dcrat | 12b1d0212363628cb57d2379017b94d6bf91029b37b2dcee592a564952855694

Analysis

max time kernel
69s
max time network
69s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
30/06/2024, 15:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

хомяк.exe
Size

13.5MB
MD5

a26a308a71c3fd57cd4fad9dc8d55fb1
SHA1

3722d8d2b321f72b2e207a8e1f7e408d35c7d607
SHA256

12b1d0212363628cb57d2379017b94d6bf91029b37b2dcee592a564952855694
SHA512

306868bb537ffae0a7cd4de76b0f52079b2aa5f744f50abe3a866f4bb2f17a829cb91537a30c76240798248a0e9da6d5f92591ed1e7101337e2aa0f78e764e55
SSDEEP

393216:n5BbqQ/ThnhIxo1S/Js7D+xZlwRjMAke5F:5P4xy0ADFRYAj

Score

10^/10

dcrat bootkit infostealer persistence rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 48 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4680	448	schtasks.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3536	448	schtasks.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	748	448	schtasks.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4544	448	schtasks.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4380	448	schtasks.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1100	448	schtasks.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2364	448	schtasks.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2780	448	schtasks.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4236	448	schtasks.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3840	448	schtasks.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4432	448	schtasks.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5116	448	schtasks.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4412	448	schtasks.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2332	448	schtasks.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4976	448	schtasks.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4292	448	schtasks.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	624	448	schtasks.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3008	448	schtasks.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1704	448	schtasks.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3024	448	schtasks.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1744	448	schtasks.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4960	448	schtasks.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4544	448	schtasks.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2548	448	schtasks.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3992	448	schtasks.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3320	448	schtasks.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1232	448	schtasks.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3780	448	schtasks.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3608	448	schtasks.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2248	448	schtasks.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1668	448	schtasks.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2864	448	schtasks.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3680	448	schtasks.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4228	448	schtasks.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4460	448	schtasks.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5084	448	schtasks.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1400	448	schtasks.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4224	448	schtasks.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	372	448	schtasks.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	536	448	schtasks.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4884	448	schtasks.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4636	448	schtasks.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2184	448	schtasks.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2472	448	schtasks.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3588	448	schtasks.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1232	448	schtasks.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3124	448	schtasks.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2548	448	schtasks.exe	98

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0007000000023569-53.dat	dcrat
behavioral1/files/0x0007000000023571-83.dat	dcrat
behavioral1/memory/3428-85-0x0000000000760000-0x00000000008CA000-memory.dmp	dcrat

Checks computer location settings 2 TTPs 11 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	NVIDIA Container.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	Ykraine.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	Стоны.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	NVIDIA Container.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	NVIDIA Container.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	NVIDIA Container.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	хомяк.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	hitler.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 11 IoCs

pid	Process
888	hitler.exe
4484	tin.exe
3588	Ykraine.exe
956	Стоны.exe
5068	NVIDIA Container.exe
1424	NVIDIA Container.exe
4244	NVIDIA Container.exe
3016	NVIDIA Container.exe
3428	NVIDIA Container.exe
744	NVIDIA Container.exe
860	SearchApp.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	tin.exe

Drops file in Program Files directory 12 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Internet Explorer\de-DE\ea9f0e6c9e2dcd	NVIDIA Container.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\SearchApp.exe	NVIDIA Container.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\38384e6a620884	NVIDIA Container.exe
File created	C:\Program Files\MsEdgeCrashpad\attachments\38384e6a620884	NVIDIA Container.exe
File created	C:\Program Files (x86)\Google\Temp\NVIDIA Container.exe	NVIDIA Container.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\9e8d7a4ca61bd9	NVIDIA Container.exe
File created	C:\Program Files (x86)\Internet Explorer\de-DE\taskhostw.exe	NVIDIA Container.exe
File created	C:\Program Files\Common Files\microsoft shared\cmd.exe	NVIDIA Container.exe
File created	C:\Program Files\Common Files\microsoft shared\ebf1f9fa8afd6d	NVIDIA Container.exe
File created	C:\Program Files\MsEdgeCrashpad\attachments\SearchApp.exe	NVIDIA Container.exe
File created	C:\Program Files (x86)\Google\Temp\35158c38368e73	NVIDIA Container.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\RuntimeBroker.exe	NVIDIA Container.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Containers\unsecapp.exe	NVIDIA Container.exe
File created	C:\Windows\Containers\29c1c3cc0f7685	NVIDIA Container.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings	taskmgr.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings	NVIDIA Container.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings	NVIDIA Container.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings	NVIDIA Container.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 48 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3840	schtasks.exe
3780	schtasks.exe
372	schtasks.exe
1668	schtasks.exe
2864	schtasks.exe
4460	schtasks.exe
2548	schtasks.exe
3588	schtasks.exe
3124	schtasks.exe
2364	schtasks.exe
5116	schtasks.exe
536	schtasks.exe
4884	schtasks.exe
2184	schtasks.exe
3608	schtasks.exe
4228	schtasks.exe
3536	schtasks.exe
2780	schtasks.exe
4432	schtasks.exe
1744	schtasks.exe
2548	schtasks.exe
2472	schtasks.exe
4412	schtasks.exe
2332	schtasks.exe
3008	schtasks.exe
4960	schtasks.exe
4636	schtasks.exe
1232	schtasks.exe
4680	schtasks.exe
748	schtasks.exe
4236	schtasks.exe
3992	schtasks.exe
3320	schtasks.exe
1400	schtasks.exe
1232	schtasks.exe
4380	schtasks.exe
1100	schtasks.exe
4292	schtasks.exe
624	schtasks.exe
2248	schtasks.exe
3680	schtasks.exe
5084	schtasks.exe
4224	schtasks.exe
4544	schtasks.exe
4976	schtasks.exe
1704	schtasks.exe
3024	schtasks.exe
4544	schtasks.exe

Suspicious behavior: EnumeratesProcesses 33 IoCs

pid	Process
3016	NVIDIA Container.exe
3016	NVIDIA Container.exe
3016	NVIDIA Container.exe
3016	NVIDIA Container.exe
3016	NVIDIA Container.exe
3016	NVIDIA Container.exe
3016	NVIDIA Container.exe
3016	NVIDIA Container.exe
3016	NVIDIA Container.exe
3016	NVIDIA Container.exe
3016	NVIDIA Container.exe
3016	NVIDIA Container.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeDebugPrivilege	3016	NVIDIA Container.exe
Token: SeDebugPrivilege	3428	NVIDIA Container.exe
Token: SeDebugPrivilege	744	NVIDIA Container.exe
Token: SeDebugPrivilege	860	SearchApp.exe
Token: 33	4800	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4800	AUDIODG.EXE
Token: SeDebugPrivilege	3616	taskmgr.exe
Token: SeSystemProfilePrivilege	3616	taskmgr.exe
Token: SeCreateGlobalPrivilege	3616	taskmgr.exe
Token: 33	3616	taskmgr.exe
Token: SeIncBasePriorityPrivilege	3616	taskmgr.exe

Suspicious use of FindShellTrayWindow 48 IoCs

pid	Process
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe

Suspicious use of SendNotifyMessage 47 IoCs

pid	Process
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 2152 wrote to memory of 888	2152	хомяк.exe	89
PID 2152 wrote to memory of 888	2152	хомяк.exe	89
PID 2152 wrote to memory of 4484	2152	хомяк.exe	90
PID 2152 wrote to memory of 4484	2152	хомяк.exe	90
PID 2152 wrote to memory of 4484	2152	хомяк.exe	90
PID 2152 wrote to memory of 3588	2152	хомяк.exe	119
PID 2152 wrote to memory of 3588	2152	хомяк.exe	119
PID 2152 wrote to memory of 956	2152	хомяк.exe	92
PID 2152 wrote to memory of 956	2152	хомяк.exe	92
PID 3588 wrote to memory of 5068	3588	Ykraine.exe	93
PID 3588 wrote to memory of 5068	3588	Ykraine.exe	93
PID 3588 wrote to memory of 5068	3588	Ykraine.exe	93
PID 956 wrote to memory of 1424	956	Стоны.exe	94
PID 956 wrote to memory of 1424	956	Стоны.exe	94
PID 956 wrote to memory of 1424	956	Стоны.exe	94
PID 1424 wrote to memory of 3000	1424	NVIDIA Container.exe	97
PID 1424 wrote to memory of 3000	1424	NVIDIA Container.exe	97
PID 1424 wrote to memory of 3000	1424	NVIDIA Container.exe	97
PID 5068 wrote to memory of 4976	5068	NVIDIA Container.exe	139
PID 5068 wrote to memory of 4976	5068	NVIDIA Container.exe	139
PID 5068 wrote to memory of 4976	5068	NVIDIA Container.exe	139
PID 888 wrote to memory of 4244	888	hitler.exe	99
PID 888 wrote to memory of 4244	888	hitler.exe	99
PID 888 wrote to memory of 4244	888	hitler.exe	99
PID 4244 wrote to memory of 3876	4244	NVIDIA Container.exe	100
PID 4244 wrote to memory of 3876	4244	NVIDIA Container.exe	100
PID 4244 wrote to memory of 3876	4244	NVIDIA Container.exe	100
PID 4976 wrote to memory of 3188	4976	WScript.exe	101
PID 4976 wrote to memory of 3188	4976	WScript.exe	101
PID 4976 wrote to memory of 3188	4976	WScript.exe	101
PID 3000 wrote to memory of 3388	3000	WScript.exe	103
PID 3000 wrote to memory of 3388	3000	WScript.exe	103
PID 3000 wrote to memory of 3388	3000	WScript.exe	103
PID 3188 wrote to memory of 3016	3188	cmd.exe	105
PID 3188 wrote to memory of 3016	3188	cmd.exe	105
PID 3388 wrote to memory of 3428	3388	cmd.exe	106
PID 3388 wrote to memory of 3428	3388	cmd.exe	106
PID 3876 wrote to memory of 3480	3876	WScript.exe	113
PID 3876 wrote to memory of 3480	3876	WScript.exe	113
PID 3876 wrote to memory of 3480	3876	WScript.exe	113
PID 3480 wrote to memory of 744	3480	cmd.exe	118
PID 3480 wrote to memory of 744	3480	cmd.exe	118
PID 3016 wrote to memory of 860	3016	NVIDIA Container.exe	158
PID 3016 wrote to memory of 860	3016	NVIDIA Container.exe	158

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\хомяк.exe
"C:\Users\Admin\AppData\Local\Temp\хомяк.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2152
- C:\Users\Admin\AppData\Local\Temp\hitler.exe
  "C:\Users\Admin\AppData\Local\Temp\hitler.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:888
- - C:\Users\Admin\AppData\Local\Temp\NVIDIA Container.exe
    "C:\Users\Admin\AppData\Local\Temp\NVIDIA Container.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4244
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\NVIDIA\DisplayDriver\535.21\zajaYJ4rqwpmDK2a6yrvwdV.vbe"
      4⤵
      Checks computer location settings
      Suspicious use of WriteProcessMemory
      PID:3876
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\NVIDIA\DisplayDriver\535.21\mxJne99RtKqQDunPUGdos.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3480
      - C:\NVIDIA\DisplayDriver\535.21\NVIDIA Container.exe
        
        "C:\NVIDIA\DisplayDriver\535.21\NVIDIA Container.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:744
- C:\Users\Admin\AppData\Local\Temp\tin.exe
  "C:\Users\Admin\AppData\Local\Temp\tin.exe"
  2⤵
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  PID:4484
- C:\Users\Admin\AppData\Local\Temp\Ykraine.exe
  "C:\Users\Admin\AppData\Local\Temp\Ykraine.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3588
- - C:\Users\Admin\AppData\Local\Temp\NVIDIA Container.exe
    "C:\Users\Admin\AppData\Local\Temp\NVIDIA Container.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:5068
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\NVIDIA\DisplayDriver\535.21\zajaYJ4rqwpmDK2a6yrvwdV.vbe"
      4⤵
      Checks computer location settings
      Suspicious use of WriteProcessMemory
      PID:4976
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\NVIDIA\DisplayDriver\535.21\mxJne99RtKqQDunPUGdos.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3188
      - C:\NVIDIA\DisplayDriver\535.21\NVIDIA Container.exe
        
        "C:\NVIDIA\DisplayDriver\535.21\NVIDIA Container.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Program Files directory
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3016
        
        C:\NVIDIA\DisplayDriver\SearchApp.exe
        
        "C:\NVIDIA\DisplayDriver\SearchApp.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:860
- C:\Users\Admin\AppData\Local\Temp\Стоны.exe
  "C:\Users\Admin\AppData\Local\Temp\Стоны.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:956
- - C:\Users\Admin\AppData\Local\Temp\NVIDIA Container.exe
    "C:\Users\Admin\AppData\Local\Temp\NVIDIA Container.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1424
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\NVIDIA\DisplayDriver\535.21\zajaYJ4rqwpmDK2a6yrvwdV.vbe"
      4⤵
      Checks computer location settings
      Suspicious use of WriteProcessMemory
      PID:3000
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\NVIDIA\DisplayDriver\535.21\mxJne99RtKqQDunPUGdos.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3388
      - C:\NVIDIA\DisplayDriver\535.21\NVIDIA Container.exe
        
        "C:\NVIDIA\DisplayDriver\535.21\NVIDIA Container.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 12 /tr "'C:\NVIDIA\DisplayDriver\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\NVIDIA\DisplayDriver\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 11 /tr "'C:\NVIDIA\DisplayDriver\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 13 /tr "'C:\Users\Public\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Users\Public\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 5 /tr "'C:\Users\Public\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\NVIDIA\DisplayDriver\535.21\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\NVIDIA\DisplayDriver\535.21\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\NVIDIA\DisplayDriver\535.21\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Common Files\microsoft shared\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files\Common Files\microsoft shared\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Common Files\microsoft shared\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 8 /tr "'C:\Program Files\MsEdgeCrashpad\attachments\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files\MsEdgeCrashpad\attachments\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 11 /tr "'C:\Program Files\MsEdgeCrashpad\attachments\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "NVIDIA ContainerN" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Google\Temp\NVIDIA Container.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "NVIDIA Container" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Temp\NVIDIA Container.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "NVIDIA ContainerN" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Google\Temp\NVIDIA Container.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "NVIDIA ContainerN" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\NVIDIA Container.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "NVIDIA Container" /sc ONLOGON /tr "'C:\Users\Default User\NVIDIA Container.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "NVIDIA ContainerN" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\NVIDIA Container.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Desktop\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Users\Public\Desktop\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Desktop\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 12 /tr "'C:\NVIDIA\DisplayDriver\535.21\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\NVIDIA\DisplayDriver\535.21\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 8 /tr "'C:\NVIDIA\DisplayDriver\535.21\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Start Menu\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Admin\Start Menu\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Start Menu\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\NVIDIA\DisplayDriver\535.21\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\NVIDIA\DisplayDriver\535.21\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\NVIDIA\DisplayDriver\535.21\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Internet Explorer\de-DE\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\de-DE\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Internet Explorer\de-DE\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 11 /tr "'C:\Windows\Containers\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Windows\Containers\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 10 /tr "'C:\Windows\Containers\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1232

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x244 0x2f8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4800

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3616

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\NVIDIA\DisplayDriver\535.21\NVIDIA Container.exe

Filesize
1.4MB

MD5
4a591f46c87b49a7de93f5ac771cd4ab

SHA1
e0992350818e5c56d3f2e3a6db340d1f5b8f3314

SHA256
b495e22042b08f27b690da18986ec74d5054a65d05d5cf41fdecd5751482ccbd

SHA512
b498445d1e427853690250aebff35cbd7e28e85a89ad868e3483930b16ec13198357cfcd5feb45567b1bc8f3d9f97c5ecf2d242c8a5e9d758a536d0498ba7955

Download Submit
C:\NVIDIA\DisplayDriver\535.21\mxJne99RtKqQDunPUGdos.bat

Filesize
53B

MD5
7784d810f5ff3afa8df50e360eb90e7d

SHA1
f04802a991ff6461aa1c35b7c0f68e43d5a114c6

SHA256
0385dbf94fc27705560cf0b6b04e9a37181db486ee8f7573c5ad2217d18f4ca0

SHA512
80038ae2bfd5f8ca3f4812ab5c342878f98978007125c9dca5edb915701a5383916131cdc3082c054c49c508cd210aff70319ac0fc498cbdd6cee776df672cac

Download Submit
C:\NVIDIA\DisplayDriver\535.21\zajaYJ4rqwpmDK2a6yrvwdV.vbe

Filesize
225B

MD5
d7df2670ad0c6c7b9cc48122f20f086c

SHA1
e69bf8c214d8c4b768125ca03e402e1c871cc233

SHA256
d3bf5c54de984dd2d1d779494deb8a995cc062eb5f25c465d0de78d99b8cc52b

SHA512
05ed88410790bf74dc7ab880f893e555c4859c133e79a89f28b5e1a68c36f4a4f28d3b7b6532953c04b6d23a21faf53e60107efde9e6acb492a9235d48943f03

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\NVIDIA Container.exe.log

Filesize
1KB

MD5
7800fca2323a4130444c572374a030f4

SHA1
40c9b8e0e5e7d72a5293f4010f2ccf21e637b4aa

SHA256
29f5645ac14353ac460858f52c856548f3aeb144b09eef672a6b4849bafe742e

SHA512
c8a7ad930b8c07007c7a67d8c32a2a4a401dcc34ab966e0e80901655fcbe1f5c95b72a195e6381b1de56c2c987eeab093d8e89891bec9e9684785c5d824b3554

Download Submit
C:\Users\Admin\AppData\Local\Temp\NVIDIA Container.exe

Filesize
1.8MB

MD5
531bf67134a7c1fb4096113ca58cc648

SHA1
99e0fc1fb7a07c0685e426b327921d3e6c34498c

SHA256
67942630366d114efa35f3f4a79741a4a4eb2c3b0c8ffaac07af527f84d4489a

SHA512
8facae8335a4f33f54e48c64814946eb8b480800b4453612fffcef64117946a35d493f433d4e27186ee864603da756319f816e70c3bfc08b8bb1861fc7030ff4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ykraine.exe

Filesize
1.4MB

MD5
da5341ed73474db53c94c38f66e210ae

SHA1
49d8d239ac77cde765c8f516be1e52c3d2d37a2e

SHA256
bae4b959e9f74d9d085067b57a805654c86cc45f8c7cd32b9711874504ae59dd

SHA512
c2c5cf298aa6476b043e9afcd2ca4a2e685b8a96187d69b834f9f3761aa1d525a4b032d19ea03d349ef32a3ba699c3126bc359cb7f117395f5303ebebf310572

Download Submit
C:\Users\Admin\AppData\Local\Temp\hitler.exe

Filesize
10.4MB

MD5
3a1733f19b9ca74fe793df23700c3519

SHA1
31cf4474f0ac00d45c19b7e31e7dc9fde3054091

SHA256
1b2a026beda12eff88e2397931018031e4358de05aa449e3441434e6cf5dad6c

SHA512
0cd23dce1880c0b11d19f7d58102020baba7033e828aee233f8ed6b7d11c622d1dcec38c4a3e6c4691e07f7a1609fe550a30517e662236e164e550e87bea777b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tin.exe

Filesize
439KB

MD5
b3edc0708fb191e2d3016c68585ed31e

SHA1
ab1ce0cb2a819b82206dc1e922e97b284b585d17

SHA256
c9fffa589040d8a6d22285255604948ff3bb3efa7077c776b6b09272bc293b7d

SHA512
77b67f4cf6344f56e20172357831497c6ae4ff57c5a852762437419a7e5819805e10098dc87f90e937cf7603b72a94e6cf66681e1602974355fae8644b2a42dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Стоны.exe

Filesize
1.5MB

MD5
90132dd5e5a65801d56cb0b20c92d724

SHA1
bec1e6ef261f88b0aca2cb0aca2ea1eaf5f9aae7

SHA256
8e9e6d72b2a39b62c7341bdc0f529a070f25b2c33bfefe5b6cc6e5d3c86590e9

SHA512
e8c0bb9a9390558a117bdf5518a136a41b84417b01b835d092202b3e2d644bf997bd344e2a3f2a971aae5b5bcdeb85865250be5fcf86e840d854cbc7791e5f33

Download Submit
C:\Windows\System32\i-ayhx.exe

Filesize
7.2MB

MD5
f6d8913637f1d5d2dc846de70ce02dc5

SHA1
5fc9c6ab334db1f875fbc59a03f5506c478c6c3e

SHA256
4e72ca1baee2c7c0f50a42614d101159a9c653a8d6f7498f7bf9d7026c24c187

SHA512
21217a0a0eca58fc6058101aa69cf30d5dbe419c21fa7a160f44d8ebbcf5f4011203542c8f400a9bb8ee3826706417f2939c402f605817df597b7ff812b43036

Download Submit
memory/888-33-0x0000000000210000-0x0000000000C70000-memory.dmp

Filesize
10.4MB

Download
memory/888-19-0x00007FFCAB900000-0x00007FFCAC3C1000-memory.dmp

Filesize
10.8MB

Download
memory/888-79-0x00007FFCAB900000-0x00007FFCAC3C1000-memory.dmp

Filesize
10.8MB

Download
memory/956-49-0x0000000000BE0000-0x0000000000D68000-memory.dmp

Filesize
1.5MB

Download
memory/2152-50-0x00007FFCAB900000-0x00007FFCAC3C1000-memory.dmp

Filesize
10.8MB

Download
memory/2152-0-0x00007FFCAB903000-0x00007FFCAB905000-memory.dmp

Filesize
8KB

Download
memory/2152-3-0x00007FFCAB900000-0x00007FFCAC3C1000-memory.dmp

Filesize
10.8MB

Download
memory/2152-1-0x00000000005D0000-0x000000000135A000-memory.dmp

Filesize
13.5MB

Download
memory/3016-86-0x000000001B8B0000-0x000000001B8CC000-memory.dmp

Filesize
112KB

Download
memory/3016-89-0x0000000002F20000-0x0000000002F30000-memory.dmp

Filesize
64KB

Download
memory/3016-88-0x000000001B8D0000-0x000000001B8E6000-memory.dmp

Filesize
88KB

Download
memory/3016-87-0x000000001B920000-0x000000001B970000-memory.dmp

Filesize
320KB

Download
memory/3016-92-0x000000001B910000-0x000000001B91C000-memory.dmp

Filesize
48KB

Download
memory/3016-91-0x000000001B900000-0x000000001B90E000-memory.dmp

Filesize
56KB

Download
memory/3016-90-0x000000001B8F0000-0x000000001B8FE000-memory.dmp

Filesize
56KB

Download
memory/3428-85-0x0000000000760000-0x00000000008CA000-memory.dmp

Filesize
1.4MB

Download
memory/3588-45-0x0000000000F80000-0x00000000010F8000-memory.dmp

Filesize
1.5MB

Download
memory/3616-140-0x00000273CB370000-0x00000273CB371000-memory.dmp

Filesize
4KB

Download
memory/3616-142-0x00000273CB370000-0x00000273CB371000-memory.dmp

Filesize
4KB

Download
memory/3616-141-0x00000273CB370000-0x00000273CB371000-memory.dmp

Filesize
4KB

Download
memory/3616-152-0x00000273CB370000-0x00000273CB371000-memory.dmp

Filesize
4KB

Download
memory/3616-151-0x00000273CB370000-0x00000273CB371000-memory.dmp

Filesize
4KB

Download
memory/3616-150-0x00000273CB370000-0x00000273CB371000-memory.dmp

Filesize
4KB

Download
memory/3616-149-0x00000273CB370000-0x00000273CB371000-memory.dmp

Filesize
4KB

Download
memory/3616-148-0x00000273CB370000-0x00000273CB371000-memory.dmp

Filesize
4KB

Download
memory/3616-147-0x00000273CB370000-0x00000273CB371000-memory.dmp

Filesize
4KB

Download
memory/3616-146-0x00000273CB370000-0x00000273CB371000-memory.dmp

Filesize
4KB

Download
memory/4484-139-0x0000000000BA0000-0x0000000000C3D000-memory.dmp

Filesize
628KB

Download
memory/4484-31-0x0000000000BA0000-0x0000000000C3D000-memory.dmp

Filesize
628KB

Download