Analysis
max time kernel: 1322s
max time network: 1324s
platform: windows10-2004_x64
resource: win10v2004-20240426-uk
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-uk, locale:uk-ua, os:windows10-2004-x64, system:windows
submitted: 18-05-2024 10:45
Static task: static1
Behavioral task: behavioral1
Sample: navalny pass - 2000.exe
Resource: win10v2004-20240426-uk
General
Target: navalny pass - 2000.exe
Size: 6.1MB
MD5: 558ff65486960f523a1eb17ed0f87bf8
SHA1: bc6acc37eb0472a0bb23967f62cc4469ca1deb13
SHA256: b08298bb968f9ef0bb09aa6cee9b608b9a4882b72301de0aa82fc45dd8d6a10c
SHA512: 19f066bd6adf650d7dbfb6412f7506139520eaeb8989852dd9f074622f13fc2c50a826eb35df38197ebd5cfaf34c1a1087e7cd9d8b60f50b10191c631f3121fc
SSDEEP: 98304:8SiU7uSQsmMB5dklNKoJKMCi4HCwk22SbLOlwv+hLnlfnxVA+9DMj5995sB3:8JVSQsZBHklN3JzCi45KJhLlfXnMP63
Signatures
-
DcRat 64 IoCs
DarkCrystal RAT (DCRat) is a .NET remote access trojan, active since June 2019, that can load additional plugins.
Processes (pid process):
schtasks.exe, 62 entries, PIDs in the order reported: 1804, 1788, 5316, 1404, 5468, 5096, 4956, 5728, 3616, 1412, 3552, 5684, 368, 4652, 1316, 4632, 872, 4844, 1816, 2316, 5884, 5716, 432, 4772, 5040, 4012, 5432, 208, 2012, 6028, 5764, 5804, 2024, 5456, 5092, 6040, 4808, 4288, 2700, 992, 5376, 5344, 1336, 3576, 3616, 3876, 5100, 3836, 540, 1512, 1652, 4624, 1512, 3576, 6100, 5840, 3552, 4808, 1968, 4288, 1832, 1364
Key value queried \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation by navalny pass - 2000.exe
File created C:\Windows\twain_32\121e5b5079f7c0 by NVIDIA Container.exe
-
Detect Neshta payload 11 IoCs
YARA rule family_neshta matched:
C:\Users\Admin\AppData\Local\Temp\navalny pass - 2000.exe
C:\NVIDIA\DISPLA~1\535.21\explorer.exe
C:\Windows\svchost.com
behavioral1/memory/2216-693-0x0000000000400000-0x000000000041B000-memory.dmp
behavioral1/memory/4552-724-0x0000000000400000-0x000000000041B000-memory.dmp
behavioral1/memory/3192-742-0x0000000000400000-0x000000000041B000-memory.dmp
behavioral1/memory/1800-744-0x0000000000400000-0x000000000041B000-memory.dmp
behavioral1/memory/3192-749-0x0000000000400000-0x000000000041B000-memory.dmp
behavioral1/memory/1800-750-0x0000000000400000-0x000000000041B000-memory.dmp
behavioral1/memory/3192-756-0x0000000000400000-0x000000000041B000-memory.dmp
behavioral1/memory/1800-755-0x0000000000400000-0x000000000041B000-memory.dmp
-
Neshta
Neshta is a file infector: it writes itself into other executables so that running any infected program spreads it further. In this run the infector body is C:\Windows\svchost.com (matched as family_neshta above) and the exefile shell association is repointed at it, so every .exe launched through the shell passes through the infector before the original program runs.
-
Process spawned unexpected child process 64 IoCs
This typically indicates the parent process was compromised via an exploit or macro. Here the parent is the WMI provider host, which is also where processes started through WMI (Win32_Process.Create) appear, so the 64 schtasks.exe launches below are consistent with the RAT registering its tasks over WMI rather than with an exploited wmiprvse.exe.
Processes (description pid pid_target process):
All 64 entries read: Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process; pid_target 5064 (wmiprvse.exe); process schtasks.exe. Child PIDs in the order reported: 4808, 1512, 3576, 1652, 1412, 5068, 3836, 916, 540, 4772, 4844, 3616, 3552, 1804, 4288, 4624, 4652, 2012, 5096, 5040, 5092, 1316, 1816, 1832, 2532, 5856, 6028, 1264, 1364, 6040, 4320, 1968, 2316, 1788, 548, 4808, 4012, 3876, 2116, 4956, 5100, 5684, 5884, 920, 3744, 5316, 5764, 5716, 5728, 1512, 3576, 2448, 4288, 4632, 5804, 6100, 2700, 432, 5352, 5332, 992, 1404, 872, 2024
-
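The wmiprvse.exe to schtasks.exe pairs above are the kind of parent/child anomaly a process-creation rule catches without knowing anything about DcRat. The block below is an added example, not part of the Triage report or the sandbox's own signature code, of that logic in Python over constructed Sysmon-style process-creation lines: the wmiprvse.exe and schtasks.exe PIDs mirror the rows above, while the line layout and the WATCHED_PARENTS allowlist are assumptions for the example and should be baselined on your own fleet.

```python
import re
from collections import Counter

# Parents whose direct children deserve an alert, mapped to the few children
# they legitimately spawn. Assumption for the example: baseline before use.
WATCHED_PARENTS = {
    "wmiprvse.exe": {"werfault.exe"},   # Win32_Process.Create children land under this host
    "winword.exe": {"splwow64.exe"},
    "excel.exe": {"splwow64.exe"},
    "outlook.exe": set(),
}

# Constructed Sysmon-style process-creation lines (not from the report). The
# wmiprvse.exe/schtasks.exe PIDs mirror the report rows; the rest is filler.
SAMPLE_EVENTS = r"""
ProcessCreate pid=5064 ppid=784 image=C:\Windows\system32\wbem\wmiprvse.exe parent=C:\Windows\system32\svchost.exe
ProcessCreate pid=4808 ppid=5064 image=C:\Windows\system32\schtasks.exe parent=C:\Windows\system32\wbem\wmiprvse.exe
ProcessCreate pid=1512 ppid=5064 image=C:\Windows\system32\schtasks.exe parent=C:\Windows\system32\wbem\wmiprvse.exe
ProcessCreate pid=3576 ppid=5064 image=C:\Windows\system32\schtasks.exe parent=C:\Windows\system32\wbem\wmiprvse.exe
ProcessCreate pid=9001 ppid=5064 image=C:\Windows\system32\werfault.exe parent=C:\Windows\system32\wbem\wmiprvse.exe
ProcessCreate pid=4300 ppid=3740 image=C:\Windows\system32\taskkill.exe parent=C:\Windows\system32\cmd.exe
"""

# \bpid= keeps the first group from matching inside "ppid="
EVENT_RE = re.compile(r"\bpid=(\d+)\s+ppid=(\d+)\s+image=(\S+)\s+parent=(\S+)")


def basename(path):
    """Last path component, lower-cased, so System32 vs system32 compare equal."""
    return path.rsplit("\\", 1)[-1].lower()


def find_unexpected_children(log_text):
    """One alert per child whose parent is watched and not allowlisted for it."""
    alerts = []
    for pid, ppid, image, parent in EVENT_RE.findall(log_text):
        p, c = basename(parent), basename(image)
        if p in WATCHED_PARENTS and c not in WATCHED_PARENTS[p]:
            alerts.append({"parent_pid": int(ppid), "parent": p, "pid": int(pid), "child": c})
    return alerts


def summarize(alerts):
    """Collapse repeated pairs so 64 schtasks.exe spawns become one line with a count."""
    return Counter((a["parent_pid"], a["parent"], a["child"]) for a in alerts)


if __name__ == "__main__":
    for (ppid, parent, child), n in summarize(find_unexpected_children(SAMPLE_EVENTS)).items():
        print(f"{parent} (pid {ppid}) spawned {child} x{n}")
```

The summary step matters in practice: the raw rule fires 64 times for one parent here, and a per-(parent, child) count is what an analyst wants to see in the alert queue.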
YARA rule dcrat matched (4 IoCs):
C:\Users\Admin\AppData\Local\Temp\NVIDIA Container.exe
C:\NVIDIA\DisplayDriver\535.21\NVIDIA Container.exe
behavioral1/memory/2676-26-0x0000000000C80000-0x0000000000DEA000-memory.dmp
C:\NVIDIA\DISPLA~1\535.21\explorer.exe
-
Disables Task Manager via registry modification
-
Checks computer location settings 2 TTPs 17 IoCs
Looks up the country code configured in the registry, likely a geofence check.
Processes (description ioc process):
All 17 entries read: Key value queried \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation. Querying process, in the order reported: navalny pass - 2000.exe, NVIDIA Container.exe, explorer.exe, explorer.exe, WScript.exe, navalny pass - 2000.exe, fontdrvhost.exe, FONTDR~1.EXE, WScript.exe, NVIDIA Container.exe, NVIDIA Container.exe, csrss.exe, NVIDIA Container.exe, NVIDIA Container.exe, navalny pass - 2000.exe, navalny pass - 2000.exe, NVIDIA~1.EXE
-
Executes dropped EXE 55 IoCs
Processes (pid process):
2020 NVIDIA Container.exe; 2676 NVIDIA Container.exe; 3608 NVIDIA Container.exe; 1572 RuntimeBroker.exe; 5844 RuntimeBroker.exe
5436 NVIDIA Container.exe; 3192 navalny pass - 2000.exe; 760 navalny pass - 2000.exe; 1800 NVIDIA Container.exe; 4552 svchost.com
996 WINLOC~1.EXE; 2216 svchost.com; 6020 NVIDIA~1.EXE; 4516 unsecapp.exe; 2616 sysmon.exe
4056 Idle.exe; 5936 MoUsoCoreWorker.exe; 4340 unsecapp.exe; 5808 navalny pass - 2000.exe; 3620 fontdrvhost.exe
5516 svchost.com; 2376 FONTDR~1.EXE; 5264 unsecapp.exe; 1376 explorer.exe; 5488 OfficeClickToRun.exe
5284 svchost.com; 5156 StartMenuExperienceHost.exe; 3980 explorer.exe; 1528 SearchApp.exe; 2896 RuntimeBroker.exe
3028 sysmon.exe; 5848 Idle.exe; 1324 MoUsoCoreWorker.exe; 5328 winlogon.exe; 1264 Registry.exe
6040 navalny pass - 2000.exe; 4064 csrss.exe; 4800 svchost.com; 5680 csrss.exe; 3940 smss.exe
3740 cmd.exe; 3460 lsass.exe; 4948 Idle.exe; 3932 MoUsoCoreWorker.exe; 5172 OfficeClickToRun.exe
3720 StartMenuExperienceHost.exe; 5052 sysmon.exe; 5028 SearchApp.exe; 1328 RuntimeBroker.exe; 3976 explorer.exe
4756 svchost.com; 2224 explorer.exe; 2416 navalny pass - 2000.exe; 3452 unsecapp.exe; 5020 fontdrvhost.exe
-
Loads dropped DLL 5 IoCs
Processes (pid process): 996 WINLOC~1.EXE, five loads
-
Modifies system executable filetype association 2 TTPs 1 IoCs
Processes (description ioc process):
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" by navalny pass - 2000.exe
-
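The single registry write above is the Neshta persistence hook: with exefile\shell\open\command pointing at C:\Windows\svchost.com (which the YARA section matches as family_neshta), every .exe launched through the shell runs the infector first, which receives the original path as %1. The stock value of that key is "%1" %*. The following is an added example, not code from the report or from the sandbox, that parses a row in the report's format, undoes the report's backslash and quote escaping, and returns the interposed handler. The second row, with a quoted handler path, is constructed to show that form; the report itself only contains the first.

```python
import re

# Stock value of HKLM\SOFTWARE\Classes\exefile\shell\open\command
DEFAULT_EXEFILE_COMMAND = '"%1" %*'

# Row 1 is copied from the report, which renders registry strings with doubled
# backslashes and backslash-escaped quotes. Row 2 is constructed (hypothetical
# path) to exercise a quoted handler.
REPORT_ROWS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" navalny pass - 2000.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Program Files\\Hypothetical\\hook.exe\" \"%1\" %*" hypothetical.exe',
]

# key = "value" process ; the value is matched greedily so escaped quotes inside it survive
ROW_RE = re.compile(r'Set value \(str\) (\S+) = "(.*)" (.+)$')


def unescape_report_value(value):
    # Undo the report's rendering: a doubled backslash becomes one, \" becomes "
    return value.replace('\\\\', '\\').replace('\\"', '"')


def interposed_handler(command):
    """Return the program placed in front of "%1", or None for the stock value."""
    cmd = unescape_report_value(command).strip()
    if cmd == DEFAULT_EXEFILE_COMMAND:
        return None
    m = re.match(r'"([^"]+)"|(\S+)', cmd)   # first token, quoted or bare
    return m.group(1) or m.group(2)


def check_exefile_rows(rows):
    """One finding per exefile\\shell\\open\\command row whose handler is not the stock one."""
    findings = []
    for row in rows:
        m = ROW_RE.search(row)
        if not m:
            continue
        key, value, process = m.groups()
        if not key.rstrip('\\').lower().endswith('\\exefile\\shell\\open\\command'):
            continue
        handler = interposed_handler(value)
        if handler is not None:
            findings.append({'key': key, 'handler': handler, 'process': process})
    return findings


if __name__ == "__main__":
    for f in check_exefile_rows(REPORT_ROWS):
        print(f"exefile handler hijacked by {f['process']}: {f['handler']}")
```

On a live host the same comparison applies to the value read from the registry directly (no unescaping needed); any handler other than "%1" %* is worth a ticket, because nothing legitimate on a client build rewrites that key.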
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials, cookies and session tokens.
-
YARA rule upx (UPX-packed executable) matched (7 IoCs):
C:\Users\Admin\AppData\Local\Temp\winlocker.exe
behavioral1/memory/996-627-0x0000000000400000-0x0000000000AAB000-memory.dmp
behavioral1/memory/996-683-0x0000000004380000-0x0000000004402000-memory.dmp
behavioral1/memory/996-747-0x0000000004380000-0x0000000004402000-memory.dmp
behavioral1/memory/996-745-0x0000000000400000-0x0000000000AAB000-memory.dmp
behavioral1/memory/996-763-0x0000000000400000-0x0000000000AAB000-memory.dmp
behavioral1/memory/996-1198-0x0000000000400000-0x0000000000AAB000-memory.dmp
-
Drops file in Program Files directory 64 IoCs
Processes (description ioc process), grouped by process:
File opened for modification by navalny pass - 2000.exe (39 entries; existing executables, consistent with Neshta infecting them):
C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE
C:\PROGRA~2\MICROS~1\EDGEUP~1\13185~1.29\MICROS~4.EXE
C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe
C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe
C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE
C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE
C:\PROGRA~2\INTERN~1\ieinstal.exe
C:\PROGRA~2\WINDOW~2\wab.exe
C:\PROGRA~2\WINDOW~4\wmpconfig.exe
C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe
C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe
C:\PROGRA~2\INTERN~1\ExtExport.exe
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE
C:\PROGRA~3\PACKAG~1\{63880~1\WINDOW~1.EXE
C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE
C:\PROGRA~2\MICROS~1\EDGEUP~1\Download\{F3C4F~1\13185~1.29\FONTDR~1.EXE
C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE
C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE
C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE
C:\PROGRA~2\MICROS~1\EDGEUP~1\13185~1.29\MICROS~3.EXE
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE
C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE
C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE
C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe
C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE
C:\PROGRA~2\MOZILL~1\UNINST~1.EXE
C:\PROGRA~2\WINDOW~4\wmlaunch.exe
C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE
C:\PROGRA~2\MICROS~1\EDGEUP~1\13185~1.29\MI9C33~1.EXE
C:\PROGRA~2\WINDOW~2\wabmig.exe
C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE
C:\PROGRA~2\MICROS~1\EDGEUP~1\13185~1.29\MICROS~1.EXE
C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe
File opened for modification by NVIDIA Container.exe (10 entries):
C:\PROGRA~2\WINDOW~4\wmpshare.exe
C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe
C:\PROGRA~2\WINDOW~4\wmpconfig.exe
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe
C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe
C:\PROGRA~2\WINDOW~4\wmprph.exe
C:\PROGRA~2\INTERN~1\ielowutil.exe
C:\PROGRA~2\WINDOW~4\setup_wm.exe
C:\PROGRA~2\INTERN~1\ExtExport.exe
C:\PROGRA~2\WINDOW~4\wmplayer.exe
File created by NVIDIA~1.EXE (9 entries; system-binary names in unrelated directories, each with a 14-character hex sibling file):
C:\Program Files (x86)\Windows Defender\es-ES\29c1c3cc0f7685
C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\cmd.exe
C:\Program Files\Internet Explorer\winlogon.exe
C:\Program Files (x86)\Windows Defender\es-ES\unsecapp.exe
C:\Program Files\Windows Defender\es-ES\55b276f4edf653
C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\ebf1f9fa8afd6d
C:\Program Files (x86)\Windows NT\TableTextService\9e8d7a4ca61bd9
C:\Program Files\Uninstall Information\navalny pass - 2000.exe
C:\Program Files\MSBuild\69ddcba757bf72
File opened for modification by NVIDIA~1.EXE (1 entry):
C:\Program Files\Uninstall Information\navalny pass - 2000.exe
File created by FONTDR~1.EXE (4 entries):
C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\fontdrvhost.exe
C:\Program Files (x86)\Windows Photo Viewer\de-DE\unsecapp.exe
C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\5b884080fd4f94
C:\Program Files (x86)\Windows Photo Viewer\de-DE\29c1c3cc0f7685
File created by NVIDIA Container.exe (1 entry):
C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\{F3C4FE00-EFD5-403B-9569-398A20F1BA4A}\1.3.185.29\fontdrvhost.exe
-
Drops file in Windows directory 30 IoCs
Processes (description ioc process), grouped by file:
File created (7 entries):
C:\Windows\twain_32\121e5b5079f7c0 by NVIDIA Container.exe
C:\Windows\twain_32\sysmon.exe by NVIDIA Container.exe
C:\Windows\L2Schemas\6203df4a6bafc7 by NVIDIA~1.EXE
C:\Windows\L2Schemas\lsass.exe by NVIDIA~1.EXE
C:\Windows\Provisioning\Autopilot\e6c9b481da804f by NVIDIA~1.EXE
C:\Windows\Provisioning\Autopilot\OfficeClickToRun.exe by NVIDIA~1.EXE
C:\Windows\ServiceState\EventLog\Data\csrss.exe by FONTDR~1.EXE
File opened for modification C:\Windows\svchost.com (12 entries) by: csrss.exe, svchost.com (6 times), fontdrvhost.exe, explorer.exe (2 times), navalny pass - 2000.exe, NVIDIA Container.exe
File opened for modification C:\Windows\directx.sys (11 entries) by: svchost.com (6 times), explorer.exe (2 times), NVIDIA Container.exe, fontdrvhost.exe, csrss.exe
-
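Nearly every binary dropped in this run carries the name of a Windows system process (lsass.exe, csrss.exe, winlogon.exe, smss.exe, sysmon.exe, unsecapp.exe, OfficeClickToRun.exe, cmd.exe) but lands in a directory where that binary never lives, and the report shows a 14-character hex file created beside most of them (121e5b5079f7c0 next to twain_32\sysmon.exe, 6203df4a6bafc7 next to L2Schemas\lsass.exe, and so on). Two of the executed names, Idle.exe and Registry.exe, have no on-disk image at all on a normal Windows install. The block below is an added example, not the report's or the sandbox's code, of a Python check that flags such path masquerades and records whether a hex marker sits beside each one. The drop rows are taken from the report (plus two constructed benign control rows, and one row whose creating process the report does not record); the expected-directory map is an assumption and should be tuned against a clean build.

```python
import re

# System-binary names seen in the report. Membership and the expected-directory
# map are assumptions for the example; verify them against a clean reference build.
SYSTEM_BINARIES = {
    "lsass.exe", "csrss.exe", "smss.exe", "winlogon.exe", "fontdrvhost.exe",
    "unsecapp.exe", "sysmon.exe", "cmd.exe", "runtimebroker.exe",
    "officeclicktorun.exe", "explorer.exe", "svchost.exe",
}
DEFAULT_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\system32\wbem"}
EXPECTED_DIRS = {
    "explorer.exe": {r"c:\windows"},
    "sysmon.exe": {r"c:\windows"},
    "officeclicktorun.exe": {r"c:\program files\common files\microsoft shared\clicktorun"},
}

# 14 lowercase hex characters, no extension: the sibling files the report shows
# beside each dropped implant (121e5b5079f7c0, 6203df4a6bafc7, ...).
HEX_MARKER = re.compile(r"^[0-9a-f]{14}$")

# (path, creating process) rows. All but the last two are taken from the report.
SAMPLE_DROPS = [
    (r"C:\Windows\twain_32\121e5b5079f7c0", "NVIDIA Container.exe"),
    (r"C:\Windows\twain_32\sysmon.exe", "NVIDIA Container.exe"),
    (r"C:\Windows\L2Schemas\6203df4a6bafc7", "NVIDIA~1.EXE"),
    (r"C:\Windows\L2Schemas\lsass.exe", "NVIDIA~1.EXE"),
    (r"C:\Windows\Provisioning\Autopilot\e6c9b481da804f", "NVIDIA~1.EXE"),
    (r"C:\Windows\Provisioning\Autopilot\OfficeClickToRun.exe", "NVIDIA~1.EXE"),
    (r"C:\Windows\ServiceState\EventLog\Data\csrss.exe", "FONTDR~1.EXE"),
    (r"C:\Program Files\Internet Explorer\winlogon.exe", "NVIDIA~1.EXE"),
    (r"C:\Program Files (x86)\Windows Defender\es-ES\29c1c3cc0f7685", "NVIDIA~1.EXE"),
    (r"C:\Program Files (x86)\Windows Defender\es-ES\unsecapp.exe", "NVIDIA~1.EXE"),
    (r"C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\ebf1f9fa8afd6d", "NVIDIA~1.EXE"),
    (r"C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\cmd.exe", "NVIDIA~1.EXE"),
    (r"C:\NVIDIA\DisplayDriver\535.21\explorer.exe", "-"),  # YARA match in the report; creator not recorded
    (r"C:\Windows\System32\lsass.exe", "TrustedInstaller.exe"),        # constructed benign control
    (r"C:\Users\Admin\AppData\Local\Temp\notes.txt", "notepad.exe"),  # constructed benign control
]


def split_path(path):
    """(directory, filename), both lower-cased, for case-insensitive comparison."""
    directory, _, name = path.lower().rpartition("\\")
    return directory, name


def is_masquerade(path):
    """True when a system-binary name sits outside the directories it ships in."""
    directory, name = split_path(path)
    if name not in SYSTEM_BINARIES:
        return False
    return directory not in EXPECTED_DIRS.get(name, DEFAULT_DIRS)


def find_masquerades(drops):
    """Flag masquerading drops and record whether a hex marker was dropped beside each."""
    marker_dirs = {split_path(p)[0] for p, _ in drops if HEX_MARKER.match(split_path(p)[1])}
    findings = []
    for path, creator in drops:
        if is_masquerade(path):
            directory, name = split_path(path)
            findings.append({"path": path, "name": name, "by": creator,
                             "marker_beside": directory in marker_dirs})
    return findings


if __name__ == "__main__":
    for f in find_masquerades(SAMPLE_DROPS):
        tag = "+marker" if f["marker_beside"] else ""
        print(f"{f['name']:22} outside expected dir: {f['path']}  (by {f['by']}) {tag}")
```

The marker check is what separates this family from a generic "lsass.exe in the wrong place" hit: a system-binary name in an odd directory with a 14-hex-character sibling, both written by the same process, is a much tighter signal than either observation alone.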
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 64 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes (pid process): schtasks.exe, 64 entries, PIDs in the order reported: 4844, 5684, 872, 1336, 2448, 1404, 2024, 5856, 548, 5100, 5316, 3576, 3616, 3576, 540, 5040, 5884, 2532, 4012, 5728, 3552, 1652, 5068, 3836, 5468, 4772, 3616, 5092, 4632, 5840, 6100, 5628, 208, 1804, 2012, 1968, 4956, 920, 6028, 3876, 5344, 4808, 1264, 5716, 5804, 5432, 368, 916, 4652, 6040, 3744, 432, 5096, 2316, 5332, 5444, 5764, 1512, 4288, 4624, 1316, 1816, 4320, 2116
-
Enumerates system info in registry 2 TTPs 3 IoCs
Processes (description ioc process):
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS by msedge.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer by msedge.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName by msedge.exe
-
Kills process with taskkill 1 IoCs
Processes (pid process): 4300 taskkill.exe
-
Modifies data under HKEY_USERS 15 IoCs
Processes (description ioc process): all 15 entries are by LogonUI.exe under \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\ (desktop colour and theme values written at logon; normal Windows behaviour rather than sample activity):
Set value (int) DWM\ColorizationBlurBalance = "1"
Set value (int) DWM\ColorizationGlassAttribute = "1"
Key created CurrentVersion\Explorer\Accent
Set value (int) CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"
Set value (int) DWM\ColorizationColor = "3288365271"
Set value (int) DWM\ColorizationColorBalance = "89"
Set value (data) CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00
Key created DWM
Set value (int) DWM\ColorizationAfterglowBalance = "10"
Set value (int) DWM\EnableWindowColorization = "237"
Key created CurrentVersion\Themes\History
Set value (int) CurrentVersion\Themes\History\AutoColor = "0"
Set value (int) CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"
Set value (int) DWM\AccentColor = "4292311040"
Set value (int) DWM\ColorizationAfterglow = "3288365271"
-
Modifies registry class 13 IoCs
Processes (description ioc process):
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" by navalny pass - 2000.exe
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4018855536-2201274732-320770143-1000\{A7BA7B3F-0514-48E5-B8AE-AE0398E39322} by msedge.exe
Key created \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings (11 entries) by, in the order reported: fontdrvhost.exe, NVIDIA Container.exe, explorer.exe, NVIDIA Container.exe, navalny pass - 2000.exe, NVIDIA Container.exe, NVIDIA Container.exe, NVIDIA~1.EXE, FONTDR~1.EXE, csrss.exe, explorer.exe
-
Suspicious behavior: EnumeratesProcesses 39 IoCs
Processes:
NVIDIA Container.exe, NVIDIA Container.exe, msedge.exe, msedge.exe, RuntimeBroker.exe, identity_helper.exe, msedge.exe, RuntimeBroker.exe, NVIDIA~1.EXE, unsecapp.exe, sysmon.exe, Idle.exe, unsecapp.exe, FONTDR~1.EXE, unsecapp.exe, OfficeClickToRun.exe, RuntimeBroker.exe, sysmon.exe, Registry.exe, navalny pass - 2000.exe, cmd.exe, Idle.exe, OfficeClickToRun.exe, RuntimeBroker.exe, fontdrvhost.exe
pid | process (identical entries collapsed, count in parentheses)
- 2676 | NVIDIA Container.exe (3 entries)
- 3608 | NVIDIA Container.exe (3 entries)
- 1808 | msedge.exe (2 entries)
- 4728 | msedge.exe (2 entries)
- 1572 | RuntimeBroker.exe (2 entries)
- 1124 | identity_helper.exe (2 entries)
- 6080 | msedge.exe (2 entries)
- 5844 | RuntimeBroker.exe (2 entries)
- 6020 | NVIDIA~1.EXE (5 entries)
- 4516 | unsecapp.exe
- 2616 | sysmon.exe
- 4056 | Idle.exe
- 4340 | unsecapp.exe
- 2376 | FONTDR~1.EXE
- 5264 | unsecapp.exe
- 5488 | OfficeClickToRun.exe
- 2896 | RuntimeBroker.exe
- 3028 | sysmon.exe
- 1264 | Registry.exe
- 6040 | navalny pass - 2000.exe
- 3740 | cmd.exe
- 4948 | Idle.exe
- 5172 | OfficeClickToRun.exe
- 1328 | RuntimeBroker.exe
- 5020 | fontdrvhost.exe
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
WINLOC~1.EXE
pid | process
- 996 | WINLOC~1.EXE
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 16 IoCs
Processes:
msedge.exe
pid | process (identical entries collapsed, count in parentheses)
- 4728 | msedge.exe (16 entries)
-
Suspicious use of AdjustPrivilegeToken 43 IoCs
Processes:
NVIDIA Container.exe, NVIDIA Container.exe, RuntimeBroker.exe, RuntimeBroker.exe, NVIDIA~1.EXE, AUDIODG.EXE, taskkill.exe, unsecapp.exe, sysmon.exe, Idle.exe, MoUsoCoreWorker.exe, unsecapp.exe, navalny pass - 2000.exe, FONTDR~1.EXE, unsecapp.exe, OfficeClickToRun.exe, explorer.exe, StartMenuExperienceHost.exe, SearchApp.exe, RuntimeBroker.exe, sysmon.exe, Idle.exe, MoUsoCoreWorker.exe, winlogon.exe, Registry.exe, navalny pass - 2000.exe, csrss.exe, smss.exe, cmd.exe, lsass.exe, Idle.exe, MoUsoCoreWorker.exe, OfficeClickToRun.exe, StartMenuExperienceHost.exe, sysmon.exe, SearchApp.exe, RuntimeBroker.exe, explorer.exe, navalny pass - 2000.exe, unsecapp.exe, fontdrvhost.exe, WINLOC~1.EXE
description | pid | process
- Token: SeDebugPrivilege | 2676 | NVIDIA Container.exe
- Token: SeDebugPrivilege | 3608 | NVIDIA Container.exe
- Token: SeDebugPrivilege | 1572 | RuntimeBroker.exe
- Token: SeDebugPrivilege | 5844 | RuntimeBroker.exe
- Token: SeDebugPrivilege | 6020 | NVIDIA~1.EXE
- Token: 33 | 840 | AUDIODG.EXE
- Token: SeIncBasePriorityPrivilege | 840 | AUDIODG.EXE
- Token: SeDebugPrivilege | 4300 | taskkill.exe
- Token: SeDebugPrivilege | 4516 | unsecapp.exe
- Token: SeDebugPrivilege | 2616 | sysmon.exe
- Token: SeDebugPrivilege | 4056 | Idle.exe
- Token: SeDebugPrivilege | 5936 | MoUsoCoreWorker.exe
- Token: SeDebugPrivilege | 4340 | unsecapp.exe
- Token: SeDebugPrivilege | 5808 | navalny pass - 2000.exe
- Token: SeDebugPrivilege | 2376 | FONTDR~1.EXE
- Token: SeDebugPrivilege | 5264 | unsecapp.exe
- Token: SeDebugPrivilege | 5488 | OfficeClickToRun.exe
- Token: SeDebugPrivilege | 3980 | explorer.exe
- Token: SeDebugPrivilege | 5156 | StartMenuExperienceHost.exe
- Token: SeDebugPrivilege | 1528 | SearchApp.exe
- Token: SeDebugPrivilege | 2896 | RuntimeBroker.exe
- Token: SeDebugPrivilege | 3028 | sysmon.exe
- Token: SeDebugPrivilege | 5848 | Idle.exe
- Token: SeDebugPrivilege | 1324 | MoUsoCoreWorker.exe
- Token: SeDebugPrivilege | 5328 | winlogon.exe
- Token: SeDebugPrivilege | 1264 | Registry.exe
- Token: SeDebugPrivilege | 6040 | navalny pass - 2000.exe
- Token: SeDebugPrivilege | 5680 | csrss.exe
- Token: SeDebugPrivilege | 3940 | smss.exe
- Token: SeDebugPrivilege | 3740 | cmd.exe
- Token: SeDebugPrivilege | 3460 | lsass.exe
- Token: SeDebugPrivilege | 4948 | Idle.exe
- Token: SeDebugPrivilege | 3932 | MoUsoCoreWorker.exe
- Token: SeDebugPrivilege | 5172 | OfficeClickToRun.exe
- Token: SeDebugPrivilege | 3720 | StartMenuExperienceHost.exe
- Token: SeDebugPrivilege | 5052 | sysmon.exe
- Token: SeDebugPrivilege | 5028 | SearchApp.exe
- Token: SeDebugPrivilege | 1328 | RuntimeBroker.exe
- Token: SeDebugPrivilege | 2224 | explorer.exe
- Token: SeDebugPrivilege | 2416 | navalny pass - 2000.exe
- Token: SeDebugPrivilege | 3452 | unsecapp.exe
- Token: SeDebugPrivilege | 5020 | fontdrvhost.exe
- Token: SeShutdownPrivilege | 996 | WINLOC~1.EXE
-
Suspicious use of FindShellTrayWindow 64 IoCs
Processes:
msedge.exe, WINLOC~1.EXE
pid | process (identical entries collapsed, count in parentheses)
- 4728 | msedge.exe (26 entries)
- 996 | WINLOC~1.EXE (38 entries)
-
Suspicious use of SendNotifyMessage 24 IoCs
Processes:
msedge.exe
pid | process (identical entries collapsed, count in parentheses)
- 4728 | msedge.exe (24 entries)
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
LogonUI.exe
pid | process
- 5044 | LogonUI.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
navalny pass - 2000.exe, NVIDIA Container.exe, WScript.exe, cmd.exe, NVIDIA Container.exe, msedge.exe
description | pid | process | target process (identical entries collapsed, count in parentheses)
- PID 3512 wrote to memory of 2020 | 3512 | navalny pass - 2000.exe | NVIDIA Container.exe (3 entries)
- PID 2020 wrote to memory of 3168 | 2020 | NVIDIA Container.exe | WScript.exe (3 entries)
- PID 3168 wrote to memory of 440 | 3168 | WScript.exe | cmd.exe (3 entries)
- PID 440 wrote to memory of 2676 | 440 | cmd.exe | NVIDIA Container.exe (2 entries)
- PID 2676 wrote to memory of 3608 | 2676 | NVIDIA Container.exe | NVIDIA Container.exe (2 entries)
- PID 4728 wrote to memory of 2144 | 4728 | msedge.exe | msedge.exe (2 entries)
- PID 4728 wrote to memory of 1844 | 4728 | msedge.exe | msedge.exe (40 entries)
- PID 4728 wrote to memory of 1808 | 4728 | msedge.exe | msedge.exe (2 entries)
- PID 4728 wrote to memory of 5052 | 4728 | msedge.exe | msedge.exe (7 entries)
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\navalny pass - 2000.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\navalny pass - 2000.exe"
- DcRat
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\NVIDIA Container.exe (level 2)
  Command line: "C:\Users\Admin\AppData\Local\Temp\NVIDIA Container.exe"
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe (level 3)
  Command line: "C:\Windows\System32\WScript.exe" "C:\NVIDIA\DisplayDriver\535.21\zajaYJ4rqwpmDK2a6yrvwdV.vbe"
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe (level 4)
  Command line: C:\Windows\system32\cmd.exe /c ""C:\NVIDIA\DisplayDriver\535.21\mxJne99RtKqQDunPUGdos.bat" "
- Suspicious use of WriteProcessMemory
-
C:\NVIDIA\DisplayDriver\535.21\NVIDIA Container.exe (level 5)
  Command line: "C:\NVIDIA\DisplayDriver\535.21\NVIDIA Container.exe"
- DcRat
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\NVIDIA\DisplayDriver\535.21\NVIDIA Container.exe (level 6)
  Command line: "C:\NVIDIA\DisplayDriver\535.21\NVIDIA Container.exe"
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe (level 7)
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XNBxlhQhQP.bat"
-
C:\Windows\system32\w32tm.exe (level 8)
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
-
C:\Users\Public\Desktop\RuntimeBroker.exe (level 8)
  Command line: "C:\Users\Public\Desktop\RuntimeBroker.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\schtasks.exe (level 1)
  Command line: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe (level 1)
  Command line: schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
-
C:\Windows\system32\schtasks.exe (level 1)
  Command line: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe (level 1)
  Command line: schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 12 /tr "'C:\NVIDIA\DisplayDriver\sysmon.exe'" /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe (level 1)
  Command line: schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\NVIDIA\DisplayDriver\sysmon.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
-
C:\Windows\system32\schtasks.exe (level 1)
  Command line: schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 12 /tr "'C:\NVIDIA\DisplayDriver\sysmon.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe (level 1)
  Command line: schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 14 /tr "'C:\Windows\twain_32\sysmon.exe'" /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe (level 1)
  Command line: schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Windows\twain_32\sysmon.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe (level 1)
  Command line: schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 6 /tr "'C:\Windows\twain_32\sysmon.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 1)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 2)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffca1e646f8,0x7ffca1e64708,0x7ffca1e64718
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 2)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2280,3606449071366420161,8796575762526554312,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2296 /prefetch:2
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 2)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2280,3606449071366420161,8796575762526554312,131072 --lang=uk --service-sandbox-type=none --mojo-platform-channel-handle=2348 /prefetch:3
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 2)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2280,3606449071366420161,8796575762526554312,131072 --lang=uk --service-sandbox-type=utility --mojo-platform-channel-handle=2816 /prefetch:8
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 2)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2280,3606449071366420161,8796575762526554312,131072 --lang=uk --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 2)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2280,3606449071366420161,8796575762526554312,131072 --lang=uk --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 2)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2280,3606449071366420161,8796575762526554312,131072 --lang=uk --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5052 /prefetch:1
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 2)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2280,3606449071366420161,8796575762526554312,131072 --lang=uk --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3932 /prefetch:1
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (level 2)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2280,3606449071366420161,8796575762526554312,131072 --lang=uk --service-sandbox-type=none --mojo-platform-channel-handle=3584 /prefetch:8
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (level 2)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2280,3606449071366420161,8796575762526554312,131072 --lang=uk --service-sandbox-type=none --mojo-platform-channel-handle=3584 /prefetch:8
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 2)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2280,3606449071366420161,8796575762526554312,131072 --lang=uk --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3444 /prefetch:1
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 2)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2280,3606449071366420161,8796575762526554312,131072 --lang=uk --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5232 /prefetch:1
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 2)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2280,3606449071366420161,8796575762526554312,131072 --lang=uk --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5056 /prefetch:1
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 2)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2280,3606449071366420161,8796575762526554312,131072 --lang=uk --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4824 /prefetch:1
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 2)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2280,3606449071366420161,8796575762526554312,131072 --lang=uk --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4132 /prefetch:1
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 2)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2280,3606449071366420161,8796575762526554312,131072 --lang=uk --service-sandbox-type=audio --mojo-platform-channel-handle=5420 /prefetch:8
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 2)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2280,3606449071366420161,8796575762526554312,131072 --lang=uk --service-sandbox-type=video_capture --mojo-platform-channel-handle=5724 /prefetch:8
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 2)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2280,3606449071366420161,8796575762526554312,131072 --lang=uk --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4824 /prefetch:1
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 2)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2280,3606449071366420161,8796575762526554312,131072 --lang=uk --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3476 /prefetch:1
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 2)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2280,3606449071366420161,8796575762526554312,131072 --lang=uk --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5832 /prefetch:1
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 2)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2280,3606449071366420161,8796575762526554312,131072 --lang=uk --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5840 /prefetch:1
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 2)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2280,3606449071366420161,8796575762526554312,131072 --lang=uk --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5492 /prefetch:1
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 2)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2280,3606449071366420161,8796575762526554312,131072 --lang=uk --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6588 /prefetch:1
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 2)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2280,3606449071366420161,8796575762526554312,131072 --lang=uk --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6104 /prefetch:1
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 2)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2280,3606449071366420161,8796575762526554312,131072 --lang=uk --service-sandbox-type=collections --mojo-platform-channel-handle=6476 /prefetch:8
-
C:\Windows\system32\schtasks.exe (level 1)
  Command line: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\{F3C4FE00-EFD5-403B-9569-398A20F1BA4A}\1.3.185.29\fontdrvhost.exe'" /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe (level 1)
  Command line: schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\{F3C4FE00-EFD5-403B-9569-398A20F1BA4A}\1.3.185.29\fontdrvhost.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe (level 1)
  Command line: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\{F3C4FE00-EFD5-403B-9569-398A20F1BA4A}\1.3.185.29\fontdrvhost.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe (level 1)
  Command line: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\NVIDIA\DisplayDriver\535.21\explorer.exe'" /f
- DcRat
- Process spawned unexpected child process
-
C:\Windows\system32\schtasks.exe (level 1)
  Command line: schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\NVIDIA\DisplayDriver\535.21\explorer.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe (level 1)
  Command line: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\NVIDIA\DisplayDriver\535.21\explorer.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
-
C:\Windows\system32\schtasks.exe (level 1)
  Command line: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Desktop\RuntimeBroker.exe'" /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe (level 1)
  Command line: schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Public\Desktop\RuntimeBroker.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe (level 1)
  Command line: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Desktop\RuntimeBroker.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe (level 1)
  Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Pictures\csrss.exe'" /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe (level 1)
  Command line: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Public\Pictures\csrss.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\System32\CompPkgSrv.exe (level 1)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
-
C:\Windows\system32\schtasks.exe (level 1)
  Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Pictures\csrss.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\System32\CompPkgSrv.exe (level 1)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
-
C:\Users\Public\Desktop\RuntimeBroker.exe (level 1)
  Command line: "C:\Users\Public\Desktop\RuntimeBroker.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\rundll32.exe (level 1)
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
-
C:\Users\Admin\Desktop\navalny pass - 2000.exe (level 1)
  Command line: "C:\Users\Admin\Desktop\navalny pass - 2000.exe"
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\NVIDIA Container.exe (level 2)
  Command line: "C:\Users\Admin\AppData\Local\Temp\NVIDIA Container.exe"
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
-
C:\Windows\SysWOW64\WScript.exe (level 3)
  Command line: "C:\Windows\System32\WScript.exe" "C:\NVIDIA\DisplayDriver\535.21\zajaYJ4rqwpmDK2a6yrvwdV.vbe"
- Checks computer location settings
-
C:\Windows\SysWOW64\cmd.exe (level 4)
  Command line: C:\Windows\system32\cmd.exe /c ""C:\NVIDIA\DisplayDriver\535.21\mxJne99RtKqQDunPUGdos.bat" "
-
C:\NVIDIA\DisplayDriver\535.21\NVIDIA Container.exe (level 5)
  Command line: "C:\NVIDIA\DisplayDriver\535.21\NVIDIA Container.exe"
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
-
C:\Windows\svchost.com (level 6)
  Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\NVIDIA~1.EXE"
- Executes dropped EXE
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Local\Temp\3582-490\NVIDIA~1.EXE (level 7)
  Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\NVIDIA~1.EXE
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe (level 8)
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7mvkDr5O57.bat"
-
C:\Windows\system32\w32tm.exe (level 9)
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
-
C:\NVIDIA\DisplayDriver\535.21\unsecapp.exe (level 9)
  Command line: "C:\NVIDIA\DisplayDriver\535.21\unsecapp.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\navalny pass - 2000.exe (level 2)
  Command line: "C:\Users\Admin\AppData\Local\Temp\navalny pass - 2000.exe"
- Checks computer location settings
- Executes dropped EXE
- Modifies system executable filetype association
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
-
C:\Users\Admin\AppData\Local\Temp\3582-490\navalny pass - 2000.exe (level 3)
  Command line: "C:\Users\Admin\AppData\Local\Temp\3582-490\navalny pass - 2000.exe"
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
-
C:\Windows\svchost.com (level 4)
  Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\WINLOC~1.EXE"
- Executes dropped EXE
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Local\Temp\WINLOC~1.EXE (level 5)
  Command line: C:\Users\Admin\AppData\Local\Temp\WINLOC~1.EXE
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow

C:\Windows\SysWOW64\cmd.exe (tree depth 6)
Command line: cmd.exe /c "TASKKILL /F /IM "explorer.exe""

C:\Windows\SysWOW64\taskkill.exe (tree depth 7)
Command line: TASKKILL /F /IM "explorer.exe"
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\schtasks.exe (tree depth 1)
Command line: schtasks.exe /create /tn "navalny pass - 2000n" /sc MINUTE /mo 11 /tr "'C:\Program Files\Uninstall Information\navalny pass - 2000.exe'" /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (tree depth 1)
Command line: schtasks.exe /create /tn "navalny pass - 2000" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\navalny pass - 2000.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (tree depth 1)
Command line: schtasks.exe /create /tn "navalny pass - 2000n" /sc MINUTE /mo 6 /tr "'C:\Program Files\Uninstall Information\navalny pass - 2000.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process

C:\Windows\system32\schtasks.exe (tree depth 1)
Command line: schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 14 /tr "'C:\NVIDIA\DisplayDriver\535.21\SearchApp.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (tree depth 1)
Command line: schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\NVIDIA\DisplayDriver\535.21\SearchApp.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (tree depth 1)
Command line: schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 8 /tr "'C:\NVIDIA\DisplayDriver\535.21\SearchApp.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (tree depth 1)
Command line: schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 9 /tr "'C:\NVIDIA\DisplayDriver\535.21\OfficeClickToRun.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (tree depth 1)
Command line: schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\NVIDIA\DisplayDriver\535.21\OfficeClickToRun.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process

C:\Windows\system32\schtasks.exe (tree depth 1)
Command line: schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 13 /tr "'C:\NVIDIA\DisplayDriver\535.21\OfficeClickToRun.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (tree depth 1)
Command line: schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\cmd.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (tree depth 1)
Command line: schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\cmd.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)

C:\Windows\system32\AUDIODG.EXE (tree depth 1)
Command line: C:\Windows\system32\AUDIODG.EXE 0x4cc 0x408
- Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\schtasks.exe (tree depth 1)
Command line: schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\cmd.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (tree depth 1)
Command line: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Program Files\Internet Explorer\winlogon.exe'" /f
- DcRat
- Process spawned unexpected child process

C:\Windows\system32\schtasks.exe (tree depth 1)
Command line: schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\winlogon.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (tree depth 1)
Command line: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Program Files\Internet Explorer\winlogon.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process

C:\Windows\system32\schtasks.exe (tree depth 1)
Command line: schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Windows\L2Schemas\lsass.exe'" /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (tree depth 1)
Command line: schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\L2Schemas\lsass.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (tree depth 1)
Command line: schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Windows\L2Schemas\lsass.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (tree depth 1)
Command line: schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 13 /tr "'C:\NVIDIA\DisplayDriver\535.21\unsecapp.exe'" /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (tree depth 1)
Command line: schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\NVIDIA\DisplayDriver\535.21\unsecapp.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (tree depth 1)
Command line: schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 12 /tr "'C:\NVIDIA\DisplayDriver\535.21\unsecapp.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (tree depth 1)
Command line: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\NVIDIA\DisplayDriver\Idle.exe'" /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (tree depth 1)
Command line: schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\NVIDIA\DisplayDriver\Idle.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (tree depth 1)
Command line: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\NVIDIA\DisplayDriver\Idle.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (tree depth 1)
Command line: schtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Portable Devices\MoUsoCoreWorker.exe'" /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (tree depth 1)
Command line: schtasks.exe /create /tn "MoUsoCoreWorker" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\MoUsoCoreWorker.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (tree depth 1)
Command line: schtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Portable Devices\MoUsoCoreWorker.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (tree depth 1)
Command line: schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Program Files\MSBuild\smss.exe'" /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (tree depth 1)
Command line: schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\MSBuild\smss.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (tree depth 1)
Command line: schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Program Files\MSBuild\smss.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (tree depth 1)
Command line: schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Desktop\StartMenuExperienceHost.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (tree depth 1)
Command line: schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Users\Admin\Desktop\StartMenuExperienceHost.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (tree depth 1)
Command line: schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Desktop\StartMenuExperienceHost.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (tree depth 1)
Command line: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\RuntimeBroker.exe'" /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (tree depth 1)
Command line: schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\RuntimeBroker.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (tree depth 1)
Command line: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\RuntimeBroker.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process

C:\Windows\system32\schtasks.exe (tree depth 1)
Command line: schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 12 /tr "'C:\Windows\Provisioning\Autopilot\OfficeClickToRun.exe'" /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (tree depth 1)
Command line: schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Windows\Provisioning\Autopilot\OfficeClickToRun.exe'" /rl HIGHEST /f
- Process spawned unexpected child process

C:\Windows\system32\schtasks.exe (tree depth 1)
Command line: schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 8 /tr "'C:\Windows\Provisioning\Autopilot\OfficeClickToRun.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (tree depth 1)
Command line: schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Defender\es-ES\StartMenuExperienceHost.exe'" /f
- DcRat
- Process spawned unexpected child process

C:\Windows\system32\schtasks.exe (tree depth 1)
Command line: schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\es-ES\StartMenuExperienceHost.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (tree depth 1)
Command line: schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Defender\es-ES\StartMenuExperienceHost.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (tree depth 1)
Command line: schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Defender\es-ES\unsecapp.exe'" /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (tree depth 1)
Command line: schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\es-ES\unsecapp.exe'" /rl HIGHEST /f
- DcRat
- Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (tree depth 1)
Command line: schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Defender\es-ES\unsecapp.exe'" /rl HIGHEST /f
- DcRat

C:\Windows\system32\schtasks.exe (tree depth 1)
Command line: schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Google\Update\Install\Registry.exe'" /f
- DcRat

C:\Windows\system32\schtasks.exe (tree depth 1)
Command line: schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Update\Install\Registry.exe'" /rl HIGHEST /f
- DcRat
- Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (tree depth 1)
Command line: schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Google\Update\Install\Registry.exe'" /rl HIGHEST /f
- DcRat
- Creates scheduled task(s)

C:\Windows\twain_32\sysmon.exe (tree depth 1)
Command line: C:\Windows\twain_32\sysmon.exe
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken

C:\NVIDIA\DisplayDriver\Idle.exe (tree depth 1)
Command line: C:\NVIDIA\DisplayDriver\Idle.exe
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken

C:\Program Files\Windows Portable Devices\MoUsoCoreWorker.exe (tree depth 1)
Command line: "C:\Program Files\Windows Portable Devices\MoUsoCoreWorker.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken

C:\Program Files (x86)\Windows Defender\es-ES\unsecapp.exe (tree depth 1)
Command line: "C:\Program Files (x86)\Windows Defender\es-ES\unsecapp.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken

C:\Program Files\Uninstall Information\navalny pass - 2000.exe (tree depth 1)
Command line: "C:\Program Files\Uninstall Information\navalny pass - 2000.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken

C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\{F3C4FE00-EFD5-403B-9569-398A20F1BA4A}\1.3.185.29\fontdrvhost.exe (tree depth 1)
Command line: "C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\{F3C4FE00-EFD5-403B-9569-398A20F1BA4A}\1.3.185.29\fontdrvhost.exe"
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Modifies registry class

C:\Windows\svchost.com (tree depth 2)
Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FONTDR~1.EXE"
- Executes dropped EXE
- Drops file in Windows directory

C:\Users\Admin\AppData\Local\Temp\3582-490\FONTDR~1.EXE (tree depth 3)
Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\FONTDR~1.EXE
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken

C:\Windows\System32\cmd.exe (tree depth 4)
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Pjh9saPLSW.bat"

C:\Windows\system32\w32tm.exe (tree depth 5)
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files (x86)\Windows Photo Viewer\de-DE\unsecapp.exe (tree depth 5)
Command line: "C:\Program Files (x86)\Windows Photo Viewer\de-DE\unsecapp.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\schtasks.exe (tree depth 1)
Command line: schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\unsecapp.exe'" /f
- DcRat
- Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (tree depth 1)
Command line: schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\unsecapp.exe'" /rl HIGHEST /f
- DcRat
- Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (tree depth 1)
Command line: schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\unsecapp.exe'" /rl HIGHEST /f
- DcRat
- Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (tree depth 1)
Command line: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\fontdrvhost.exe'" /f
- Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (tree depth 1)
Command line: schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\fontdrvhost.exe'" /rl HIGHEST /f
- DcRat
- Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (tree depth 1)
Command line: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\fontdrvhost.exe'" /rl HIGHEST /f
- Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (tree depth 1)
Command line: schtasks.exe /create /tn "WINLOC~1W" /sc MINUTE /mo 10 /tr "'C:\NVIDIA\DisplayDriver\535.21\WINLOC~1.exe'" /f

C:\Windows\system32\schtasks.exe (tree depth 1)
Command line: schtasks.exe /create /tn "WINLOC~1" /sc ONLOGON /tr "'C:\NVIDIA\DisplayDriver\535.21\WINLOC~1.exe'" /rl HIGHEST /f
- DcRat
- Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (tree depth 1)
Command line: schtasks.exe /create /tn "WINLOC~1W" /sc MINUTE /mo 13 /tr "'C:\NVIDIA\DisplayDriver\535.21\WINLOC~1.exe'" /rl HIGHEST /f
- DcRat
- Creates scheduled task(s)

C:\NVIDIA\DisplayDriver\535.21\explorer.exe (tree depth 1)
Command line: C:\NVIDIA\DisplayDriver\535.21\explorer.exe
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Modifies registry class

C:\Windows\svchost.com (tree depth 2)
Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\explorer.exe"
- Executes dropped EXE
- Drops file in Windows directory

C:\Users\Admin\AppData\Local\Temp\3582-490\explorer.exe (tree depth 3)
Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\explorer.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken

C:\Windows\Provisioning\Autopilot\OfficeClickToRun.exe (tree depth 1)
Command line: C:\Windows\Provisioning\Autopilot\OfficeClickToRun.exe
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken

C:\Program Files\Windows Defender\es-ES\StartMenuExperienceHost.exe (tree depth 1)
Command line: "C:\Program Files\Windows Defender\es-ES\StartMenuExperienceHost.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken

C:\NVIDIA\DisplayDriver\535.21\SearchApp.exe (tree depth 1)
Command line: C:\NVIDIA\DisplayDriver\535.21\SearchApp.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken

C:\Program Files (x86)\Windows NT\TableTextService\RuntimeBroker.exe (tree depth 1)
Command line: "C:\Program Files (x86)\Windows NT\TableTextService\RuntimeBroker.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken

C:\Windows\twain_32\sysmon.exe (tree depth 1)
Command line: C:\Windows\twain_32\sysmon.exe
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken

C:\NVIDIA\DisplayDriver\Idle.exe (tree depth 1)
Command line: C:\NVIDIA\DisplayDriver\Idle.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken

C:\Program Files\Windows Portable Devices\MoUsoCoreWorker.exe (tree depth 1)
Command line: "C:\Program Files\Windows Portable Devices\MoUsoCoreWorker.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken

C:\Program Files\Internet Explorer\winlogon.exe (tree depth 1)
Command line: "C:\Program Files\Internet Explorer\winlogon.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken

C:\Program Files (x86)\Google\Update\Install\Registry.exe (tree depth 1)
Command line: "C:\Program Files (x86)\Google\Update\Install\Registry.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken

C:\Program Files\Uninstall Information\navalny pass - 2000.exe (tree depth 1)
Command line: "C:\Program Files\Uninstall Information\navalny pass - 2000.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken

C:\Users\Public\Pictures\csrss.exe (tree depth 1)
Command line: C:\Users\Public\Pictures\csrss.exe
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Modifies registry class

C:\Windows\svchost.com (tree depth 2)
Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\csrss.exe"
- Executes dropped EXE
- Drops file in Windows directory

C:\Users\Admin\AppData\Local\Temp\3582-490\csrss.exe (tree depth 3)
Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\csrss.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken

C:\Program Files\MSBuild\smss.exe (tree depth 1)
Command line: "C:\Program Files\MSBuild\smss.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken

C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\cmd.exe (tree depth 1)
Command line: "C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\cmd.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken

C:\Windows\L2Schemas\lsass.exe (tree depth 1)
Command line: C:\Windows\L2Schemas\lsass.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken

C:\NVIDIA\DisplayDriver\Idle.exe (tree depth 1)
Command line: C:\NVIDIA\DisplayDriver\Idle.exe
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken

C:\Program Files\Windows Portable Devices\MoUsoCoreWorker.exe (tree depth 1)
Command line: "C:\Program Files\Windows Portable Devices\MoUsoCoreWorker.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken

C:\Windows\Provisioning\Autopilot\OfficeClickToRun.exe (tree depth 1)
Command line: C:\Windows\Provisioning\Autopilot\OfficeClickToRun.exe
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken

C:\Program Files\Windows Defender\es-ES\StartMenuExperienceHost.exe (tree depth 1)
Command line: "C:\Program Files\Windows Defender\es-ES\StartMenuExperienceHost.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken

C:\Windows\twain_32\sysmon.exe (tree depth 1)
Command line: C:\Windows\twain_32\sysmon.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken

C:\NVIDIA\DisplayDriver\535.21\SearchApp.exe (tree depth 1)
Command line: C:\NVIDIA\DisplayDriver\535.21\SearchApp.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken

C:\Program Files (x86)\Windows NT\TableTextService\RuntimeBroker.exe (tree depth 1)
Command line: "C:\Program Files (x86)\Windows NT\TableTextService\RuntimeBroker.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken

C:\NVIDIA\DisplayDriver\535.21\explorer.exe (tree depth 1)
Command line: C:\NVIDIA\DisplayDriver\535.21\explorer.exe
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Modifies registry class

C:\Windows\svchost.com (tree depth 2)
Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\explorer.exe"
- Executes dropped EXE
- Drops file in Windows directory

C:\Users\Admin\AppData\Local\Temp\3582-490\explorer.exe (tree depth 3)
Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\explorer.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken

C:\Program Files\Uninstall Information\navalny pass - 2000.exe (tree depth 1)
Command line: "C:\Program Files\Uninstall Information\navalny pass - 2000.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken

C:\Program Files (x86)\Windows Photo Viewer\de-DE\unsecapp.exe (tree depth 1)
Command line: "C:\Program Files (x86)\Windows Photo Viewer\de-DE\unsecapp.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken

C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\fontdrvhost.exe (tree depth 1)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\fontdrvhost.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\LogonUI.exe (tree depth 1)
Command line: "LogonUI.exe" /flags:0x4 /state0:0xa3812855 /state1:0x41c64e6d
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\Users\Admin\AppData\Local\Temp\winlocker.exeFilesize
3.1MB
MD59f93492e155d1bf27b8077e991e6a5a0
SHA1159d72ad8074b56562b1014393be24b402c3af39
SHA25643eef3b68ebaab3efbe15eb3046281e380aa78003a0eda8757a9e44f6a59ec7f
SHA512270bc608ac79ca92c8db6a1455a26f24d80844badc514d5db29acade5748513d8378e3d6d803e9cfb7bdab6482a992b7c6a60845b255f3be5cbf92a0a69db918
-
C:\Windows\directx.sysFilesize
57B
MD5cbdcfbc8ff1e26995d116b503d81368d
SHA16b5037db4b946b9783c4e6ead5402c89ee9be17c
SHA25619c722c1b0ad3b95c0c7527b8b10c5bc9539d8c2409528b3769cb238146e6128
SHA51256004fe75f5ede42c61faff11858cf320768caa2d8cc77c54b21a570009a8dd0d09903bb11b5aaabdc4a12918b0b1778a10685f8f96a818b957a3dfc6a96bcb1
-
C:\Windows\directx.sysFilesize
57B
MD5f19364ecf16c403571c7899d5f032d79
SHA17a47a1ac60cd7c5ae3b8e38a8630a9cbdf127c53
SHA25658489b6ff4fffc35d069b12500a282d9e84d1a82eeb3ca44332eb51107e3d424
SHA5126cd129e9d4ee7b868d0712932b3498b425ae7fe5145a49081d45829bf1aa29ff0b6e413ec24cfa28b1f5c9d1a9947788ccd53e142d157cb451efa7ce4f8f9e95
-
C:\Windows\svchost.comFilesize
40KB
MD5594d6120159f25621034a2b9e42aaf88
SHA1bb981a4ae042d506ea0403cac880c2b759d40699
SHA256db937f1cc5add635677135f175db53bd13ddd68751f43a11283ffc99f2e05842
SHA5126545d41ebcbe34d09b46e9a7ac5245709de20ed15a8107efdfe1900a5b633f9114d364e464da28ebd5af5c5382d1078fb1567d94fc34b19d09835241597ad1aa
-
\??\pipe\LOCAL\crashpad_4728_ZZSACJHSDENXAMDOMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/996-746-0x0000000002910000-0x000000000293A000-memory.dmpFilesize
168KB
-
memory/996-1198-0x0000000000400000-0x0000000000AAB000-memory.dmpFilesize
6.7MB
-
memory/996-747-0x0000000004380000-0x0000000004402000-memory.dmpFilesize
520KB
-
memory/996-763-0x0000000000400000-0x0000000000AAB000-memory.dmpFilesize
6.7MB
-
memory/996-745-0x0000000000400000-0x0000000000AAB000-memory.dmpFilesize
6.7MB
-
memory/996-627-0x0000000000400000-0x0000000000AAB000-memory.dmpFilesize
6.7MB
-
memory/996-681-0x0000000002910000-0x000000000293A000-memory.dmpFilesize
168KB
-
memory/996-683-0x0000000004380000-0x0000000004402000-memory.dmpFilesize
520KB
-
memory/1800-744-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/1800-750-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/1800-755-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/2216-693-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/2676-29-0x000000001BF20000-0x000000001BF36000-memory.dmpFilesize
88KB
-
memory/2676-33-0x000000001BFC0000-0x000000001BFCC000-memory.dmpFilesize
48KB
-
memory/2676-31-0x000000001BF50000-0x000000001BF5E000-memory.dmpFilesize
56KB
-
memory/2676-32-0x000000001BF60000-0x000000001BF6E000-memory.dmpFilesize
56KB
-
memory/2676-26-0x0000000000C80000-0x0000000000DEA000-memory.dmpFilesize
1.4MB
-
memory/2676-27-0x0000000002FE0000-0x0000000002FFC000-memory.dmpFilesize
112KB
-
memory/2676-28-0x000000001BF70000-0x000000001BFC0000-memory.dmpFilesize
320KB
-
memory/2676-30-0x000000001BF40000-0x000000001BF50000-memory.dmpFilesize
64KB
-
memory/3192-742-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/3192-749-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/3192-756-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/3512-17-0x00007FFCA7DA0000-0x00007FFCA8861000-memory.dmpFilesize
10.8MB
-
memory/3512-0-0x00007FFCA7DA3000-0x00007FFCA7DA5000-memory.dmpFilesize
8KB
-
memory/3512-1-0x0000000000220000-0x0000000000846000-memory.dmpFilesize
6.1MB
-
memory/3512-4-0x00007FFCA7DA0000-0x00007FFCA8861000-memory.dmpFilesize
10.8MB
-
memory/4552-724-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB