dcrat | b08298bb968f9ef0bb09aa6cee9b608b9a4882b72301de0aa82fc45dd8d6a10c

Analysis

max time kernel
1322s
max time network
1324s
platform
windows10-2004_x64
resource
win10v2004-20240426-uk
resource tags

arch:x64arch:x86image:win10v2004-20240426-uklocale:uk-uaos:windows10-2004-x64systemwindows
submitted
18-05-2024 10:45

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

navalny pass - 2000.exe
Size

6.1MB
MD5

558ff65486960f523a1eb17ed0f87bf8
SHA1

bc6acc37eb0472a0bb23967f62cc4469ca1deb13
SHA256

b08298bb968f9ef0bb09aa6cee9b608b9a4882b72301de0aa82fc45dd8d6a10c
SHA512

19f066bd6adf650d7dbfb6412f7506139520eaeb8989852dd9f074622f13fc2c50a826eb35df38197ebd5cfaf34c1a1087e7cd9d8b60f50b10191c631f3121fc
SSDEEP

98304:8SiU7uSQsmMB5dklNKoJKMCi4HCwk22SbLOlwv+hLnlfnxVA+9DMj5995sB3:8JVSQsZBHklN3JzCi45KJhLlfXnMP63

Score

10^/10

dcrat neshta evasion infostealer persistence rat spyware stealer upx

Malware Config

Signatures

DcRat 64 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exenavalny pass - 2000.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeNVIDIA Container.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
1804	schtasks.exe
1788	schtasks.exe
5316	schtasks.exe
1404	schtasks.exe
5468	schtasks.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	navalny pass - 2000.exe
5096	schtasks.exe
4956	schtasks.exe
5728	schtasks.exe
3616	schtasks.exe
1412	schtasks.exe
3552	schtasks.exe
5684	schtasks.exe
368	schtasks.exe
4652	schtasks.exe
1316	schtasks.exe
4632	schtasks.exe
872	schtasks.exe
4844	schtasks.exe
1816	schtasks.exe
2316	schtasks.exe
5884	schtasks.exe
5716	schtasks.exe
432	schtasks.exe
4772	schtasks.exe
5040	schtasks.exe
4012	schtasks.exe
5432	schtasks.exe
208	schtasks.exe
File created	C:\Windows\twain_32\121e5b5079f7c0	NVIDIA Container.exe
2012	schtasks.exe
6028	schtasks.exe
5764	schtasks.exe
5804	schtasks.exe
2024	schtasks.exe
5456	schtasks.exe
5092	schtasks.exe
6040	schtasks.exe
4808	schtasks.exe
4288	schtasks.exe
2700	schtasks.exe
992	schtasks.exe
5376	schtasks.exe
5344	schtasks.exe
1336	schtasks.exe
3576	schtasks.exe
3616	schtasks.exe
3876	schtasks.exe
5100	schtasks.exe
3836	schtasks.exe
540	schtasks.exe
1512	schtasks.exe
1652	schtasks.exe
4624	schtasks.exe
1512	schtasks.exe
3576	schtasks.exe
6100	schtasks.exe
5840	schtasks.exe
3552	schtasks.exe
4808	schtasks.exe
1968	schtasks.exe
4288	schtasks.exe
1832	schtasks.exe
1364	schtasks.exe

Detect Neshta payload 11 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\navalny pass - 2000.exe	family_neshta
C:\NVIDIA\DISPLA~1\535.21\explorer.exe	family_neshta
C:\Windows\svchost.com	family_neshta
behavioral1/memory/2216-693-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/4552-724-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/3192-742-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/1800-744-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/3192-749-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/1800-750-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/3192-756-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/1800-755-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta

Process spawned unexpected child process 64 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4808	5064	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1512	5064	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3576	5064	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1652	5064	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1412	5064	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5068	5064	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3836	5064	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	916	5064	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	540	5064	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4772	5064	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4844	5064	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3616	5064	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3552	5064	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1804	5064	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4288	5064	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4624	5064	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4652	5064	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2012	5064	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5096	5064	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5040	5064	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5092	5064	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1316	5064	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1816	5064	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1832	5064	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2532	5064	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5856	5064	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6028	5064	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1264	5064	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1364	5064	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6040	5064	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4320	5064	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1968	5064	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2316	5064	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1788	5064	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	548	5064	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4808	5064	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4012	5064	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3876	5064	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2116	5064	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4956	5064	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5100	5064	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5684	5064	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5884	5064	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	920	5064	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3744	5064	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5316	5064	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5764	5064	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5716	5064	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5728	5064	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1512	5064	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3576	5064	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2448	5064	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4288	5064	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4632	5064	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5804	5064	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6100	5064	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2700	5064	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	432	5064	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5352	5064	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5332	5064	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	992	5064	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1404	5064	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	872	5064	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2024	5064	schtasks.exe

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\NVIDIA Container.exe	dcrat
C:\NVIDIA\DisplayDriver\535.21\NVIDIA Container.exe	dcrat
behavioral1/memory/2676-26-0x0000000000C80000-0x0000000000DEA000-memory.dmp	dcrat
C:\NVIDIA\DISPLA~1\535.21\explorer.exe	dcrat

Disables Task Manager via registry modification
evasion

Checks computer location settings 2 TTPs 17 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

navalny pass - 2000.exeNVIDIA Container.exeexplorer.exeexplorer.exeWScript.exenavalny pass - 2000.exefontdrvhost.exeFONTDR~1.EXEWScript.exeNVIDIA Container.exeNVIDIA Container.execsrss.exeNVIDIA Container.exeNVIDIA Container.exenavalny pass - 2000.exenavalny pass - 2000.exeNVIDIA~1.EXE

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	navalny pass - 2000.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	NVIDIA Container.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	explorer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	explorer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	navalny pass - 2000.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	FONTDR~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	NVIDIA Container.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	NVIDIA Container.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	NVIDIA Container.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	NVIDIA Container.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	navalny pass - 2000.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	navalny pass - 2000.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	NVIDIA~1.EXE

Executes dropped EXE 55 IoCs

Processes:

NVIDIA Container.exeNVIDIA Container.exeNVIDIA Container.exeRuntimeBroker.exeRuntimeBroker.exeNVIDIA Container.exenavalny pass - 2000.exenavalny pass - 2000.exeNVIDIA Container.exesvchost.comWINLOC~1.EXEsvchost.comNVIDIA~1.EXEunsecapp.exesysmon.exeIdle.exeMoUsoCoreWorker.exeunsecapp.exenavalny pass - 2000.exefontdrvhost.exesvchost.comFONTDR~1.EXEunsecapp.exeexplorer.exeOfficeClickToRun.exesvchost.comStartMenuExperienceHost.exeexplorer.exeSearchApp.exeRuntimeBroker.exesysmon.exeIdle.exeMoUsoCoreWorker.exewinlogon.exeRegistry.exenavalny pass - 2000.execsrss.exesvchost.comcsrss.exesmss.execmd.exelsass.exeIdle.exeMoUsoCoreWorker.exeOfficeClickToRun.exeStartMenuExperienceHost.exesysmon.exeSearchApp.exeRuntimeBroker.exeexplorer.exesvchost.comexplorer.exenavalny pass - 2000.exeunsecapp.exefontdrvhost.exe

pid	process
2020	NVIDIA Container.exe
2676	NVIDIA Container.exe
3608	NVIDIA Container.exe
1572	RuntimeBroker.exe
5844	RuntimeBroker.exe
5436	NVIDIA Container.exe
3192	navalny pass - 2000.exe
760	navalny pass - 2000.exe
1800	NVIDIA Container.exe
4552	svchost.com
996	WINLOC~1.EXE
2216	svchost.com
6020	NVIDIA~1.EXE
4516	unsecapp.exe
2616	sysmon.exe
4056	Idle.exe
5936	MoUsoCoreWorker.exe
4340	unsecapp.exe
5808	navalny pass - 2000.exe
3620	fontdrvhost.exe
5516	svchost.com
2376	FONTDR~1.EXE
5264	unsecapp.exe
1376	explorer.exe
5488	OfficeClickToRun.exe
5284	svchost.com
5156	StartMenuExperienceHost.exe
3980	explorer.exe
1528	SearchApp.exe
2896	RuntimeBroker.exe
3028	sysmon.exe
5848	Idle.exe
1324	MoUsoCoreWorker.exe
5328	winlogon.exe
1264	Registry.exe
6040	navalny pass - 2000.exe
4064	csrss.exe
4800	svchost.com
5680	csrss.exe
3940	smss.exe
3740	cmd.exe
3460	lsass.exe
4948	Idle.exe
3932	MoUsoCoreWorker.exe
5172	OfficeClickToRun.exe
3720	StartMenuExperienceHost.exe
5052	sysmon.exe
5028	SearchApp.exe
1328	RuntimeBroker.exe
3976	explorer.exe
4756	svchost.com
2224	explorer.exe
2416	navalny pass - 2000.exe
3452	unsecapp.exe
5020	fontdrvhost.exe

Loads dropped DLL 5 IoCs

Processes:

WINLOC~1.EXE

pid process

996 WINLOC~1.EXE
996 WINLOC~1.EXE
996 WINLOC~1.EXE
996 WINLOC~1.EXE
996 WINLOC~1.EXE

pid	process
996	WINLOC~1.EXE
996	WINLOC~1.EXE
996	WINLOC~1.EXE
996	WINLOC~1.EXE
996	WINLOC~1.EXE

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

Processes:

navalny pass - 2000.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	navalny pass - 2000.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\winlocker.exe	upx
behavioral1/memory/996-627-0x0000000000400000-0x0000000000AAB000-memory.dmp	upx
behavioral1/memory/996-683-0x0000000004380000-0x0000000004402000-memory.dmp	upx
behavioral1/memory/996-747-0x0000000004380000-0x0000000004402000-memory.dmp	upx
behavioral1/memory/996-745-0x0000000000400000-0x0000000000AAB000-memory.dmp	upx
behavioral1/memory/996-763-0x0000000000400000-0x0000000000AAB000-memory.dmp	upx
behavioral1/memory/996-1198-0x0000000000400000-0x0000000000AAB000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

Processes:

navalny pass - 2000.exeNVIDIA Container.exeNVIDIA~1.EXEFONTDR~1.EXENVIDIA Container.exe

description	ioc	process
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE	navalny pass - 2000.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpshare.exe	NVIDIA Container.exe
File created	C:\Program Files (x86)\Windows Defender\es-ES\29c1c3cc0f7685	NVIDIA~1.EXE
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE	navalny pass - 2000.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13185~1.29\MICROS~4.EXE	navalny pass - 2000.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\cmd.exe	NVIDIA~1.EXE
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\fontdrvhost.exe	FONTDR~1.EXE
File opened for modification	C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe	NVIDIA Container.exe
File created	C:\Program Files\Internet Explorer\winlogon.exe	NVIDIA~1.EXE
File created	C:\Program Files (x86)\Windows Photo Viewer\de-DE\unsecapp.exe	FONTDR~1.EXE
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\{F3C4FE00-EFD5-403B-9569-398A20F1BA4A}\1.3.185.29\fontdrvhost.exe	NVIDIA Container.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	navalny pass - 2000.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe	navalny pass - 2000.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE	navalny pass - 2000.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE	navalny pass - 2000.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	navalny pass - 2000.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wab.exe	navalny pass - 2000.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpconfig.exe	navalny pass - 2000.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe	navalny pass - 2000.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpconfig.exe	NVIDIA Container.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe	NVIDIA Container.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe	navalny pass - 2000.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ExtExport.exe	navalny pass - 2000.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE	navalny pass - 2000.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{63880~1\WINDOW~1.EXE	navalny pass - 2000.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	NVIDIA Container.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmprph.exe	NVIDIA Container.exe
File created	C:\Program Files (x86)\Windows Defender\es-ES\unsecapp.exe	NVIDIA~1.EXE
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE	navalny pass - 2000.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\Download\{F3C4F~1\13185~1.29\FONTDR~1.EXE	navalny pass - 2000.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	navalny pass - 2000.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	NVIDIA Container.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\5b884080fd4f94	FONTDR~1.EXE
File created	C:\Program Files\Windows Defender\es-ES\55b276f4edf653	NVIDIA~1.EXE
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE	navalny pass - 2000.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	navalny pass - 2000.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\setup_wm.exe	NVIDIA Container.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\ebf1f9fa8afd6d	NVIDIA~1.EXE
File opened for modification	C:\Program Files\Uninstall Information\navalny pass - 2000.exe	NVIDIA~1.EXE
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE	navalny pass - 2000.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE	navalny pass - 2000.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE	navalny pass - 2000.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ExtExport.exe	NVIDIA Container.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13185~1.29\MICROS~3.EXE	navalny pass - 2000.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\de-DE\29c1c3cc0f7685	FONTDR~1.EXE
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE	navalny pass - 2000.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE	navalny pass - 2000.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE	navalny pass - 2000.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE	navalny pass - 2000.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe	navalny pass - 2000.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE	navalny pass - 2000.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	navalny pass - 2000.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmlaunch.exe	navalny pass - 2000.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmplayer.exe	NVIDIA Container.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE	navalny pass - 2000.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13185~1.29\MI9C33~1.EXE	navalny pass - 2000.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wabmig.exe	navalny pass - 2000.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	navalny pass - 2000.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\9e8d7a4ca61bd9	NVIDIA~1.EXE
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE	navalny pass - 2000.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13185~1.29\MICROS~1.EXE	navalny pass - 2000.exe
File created	C:\Program Files\Uninstall Information\navalny pass - 2000.exe	NVIDIA~1.EXE
File created	C:\Program Files\MSBuild\69ddcba757bf72	NVIDIA~1.EXE
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe	navalny pass - 2000.exe

Drops file in Windows directory 30 IoCs

Processes:

csrss.exesvchost.comNVIDIA Container.exeNVIDIA~1.EXEfontdrvhost.exesvchost.comsvchost.comsvchost.comexplorer.exesvchost.comFONTDR~1.EXEexplorer.exesvchost.comnavalny pass - 2000.exeNVIDIA Container.exe

description	ioc	process
File opened for modification	C:\Windows\svchost.com	csrss.exe
File opened for modification	C:\Windows\svchost.com	svchost.com
File created	C:\Windows\twain_32\121e5b5079f7c0	NVIDIA Container.exe
File created	C:\Windows\L2Schemas\6203df4a6bafc7	NVIDIA~1.EXE
File opened for modification	C:\Windows\svchost.com	fontdrvhost.exe
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File created	C:\Windows\Provisioning\Autopilot\e6c9b481da804f	NVIDIA~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	explorer.exe
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	explorer.exe
File created	C:\Windows\twain_32\sysmon.exe	NVIDIA Container.exe
File created	C:\Windows\ServiceState\EventLog\Data\csrss.exe	FONTDR~1.EXE
File opened for modification	C:\Windows\svchost.com	explorer.exe
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	explorer.exe
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	navalny pass - 2000.exe
File opened for modification	C:\Windows\svchost.com	NVIDIA Container.exe
File opened for modification	C:\Windows\svchost.com	svchost.com
File created	C:\Windows\L2Schemas\lsass.exe	NVIDIA~1.EXE
File created	C:\Windows\Provisioning\Autopilot\OfficeClickToRun.exe	NVIDIA~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	NVIDIA Container.exe
File opened for modification	C:\Windows\directx.sys	fontdrvhost.exe
File opened for modification	C:\Windows\directx.sys	csrss.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 64 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

pid	process
4844	schtasks.exe
5684	schtasks.exe
872	schtasks.exe
1336	schtasks.exe
2448	schtasks.exe
1404	schtasks.exe
2024	schtasks.exe
5856	schtasks.exe
548	schtasks.exe
5100	schtasks.exe
5316	schtasks.exe
3576	schtasks.exe
3616	schtasks.exe
3576	schtasks.exe
540	schtasks.exe
5040	schtasks.exe
5884	schtasks.exe
2532	schtasks.exe
4012	schtasks.exe
5728	schtasks.exe
3552	schtasks.exe
1652	schtasks.exe
5068	schtasks.exe
3836	schtasks.exe
5468	schtasks.exe
4772	schtasks.exe
3616	schtasks.exe
5092	schtasks.exe
4632	schtasks.exe
5840	schtasks.exe
6100	schtasks.exe
5628	schtasks.exe
208	schtasks.exe
1804	schtasks.exe
2012	schtasks.exe
1968	schtasks.exe
4956	schtasks.exe
920	schtasks.exe
6028	schtasks.exe
3876	schtasks.exe
5344	schtasks.exe
4808	schtasks.exe
1264	schtasks.exe
5716	schtasks.exe
5804	schtasks.exe
5432	schtasks.exe
368	schtasks.exe
916	schtasks.exe
4652	schtasks.exe
6040	schtasks.exe
3744	schtasks.exe
432	schtasks.exe
5096	schtasks.exe
2316	schtasks.exe
5332	schtasks.exe
5444	schtasks.exe
5764	schtasks.exe
1512	schtasks.exe
4288	schtasks.exe
4624	schtasks.exe
1316	schtasks.exe
1816	schtasks.exe
4320	schtasks.exe
2116	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

4300 taskkill.exe

pid	process
4300	taskkill.exe

Modifies data under HKEY_USERS 15 IoCs

Processes:

LogonUI.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "237"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe

Modifies registry class 13 IoCs

Processes:

navalny pass - 2000.exefontdrvhost.exemsedge.exeNVIDIA Container.exeexplorer.exeNVIDIA Container.exenavalny pass - 2000.exeNVIDIA Container.exeNVIDIA Container.exeNVIDIA~1.EXEFONTDR~1.EXEcsrss.exeexplorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	navalny pass - 2000.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4018855536-2201274732-320770143-1000\{A7BA7B3F-0514-48E5-B8AE-AE0398E39322}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings	NVIDIA Container.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings	NVIDIA Container.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings	navalny pass - 2000.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings	NVIDIA Container.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings	NVIDIA Container.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings	NVIDIA~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings	FONTDR~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings	explorer.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

Processes:

NVIDIA Container.exeNVIDIA Container.exemsedge.exemsedge.exeRuntimeBroker.exeidentity_helper.exemsedge.exeRuntimeBroker.exeNVIDIA~1.EXEunsecapp.exesysmon.exeIdle.exeunsecapp.exeFONTDR~1.EXEunsecapp.exeOfficeClickToRun.exeRuntimeBroker.exesysmon.exeRegistry.exenavalny pass - 2000.execmd.exeIdle.exeOfficeClickToRun.exeRuntimeBroker.exefontdrvhost.exe

pid	process
2676	NVIDIA Container.exe
2676	NVIDIA Container.exe
2676	NVIDIA Container.exe
3608	NVIDIA Container.exe
3608	NVIDIA Container.exe
3608	NVIDIA Container.exe
1808	msedge.exe
1808	msedge.exe
4728	msedge.exe
4728	msedge.exe
1572	RuntimeBroker.exe
1572	RuntimeBroker.exe
1124	identity_helper.exe
1124	identity_helper.exe
6080	msedge.exe
6080	msedge.exe
5844	RuntimeBroker.exe
5844	RuntimeBroker.exe
6020	NVIDIA~1.EXE
6020	NVIDIA~1.EXE
6020	NVIDIA~1.EXE
6020	NVIDIA~1.EXE
6020	NVIDIA~1.EXE
4516	unsecapp.exe
2616	sysmon.exe
4056	Idle.exe
4340	unsecapp.exe
2376	FONTDR~1.EXE
5264	unsecapp.exe
5488	OfficeClickToRun.exe
2896	RuntimeBroker.exe
3028	sysmon.exe
1264	Registry.exe
6040	navalny pass - 2000.exe
3740	cmd.exe
4948	Idle.exe
5172	OfficeClickToRun.exe
1328	RuntimeBroker.exe
5020	fontdrvhost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

WINLOC~1.EXE

pid process

996 WINLOC~1.EXE

pid	process
996	WINLOC~1.EXE

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 16 IoCs

Processes:

msedge.exe

pid	process
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe

Suspicious use of AdjustPrivilegeToken 43 IoCs

Processes:

NVIDIA Container.exeNVIDIA Container.exeRuntimeBroker.exeRuntimeBroker.exeNVIDIA~1.EXEAUDIODG.EXEtaskkill.exeunsecapp.exesysmon.exeIdle.exeMoUsoCoreWorker.exeunsecapp.exenavalny pass - 2000.exeFONTDR~1.EXEunsecapp.exeOfficeClickToRun.exeexplorer.exeStartMenuExperienceHost.exeSearchApp.exeRuntimeBroker.exesysmon.exeIdle.exeMoUsoCoreWorker.exewinlogon.exeRegistry.exenavalny pass - 2000.execsrss.exesmss.execmd.exelsass.exeIdle.exeMoUsoCoreWorker.exeOfficeClickToRun.exeStartMenuExperienceHost.exesysmon.exeSearchApp.exeRuntimeBroker.exeexplorer.exenavalny pass - 2000.exeunsecapp.exefontdrvhost.exeWINLOC~1.EXE

description	pid	process
Token: SeDebugPrivilege	2676	NVIDIA Container.exe
Token: SeDebugPrivilege	3608	NVIDIA Container.exe
Token: SeDebugPrivilege	1572	RuntimeBroker.exe
Token: SeDebugPrivilege	5844	RuntimeBroker.exe
Token: SeDebugPrivilege	6020	NVIDIA~1.EXE
Token: 33	840	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	840	AUDIODG.EXE
Token: SeDebugPrivilege	4300	taskkill.exe
Token: SeDebugPrivilege	4516	unsecapp.exe
Token: SeDebugPrivilege	2616	sysmon.exe
Token: SeDebugPrivilege	4056	Idle.exe
Token: SeDebugPrivilege	5936	MoUsoCoreWorker.exe
Token: SeDebugPrivilege	4340	unsecapp.exe
Token: SeDebugPrivilege	5808	navalny pass - 2000.exe
Token: SeDebugPrivilege	2376	FONTDR~1.EXE
Token: SeDebugPrivilege	5264	unsecapp.exe
Token: SeDebugPrivilege	5488	OfficeClickToRun.exe
Token: SeDebugPrivilege	3980	explorer.exe
Token: SeDebugPrivilege	5156	StartMenuExperienceHost.exe
Token: SeDebugPrivilege	1528	SearchApp.exe
Token: SeDebugPrivilege	2896	RuntimeBroker.exe
Token: SeDebugPrivilege	3028	sysmon.exe
Token: SeDebugPrivilege	5848	Idle.exe
Token: SeDebugPrivilege	1324	MoUsoCoreWorker.exe
Token: SeDebugPrivilege	5328	winlogon.exe
Token: SeDebugPrivilege	1264	Registry.exe
Token: SeDebugPrivilege	6040	navalny pass - 2000.exe
Token: SeDebugPrivilege	5680	csrss.exe
Token: SeDebugPrivilege	3940	smss.exe
Token: SeDebugPrivilege	3740	cmd.exe
Token: SeDebugPrivilege	3460	lsass.exe
Token: SeDebugPrivilege	4948	Idle.exe
Token: SeDebugPrivilege	3932	MoUsoCoreWorker.exe
Token: SeDebugPrivilege	5172	OfficeClickToRun.exe
Token: SeDebugPrivilege	3720	StartMenuExperienceHost.exe
Token: SeDebugPrivilege	5052	sysmon.exe
Token: SeDebugPrivilege	5028	SearchApp.exe
Token: SeDebugPrivilege	1328	RuntimeBroker.exe
Token: SeDebugPrivilege	2224	explorer.exe
Token: SeDebugPrivilege	2416	navalny pass - 2000.exe
Token: SeDebugPrivilege	3452	unsecapp.exe
Token: SeDebugPrivilege	5020	fontdrvhost.exe
Token: SeShutdownPrivilege	996	WINLOC~1.EXE

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

msedge.exeWINLOC~1.EXE

pid	process
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
996	WINLOC~1.EXE
996	WINLOC~1.EXE
996	WINLOC~1.EXE
996	WINLOC~1.EXE
996	WINLOC~1.EXE
996	WINLOC~1.EXE
996	WINLOC~1.EXE
996	WINLOC~1.EXE
996	WINLOC~1.EXE
996	WINLOC~1.EXE
996	WINLOC~1.EXE
996	WINLOC~1.EXE
996	WINLOC~1.EXE
996	WINLOC~1.EXE
996	WINLOC~1.EXE
996	WINLOC~1.EXE
996	WINLOC~1.EXE
996	WINLOC~1.EXE
996	WINLOC~1.EXE
996	WINLOC~1.EXE
996	WINLOC~1.EXE
996	WINLOC~1.EXE
996	WINLOC~1.EXE
996	WINLOC~1.EXE
996	WINLOC~1.EXE
996	WINLOC~1.EXE
996	WINLOC~1.EXE
996	WINLOC~1.EXE
996	WINLOC~1.EXE
996	WINLOC~1.EXE
996	WINLOC~1.EXE
996	WINLOC~1.EXE
996	WINLOC~1.EXE
996	WINLOC~1.EXE
996	WINLOC~1.EXE
996	WINLOC~1.EXE
996	WINLOC~1.EXE
996	WINLOC~1.EXE

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

LogonUI.exe

pid process

5044 LogonUI.exe

pid	process
5044	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

navalny pass - 2000.exeNVIDIA Container.exeWScript.execmd.exeNVIDIA Container.exemsedge.exe

description	pid	process	target process
PID 3512 wrote to memory of 2020	3512	navalny pass - 2000.exe	NVIDIA Container.exe
PID 3512 wrote to memory of 2020	3512	navalny pass - 2000.exe	NVIDIA Container.exe
PID 3512 wrote to memory of 2020	3512	navalny pass - 2000.exe	NVIDIA Container.exe
PID 2020 wrote to memory of 3168	2020	NVIDIA Container.exe	WScript.exe
PID 2020 wrote to memory of 3168	2020	NVIDIA Container.exe	WScript.exe
PID 2020 wrote to memory of 3168	2020	NVIDIA Container.exe	WScript.exe
PID 3168 wrote to memory of 440	3168	WScript.exe	cmd.exe
PID 3168 wrote to memory of 440	3168	WScript.exe	cmd.exe
PID 3168 wrote to memory of 440	3168	WScript.exe	cmd.exe
PID 440 wrote to memory of 2676	440	cmd.exe	NVIDIA Container.exe
PID 440 wrote to memory of 2676	440	cmd.exe	NVIDIA Container.exe
PID 2676 wrote to memory of 3608	2676	NVIDIA Container.exe	NVIDIA Container.exe
PID 2676 wrote to memory of 3608	2676	NVIDIA Container.exe	NVIDIA Container.exe
PID 4728 wrote to memory of 2144	4728	msedge.exe	msedge.exe
PID 4728 wrote to memory of 2144	4728	msedge.exe	msedge.exe
PID 4728 wrote to memory of 1844	4728	msedge.exe	msedge.exe
PID 4728 wrote to memory of 1844	4728	msedge.exe	msedge.exe
PID 4728 wrote to memory of 1844	4728	msedge.exe	msedge.exe
PID 4728 wrote to memory of 1844	4728	msedge.exe	msedge.exe
PID 4728 wrote to memory of 1844	4728	msedge.exe	msedge.exe
PID 4728 wrote to memory of 1844	4728	msedge.exe	msedge.exe
PID 4728 wrote to memory of 1844	4728	msedge.exe	msedge.exe
PID 4728 wrote to memory of 1844	4728	msedge.exe	msedge.exe
PID 4728 wrote to memory of 1844	4728	msedge.exe	msedge.exe
PID 4728 wrote to memory of 1844	4728	msedge.exe	msedge.exe
PID 4728 wrote to memory of 1844	4728	msedge.exe	msedge.exe
PID 4728 wrote to memory of 1844	4728	msedge.exe	msedge.exe
PID 4728 wrote to memory of 1844	4728	msedge.exe	msedge.exe
PID 4728 wrote to memory of 1844	4728	msedge.exe	msedge.exe
PID 4728 wrote to memory of 1844	4728	msedge.exe	msedge.exe
PID 4728 wrote to memory of 1844	4728	msedge.exe	msedge.exe
PID 4728 wrote to memory of 1844	4728	msedge.exe	msedge.exe
PID 4728 wrote to memory of 1844	4728	msedge.exe	msedge.exe
PID 4728 wrote to memory of 1844	4728	msedge.exe	msedge.exe
PID 4728 wrote to memory of 1844	4728	msedge.exe	msedge.exe
PID 4728 wrote to memory of 1844	4728	msedge.exe	msedge.exe
PID 4728 wrote to memory of 1844	4728	msedge.exe	msedge.exe
PID 4728 wrote to memory of 1844	4728	msedge.exe	msedge.exe
PID 4728 wrote to memory of 1844	4728	msedge.exe	msedge.exe
PID 4728 wrote to memory of 1844	4728	msedge.exe	msedge.exe
PID 4728 wrote to memory of 1844	4728	msedge.exe	msedge.exe
PID 4728 wrote to memory of 1844	4728	msedge.exe	msedge.exe
PID 4728 wrote to memory of 1844	4728	msedge.exe	msedge.exe
PID 4728 wrote to memory of 1844	4728	msedge.exe	msedge.exe
PID 4728 wrote to memory of 1844	4728	msedge.exe	msedge.exe
PID 4728 wrote to memory of 1844	4728	msedge.exe	msedge.exe
PID 4728 wrote to memory of 1844	4728	msedge.exe	msedge.exe
PID 4728 wrote to memory of 1844	4728	msedge.exe	msedge.exe
PID 4728 wrote to memory of 1844	4728	msedge.exe	msedge.exe
PID 4728 wrote to memory of 1844	4728	msedge.exe	msedge.exe
PID 4728 wrote to memory of 1844	4728	msedge.exe	msedge.exe
PID 4728 wrote to memory of 1844	4728	msedge.exe	msedge.exe
PID 4728 wrote to memory of 1844	4728	msedge.exe	msedge.exe
PID 4728 wrote to memory of 1844	4728	msedge.exe	msedge.exe
PID 4728 wrote to memory of 1844	4728	msedge.exe	msedge.exe
PID 4728 wrote to memory of 1808	4728	msedge.exe	msedge.exe
PID 4728 wrote to memory of 1808	4728	msedge.exe	msedge.exe
PID 4728 wrote to memory of 5052	4728	msedge.exe	msedge.exe
PID 4728 wrote to memory of 5052	4728	msedge.exe	msedge.exe
PID 4728 wrote to memory of 5052	4728	msedge.exe	msedge.exe
PID 4728 wrote to memory of 5052	4728	msedge.exe	msedge.exe
PID 4728 wrote to memory of 5052	4728	msedge.exe	msedge.exe
PID 4728 wrote to memory of 5052	4728	msedge.exe	msedge.exe
PID 4728 wrote to memory of 5052	4728	msedge.exe	msedge.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\navalny pass - 2000.exe
"C:\Users\Admin\AppData\Local\Temp\navalny pass - 2000.exe"
1⤵
- DcRat
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3512

C:\Users\Admin\AppData\Local\Temp\NVIDIA Container.exe
"C:\Users\Admin\AppData\Local\Temp\NVIDIA Container.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2020

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\NVIDIA\DisplayDriver\535.21\zajaYJ4rqwpmDK2a6yrvwdV.vbe"
3⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3168

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\NVIDIA\DisplayDriver\535.21\mxJne99RtKqQDunPUGdos.bat" "
4⤵
- Suspicious use of WriteProcessMemory
PID:440

C:\NVIDIA\DisplayDriver\535.21\NVIDIA Container.exe
"C:\NVIDIA\DisplayDriver\535.21\NVIDIA Container.exe"
5⤵
- DcRat
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2676

C:\NVIDIA\DisplayDriver\535.21\NVIDIA Container.exe
"C:\NVIDIA\DisplayDriver\535.21\NVIDIA Container.exe"
6⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3608

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XNBxlhQhQP.bat"
7⤵
PID:1680

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
8⤵
PID:4056

C:\Users\Public\Desktop\RuntimeBroker.exe
"C:\Users\Public\Desktop\RuntimeBroker.exe"
8⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:1512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 12 /tr "'C:\NVIDIA\DisplayDriver\sysmon.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\NVIDIA\DisplayDriver\sysmon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:1412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 12 /tr "'C:\NVIDIA\DisplayDriver\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 14 /tr "'C:\Windows\twain_32\sysmon.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Windows\twain_32\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 6 /tr "'C:\Windows\twain_32\sysmon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:540

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4728

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffca1e646f8,0x7ffca1e64708,0x7ffca1e64718
2⤵
PID:2144

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2280,3606449071366420161,8796575762526554312,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2296 /prefetch:2
2⤵
PID:1844

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2280,3606449071366420161,8796575762526554312,131072 --lang=uk --service-sandbox-type=none --mojo-platform-channel-handle=2348 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1808

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2280,3606449071366420161,8796575762526554312,131072 --lang=uk --service-sandbox-type=utility --mojo-platform-channel-handle=2816 /prefetch:8
2⤵
PID:5052

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2280,3606449071366420161,8796575762526554312,131072 --lang=uk --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
2⤵
PID:2896

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2280,3606449071366420161,8796575762526554312,131072 --lang=uk --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
2⤵
PID:4632

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2280,3606449071366420161,8796575762526554312,131072 --lang=uk --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5052 /prefetch:1
2⤵
PID:3360

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2280,3606449071366420161,8796575762526554312,131072 --lang=uk --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3932 /prefetch:1
2⤵
PID:5092

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2280,3606449071366420161,8796575762526554312,131072 --lang=uk --service-sandbox-type=none --mojo-platform-channel-handle=3584 /prefetch:8
2⤵
PID:5004

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2280,3606449071366420161,8796575762526554312,131072 --lang=uk --service-sandbox-type=none --mojo-platform-channel-handle=3584 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1124

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2280,3606449071366420161,8796575762526554312,131072 --lang=uk --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3444 /prefetch:1
2⤵
PID:452

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2280,3606449071366420161,8796575762526554312,131072 --lang=uk --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5232 /prefetch:1
2⤵
PID:3592

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2280,3606449071366420161,8796575762526554312,131072 --lang=uk --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5056 /prefetch:1
2⤵
PID:5324

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2280,3606449071366420161,8796575762526554312,131072 --lang=uk --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4824 /prefetch:1
2⤵
PID:5544

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2280,3606449071366420161,8796575762526554312,131072 --lang=uk --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4132 /prefetch:1
2⤵
PID:5816

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2280,3606449071366420161,8796575762526554312,131072 --lang=uk --service-sandbox-type=audio --mojo-platform-channel-handle=5420 /prefetch:8
2⤵
PID:6072

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2280,3606449071366420161,8796575762526554312,131072 --lang=uk --service-sandbox-type=video_capture --mojo-platform-channel-handle=5724 /prefetch:8
2⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:6080

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2280,3606449071366420161,8796575762526554312,131072 --lang=uk --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4824 /prefetch:1
2⤵
PID:5148

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2280,3606449071366420161,8796575762526554312,131072 --lang=uk --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3476 /prefetch:1
2⤵
PID:4608

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2280,3606449071366420161,8796575762526554312,131072 --lang=uk --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5832 /prefetch:1
2⤵
PID:3340

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2280,3606449071366420161,8796575762526554312,131072 --lang=uk --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5840 /prefetch:1
2⤵
PID:5856

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2280,3606449071366420161,8796575762526554312,131072 --lang=uk --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5492 /prefetch:1
2⤵
PID:5460

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2280,3606449071366420161,8796575762526554312,131072 --lang=uk --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6588 /prefetch:1
2⤵
PID:5960

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2280,3606449071366420161,8796575762526554312,131072 --lang=uk --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6104 /prefetch:1
2⤵
PID:5964

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2280,3606449071366420161,8796575762526554312,131072 --lang=uk --service-sandbox-type=collections --mojo-platform-channel-handle=6476 /prefetch:8
2⤵
PID:4828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\{F3C4FE00-EFD5-403B-9569-398A20F1BA4A}\1.3.185.29\fontdrvhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\{F3C4FE00-EFD5-403B-9569-398A20F1BA4A}\1.3.185.29\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\{F3C4FE00-EFD5-403B-9569-398A20F1BA4A}\1.3.185.29\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\NVIDIA\DisplayDriver\535.21\explorer.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:3552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\NVIDIA\DisplayDriver\535.21\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\NVIDIA\DisplayDriver\535.21\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:4288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Desktop\RuntimeBroker.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Public\Desktop\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Desktop\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Pictures\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Public\Pictures\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5040

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Pictures\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5092

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2288

C:\Users\Public\Desktop\RuntimeBroker.exe
"C:\Users\Public\Desktop\RuntimeBroker.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5844

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4788

C:\Users\Admin\Desktop\navalny pass - 2000.exe
"C:\Users\Admin\Desktop\navalny pass - 2000.exe"
1⤵
- Checks computer location settings
PID:1504

C:\Users\Admin\AppData\Local\Temp\NVIDIA Container.exe
"C:\Users\Admin\AppData\Local\Temp\NVIDIA Container.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
PID:5436

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\NVIDIA\DisplayDriver\535.21\zajaYJ4rqwpmDK2a6yrvwdV.vbe"
3⤵
- Checks computer location settings
PID:3024

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\NVIDIA\DisplayDriver\535.21\mxJne99RtKqQDunPUGdos.bat" "
4⤵
PID:948

C:\NVIDIA\DisplayDriver\535.21\NVIDIA Container.exe
"C:\NVIDIA\DisplayDriver\535.21\NVIDIA Container.exe"
5⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
PID:1800

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\NVIDIA~1.EXE"
6⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2216

C:\Users\Admin\AppData\Local\Temp\3582-490\NVIDIA~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\NVIDIA~1.EXE
7⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:6020

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7mvkDr5O57.bat"
8⤵
PID:5636

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
9⤵
PID:5444

C:\NVIDIA\DisplayDriver\535.21\unsecapp.exe
"C:\NVIDIA\DisplayDriver\535.21\unsecapp.exe"
9⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4516

C:\Users\Admin\AppData\Local\Temp\navalny pass - 2000.exe
"C:\Users\Admin\AppData\Local\Temp\navalny pass - 2000.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies system executable filetype association
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
PID:3192

C:\Users\Admin\AppData\Local\Temp\3582-490\navalny pass - 2000.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\navalny pass - 2000.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
PID:760

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\WINLOC~1.EXE"
4⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4552

C:\Users\Admin\AppData\Local\Temp\WINLOC~1.EXE
C:\Users\Admin\AppData\Local\Temp\WINLOC~1.EXE
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:996

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "TASKKILL /F /IM "explorer.exe""
6⤵
PID:3996

C:\Windows\SysWOW64\taskkill.exe
TASKKILL /F /IM "explorer.exe"
7⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "navalny pass - 2000n" /sc MINUTE /mo 11 /tr "'C:\Program Files\Uninstall Information\navalny pass - 2000.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "navalny pass - 2000" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\navalny pass - 2000.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "navalny pass - 2000n" /sc MINUTE /mo 6 /tr "'C:\Program Files\Uninstall Information\navalny pass - 2000.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:1832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 14 /tr "'C:\NVIDIA\DisplayDriver\535.21\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\NVIDIA\DisplayDriver\535.21\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 8 /tr "'C:\NVIDIA\DisplayDriver\535.21\SearchApp.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:6028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 9 /tr "'C:\NVIDIA\DisplayDriver\535.21\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\NVIDIA\DisplayDriver\535.21\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:1364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 13 /tr "'C:\NVIDIA\DisplayDriver\535.21\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:6040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\cmd.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1968

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4cc 0x408
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\cmd.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Program Files\Internet Explorer\winlogon.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:1788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Program Files\Internet Explorer\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:4808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Windows\L2Schemas\lsass.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\L2Schemas\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Windows\L2Schemas\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 13 /tr "'C:\NVIDIA\DisplayDriver\535.21\unsecapp.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\NVIDIA\DisplayDriver\535.21\unsecapp.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 12 /tr "'C:\NVIDIA\DisplayDriver\535.21\unsecapp.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\NVIDIA\DisplayDriver\Idle.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\NVIDIA\DisplayDriver\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\NVIDIA\DisplayDriver\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Portable Devices\MoUsoCoreWorker.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MoUsoCoreWorker" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\MoUsoCoreWorker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Portable Devices\MoUsoCoreWorker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Program Files\MSBuild\smss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\MSBuild\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Program Files\MSBuild\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Desktop\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Users\Admin\Desktop\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Desktop\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\RuntimeBroker.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:6100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:2700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 12 /tr "'C:\Windows\Provisioning\Autopilot\OfficeClickToRun.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Windows\Provisioning\Autopilot\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:5352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 8 /tr "'C:\Windows\Provisioning\Autopilot\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Defender\es-ES\StartMenuExperienceHost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\es-ES\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Defender\es-ES\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Defender\es-ES\unsecapp.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\es-ES\unsecapp.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Creates scheduled task(s)
PID:5432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Defender\es-ES\unsecapp.exe'" /rl HIGHEST /f
1⤵
- DcRat
PID:5456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Google\Update\Install\Registry.exe'" /f
1⤵
- DcRat
PID:5376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Update\Install\Registry.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Creates scheduled task(s)
PID:5468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Google\Update\Install\Registry.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Creates scheduled task(s)
PID:5344

C:\Windows\twain_32\sysmon.exe
C:\Windows\twain_32\sysmon.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2616

C:\NVIDIA\DisplayDriver\Idle.exe
C:\NVIDIA\DisplayDriver\Idle.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4056

C:\Program Files\Windows Portable Devices\MoUsoCoreWorker.exe
"C:\Program Files\Windows Portable Devices\MoUsoCoreWorker.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5936

C:\Program Files (x86)\Windows Defender\es-ES\unsecapp.exe
"C:\Program Files (x86)\Windows Defender\es-ES\unsecapp.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4340

C:\Program Files\Uninstall Information\navalny pass - 2000.exe
"C:\Program Files\Uninstall Information\navalny pass - 2000.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5808

C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\{F3C4FE00-EFD5-403B-9569-398A20F1BA4A}\1.3.185.29\fontdrvhost.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\{F3C4FE00-EFD5-403B-9569-398A20F1BA4A}\1.3.185.29\fontdrvhost.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Modifies registry class
PID:3620

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FONTDR~1.EXE"
2⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:5516

C:\Users\Admin\AppData\Local\Temp\3582-490\FONTDR~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FONTDR~1.EXE
3⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2376

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Pjh9saPLSW.bat"
4⤵
PID:1168

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
5⤵
PID:2984

C:\Program Files (x86)\Windows Photo Viewer\de-DE\unsecapp.exe
"C:\Program Files (x86)\Windows Photo Viewer\de-DE\unsecapp.exe"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\unsecapp.exe'" /f
1⤵
- DcRat
- Creates scheduled task(s)
PID:5840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\unsecapp.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Creates scheduled task(s)
PID:3552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\unsecapp.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Creates scheduled task(s)
PID:368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\fontdrvhost.exe'" /f
1⤵
- Creates scheduled task(s)
PID:5444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Creates scheduled task(s)
PID:3616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:5628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WINLOC~1W" /sc MINUTE /mo 10 /tr "'C:\NVIDIA\DisplayDriver\535.21\WINLOC~1.exe'" /f
1⤵
PID:1532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WINLOC~1" /sc ONLOGON /tr "'C:\NVIDIA\DisplayDriver\535.21\WINLOC~1.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Creates scheduled task(s)
PID:1336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WINLOC~1W" /sc MINUTE /mo 13 /tr "'C:\NVIDIA\DisplayDriver\535.21\WINLOC~1.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Creates scheduled task(s)
PID:208

C:\NVIDIA\DisplayDriver\535.21\explorer.exe
C:\NVIDIA\DisplayDriver\535.21\explorer.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Modifies registry class
PID:1376

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\explorer.exe"
2⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:5284

C:\Users\Admin\AppData\Local\Temp\3582-490\explorer.exe
C:\Users\Admin\AppData\Local\Temp\3582-490\explorer.exe
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3980

C:\Windows\Provisioning\Autopilot\OfficeClickToRun.exe
C:\Windows\Provisioning\Autopilot\OfficeClickToRun.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5488

C:\Program Files\Windows Defender\es-ES\StartMenuExperienceHost.exe
"C:\Program Files\Windows Defender\es-ES\StartMenuExperienceHost.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5156

C:\NVIDIA\DisplayDriver\535.21\SearchApp.exe
C:\NVIDIA\DisplayDriver\535.21\SearchApp.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1528

C:\Program Files (x86)\Windows NT\TableTextService\RuntimeBroker.exe
"C:\Program Files (x86)\Windows NT\TableTextService\RuntimeBroker.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2896

C:\Windows\twain_32\sysmon.exe
C:\Windows\twain_32\sysmon.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3028

C:\NVIDIA\DisplayDriver\Idle.exe
C:\NVIDIA\DisplayDriver\Idle.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5848

C:\Program Files\Windows Portable Devices\MoUsoCoreWorker.exe
"C:\Program Files\Windows Portable Devices\MoUsoCoreWorker.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1324

C:\Program Files\Internet Explorer\winlogon.exe
"C:\Program Files\Internet Explorer\winlogon.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5328

C:\Program Files (x86)\Google\Update\Install\Registry.exe
"C:\Program Files (x86)\Google\Update\Install\Registry.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1264

C:\Program Files\Uninstall Information\navalny pass - 2000.exe
"C:\Program Files\Uninstall Information\navalny pass - 2000.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:6040

C:\Users\Public\Pictures\csrss.exe
C:\Users\Public\Pictures\csrss.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Modifies registry class
PID:4064

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\csrss.exe"
2⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4800

C:\Users\Admin\AppData\Local\Temp\3582-490\csrss.exe
C:\Users\Admin\AppData\Local\Temp\3582-490\csrss.exe
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5680

C:\Program Files\MSBuild\smss.exe
"C:\Program Files\MSBuild\smss.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3940

C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\cmd.exe
"C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\cmd.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3740

C:\Windows\L2Schemas\lsass.exe
C:\Windows\L2Schemas\lsass.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3460

C:\NVIDIA\DisplayDriver\Idle.exe
C:\NVIDIA\DisplayDriver\Idle.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4948

C:\Program Files\Windows Portable Devices\MoUsoCoreWorker.exe
"C:\Program Files\Windows Portable Devices\MoUsoCoreWorker.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3932

C:\Windows\Provisioning\Autopilot\OfficeClickToRun.exe
C:\Windows\Provisioning\Autopilot\OfficeClickToRun.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5172

C:\Program Files\Windows Defender\es-ES\StartMenuExperienceHost.exe
"C:\Program Files\Windows Defender\es-ES\StartMenuExperienceHost.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3720

C:\Windows\twain_32\sysmon.exe
C:\Windows\twain_32\sysmon.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5052

C:\NVIDIA\DisplayDriver\535.21\SearchApp.exe
C:\NVIDIA\DisplayDriver\535.21\SearchApp.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5028

C:\Program Files (x86)\Windows NT\TableTextService\RuntimeBroker.exe
"C:\Program Files (x86)\Windows NT\TableTextService\RuntimeBroker.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1328

C:\NVIDIA\DisplayDriver\535.21\explorer.exe
C:\NVIDIA\DisplayDriver\535.21\explorer.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Modifies registry class
PID:3976

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\explorer.exe"
2⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4756

C:\Users\Admin\AppData\Local\Temp\3582-490\explorer.exe
C:\Users\Admin\AppData\Local\Temp\3582-490\explorer.exe
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2224

C:\Program Files\Uninstall Information\navalny pass - 2000.exe
"C:\Program Files\Uninstall Information\navalny pass - 2000.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2416

C:\Program Files (x86)\Windows Photo Viewer\de-DE\unsecapp.exe
"C:\Program Files (x86)\Windows Photo Viewer\de-DE\unsecapp.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3452

C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\fontdrvhost.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\fontdrvhost.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5020

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3812855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:5044

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Scheduled Task/Job

T1053

Privilege Escalation

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\NVIDIA\DISPLA~1\535.21\explorer.exe
Filesize
1.4MB

MD5
9d8aacb18ee747b336908b0730ed4054

SHA1
164eb0c67bca24d8b992a3380921ed3dbe279ba8

SHA256
fdbc8c80e04c2e5cbdbb3f44058820b9eb99a9270ad013d60f56821d899c8d60

SHA512
1d1276eafe2a81ac1e60acef7608c9edb7337a5da8e8e5599cc8aed7d65cdd2ebd38d78924e7bec43c11f6a0972536e4b599ecfba60c270e6e4e28b241bb5068

Download Submit
C:\NVIDIA\DisplayDriver\535.21\NVIDIA Container.exe
Filesize
1.4MB

MD5
4a591f46c87b49a7de93f5ac771cd4ab

SHA1
e0992350818e5c56d3f2e3a6db340d1f5b8f3314

SHA256
b495e22042b08f27b690da18986ec74d5054a65d05d5cf41fdecd5751482ccbd

SHA512
b498445d1e427853690250aebff35cbd7e28e85a89ad868e3483930b16ec13198357cfcd5feb45567b1bc8f3d9f97c5ecf2d242c8a5e9d758a536d0498ba7955

Download Submit
C:\NVIDIA\DisplayDriver\535.21\mxJne99RtKqQDunPUGdos.bat
Filesize
53B

MD5
7784d810f5ff3afa8df50e360eb90e7d

SHA1
f04802a991ff6461aa1c35b7c0f68e43d5a114c6

SHA256
0385dbf94fc27705560cf0b6b04e9a37181db486ee8f7573c5ad2217d18f4ca0

SHA512
80038ae2bfd5f8ca3f4812ab5c342878f98978007125c9dca5edb915701a5383916131cdc3082c054c49c508cd210aff70319ac0fc498cbdd6cee776df672cac

Download Submit
C:\NVIDIA\DisplayDriver\535.21\zajaYJ4rqwpmDK2a6yrvwdV.vbe
Filesize
225B

MD5
d7df2670ad0c6c7b9cc48122f20f086c

SHA1
e69bf8c214d8c4b768125ca03e402e1c871cc233

SHA256
d3bf5c54de984dd2d1d779494deb8a995cc062eb5f25c465d0de78d99b8cc52b

SHA512
05ed88410790bf74dc7ab880f893e555c4859c133e79a89f28b5e1a68c36f4a4f28d3b7b6532953c04b6d23a21faf53e60107efde9e6acb492a9235d48943f03

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\NVIDIA Container.exe.log
Filesize
1KB

MD5
7800fca2323a4130444c572374a030f4

SHA1
40c9b8e0e5e7d72a5293f4010f2ccf21e637b4aa

SHA256
29f5645ac14353ac460858f52c856548f3aeb144b09eef672a6b4849bafe742e

SHA512
c8a7ad930b8c07007c7a67d8c32a2a4a401dcc34ab966e0e80901655fcbe1f5c95b72a195e6381b1de56c2c987eeab093d8e89891bec9e9684785c5d824b3554

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\RuntimeBroker.exe.log
Filesize
1KB

MD5
3690a1c3b695227a38625dcf27bd6dac

SHA1
c2ed91e98b120681182904fa2c7cd504e5c4b2f5

SHA256
2ca8df156dba033c5b3ae4009e3be14dcdc6b9be53588055efd0864a1ab8ff73

SHA512
15ebfe05c0317f844e957ac02842a60b01f00ddca981e888e547056d0e30c97829bc4a2a46ce43034b3346f7cf5406c7c41c2a830f0abc47c8d2fd2ef00cb2c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\navalny pass - 2000.exe.log
Filesize
859B

MD5
e204f3d12abd1691ce1f149399441188

SHA1
798042095539abfe857e456fca4e1035f67d29bf

SHA256
685f70bf685f654651dcd0acc495b6f52f02f73cc3ca8b3d2c8433aac9ba144d

SHA512
804c5ea57a59f86fd0c34479be4c479230bff79093548e8461758829928969da565c211ccc9cb9befa0fef15f0400a5b1f17d5ddf88aef6ff01b67a191176b9f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\winlogon.exe.log
Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
ea98e583ad99df195d29aa066204ab56

SHA1
f89398664af0179641aa0138b337097b617cb2db

SHA256
a7abb51435909fa2d75c6f2ff5c69a93d4a0ab276ed579e7d8733b2a63ffbee6

SHA512
e109be3466e653e5d310b3e402e1626298b09205d223722a82344dd78504f3c33e1e24e8402a02f38cd2c9c50d96a303ce4846bea5a583423937ab018cd5782f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
4f7152bc5a1a715ef481e37d1c791959

SHA1
c8a1ed674c62ae4f45519f90a8cc5a81eff3a6d7

SHA256
704dd4f98d8ca34ec421f23ba1891b178c23c14b3301e4655efc5c02d356c2bc

SHA512
2e6b02ca35d76a655a17a5f3e9dbd8d7517c7dae24f0095c7350eb9e7bdf9e1256a7009aa8878f96c89d1ea4fe5323a41f72b8c551806dda62880d7ff231ff5c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\84ff8f14-720b-409f-bdf4-086248172f02.tmp
Filesize
1KB

MD5
b00d212c5942d637dc93e01c9edfe5e8

SHA1
056514426a30b7b051fd826999b57ebc55d1401b

SHA256
794bda55866c8c5e244dfcbaa99b14a7458117f35c0c0258e3ac2bac47fb2a5d

SHA512
bdf1e59e8de11c0a83d679bdc842d66de89e28b746dcf011ac8d3bc85ffc9b2a7b768cf515476019dd88816665242404a0538cd818f3f421d2e7797281b8a7a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
2KB

MD5
b0a35186a6e0cd01d550f67e7ad8d172

SHA1
f545e4e408de56cbc8bca470572c8772cc21c2c1

SHA256
33d479f34e30dbce06104ee3302bf5c443f91db5dc61a4a65e129b48f6708577

SHA512
7f7e5ba52dadabed801d1044473d68890adf0eef2f6ac52b86e00f7892bdd7991e7edce6341a028e223512a69b63faa9cd3752602d0bf17267feace428c9794a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\File System\000\t\Paths\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\File System\001\t\Paths\MANIFEST-000001
Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
4KB

MD5
02f44303a8da3d188824ba3094405045

SHA1
8c27cebbb500ca2ad62e424057c4abe519ffe6c0

SHA256
87c2d7f436289bf8050821ad7ac5f6eb693d848fb39dd0df10043d06b1083e30

SHA512
4e1efbbd8d5170f28542d805ffa503d45aff1572150992e577178fb8e8f23be736d507b9ca0755fd2416d530157209d27d1c2eed9a0ce933edd1fb142c71418c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
8KB

MD5
7c1668fa90021534f3579a85c8d42b33

SHA1
9db4d90b9f3e25cd4e48b8511f9ff45cfbe112d9

SHA256
0fe10f5c3b4aa08768dbd437c3f74fffec2141d49d134ef51b2bc44bc637b744

SHA512
76f8391dc8c91e5a7d81dc125b806afe2eacfcd8e844eae2767f3328879d1755e3bc691600cfd6e1f6106af134434967b832b077c29901dd52f6c0dc3ed0c9c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
8d1b80a8ded024129dc908379a0c6a11

SHA1
10b1495d9a7e4b5dbe5784cdc668dfed0f343bbe

SHA256
2835aecc07748a21556c64ebb4c71487adfc566bbea49cf1ba4acffb2914b4a1

SHA512
8ef4810d2240488b738eede34d678e796fee04c9e92ef9897b99f778694393a3e884235e42611884546390e0d39cc8f50c370908c17c13d592b07617464c7e3c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
8KB

MD5
b71db9f0633811c274b1817f7709d404

SHA1
82cf1e31a7b6ecda8d4adbcf145de45f31fb9a67

SHA256
7879386f59a5aa7f098c6d009b4c1f893d8a0baf9c8a8f0eb58ccb8ff6de8bc6

SHA512
b9132c5f662652c6452ad77dad8fc8a2c72e3187995404805d8a6c7438324dde88952ae415035068466881ae756e42f91f63088bc4ba76bc5ae36cfecdfad397

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
9KB

MD5
3f92493499f8875fbd9f319591ebdb33

SHA1
16ba2fe35f9ee8c2eaf29584870a7981b9b7eeb2

SHA256
85e72c06f9bb5bd687a2d9eced9d2b56efb6fc2dc1cdf477db9ec02b0ebfa833

SHA512
041bf0cdcf65e2299bc3cc713d660f630be24cf59f527a25d2e093cfc2a6ba048815534879fa609ea2f42976d483b773e62e273a7b8baadf37ccae72be0704b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
f299ba065ba334886a395cc90b6555c0

SHA1
3cd8fa2e54867b4e7f5f5151ff5b7f580316c106

SHA256
16dc35c4f80af13741df6bd237d7aa6b6be74afab03bc55a25f0f7c67233a83c

SHA512
1f4b710b0d569dd82bc36e8034249c6750185ad95d74e68dcde227272951e448619bacafde4a510772abef3a502e9b84a165f1f9b768d9f89bcfe4763ae16c2c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
104761aea1ee5efac542391cca26eb9c

SHA1
8e1de60335442f3c790bd7c116e8c3aa8596da93

SHA256
acda7fd0baca2ceeec87aa641f656cec9a76dda4e7ebcd4deb255f119671a203

SHA512
f457f3b3d9fee7f6515e21112586df119df4cef527313ba39b236301529f03e4f8d7c791b19f8576daf27659ab1a6719d45f1eb1f78ccc6f17adb0a8c3e354ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57cc87.TMP
Filesize
1KB

MD5
a63a410ac986c48c97a1e258d3f29623

SHA1
93dcd52490af91001e3aafd39adf1f9a0c60ed6d

SHA256
597721d8a2ca2c018b2dda3a7199abef220cfa9c6b08a63a5d806c7560de1a95

SHA512
545163087005dcc7cb5169019397659eeba7b5f6b8f70a76ff0832902043343bb9de86d48a6bb13c00d0b0aff0bd338f9da982f6bcf566fd2e3438e3397b121f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
1f167155bd1dbb1b8b3c47ee37a5f096

SHA1
1838260a3cc36aa4e22d27dc076449752bf055ee

SHA256
1af9ab55e04205d7604a1fb3607172a5e3babef2d717bbf507ac825f7c658544

SHA512
a507ef7be34cb248a258cd2019bcb340de846ef1c34b741eb453a5e2606deaabdace79f1ac24e551c08f049bd76a8fcd621c25c5a8578df9cad17f860d533d8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
2c053b690519808cfa431349507d34ed

SHA1
fb3664f040530832906e890f23746e0f6fb3744f

SHA256
51269d2fe11501dc6893e9ce86eaa56d41c4fea85a3749757b40006f0707f6c0

SHA512
62abb123c4e4f774c7ee02d35ee215fd6dd40d43195af77ba024897d1607eced7b98d60610231f72e9525de668226d98a069d06c81cd3b06fd7231387c134da2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
f8baa82d6793f7a323a19a9069d6df79

SHA1
7e2ada687e50690f82282e3d49cf25be70089f8b

SHA256
215658259a0880db62f1f574c6e709c1a651cd15cb99c8424f10a57d26878235

SHA512
67db369b14ae964cf0d99a31b1df3b85ec88c3594f409a1ce5278dd28fb26d33e81d094f93d9094df3863ec150d9927902cb36d2e7899ac619e07ba1d3020bed

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\navalny pass - 2000.exe
Filesize
5.1MB

MD5
86a1cbee2b7dc5d64051c83c82c8d02b

SHA1
55d82d17f7f10d088909d0cb7116969d12308974

SHA256
d3f47cd85c525a0c3ed855949bf27023c27b24c51d388166d72d4fa8cae4c2f5

SHA512
6720ecb2799185bf2a03259766e3dd38aeaec674a3a28e657bd55131b1e9fb18fab118afc3aa7881de56d7af36d60bf8b29449065ba32c5cf0dea38fb892ecbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\NVIDIA Container.exe
Filesize
1.8MB

MD5
531bf67134a7c1fb4096113ca58cc648

SHA1
99e0fc1fb7a07c0685e426b327921d3e6c34498c

SHA256
67942630366d114efa35f3f4a79741a4a4eb2c3b0c8ffaac07af527f84d4489a

SHA512
8facae8335a4f33f54e48c64814946eb8b480800b4453612fffcef64117946a35d493f433d4e27186ee864603da756319f816e70c3bfc08b8bb1861fc7030ff4

Download Submit
C:\Users\Admin\AppData\Local\Temp\XNBxlhQhQP.bat
Filesize
206B

MD5
9345e68a18ac6dc69242bf3df2b06cab

SHA1
9fc0c7b963f84fee52014a2e665733644c62d645

SHA256
bcec32184501074fab51cd17a766624f3f9633897b409a9f2d3f44f11e5e7d78

SHA512
74e3efd20cabfa738e6c3b2fa0aea59af89c34db88eac8c6787ead402716ec5183c6902e3babef1f4f1c4272f0adda5e24700853f47ed98b1f0604339190df3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ext\php_squall.dll
Filesize
126KB

MD5
6ff84bc8812b8c079fa6de68cf36ab59

SHA1
ca8789bbd7b0193221f9518e6b2f5b319c32b717

SHA256
7587e29919a56b6f94675e49208e1ae908bcab09363734d846502c3b4ad54326

SHA512
5ef9d9c1038b055186147cbfcfbedf54d6ecc235468ef4968630eb03368cf2c3f39dd600f1ebf9ecfe9b7cc134235b01a983a4fe9b6f292775244f837ec2e81f

Download Submit
C:\Users\Admin\AppData\Local\Temp\navalny pass - 2000.exe
Filesize
5.2MB

MD5
d5f38176aa233dc3a85f2c3e7c6cf1f7

SHA1
022ea6d320067d2429b26cc424145610fa0ad28e

SHA256
db307d31bbb3d282685bf28e0abf464a931fa749633d784e39adbe7d8d8ead31

SHA512
f58f855e3a102b6ccb4197b38323149342c23c2182b6309074d5720c2b2f20d764c33b10013834e85f73e22c0b7ab95ec4171ff251523b598821ad632af5a893

Download Submit
C:\Users\Admin\AppData\Local\Temp\php5ts.dll
Filesize
6.5MB

MD5
c9aff68f6673fae7580527e8c76805b6

SHA1
bb62cc1db82cfe07a8c08a36446569dfc9c76d10

SHA256
9b2c8b8c4cec301c4303f58ca4e8b261d516f10feb24573b092dfccc263baea4

SHA512
c7836f46e535046562046fdd8d3264cd712a78c0f41eab152c88ea91b17d34f000e2387ded7e9e7b3410332354aabf8ca7d37729eb68e46ab5ce58936e63ac56

Download Submit
C:\Users\Admin\AppData\Local\Temp\winlocker.exe
Filesize
3.1MB

MD5
9f93492e155d1bf27b8077e991e6a5a0

SHA1
159d72ad8074b56562b1014393be24b402c3af39

SHA256
43eef3b68ebaab3efbe15eb3046281e380aa78003a0eda8757a9e44f6a59ec7f

SHA512
270bc608ac79ca92c8db6a1455a26f24d80844badc514d5db29acade5748513d8378e3d6d803e9cfb7bdab6482a992b7c6a60845b255f3be5cbf92a0a69db918

Download Submit
C:\Windows\directx.sys
Filesize
57B

MD5
cbdcfbc8ff1e26995d116b503d81368d

SHA1
6b5037db4b946b9783c4e6ead5402c89ee9be17c

SHA256
19c722c1b0ad3b95c0c7527b8b10c5bc9539d8c2409528b3769cb238146e6128

SHA512
56004fe75f5ede42c61faff11858cf320768caa2d8cc77c54b21a570009a8dd0d09903bb11b5aaabdc4a12918b0b1778a10685f8f96a818b957a3dfc6a96bcb1

Download Submit
C:\Windows\directx.sys
Filesize
57B

MD5
f19364ecf16c403571c7899d5f032d79

SHA1
7a47a1ac60cd7c5ae3b8e38a8630a9cbdf127c53

SHA256
58489b6ff4fffc35d069b12500a282d9e84d1a82eeb3ca44332eb51107e3d424

SHA512
6cd129e9d4ee7b868d0712932b3498b425ae7fe5145a49081d45829bf1aa29ff0b6e413ec24cfa28b1f5c9d1a9947788ccd53e142d157cb451efa7ce4f8f9e95

Download Submit
C:\Windows\svchost.com
Filesize
40KB

MD5
594d6120159f25621034a2b9e42aaf88

SHA1
bb981a4ae042d506ea0403cac880c2b759d40699

SHA256
db937f1cc5add635677135f175db53bd13ddd68751f43a11283ffc99f2e05842

SHA512
6545d41ebcbe34d09b46e9a7ac5245709de20ed15a8107efdfe1900a5b633f9114d364e464da28ebd5af5c5382d1078fb1567d94fc34b19d09835241597ad1aa

Download Submit
\??\pipe\LOCAL\crashpad_4728_ZZSACJHSDENXAMDO
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/996-746-0x0000000002910000-0x000000000293A000-memory.dmp

Filesize
168KB

Download
memory/996-1198-0x0000000000400000-0x0000000000AAB000-memory.dmp

Filesize
6.7MB

Download
memory/996-747-0x0000000004380000-0x0000000004402000-memory.dmp

Filesize
520KB

Download
memory/996-763-0x0000000000400000-0x0000000000AAB000-memory.dmp

Filesize
6.7MB

Download
memory/996-745-0x0000000000400000-0x0000000000AAB000-memory.dmp

Filesize
6.7MB

Download
memory/996-627-0x0000000000400000-0x0000000000AAB000-memory.dmp

Filesize
6.7MB

Download
memory/996-681-0x0000000002910000-0x000000000293A000-memory.dmp

Filesize
168KB

Download
memory/996-683-0x0000000004380000-0x0000000004402000-memory.dmp

Filesize
520KB

Download
memory/1800-744-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1800-750-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1800-755-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2216-693-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2676-29-0x000000001BF20000-0x000000001BF36000-memory.dmp

Filesize
88KB

Download
memory/2676-33-0x000000001BFC0000-0x000000001BFCC000-memory.dmp

Filesize
48KB

Download
memory/2676-31-0x000000001BF50000-0x000000001BF5E000-memory.dmp

Filesize
56KB

Download
memory/2676-32-0x000000001BF60000-0x000000001BF6E000-memory.dmp

Filesize
56KB

Download
memory/2676-26-0x0000000000C80000-0x0000000000DEA000-memory.dmp

Filesize
1.4MB

Download
memory/2676-27-0x0000000002FE0000-0x0000000002FFC000-memory.dmp

Filesize
112KB

Download
memory/2676-28-0x000000001BF70000-0x000000001BFC0000-memory.dmp

Filesize
320KB

Download
memory/2676-30-0x000000001BF40000-0x000000001BF50000-memory.dmp

Filesize
64KB

Download
memory/3192-742-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3192-749-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3192-756-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3512-17-0x00007FFCA7DA0000-0x00007FFCA8861000-memory.dmp

Filesize
10.8MB

Download
memory/3512-0-0x00007FFCA7DA3000-0x00007FFCA7DA5000-memory.dmp

Filesize
8KB

Download
memory/3512-1-0x0000000000220000-0x0000000000846000-memory.dmp

Filesize
6.1MB

Download
memory/3512-4-0x00007FFCA7DA0000-0x00007FFCA8861000-memory.dmp

Filesize
10.8MB

Download
memory/4552-724-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads