA256 | d6f11401f57293922fb36cd7542ae811ab567a512449e566f83ce0dcef5ff8e5 |
| SHA512 | 0c37b41f3c075cd89a764d81f751c3a704a19240ad8e4ebab591f399b9b168b920575749e9d24c2a8f0400b9f340ab9fea4db76ff7060d8af00e2b36ac0c4a54 |
C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe
| MD5 | e316c67c785d3e39e90341b0bbaac705 |
| SHA1 | 7ffd89492438a97ad848068cfdaab30c66afca35 |
| SHA256 | 4fc8b9433b45c2607cbdf3d1c042c3918b854c9db3ade13b5bb2761d28f1c478 |
| SHA512 | 25ec433c10adc69305de97107463be74d7b4768acca27886498485e8bc2c8b099994e6c1c6c09a7e603816203d6b18e509fb79f24992915eb802f59bcb790090 |
C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE
| MD5 | bcd0f32f28d3c2ba8f53d1052d05252d |
| SHA1 | c29b4591df930dabc1a4bd0fa2c0ad91500eafb2 |
| SHA256 | bb07d817b8b1b6b4c25e62b6120e51dec10118557d7b6b696ad084a5ba5bfdeb |
| SHA512 | 79f407735853f82f46870c52058ceee4d91857a89db14868ee1169abd5c0fd2e3fa1ed230ab90b5f479a9581b88998643d69b0df498defea29e73b0d487f3b10 |
C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe
| MD5 | d47ed8961782d9e27f359447fa86c266 |
| SHA1 | d37d3f962c8d302b18ec468b4abe94f792f72a3b |
| SHA256 | b1ec065f71cc40f400e006586d370997102860504fd643b235e8ed9f5607262a |
| SHA512 | 3e33f2cdf35024868b183449019de9278035e7966b342ba320a6c601b5629792cbb98a19850d4ca80b906c85d10e8503b0193794d1f1efa849fa33d26cff0669 |
C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE
| MD5 | 3b35b268659965ab93b6ee42f8193395 |
| SHA1 | 8faefc346e99c9b2488f2414234c9e4740b96d88 |
| SHA256 | 750824b5f75c91a6c2eeb8c5e60ae28d7a81e323d3762c8652255bfea5cba0bb |
| SHA512 | 035259a7598584ddb770db3da4e066b64dc65638501cdd8ff9f8e2646f23b76e3dfffa1fb5ed57c9bd15bb4efa3f7dd33fdc2e769e5cc195c25de0e340eb89ab |
C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe
| MD5 | cce8964848413b49f18a44da9cb0a79b |
| SHA1 | 0b7452100d400acebb1c1887542f322a92cbd7ae |
| SHA256 | fe44ca8d5050932851aa54c23133277e66db939501af58e5aeb7b67ec1dde7b5 |
| SHA512 | bf8fc270229d46a083ced30da6637f3ca510b0ce44624a9b21ec6aacac81666dffd41855053a936aa9e8ea6e745a09b820b506ec7bf1173b6f1837828a35103d |
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE
| MD5 | 09acdc5bbec5a47e8ae47f4a348541e2 |
| SHA1 | 658f64967b2a9372c1c0bdd59c6fb2a18301d891 |
| SHA256 | 1b5c715d71384f043843ea1785a6873a9f39d2daae112ccdeffcd88b10a3a403 |
| SHA512 | 3867bf98e1a0e253114a98b78b047b0d8282b5abf4aaf836f31cc0e26224e2a1b802c65df9d90dc7696a6dbcb9a8e4b900f1d1299e1b11e36f095ebaf8a2e5b8 |
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe
| MD5 | 576410de51e63c3b5442540c8fdacbee |
| SHA1 | 8de673b679e0fee6e460cbf4f21ab728e41e0973 |
| SHA256 | 3f00404dd591c2856e6f71bd78423ed47199902e0b85f228e6c4de72c59ddffe |
| SHA512 | f7761f3878775b30cc3d756fa122e74548dfc0a27e38fa4109e34a59a009df333d074bf14a227549ae347605f271be47984c55148685faac479aeb481f7191db |
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE
| MD5 | 3b73078a714bf61d1c19ebc3afc0e454 |
| SHA1 | 9abeabd74613a2f533e2244c9ee6f967188e4e7e |
| SHA256 | ded54d1fcca07b6bff2bc3b9a1131eac29ff1f836e5d7a7c5c325ec5abe96e29 |
| SHA512 | 75959d4e8a7649c3268b551a2a378e6d27c0bfb03d2422ebeeb67b0a3f78c079473214057518930f2d72773ce79b106fd2d78405e8e3d8883459dcbb49c163c4 |
C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe
| MD5 | 8ffc3bdf4a1903d9e28b99d1643fc9c7 |
| SHA1 | 919ba8594db0ae245a8abd80f9f3698826fc6fe5 |
| SHA256 | 8268d3fefe8ca96a25a73690d14bacf644170ab5e9e70d2f8eeb350a4c83f9f6 |
| SHA512 | 0b94ead97374d74eaee87e7614ddd3911d2cf66d4c49abbfd06b02c03e5dd56fd00993b4947e8a4bcd9d891fa39cab18cc6b61efc7d0812e91eb3aea9cd1a427 |
C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe
| MD5 | 322302633e36360a24252f6291cdfc91 |
| SHA1 | 238ed62353776c646957efefc0174c545c2afa3d |
| SHA256 | 31da9632f5d25806b77b617d48da52a14afc574bbe1653120f97705284ea566c |
| SHA512 | 5a1f7c44ce7f5036bffc18ebac39e2bf70e6f35fa252617d665b26448f4c4473adfa115467b7e2d9b7068823e448f74410cdcdfef1ac1c09021e051921787373 |
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE
| MD5 | 39c8a4c2c3984b64b701b85cb724533b |
| SHA1 | c911f4c4070dfe9a35d9adcb7de6e6fb1482ce00 |
| SHA256 | 888a1dd0033e5d758a4e731e3e55357de866e80d03b1b194375f714e1fd4351d |
| SHA512 | f42ca2962fe60cff1a13dea8b81ff0647b317c785ee4f5159c38487c34d33aecba8478757047d31ab2ee893fbdcb91a21655353456ba6a018fc71b2278db4db2 |
C:\Windows\directx.sys
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/1420-316-0x0000000000400000-0x000000000041B000-memory.dmp
memory/1700-318-0x0000000000400000-0x000000000041B000-memory.dmp
memory/2096-319-0x0000000000400000-0x000000000041B000-memory.dmp
memory/1548-322-0x00000000044D0000-0x0000000004552000-memory.dmp
memory/1548-321-0x0000000002A00000-0x0000000002A2A000-memory.dmp
memory/1548-320-0x0000000000400000-0x0000000000AAB000-memory.dmp
memory/1700-324-0x0000000000400000-0x000000000041B000-memory.dmp
memory/2096-325-0x0000000000400000-0x000000000041B000-memory.dmp
memory/1700-329-0x0000000000400000-0x000000000041B000-memory.dmp
memory/2096-330-0x0000000000400000-0x000000000041B000-memory.dmp
memory/1700-333-0x0000000000400000-0x000000000041B000-memory.dmp
memory/2096-332-0x0000000000400000-0x000000000041B000-memory.dmp
memory/1548-334-0x0000000000400000-0x0000000000AAB000-memory.dmp
memory/1548-487-0x0000000000400000-0x0000000000AAB000-memory.dmp
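The listing above is plain text: a path line followed by a four-row hash table, interleaved with memory-dump names of the form `memory/<pid>-<id>-<start>-<end>-memory.dmp`. The Python script below is an added example, not part of the sandbox report, that parses that format into a structured IOC set, flags entries whose digests are those of a zero-length file (the `C:\Windows\directx.sys` entry above carries exactly the empty-input MD5, SHA1, SHA256 and SHA512, so it is useless as a blocklist indicator), and collapses repeated dumps of the same region per PID. The embedded sample is a handful of entries copied from the listing; the function and sentinel names are my own, and orphaned hash rows without a preceding path (as at the top of this section) are kept under a sentinel key rather than dropped.

```python
import hashlib
import re
from collections import defaultdict

# Constructed sample: entries copied from the dropped-files listing above,
# in the report's own layout, so the parser can be exercised offline.
SAMPLE = """\
C:\\Windows\\svchost.com
| MD5 | 594d6120159f25621034a2b9e42aaf88 |
| SHA1 | bb981a4ae042d506ea0403cac880c2b759d40699 |
| SHA256 | db937f1cc5add635677135f175db53bd13ddd68751f43a11283ffc99f2e05842 |
| SHA512 | 6545d41ebcbe34d09b46e9a7ac5245709de20ed15a8107efdfe1900a5b633f9114d364e464da28ebd5af5c5382d1078fb1567d94fc34b19d09835241597ad1aa |
memory/1548-138-0x0000000000400000-0x0000000000AAB000-memory.dmp
C:\\Windows\\directx.sys
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/1420-316-0x0000000000400000-0x000000000041B000-memory.dmp
memory/1548-487-0x0000000000400000-0x0000000000AAB000-memory.dmp
"""

HASH_ROW = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")
MEM_DUMP = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
ORPHAN = "(no path: hash rows precede the first path line)"  # sentinel, my own name

# Digests of the zero-length input, computed rather than hard-coded so the
# check cannot drift from the algorithms themselves.
EMPTY_DIGESTS = {
    "MD5": hashlib.md5(b"").hexdigest(),
    "SHA1": hashlib.sha1(b"").hexdigest(),
    "SHA256": hashlib.sha256(b"").hexdigest(),
    "SHA512": hashlib.sha512(b"").hexdigest(),
}


def parse_listing(text):
    """Return (files, dumps): files maps path -> {algo: hexdigest};
    dumps maps pid -> list of (dump_id, start, end) with addresses as ints."""
    files, dumps, current = {}, defaultdict(list), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MEM_DUMP.match(line)
        if m:  # a dump line closes the current file entry
            pid, dump_id, start, end = m.groups()
            dumps[int(pid)].append((int(dump_id), int(start, 16), int(end, 16)))
            current = None
            continue
        m = HASH_ROW.match(line)
        if m:
            if current is None:  # rows cut off from their path (truncated page)
                current = ORPHAN
                files.setdefault(current, {})
            algo, digest = m.group(1), m.group(2).lower()
            if len(digest) != HEX_LEN[algo]:
                raise ValueError(f"{current}: {algo} digest has {len(digest)} hex chars")
            files[current][algo] = digest
            continue
        current = line  # anything else is a file path opening a new entry
        files.setdefault(current, {})
    return files, dict(dumps)


def empty_file_entries(files):
    """Paths whose every listed digest equals the digest of empty input."""
    return sorted(p for p, d in files.items()
                  if d and all(EMPTY_DIGESTS[a] == h for a, h in d.items()))


def dump_regions(dumps):
    """Distinct (pid, start, end) regions; repeated dumps of one range collapse."""
    return sorted({(pid, s, e) for pid, ents in dumps.items() for _, s, e in ents})


def to_ioc_lines(files, skip_empty=True):
    """'sha256,path' per dropped file; zero-byte placeholders are skipped by
    default because their hash matches every empty file on every host."""
    empty = set(empty_file_entries(files)) if skip_empty else set()
    return [f"{d['SHA256']},{p}" for p, d in sorted(files.items())
            if "SHA256" in d and p not in empty]


if __name__ == "__main__":
    files, dumps = parse_listing(SAMPLE)
    print("zero-byte placeholders:", empty_file_entries(files))
    for pid, s, e in dump_regions(dumps):
        print(f"pid {pid}: 0x{s:08X}-0x{e:08X} ({e - s} bytes)")
    print("\n".join(to_ioc_lines(files)))
```

Feed the whole dropped-files section to `parse_listing` and hand `to_ioc_lines` to your blocklist; `dump_regions` gives the per-PID unpacked-image ranges (the 0x400000-0xAAB000 region of PID 1548 is dumped repeatedly above) that are worth carving for the unpacked payload rather than the on-disk packed binary.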