dcrat | 12b1d0212363628cb57d2379017b94d6bf91029b37b2dcee592a564952855694

Analysis

max time kernel
133s
max time network
121s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
01-07-2024 01:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

12b1d0212363628cb57d2379017b94d6bf91029b37b2dcee592a564952855694.exe
Size

13.5MB
MD5

a26a308a71c3fd57cd4fad9dc8d55fb1
SHA1

3722d8d2b321f72b2e207a8e1f7e408d35c7d607
SHA256

12b1d0212363628cb57d2379017b94d6bf91029b37b2dcee592a564952855694
SHA512

306868bb537ffae0a7cd4de76b0f52079b2aa5f744f50abe3a866f4bb2f17a829cb91537a30c76240798248a0e9da6d5f92591ed1e7101337e2aa0f78e764e55
SSDEEP

393216:n5BbqQ/ThnhIxo1S/Js7D+xZlwRjMAke5F:5P4xy0ADFRYAj

Score

10^/10

dcrat bootkit infostealer persistence rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 64 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1732	1196	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1776	1196	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1796	1196	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1476	1196	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3008	1196	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	108	1196	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1200	1196	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1848	1196	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1712	1196	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1628	1196	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	972	1196	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	288	1196	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1696	1196	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2332	1196	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2104	1196	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2852	1196	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2804	1196	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2348	1196	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	620	1196	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1236	1196	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	900	1196	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1264	1196	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1552	1196	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1540	1196	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2980	1196	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2612	1196	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2488	1196	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2680	1196	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2564	1196	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2628	1196	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2716	1196	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2500	1196	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2544	1196	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2600	1196	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2648	1196	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2844	1196	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2372	1196	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2664	1196	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2512	1196	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2768	1196	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	868	1196	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1556	1196	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1624	1196	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1560	1196	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1620	1196	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2320	1196	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2172	1196	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1568	1196	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2548	1196	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2160	1196	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	700	1196	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	388	1196	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1136	1196	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1936	1196	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	988	1196	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1484	1196	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	616	1196	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1732	1196	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	560	1196	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2944	1196	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1712	1196	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1644	1196	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2384	1196	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1740	1196	schtasks.exe

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\NVIDIA Container.exe	dcrat
C:\NVIDIA\DisplayDriver\535.21\NVIDIA Container.exe	dcrat
behavioral1/memory/1280-60-0x0000000000EC0000-0x000000000102A000-memory.dmp	dcrat
behavioral1/memory/2880-121-0x00000000013D0000-0x000000000153A000-memory.dmp	dcrat

Executes dropped EXE 12 IoCs

Processes:

hitler.exetin.exeYkraine.exeСтоны.exeNVIDIA Container.exeNVIDIA Container.exeNVIDIA Container.exeNVIDIA Container.exeNVIDIA Container.exeNVIDIA Container.exeNVIDIA Container.exewininit.exe

pid	process
884	hitler.exe
2572	tin.exe
2988	Ykraine.exe
2712	Стоны.exe
2516	NVIDIA Container.exe
2756	NVIDIA Container.exe
1652	NVIDIA Container.exe
1280	NVIDIA Container.exe
1380	NVIDIA Container.exe
2324	NVIDIA Container.exe
2432	NVIDIA Container.exe
2880	wininit.exe

Loads dropped DLL 5 IoCs

Processes:

cmd.execmd.execmd.exe

pid process

1528 cmd.exe
776 cmd.exe
1528 cmd.exe
776 cmd.exe
1376 cmd.exe
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

tin.exe

description ioc process

File opened for modification \??\PhysicalDrive0 tin.exe

pid	process
1528	cmd.exe
776	cmd.exe
1528	cmd.exe
776	cmd.exe
1376	cmd.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	tin.exe

Drops file in Program Files directory 19 IoCs

Processes:

NVIDIA Container.exeNVIDIA Container.exe

description	ioc	process
File created	C:\Program Files\Windows Mail\es-ES\smss.exe	NVIDIA Container.exe
File opened for modification	C:\Program Files\Windows Mail\es-ES\smss.exe	NVIDIA Container.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\3f066457d7e5fd	NVIDIA Container.exe
File created	C:\Program Files\Java\jre7\bin\conhost.exe	NVIDIA Container.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\cmd.exe	NVIDIA Container.exe
File created	C:\Program Files (x86)\Windows Mail\fr-FR\886983d96e3d3e	NVIDIA Container.exe
File created	C:\Program Files\Windows Sidebar\de-DE\3f066457d7e5fd	NVIDIA Container.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\tin.exe	NVIDIA Container.exe
File created	C:\Program Files\Windows Portable Devices\NVIDIA Container.exe	NVIDIA Container.exe
File created	C:\Program Files\Windows Portable Devices\35158c38368e73	NVIDIA Container.exe
File created	C:\Program Files (x86)\Uninstall Information\56085415360792	NVIDIA Container.exe
File created	C:\Program Files (x86)\Windows Mail\fr-FR\csrss.exe	NVIDIA Container.exe
File created	C:\Program Files\Windows Mail\es-ES\69ddcba757bf72	NVIDIA Container.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\56085415360792	NVIDIA Container.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\ebf1f9fa8afd6d	NVIDIA Container.exe
File created	C:\Program Files\Windows Sidebar\de-DE\tin.exe	NVIDIA Container.exe
File created	C:\Program Files\Java\jre7\bin\088424020bedd6	NVIDIA Container.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\wininit.exe	NVIDIA Container.exe
File created	C:\Program Files (x86)\Uninstall Information\wininit.exe	NVIDIA Container.exe

Drops file in Windows directory 7 IoCs

Processes:

NVIDIA Container.exeNVIDIA Container.exe

description	ioc	process
File opened for modification	C:\Windows\DigitalLocker\en-US\audiodg.exe	NVIDIA Container.exe
File created	C:\Windows\DigitalLocker\en-US\audiodg.exe	NVIDIA Container.exe
File created	C:\Windows\DigitalLocker\en-US\42af1c969fbb7b	NVIDIA Container.exe
File created	C:\Windows\rescache\rc0004\System.exe	NVIDIA Container.exe
File created	C:\Windows\BitLockerDiscoveryVolumeContents\NVIDIA Container.exe	NVIDIA Container.exe
File created	C:\Windows\BitLockerDiscoveryVolumeContents\35158c38368e73	NVIDIA Container.exe
File created	C:\Windows\DigitalLocker\en-US\audiodg.exe	NVIDIA Container.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

pid	process
2680	schtasks.exe
1136	schtasks.exe
1476	schtasks.exe
1848	schtasks.exe
2612	schtasks.exe
2716	schtasks.exe
1740	schtasks.exe
616	schtasks.exe
2384	schtasks.exe
2628	schtasks.exe
1560	schtasks.exe
2548	schtasks.exe
108	schtasks.exe
1200	schtasks.exe
972	schtasks.exe
1236	schtasks.exe
2564	schtasks.exe
1484	schtasks.exe
288	schtasks.exe
2372	schtasks.exe
2768	schtasks.exe
1556	schtasks.exe
1796	schtasks.exe
2332	schtasks.exe
388	schtasks.exe
1936	schtasks.exe
988	schtasks.exe
2160	schtasks.exe
2852	schtasks.exe
2804	schtasks.exe
620	schtasks.exe
900	schtasks.exe
1620	schtasks.exe
1732	schtasks.exe
560	schtasks.exe
712	schtasks.exe
2136	schtasks.exe
1732	schtasks.exe
1696	schtasks.exe
1552	schtasks.exe
868	schtasks.exe
700	schtasks.exe
2944	schtasks.exe
1712	schtasks.exe
1540	schtasks.exe
2844	schtasks.exe
2512	schtasks.exe
1624	schtasks.exe
2172	schtasks.exe
2348	schtasks.exe
2320	schtasks.exe
2488	schtasks.exe
2544	schtasks.exe
2600	schtasks.exe
1644	schtasks.exe
2664	schtasks.exe
1776	schtasks.exe
3008	schtasks.exe
1628	schtasks.exe
2104	schtasks.exe
2500	schtasks.exe
1712	schtasks.exe
1568	schtasks.exe
1264	schtasks.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

NVIDIA Container.exeNVIDIA Container.exe

pid	process
1280	NVIDIA Container.exe
1380	NVIDIA Container.exe
1280	NVIDIA Container.exe
1280	NVIDIA Container.exe
1380	NVIDIA Container.exe
1380	NVIDIA Container.exe
1280	NVIDIA Container.exe
1280	NVIDIA Container.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

NVIDIA Container.exeNVIDIA Container.exeNVIDIA Container.exeNVIDIA Container.exewininit.exe

description	pid	process
Token: SeDebugPrivilege	1280	NVIDIA Container.exe
Token: SeDebugPrivilege	1380	NVIDIA Container.exe
Token: SeDebugPrivilege	2324	NVIDIA Container.exe
Token: SeDebugPrivilege	2432	NVIDIA Container.exe
Token: SeDebugPrivilege	2880	wininit.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

12b1d0212363628cb57d2379017b94d6bf91029b37b2dcee592a564952855694.exeYkraine.exeСтоны.exeNVIDIA Container.exeNVIDIA Container.exehitler.exeNVIDIA Container.exeWScript.exeWScript.execmd.execmd.exeWScript.execmd.exeNVIDIA Container.exe

description	pid	process	target process
PID 2564 wrote to memory of 884	2564	12b1d0212363628cb57d2379017b94d6bf91029b37b2dcee592a564952855694.exe	hitler.exe
PID 2564 wrote to memory of 884	2564	12b1d0212363628cb57d2379017b94d6bf91029b37b2dcee592a564952855694.exe	hitler.exe
PID 2564 wrote to memory of 884	2564	12b1d0212363628cb57d2379017b94d6bf91029b37b2dcee592a564952855694.exe	hitler.exe
PID 2564 wrote to memory of 2572	2564	12b1d0212363628cb57d2379017b94d6bf91029b37b2dcee592a564952855694.exe	tin.exe
PID 2564 wrote to memory of 2572	2564	12b1d0212363628cb57d2379017b94d6bf91029b37b2dcee592a564952855694.exe	tin.exe
PID 2564 wrote to memory of 2572	2564	12b1d0212363628cb57d2379017b94d6bf91029b37b2dcee592a564952855694.exe	tin.exe
PID 2564 wrote to memory of 2572	2564	12b1d0212363628cb57d2379017b94d6bf91029b37b2dcee592a564952855694.exe	tin.exe
PID 2564 wrote to memory of 2988	2564	12b1d0212363628cb57d2379017b94d6bf91029b37b2dcee592a564952855694.exe	Ykraine.exe
PID 2564 wrote to memory of 2988	2564	12b1d0212363628cb57d2379017b94d6bf91029b37b2dcee592a564952855694.exe	Ykraine.exe
PID 2564 wrote to memory of 2988	2564	12b1d0212363628cb57d2379017b94d6bf91029b37b2dcee592a564952855694.exe	Ykraine.exe
PID 2564 wrote to memory of 2712	2564	12b1d0212363628cb57d2379017b94d6bf91029b37b2dcee592a564952855694.exe	Стоны.exe
PID 2564 wrote to memory of 2712	2564	12b1d0212363628cb57d2379017b94d6bf91029b37b2dcee592a564952855694.exe	Стоны.exe
PID 2564 wrote to memory of 2712	2564	12b1d0212363628cb57d2379017b94d6bf91029b37b2dcee592a564952855694.exe	Стоны.exe
PID 2988 wrote to memory of 2516	2988	Ykraine.exe	NVIDIA Container.exe
PID 2988 wrote to memory of 2516	2988	Ykraine.exe	NVIDIA Container.exe
PID 2988 wrote to memory of 2516	2988	Ykraine.exe	NVIDIA Container.exe
PID 2988 wrote to memory of 2516	2988	Ykraine.exe	NVIDIA Container.exe
PID 2712 wrote to memory of 2756	2712	Стоны.exe	NVIDIA Container.exe
PID 2712 wrote to memory of 2756	2712	Стоны.exe	NVIDIA Container.exe
PID 2712 wrote to memory of 2756	2712	Стоны.exe	NVIDIA Container.exe
PID 2712 wrote to memory of 2756	2712	Стоны.exe	NVIDIA Container.exe
PID 2516 wrote to memory of 2900	2516	NVIDIA Container.exe	WScript.exe
PID 2516 wrote to memory of 2900	2516	NVIDIA Container.exe	WScript.exe
PID 2516 wrote to memory of 2900	2516	NVIDIA Container.exe	WScript.exe
PID 2516 wrote to memory of 2900	2516	NVIDIA Container.exe	WScript.exe
PID 2756 wrote to memory of 2972	2756	NVIDIA Container.exe	WScript.exe
PID 2756 wrote to memory of 2972	2756	NVIDIA Container.exe	WScript.exe
PID 2756 wrote to memory of 2972	2756	NVIDIA Container.exe	WScript.exe
PID 2756 wrote to memory of 2972	2756	NVIDIA Container.exe	WScript.exe
PID 884 wrote to memory of 1652	884	hitler.exe	NVIDIA Container.exe
PID 884 wrote to memory of 1652	884	hitler.exe	NVIDIA Container.exe
PID 884 wrote to memory of 1652	884	hitler.exe	NVIDIA Container.exe
PID 884 wrote to memory of 1652	884	hitler.exe	NVIDIA Container.exe
PID 1652 wrote to memory of 2160	1652	NVIDIA Container.exe	schtasks.exe
PID 1652 wrote to memory of 2160	1652	NVIDIA Container.exe	schtasks.exe
PID 1652 wrote to memory of 2160	1652	NVIDIA Container.exe	schtasks.exe
PID 1652 wrote to memory of 2160	1652	NVIDIA Container.exe	schtasks.exe
PID 2972 wrote to memory of 776	2972	WScript.exe	cmd.exe
PID 2972 wrote to memory of 776	2972	WScript.exe	cmd.exe
PID 2972 wrote to memory of 776	2972	WScript.exe	cmd.exe
PID 2972 wrote to memory of 776	2972	WScript.exe	cmd.exe
PID 2900 wrote to memory of 1528	2900	WScript.exe	cmd.exe
PID 2900 wrote to memory of 1528	2900	WScript.exe	cmd.exe
PID 2900 wrote to memory of 1528	2900	WScript.exe	cmd.exe
PID 2900 wrote to memory of 1528	2900	WScript.exe	cmd.exe
PID 776 wrote to memory of 1380	776	cmd.exe	NVIDIA Container.exe
PID 776 wrote to memory of 1380	776	cmd.exe	NVIDIA Container.exe
PID 776 wrote to memory of 1380	776	cmd.exe	NVIDIA Container.exe
PID 776 wrote to memory of 1380	776	cmd.exe	NVIDIA Container.exe
PID 1528 wrote to memory of 1280	1528	cmd.exe	NVIDIA Container.exe
PID 1528 wrote to memory of 1280	1528	cmd.exe	NVIDIA Container.exe
PID 1528 wrote to memory of 1280	1528	cmd.exe	NVIDIA Container.exe
PID 1528 wrote to memory of 1280	1528	cmd.exe	NVIDIA Container.exe
PID 2160 wrote to memory of 1376	2160	WScript.exe	cmd.exe
PID 2160 wrote to memory of 1376	2160	WScript.exe	cmd.exe
PID 2160 wrote to memory of 1376	2160	WScript.exe	cmd.exe
PID 2160 wrote to memory of 1376	2160	WScript.exe	cmd.exe
PID 1376 wrote to memory of 2324	1376	cmd.exe	NVIDIA Container.exe
PID 1376 wrote to memory of 2324	1376	cmd.exe	NVIDIA Container.exe
PID 1376 wrote to memory of 2324	1376	cmd.exe	NVIDIA Container.exe
PID 1376 wrote to memory of 2324	1376	cmd.exe	NVIDIA Container.exe
PID 1380 wrote to memory of 2432	1380	NVIDIA Container.exe	NVIDIA Container.exe
PID 1380 wrote to memory of 2432	1380	NVIDIA Container.exe	NVIDIA Container.exe
PID 1380 wrote to memory of 2432	1380	NVIDIA Container.exe	NVIDIA Container.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\12b1d0212363628cb57d2379017b94d6bf91029b37b2dcee592a564952855694.exe
"C:\Users\Admin\AppData\Local\Temp\12b1d0212363628cb57d2379017b94d6bf91029b37b2dcee592a564952855694.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2564

C:\Users\Admin\AppData\Local\Temp\hitler.exe
"C:\Users\Admin\AppData\Local\Temp\hitler.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:884

C:\Users\Admin\AppData\Local\Temp\NVIDIA Container.exe
"C:\Users\Admin\AppData\Local\Temp\NVIDIA Container.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1652

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\NVIDIA\DisplayDriver\535.21\zajaYJ4rqwpmDK2a6yrvwdV.vbe"
4⤵
- Suspicious use of WriteProcessMemory
PID:2160

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\NVIDIA\DisplayDriver\535.21\mxJne99RtKqQDunPUGdos.bat" "
5⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1376

C:\NVIDIA\DisplayDriver\535.21\NVIDIA Container.exe
"C:\NVIDIA\DisplayDriver\535.21\NVIDIA Container.exe"
6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2324

C:\Users\Admin\AppData\Local\Temp\tin.exe
"C:\Users\Admin\AppData\Local\Temp\tin.exe"
2⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
PID:2572

C:\Users\Admin\AppData\Local\Temp\Ykraine.exe
"C:\Users\Admin\AppData\Local\Temp\Ykraine.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2988

C:\Users\Admin\AppData\Local\Temp\NVIDIA Container.exe
"C:\Users\Admin\AppData\Local\Temp\NVIDIA Container.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2516

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\NVIDIA\DisplayDriver\535.21\zajaYJ4rqwpmDK2a6yrvwdV.vbe"
4⤵
- Suspicious use of WriteProcessMemory
PID:2900

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\NVIDIA\DisplayDriver\535.21\mxJne99RtKqQDunPUGdos.bat" "
5⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1528

C:\NVIDIA\DisplayDriver\535.21\NVIDIA Container.exe
"C:\NVIDIA\DisplayDriver\535.21\NVIDIA Container.exe"
6⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1280

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UyLYgP0VAm.bat"
7⤵
PID:2728

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
8⤵
PID:2988

C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\wininit.exe
"C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\wininit.exe"
8⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2880

C:\Users\Admin\AppData\Local\Temp\Стоны.exe
"C:\Users\Admin\AppData\Local\Temp\Стоны.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2712

C:\Users\Admin\AppData\Local\Temp\NVIDIA Container.exe
"C:\Users\Admin\AppData\Local\Temp\NVIDIA Container.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2756

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\NVIDIA\DisplayDriver\535.21\zajaYJ4rqwpmDK2a6yrvwdV.vbe"
4⤵
- Suspicious use of WriteProcessMemory
PID:2972

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\NVIDIA\DisplayDriver\535.21\mxJne99RtKqQDunPUGdos.bat" "
5⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:776

C:\NVIDIA\DisplayDriver\535.21\NVIDIA Container.exe
"C:\NVIDIA\DisplayDriver\535.21\NVIDIA Container.exe"
6⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1380

C:\NVIDIA\DisplayDriver\535.21\NVIDIA Container.exe
"C:\NVIDIA\DisplayDriver\535.21\NVIDIA Container.exe"
7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Windows\DigitalLocker\en-US\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Mail\es-ES\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\es-ES\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Windows\DigitalLocker\en-US\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Windows\DigitalLocker\en-US\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Mail\es-ES\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "tint" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Sidebar\de-DE\tin.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "tin" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\de-DE\tin.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\NVIDIA\DisplayDriver\535.21\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "tint" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Sidebar\de-DE\tin.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\NVIDIA\DisplayDriver\535.21\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\NVIDIA\DisplayDriver\535.21\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "NVIDIA ContainerN" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Desktop\NVIDIA Container.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "NVIDIA Container" /sc ONLOGON /tr "'C:\Users\All Users\Desktop\NVIDIA Container.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "NVIDIA ContainerN" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Desktop\NVIDIA Container.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Recovery\1fdecb22-2889-11ef-9d63-46d84c032646\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\NVIDIA\DisplayDriver\535.21\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\1fdecb22-2889-11ef-9d63-46d84c032646\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\NVIDIA\DisplayDriver\535.21\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\NVIDIA\DisplayDriver\535.21\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Recovery\1fdecb22-2889-11ef-9d63-46d84c032646\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "NVIDIA ContainerN" /sc MINUTE /mo 7 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\NVIDIA Container.exe'" /f
1⤵
- Process spawned unexpected child process
PID:2980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Downloads\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "NVIDIA Container" /sc ONLOGON /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\NVIDIA Container.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Public\Downloads\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "NVIDIA ContainerN" /sc MINUTE /mo 14 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\NVIDIA Container.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Downloads\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Music\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "tint" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\tin.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Admin\Music\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "tin" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Analysis Services\tin.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Music\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "tint" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\tin.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "tint" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\tin.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "tin" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\tin.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Program Files\Java\jre7\bin\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Java\jre7\bin\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "tint" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\tin.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Java\jre7\bin\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Office\Office14\1033\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\1033\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "NVIDIA ContainerN" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Portable Devices\NVIDIA Container.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Microsoft Office\Office14\1033\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "NVIDIA Container" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\NVIDIA Container.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Recovery\1fdecb22-2889-11ef-9d63-46d84c032646\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "NVIDIA ContainerN" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Portable Devices\NVIDIA Container.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\NVIDIA\DisplayDriver\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\1fdecb22-2889-11ef-9d63-46d84c032646\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Recovery\1fdecb22-2889-11ef-9d63-46d84c032646\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\NVIDIA\DisplayDriver\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Uninstall Information\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\NVIDIA\DisplayDriver\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Uninstall Information\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Recovery\1fdecb22-2889-11ef-9d63-46d84c032646\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Uninstall Information\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\1fdecb22-2889-11ef-9d63-46d84c032646\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Mail\fr-FR\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Recovery\1fdecb22-2889-11ef-9d63-46d84c032646\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\fr-FR\csrss.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Mail\fr-FR\csrss.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2136

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\NVIDIA\DisplayDriver\535.21\NVIDIA Container.exe
Filesize
1.4MB

MD5
4a591f46c87b49a7de93f5ac771cd4ab

SHA1
e0992350818e5c56d3f2e3a6db340d1f5b8f3314

SHA256
b495e22042b08f27b690da18986ec74d5054a65d05d5cf41fdecd5751482ccbd

SHA512
b498445d1e427853690250aebff35cbd7e28e85a89ad868e3483930b16ec13198357cfcd5feb45567b1bc8f3d9f97c5ecf2d242c8a5e9d758a536d0498ba7955

Download Submit
C:\NVIDIA\DisplayDriver\535.21\mxJne99RtKqQDunPUGdos.bat
Filesize
53B

MD5
7784d810f5ff3afa8df50e360eb90e7d

SHA1
f04802a991ff6461aa1c35b7c0f68e43d5a114c6

SHA256
0385dbf94fc27705560cf0b6b04e9a37181db486ee8f7573c5ad2217d18f4ca0

SHA512
80038ae2bfd5f8ca3f4812ab5c342878f98978007125c9dca5edb915701a5383916131cdc3082c054c49c508cd210aff70319ac0fc498cbdd6cee776df672cac

Download Submit
C:\NVIDIA\DisplayDriver\535.21\zajaYJ4rqwpmDK2a6yrvwdV.vbe
Filesize
225B

MD5
d7df2670ad0c6c7b9cc48122f20f086c

SHA1
e69bf8c214d8c4b768125ca03e402e1c871cc233

SHA256
d3bf5c54de984dd2d1d779494deb8a995cc062eb5f25c465d0de78d99b8cc52b

SHA512
05ed88410790bf74dc7ab880f893e555c4859c133e79a89f28b5e1a68c36f4a4f28d3b7b6532953c04b6d23a21faf53e60107efde9e6acb492a9235d48943f03

Download Submit
C:\Users\Admin\AppData\Local\Temp\NVIDIA Container.exe
Filesize
1.8MB

MD5
531bf67134a7c1fb4096113ca58cc648

SHA1
99e0fc1fb7a07c0685e426b327921d3e6c34498c

SHA256
67942630366d114efa35f3f4a79741a4a4eb2c3b0c8ffaac07af527f84d4489a

SHA512
8facae8335a4f33f54e48c64814946eb8b480800b4453612fffcef64117946a35d493f433d4e27186ee864603da756319f816e70c3bfc08b8bb1861fc7030ff4

Download Submit
C:\Users\Admin\AppData\Local\Temp\UyLYgP0VAm.bat
Filesize
249B

MD5
cb30d0899efd90229e4efd8ac0b89746

SHA1
1e35b9684e39b018eca99ad97eea04caa4c8ff86

SHA256
b9c5158f1801e8f6f9a3240b9b07e4cd13c9d271e4565dd244a1d6b45788353f

SHA512
340a4d69cd401e41248e1b08996f6c08056d1426582e8ae9979ab7143ebdb164c690b49fc9ba1ffcf915ef9d168af47417eabf661bddcfbaa49b83cd1ac41eb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ykraine.exe
Filesize
1.4MB

MD5
da5341ed73474db53c94c38f66e210ae

SHA1
49d8d239ac77cde765c8f516be1e52c3d2d37a2e

SHA256
bae4b959e9f74d9d085067b57a805654c86cc45f8c7cd32b9711874504ae59dd

SHA512
c2c5cf298aa6476b043e9afcd2ca4a2e685b8a96187d69b834f9f3761aa1d525a4b032d19ea03d349ef32a3ba699c3126bc359cb7f117395f5303ebebf310572

Download Submit
C:\Users\Admin\AppData\Local\Temp\hitler.exe
Filesize
10.4MB

MD5
3a1733f19b9ca74fe793df23700c3519

SHA1
31cf4474f0ac00d45c19b7e31e7dc9fde3054091

SHA256
1b2a026beda12eff88e2397931018031e4358de05aa449e3441434e6cf5dad6c

SHA512
0cd23dce1880c0b11d19f7d58102020baba7033e828aee233f8ed6b7d11c622d1dcec38c4a3e6c4691e07f7a1609fe550a30517e662236e164e550e87bea777b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tin.exe
Filesize
439KB

MD5
b3edc0708fb191e2d3016c68585ed31e

SHA1
ab1ce0cb2a819b82206dc1e922e97b284b585d17

SHA256
c9fffa589040d8a6d22285255604948ff3bb3efa7077c776b6b09272bc293b7d

SHA512
77b67f4cf6344f56e20172357831497c6ae4ff57c5a852762437419a7e5819805e10098dc87f90e937cf7603b72a94e6cf66681e1602974355fae8644b2a42dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Стоны.exe
Filesize
1.5MB

MD5
90132dd5e5a65801d56cb0b20c92d724

SHA1
bec1e6ef261f88b0aca2cb0aca2ea1eaf5f9aae7

SHA256
8e9e6d72b2a39b62c7341bdc0f529a070f25b2c33bfefe5b6cc6e5d3c86590e9

SHA512
e8c0bb9a9390558a117bdf5518a136a41b84417b01b835d092202b3e2d644bf997bd344e2a3f2a971aae5b5bcdeb85865250be5fcf86e840d854cbc7791e5f33

Download Submit
memory/884-10-0x0000000000BE0000-0x0000000001640000-memory.dmp

Filesize
10.4MB

Download
memory/884-11-0x000007FEF5250000-0x000007FEF5C3C000-memory.dmp

Filesize
9.9MB

Download
memory/884-52-0x000007FEF5250000-0x000007FEF5C3C000-memory.dmp

Filesize
9.9MB

Download
memory/1280-63-0x00000000001A0000-0x00000000001B0000-memory.dmp

Filesize
64KB

Download
memory/1280-66-0x0000000000A40000-0x0000000000A4E000-memory.dmp

Filesize
56KB

Download
memory/1280-68-0x0000000000AE0000-0x0000000000AEC000-memory.dmp

Filesize
48KB

Download
memory/1280-67-0x0000000000A50000-0x0000000000A5E000-memory.dmp

Filesize
56KB

Download
memory/1280-62-0x0000000000180000-0x0000000000196000-memory.dmp

Filesize
88KB

Download
memory/1280-61-0x0000000000160000-0x000000000017C000-memory.dmp

Filesize
112KB

Download
memory/1280-60-0x0000000000EC0000-0x000000000102A000-memory.dmp

Filesize
1.4MB

Download
memory/2564-3-0x000007FEF5250000-0x000007FEF5C3C000-memory.dmp

Filesize
9.9MB

Download
memory/2564-0-0x000007FEF5253000-0x000007FEF5254000-memory.dmp

Filesize
4KB

Download
memory/2564-28-0x000007FEF5250000-0x000007FEF5C3C000-memory.dmp

Filesize
9.9MB

Download
memory/2564-1-0x0000000000E40000-0x0000000001BCA000-memory.dmp

Filesize
13.5MB

Download
memory/2572-16-0x00000000003B0000-0x000000000044D000-memory.dmp

Filesize
628KB

Download
memory/2572-122-0x00000000003B0000-0x000000000044D000-memory.dmp

Filesize
628KB

Download
memory/2712-27-0x00000000009B0000-0x0000000000B38000-memory.dmp

Filesize
1.5MB

Download
memory/2880-121-0x00000000013D0000-0x000000000153A000-memory.dmp

Filesize
1.4MB

Download
memory/2988-22-0x0000000000010000-0x0000000000188000-memory.dmp

Filesize
1.5MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads