dcrat | 12b1d0212363628cb57d2379017b94d6bf91029b37b2dcee592a564952855694

Analysis

max time kernel
147s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
01-07-2024 01:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

12b1d0212363628cb57d2379017b94d6bf91029b37b2dcee592a564952855694.exe
Size

13.5MB
MD5

a26a308a71c3fd57cd4fad9dc8d55fb1
SHA1

3722d8d2b321f72b2e207a8e1f7e408d35c7d607
SHA256

12b1d0212363628cb57d2379017b94d6bf91029b37b2dcee592a564952855694
SHA512

306868bb537ffae0a7cd4de76b0f52079b2aa5f744f50abe3a866f4bb2f17a829cb91537a30c76240798248a0e9da6d5f92591ed1e7101337e2aa0f78e764e55
SSDEEP

393216:n5BbqQ/ThnhIxo1S/Js7D+xZlwRjMAke5F:5P4xy0ADFRYAj

Score

10^/10

dcrat bootkit infostealer persistence rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 57 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	212	4612	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	968	4612	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3680	4612	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4480	4612	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4068	4612	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	760	4612	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1576	4612	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2164	4612	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4688	4612	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3508	4612	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2084	4612	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4408	4612	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2240	4612	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4396	4612	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1016	4612	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2296	4612	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	732	4612	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	652	4612	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3116	4612	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1540	4612	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2508	4612	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5008	4612	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4252	4612	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3512	4612	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3532	4612	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5024	4612	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3500	4612	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2276	4612	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	468	4612	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2156	4612	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	876	4612	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1568	4612	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5108	4612	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4192	4612	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4988	4612	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5060	4612	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4748	4612	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2672	4612	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3972	4612	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1348	4612	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3208	4612	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1260	4612	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3956	4612	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1200	4612	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4416	4612	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4692	4612	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1668	4612	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4188	4612	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1208	4612	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1928	4612	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1976	4612	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1420	4612	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4980	4612	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4796	4612	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3952	4612	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	900	4612	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3516	4612	schtasks.exe

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\NVIDIA Container.exe	dcrat
C:\NVIDIA\DisplayDriver\535.21\NVIDIA Container.exe	dcrat
behavioral2/memory/3356-75-0x0000000000680000-0x00000000007EA000-memory.dmp	dcrat

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Стоны.exeNVIDIA Container.exeWScript.exeNVIDIA Container.exe12b1d0212363628cb57d2379017b94d6bf91029b37b2dcee592a564952855694.exeYkraine.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Стоны.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	NVIDIA Container.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	NVIDIA Container.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	12b1d0212363628cb57d2379017b94d6bf91029b37b2dcee592a564952855694.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Ykraine.exe

Executes dropped EXE 8 IoCs

Processes:

hitler.exetin.exeYkraine.exeСтоны.exeNVIDIA Container.exeNVIDIA Container.exeNVIDIA Container.exefontdrvhost.exe

pid process

2964 hitler.exe
3644 tin.exe
2372 Ykraine.exe
552 Стоны.exe
1168 NVIDIA Container.exe
4928 NVIDIA Container.exe
3356 NVIDIA Container.exe
2144 fontdrvhost.exe
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

tin.exe

description ioc process

File opened for modification \??\PhysicalDrive0 tin.exe

pid	process
2964	hitler.exe
3644	tin.exe
2372	Ykraine.exe
552	Стоны.exe
1168	NVIDIA Container.exe
4928	NVIDIA Container.exe
3356	NVIDIA Container.exe
2144	fontdrvhost.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	tin.exe

Drops file in Program Files directory 17 IoCs

Processes:

NVIDIA Container.exe

description	ioc	process
File created	C:\Program Files\Microsoft Office 15\ClientX64\csrss.exe	NVIDIA Container.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\unsecapp.exe	NVIDIA Container.exe
File created	C:\Program Files\Internet Explorer\images\9e8d7a4ca61bd9	NVIDIA Container.exe
File created	C:\Program Files (x86)\Common Files\121e5b5079f7c0	NVIDIA Container.exe
File created	C:\Program Files\Microsoft Office 15\ClientX64\886983d96e3d3e	NVIDIA Container.exe
File created	C:\Program Files\Windows Photo Viewer\it-IT\TextInputHost.exe	NVIDIA Container.exe
File created	C:\Program Files\Windows Photo Viewer\it-IT\22eafd247d37c3	NVIDIA Container.exe
File created	C:\Program Files\Internet Explorer\images\RuntimeBroker.exe	NVIDIA Container.exe
File created	C:\Program Files\Windows Security\taskhostw.exe	NVIDIA Container.exe
File created	C:\Program Files\Windows Security\ea9f0e6c9e2dcd	NVIDIA Container.exe
File created	C:\Program Files\dotnet\swidtag\cmd.exe	NVIDIA Container.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\29c1c3cc0f7685	NVIDIA Container.exe
File created	C:\Program Files (x86)\Common Files\sysmon.exe	NVIDIA Container.exe
File created	C:\Program Files\Common Files\microsoft shared\Stationery\System.exe	NVIDIA Container.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Stationery\System.exe	NVIDIA Container.exe
File created	C:\Program Files\Common Files\microsoft shared\Stationery\27d1bcfc3c54e0	NVIDIA Container.exe
File created	C:\Program Files\dotnet\swidtag\ebf1f9fa8afd6d	NVIDIA Container.exe

Drops file in Windows directory 2 IoCs

Processes:

NVIDIA Container.exe

description ioc process

File created C:\Windows\LiveKernelReports\e6c9b481da804f NVIDIA Container.exe
File created C:\Windows\LiveKernelReports\OfficeClickToRun.exe NVIDIA Container.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\LiveKernelReports\e6c9b481da804f	NVIDIA Container.exe
File created	C:\Windows\LiveKernelReports\OfficeClickToRun.exe	NVIDIA Container.exe

Modifies registry class 2 IoCs

Processes:

NVIDIA Container.exeNVIDIA Container.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings	NVIDIA Container.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings	NVIDIA Container.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 57 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

pid	process
3116	schtasks.exe
5024	schtasks.exe
1200	schtasks.exe
732	schtasks.exe
3512	schtasks.exe
2672	schtasks.exe
4692	schtasks.exe
1208	schtasks.exe
2508	schtasks.exe
1928	schtasks.exe
1420	schtasks.exe
3508	schtasks.exe
5008	schtasks.exe
3972	schtasks.exe
1260	schtasks.exe
3956	schtasks.exe
4188	schtasks.exe
3680	schtasks.exe
2296	schtasks.exe
652	schtasks.exe
876	schtasks.exe
5108	schtasks.exe
1668	schtasks.exe
4688	schtasks.exe
2084	schtasks.exe
212	schtasks.exe
4480	schtasks.exe
4988	schtasks.exe
4796	schtasks.exe
3500	schtasks.exe
468	schtasks.exe
3516	schtasks.exe
760	schtasks.exe
3532	schtasks.exe
2164	schtasks.exe
4408	schtasks.exe
2156	schtasks.exe
3952	schtasks.exe
4980	schtasks.exe
2240	schtasks.exe
4252	schtasks.exe
2276	schtasks.exe
4192	schtasks.exe
5060	schtasks.exe
1348	schtasks.exe
1976	schtasks.exe
4068	schtasks.exe
1576	schtasks.exe
4396	schtasks.exe
1016	schtasks.exe
4748	schtasks.exe
900	schtasks.exe
968	schtasks.exe
1568	schtasks.exe
1540	schtasks.exe
4416	schtasks.exe
3208	schtasks.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

NVIDIA Container.exefontdrvhost.exe

pid	process
3356	NVIDIA Container.exe
3356	NVIDIA Container.exe
3356	NVIDIA Container.exe
3356	NVIDIA Container.exe
3356	NVIDIA Container.exe
3356	NVIDIA Container.exe
3356	NVIDIA Container.exe
3356	NVIDIA Container.exe
2144	fontdrvhost.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

NVIDIA Container.exefontdrvhost.exeAUDIODG.EXE

description pid process

Token: SeDebugPrivilege 3356 NVIDIA Container.exe
Token: SeDebugPrivilege 2144 fontdrvhost.exe
Token: 33 1308 AUDIODG.EXE
Token: SeIncBasePriorityPrivilege 1308 AUDIODG.EXE

description	pid	process
Token: SeDebugPrivilege	3356	NVIDIA Container.exe
Token: SeDebugPrivilege	2144	fontdrvhost.exe
Token: 33	1308	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1308	AUDIODG.EXE

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

12b1d0212363628cb57d2379017b94d6bf91029b37b2dcee592a564952855694.exeYkraine.exeСтоны.exeNVIDIA Container.exeWScript.execmd.exeNVIDIA Container.execmd.exe

description	pid	process	target process
PID 1464 wrote to memory of 2964	1464	12b1d0212363628cb57d2379017b94d6bf91029b37b2dcee592a564952855694.exe	hitler.exe
PID 1464 wrote to memory of 2964	1464	12b1d0212363628cb57d2379017b94d6bf91029b37b2dcee592a564952855694.exe	hitler.exe
PID 1464 wrote to memory of 3644	1464	12b1d0212363628cb57d2379017b94d6bf91029b37b2dcee592a564952855694.exe	tin.exe
PID 1464 wrote to memory of 3644	1464	12b1d0212363628cb57d2379017b94d6bf91029b37b2dcee592a564952855694.exe	tin.exe
PID 1464 wrote to memory of 3644	1464	12b1d0212363628cb57d2379017b94d6bf91029b37b2dcee592a564952855694.exe	tin.exe
PID 1464 wrote to memory of 2372	1464	12b1d0212363628cb57d2379017b94d6bf91029b37b2dcee592a564952855694.exe	Ykraine.exe
PID 1464 wrote to memory of 2372	1464	12b1d0212363628cb57d2379017b94d6bf91029b37b2dcee592a564952855694.exe	Ykraine.exe
PID 1464 wrote to memory of 552	1464	12b1d0212363628cb57d2379017b94d6bf91029b37b2dcee592a564952855694.exe	Стоны.exe
PID 1464 wrote to memory of 552	1464	12b1d0212363628cb57d2379017b94d6bf91029b37b2dcee592a564952855694.exe	Стоны.exe
PID 2372 wrote to memory of 1168	2372	Ykraine.exe	NVIDIA Container.exe
PID 2372 wrote to memory of 1168	2372	Ykraine.exe	NVIDIA Container.exe
PID 2372 wrote to memory of 1168	2372	Ykraine.exe	NVIDIA Container.exe
PID 552 wrote to memory of 4928	552	Стоны.exe	NVIDIA Container.exe
PID 552 wrote to memory of 4928	552	Стоны.exe	NVIDIA Container.exe
PID 552 wrote to memory of 4928	552	Стоны.exe	NVIDIA Container.exe
PID 4928 wrote to memory of 1560	4928	NVIDIA Container.exe	WScript.exe
PID 4928 wrote to memory of 1560	4928	NVIDIA Container.exe	WScript.exe
PID 4928 wrote to memory of 1560	4928	NVIDIA Container.exe	WScript.exe
PID 1560 wrote to memory of 2000	1560	WScript.exe	cmd.exe
PID 1560 wrote to memory of 2000	1560	WScript.exe	cmd.exe
PID 1560 wrote to memory of 2000	1560	WScript.exe	cmd.exe
PID 2000 wrote to memory of 3356	2000	cmd.exe	NVIDIA Container.exe
PID 2000 wrote to memory of 3356	2000	cmd.exe	NVIDIA Container.exe
PID 3356 wrote to memory of 428	3356	NVIDIA Container.exe	cmd.exe
PID 3356 wrote to memory of 428	3356	NVIDIA Container.exe	cmd.exe
PID 428 wrote to memory of 3668	428	cmd.exe	w32tm.exe
PID 428 wrote to memory of 3668	428	cmd.exe	w32tm.exe
PID 428 wrote to memory of 2144	428	cmd.exe	fontdrvhost.exe
PID 428 wrote to memory of 2144	428	cmd.exe	fontdrvhost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\12b1d0212363628cb57d2379017b94d6bf91029b37b2dcee592a564952855694.exe
"C:\Users\Admin\AppData\Local\Temp\12b1d0212363628cb57d2379017b94d6bf91029b37b2dcee592a564952855694.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1464

C:\Users\Admin\AppData\Local\Temp\hitler.exe
"C:\Users\Admin\AppData\Local\Temp\hitler.exe"
2⤵
- Executes dropped EXE
PID:2964

C:\Users\Admin\AppData\Local\Temp\tin.exe
"C:\Users\Admin\AppData\Local\Temp\tin.exe"
2⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
PID:3644

C:\Users\Admin\AppData\Local\Temp\Ykraine.exe
"C:\Users\Admin\AppData\Local\Temp\Ykraine.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2372

C:\Users\Admin\AppData\Local\Temp\NVIDIA Container.exe
"C:\Users\Admin\AppData\Local\Temp\NVIDIA Container.exe"
3⤵
- Executes dropped EXE
PID:1168

C:\Users\Admin\AppData\Local\Temp\Стоны.exe
"C:\Users\Admin\AppData\Local\Temp\Стоны.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:552

C:\Users\Admin\AppData\Local\Temp\NVIDIA Container.exe
"C:\Users\Admin\AppData\Local\Temp\NVIDIA Container.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4928

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\NVIDIA\DisplayDriver\535.21\zajaYJ4rqwpmDK2a6yrvwdV.vbe"
4⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1560

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\NVIDIA\DisplayDriver\535.21\mxJne99RtKqQDunPUGdos.bat" "
5⤵
- Suspicious use of WriteProcessMemory
PID:2000

C:\NVIDIA\DisplayDriver\535.21\NVIDIA Container.exe
"C:\NVIDIA\DisplayDriver\535.21\NVIDIA Container.exe"
6⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3356

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6qMn4xjohg.bat"
7⤵
- Suspicious use of WriteProcessMemory
PID:428

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
8⤵
PID:3668

C:\Recovery\WindowsRE\fontdrvhost.exe
"C:\Recovery\WindowsRE\fontdrvhost.exe"
8⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Program Files\Common Files\microsoft shared\Stationery\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Common Files\microsoft shared\Stationery\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Program Files\Common Files\microsoft shared\Stationery\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 9 /tr "'C:\NVIDIA\DisplayDriver\535.21\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\NVIDIA\DisplayDriver\535.21\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 6 /tr "'C:\NVIDIA\DisplayDriver\535.21\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\SoftwareDistribution\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\All Users\SoftwareDistribution\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\SoftwareDistribution\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "tint" /sc MINUTE /mo 8 /tr "'C:\NVIDIA\DisplayDriver\535.21\tin.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "tin" /sc ONLOGON /tr "'C:\NVIDIA\DisplayDriver\535.21\tin.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "tint" /sc MINUTE /mo 8 /tr "'C:\NVIDIA\DisplayDriver\535.21\tin.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 10 /tr "'C:\Windows\LiveKernelReports\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Windows\LiveKernelReports\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 11 /tr "'C:\Windows\LiveKernelReports\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Security\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files\Windows Security\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Security\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\ClientX64\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Photo Viewer\it-IT\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\it-IT\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Photo Viewer\it-IT\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Application Data\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Users\Default\Application Data\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Application Data\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Program Files\Internet Explorer\images\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\images\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Program Files\Internet Explorer\images\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Program Files\dotnet\swidtag\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files\dotnet\swidtag\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\Program Files\dotnet\swidtag\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Common Files\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Common Files\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2240

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x520 0x304
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1308

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\NVIDIA\DisplayDriver\535.21\NVIDIA Container.exe
Filesize
1.4MB

MD5
4a591f46c87b49a7de93f5ac771cd4ab

SHA1
e0992350818e5c56d3f2e3a6db340d1f5b8f3314

SHA256
b495e22042b08f27b690da18986ec74d5054a65d05d5cf41fdecd5751482ccbd

SHA512
b498445d1e427853690250aebff35cbd7e28e85a89ad868e3483930b16ec13198357cfcd5feb45567b1bc8f3d9f97c5ecf2d242c8a5e9d758a536d0498ba7955

Download Submit
C:\NVIDIA\DisplayDriver\535.21\mxJne99RtKqQDunPUGdos.bat
Filesize
53B

MD5
7784d810f5ff3afa8df50e360eb90e7d

SHA1
f04802a991ff6461aa1c35b7c0f68e43d5a114c6

SHA256
0385dbf94fc27705560cf0b6b04e9a37181db486ee8f7573c5ad2217d18f4ca0

SHA512
80038ae2bfd5f8ca3f4812ab5c342878f98978007125c9dca5edb915701a5383916131cdc3082c054c49c508cd210aff70319ac0fc498cbdd6cee776df672cac

Download Submit
C:\NVIDIA\DisplayDriver\535.21\zajaYJ4rqwpmDK2a6yrvwdV.vbe
Filesize
225B

MD5
d7df2670ad0c6c7b9cc48122f20f086c

SHA1
e69bf8c214d8c4b768125ca03e402e1c871cc233

SHA256
d3bf5c54de984dd2d1d779494deb8a995cc062eb5f25c465d0de78d99b8cc52b

SHA512
05ed88410790bf74dc7ab880f893e555c4859c133e79a89f28b5e1a68c36f4a4f28d3b7b6532953c04b6d23a21faf53e60107efde9e6acb492a9235d48943f03

Download Submit
C:\Users\Admin\AppData\Local\Temp\6qMn4xjohg.bat
Filesize
202B

MD5
f2bc4501fc732543d60b8dc636f0ead4

SHA1
8b0ac39ee58c89840d98f7b5f35beb3c76f25728

SHA256
69f24d2ac58a334551ec25a179ea5435ac890907f2cd763ebef3e3b9539a7a2d

SHA512
3b8594bc5a2f0a585d04225d84223ba9436eaf28426ad0098a93e8a54cd74a3f646b3cf5cd7c0ac566136a6d7defd5695a53bb06f81695e8c38024579e271aa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\NVIDIA Container.exe
Filesize
1.8MB

MD5
531bf67134a7c1fb4096113ca58cc648

SHA1
99e0fc1fb7a07c0685e426b327921d3e6c34498c

SHA256
67942630366d114efa35f3f4a79741a4a4eb2c3b0c8ffaac07af527f84d4489a

SHA512
8facae8335a4f33f54e48c64814946eb8b480800b4453612fffcef64117946a35d493f433d4e27186ee864603da756319f816e70c3bfc08b8bb1861fc7030ff4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ykraine.exe
Filesize
1.4MB

MD5
da5341ed73474db53c94c38f66e210ae

SHA1
49d8d239ac77cde765c8f516be1e52c3d2d37a2e

SHA256
bae4b959e9f74d9d085067b57a805654c86cc45f8c7cd32b9711874504ae59dd

SHA512
c2c5cf298aa6476b043e9afcd2ca4a2e685b8a96187d69b834f9f3761aa1d525a4b032d19ea03d349ef32a3ba699c3126bc359cb7f117395f5303ebebf310572

Download Submit
C:\Users\Admin\AppData\Local\Temp\hitler.exe
Filesize
10.4MB

MD5
3a1733f19b9ca74fe793df23700c3519

SHA1
31cf4474f0ac00d45c19b7e31e7dc9fde3054091

SHA256
1b2a026beda12eff88e2397931018031e4358de05aa449e3441434e6cf5dad6c

SHA512
0cd23dce1880c0b11d19f7d58102020baba7033e828aee233f8ed6b7d11c622d1dcec38c4a3e6c4691e07f7a1609fe550a30517e662236e164e550e87bea777b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tin.exe
Filesize
439KB

MD5
b3edc0708fb191e2d3016c68585ed31e

SHA1
ab1ce0cb2a819b82206dc1e922e97b284b585d17

SHA256
c9fffa589040d8a6d22285255604948ff3bb3efa7077c776b6b09272bc293b7d

SHA512
77b67f4cf6344f56e20172357831497c6ae4ff57c5a852762437419a7e5819805e10098dc87f90e937cf7603b72a94e6cf66681e1602974355fae8644b2a42dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Стоны.exe
Filesize
1.5MB

MD5
90132dd5e5a65801d56cb0b20c92d724

SHA1
bec1e6ef261f88b0aca2cb0aca2ea1eaf5f9aae7

SHA256
8e9e6d72b2a39b62c7341bdc0f529a070f25b2c33bfefe5b6cc6e5d3c86590e9

SHA512
e8c0bb9a9390558a117bdf5518a136a41b84417b01b835d092202b3e2d644bf997bd344e2a3f2a971aae5b5bcdeb85865250be5fcf86e840d854cbc7791e5f33

Download Submit
memory/552-49-0x0000000000200000-0x0000000000388000-memory.dmp

Filesize
1.5MB

Download
memory/1464-0-0x00007FFA75253000-0x00007FFA75255000-memory.dmp

Filesize
8KB

Download
memory/1464-55-0x00007FFA75250000-0x00007FFA75D11000-memory.dmp

Filesize
10.8MB

Download
memory/1464-3-0x00007FFA75250000-0x00007FFA75D11000-memory.dmp

Filesize
10.8MB

Download
memory/1464-1-0x0000000000A20000-0x00000000017AA000-memory.dmp

Filesize
13.5MB

Download
memory/2372-44-0x00000000007A0000-0x0000000000918000-memory.dmp

Filesize
1.5MB

Download
memory/2964-28-0x00007FFA75250000-0x00007FFA75D11000-memory.dmp

Filesize
10.8MB

Download
memory/2964-69-0x00007FFA75250000-0x00007FFA75D11000-memory.dmp

Filesize
10.8MB

Download
memory/2964-35-0x0000000000C30000-0x0000000001690000-memory.dmp

Filesize
10.4MB

Download
memory/3356-75-0x0000000000680000-0x00000000007EA000-memory.dmp

Filesize
1.4MB

Download
memory/3356-76-0x00000000028F0000-0x000000000290C000-memory.dmp

Filesize
112KB

Download
memory/3356-81-0x0000000002A60000-0x0000000002A6E000-memory.dmp

Filesize
56KB

Download
memory/3356-82-0x000000001B3B0000-0x000000001B3BC000-memory.dmp

Filesize
48KB

Download
memory/3356-80-0x0000000002A50000-0x0000000002A5E000-memory.dmp

Filesize
56KB

Download
memory/3356-79-0x0000000002A40000-0x0000000002A50000-memory.dmp

Filesize
64KB

Download
memory/3356-78-0x0000000002A20000-0x0000000002A36000-memory.dmp

Filesize
88KB

Download
memory/3356-77-0x000000001B360000-0x000000001B3B0000-memory.dmp

Filesize
320KB

Download
memory/3644-32-0x0000000000420000-0x00000000004BD000-memory.dmp

Filesize
628KB

Download