Analysis Overview
SHA256
c862e53a5446da1c4dce5b9651c47279908b9c0bb86343e4ba7add7f5bbd37a9
Threat Level: Known bad
The file c862e53a5446da1c4dce5b9651c47279908b9c0bb86343e4ba7add7f5bbd37a9 was found to be: Known bad.
Malicious Activity Summary
Modifies WinLogon for persistence
RedLine
Raccoon
RedLine Payload
Process spawned unexpected child process
SmokeLoader
Executes dropped EXE
Downloads MZ/PE file
Loads dropped DLL
Deletes itself
Reads user/profile data of web browsers
Reads user/profile data of local email clients
Adds Run key to start application
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Looks up external IP address via web service
Suspicious use of SetThreadContext
Drops file in System32 directory
Drops file in Program Files directory
Drops file in Windows directory
Enumerates physical storage devices
Modifies registry class
Creates scheduled task(s)
Checks SCSI registry key(s)
Suspicious behavior: MapViewOfSection
Suspicious use of SendNotifyMessage
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2021-09-20 07:23
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2021-09-20 07:23
Reported
2021-09-20 07:25
Platform
win10-en
Max time kernel
150s
Max time network
148s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\AppData\\Local\\Temp\\dd_vcredistMSI6CB3\\4F07.exe\", \"C:\\Windows\\lsasetup\\explorer.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\plugins\\audio_filter\\fontdrvhost.exe\", \"C:\\Boot\\lv-LV\\fontdrvhost.exe\", \"C:\\Windows\\System32\\NcaSvc\\conhost.exe\", \"C:\\ProgramData\\USOPrivate\\wininit.exe\"" | C:\Users\Admin\AppData\Roaming\DriverRealtekHDmaster.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\AppData\\Local\\Temp\\dd_vcredistMSI6CB3\\4F07.exe\", \"C:\\Windows\\lsasetup\\explorer.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\plugins\\audio_filter\\fontdrvhost.exe\", \"C:\\Boot\\lv-LV\\fontdrvhost.exe\", \"C:\\Windows\\System32\\NcaSvc\\conhost.exe\", \"C:\\ProgramData\\USOPrivate\\wininit.exe\", \"C:\\odt\\wininit.exe\"" | C:\Users\Admin\AppData\Roaming\DriverRealtekHDmaster.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\AppData\\Local\\Temp\\dd_vcredistMSI6CB3\\4F07.exe\"" | C:\Users\Admin\AppData\Roaming\DriverRealtekHDmaster.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\AppData\\Local\\Temp\\dd_vcredistMSI6CB3\\4F07.exe\", \"C:\\Windows\\lsasetup\\explorer.exe\"" | C:\Users\Admin\AppData\Roaming\DriverRealtekHDmaster.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\AppData\\Local\\Temp\\dd_vcredistMSI6CB3\\4F07.exe\", \"C:\\Windows\\lsasetup\\explorer.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\plugins\\audio_filter\\fontdrvhost.exe\"" | C:\Users\Admin\AppData\Roaming\DriverRealtekHDmaster.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\AppData\\Local\\Temp\\dd_vcredistMSI6CB3\\4F07.exe\", \"C:\\Windows\\lsasetup\\explorer.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\plugins\\audio_filter\\fontdrvhost.exe\", \"C:\\Boot\\lv-LV\\fontdrvhost.exe\"" | C:\Users\Admin\AppData\Roaming\DriverRealtekHDmaster.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\AppData\\Local\\Temp\\dd_vcredistMSI6CB3\\4F07.exe\", \"C:\\Windows\\lsasetup\\explorer.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\plugins\\audio_filter\\fontdrvhost.exe\", \"C:\\Boot\\lv-LV\\fontdrvhost.exe\", \"C:\\Windows\\System32\\NcaSvc\\conhost.exe\"" | C:\Users\Admin\AppData\Roaming\DriverRealtekHDmaster.exe | N/A |
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
Raccoon
RedLine
RedLine Payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
SmokeLoader
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3FA4.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\44E4.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4F07.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5496.exe | N/A |
| N/A | N/A | C:\ProgramData\ZZZZZ.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5496.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\DriverRealtekHDmaster.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DriverMaster.exe | N/A |
| N/A | N/A | C:\ProgramData\USOPrivate\wininit.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\EngineDriverMaster.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\44E4.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\44E4.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\44E4.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4F07.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4F07.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4F07.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4F07.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4F07.exe | N/A |
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Windows\\lsasetup\\explorer.exe\"" | C:\Users\Admin\AppData\Roaming\DriverRealtekHDmaster.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Program Files\\VideoLAN\\VLC\\plugins\\audio_filter\\fontdrvhost.exe\"" | C:\Users\Admin\AppData\Roaming\DriverRealtekHDmaster.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Windows\\System32\\NcaSvc\\conhost.exe\"" | C:\Users\Admin\AppData\Roaming\DriverRealtekHDmaster.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4F07 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\dd_vcredistMSI6CB3\\4F07.exe\"" | C:\Users\Admin\AppData\Roaming\DriverRealtekHDmaster.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Boot\\lv-LV\\fontdrvhost.exe\"" | C:\Users\Admin\AppData\Roaming\DriverRealtekHDmaster.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Windows\CurrentVersion\Run\4F07 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\dd_vcredistMSI6CB3\\4F07.exe\"" | C:\Users\Admin\AppData\Roaming\DriverRealtekHDmaster.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Boot\\lv-LV\\fontdrvhost.exe\"" | C:\Users\Admin\AppData\Roaming\DriverRealtekHDmaster.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Windows\\System32\\NcaSvc\\conhost.exe\"" | C:\Users\Admin\AppData\Roaming\DriverRealtekHDmaster.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\ProgramData\\USOPrivate\\wininit.exe\"" | C:\Users\Admin\AppData\Roaming\DriverRealtekHDmaster.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\odt\\wininit.exe\"" | C:\Users\Admin\AppData\Roaming\DriverRealtekHDmaster.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\odt\\wininit.exe\"" | C:\Users\Admin\AppData\Roaming\DriverRealtekHDmaster.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Windows\\lsasetup\\explorer.exe\"" | C:\Users\Admin\AppData\Roaming\DriverRealtekHDmaster.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Program Files\\VideoLAN\\VLC\\plugins\\audio_filter\\fontdrvhost.exe\"" | C:\Users\Admin\AppData\Roaming\DriverRealtekHDmaster.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\ProgramData\\USOPrivate\\wininit.exe\"" | C:\Users\Admin\AppData\Roaming\DriverRealtekHDmaster.exe | N/A |
Checks installed software on the system
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | ip-api.com | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\System32\NcaSvc\conhost.exe | C:\Users\Admin\AppData\Roaming\DriverRealtekHDmaster.exe | N/A |
| File created | C:\Windows\System32\NcaSvc\088424020bedd6b28ac7fd22ee35dcd7322895ce | C:\Users\Admin\AppData\Roaming\DriverRealtekHDmaster.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 3992 set thread context of 3956 | N/A | C:\Users\Admin\AppData\Local\Temp\c862e53a5446da1c4dce5b9651c47279908b9c0bb86343e4ba7add7f5bbd37a9.exe | C:\Users\Admin\AppData\Local\Temp\c862e53a5446da1c4dce5b9651c47279908b9c0bb86343e4ba7add7f5bbd37a9.exe |
| PID 1476 set thread context of 2728 | N/A | C:\Users\Admin\AppData\Local\Temp\5496.exe | C:\Users\Admin\AppData\Local\Temp\5496.exe |
| PID 1660 set thread context of 2888 | N/A | C:\Users\Admin\AppData\Local\Temp\44E4.exe | C:\Users\Admin\AppData\Local\Temp\44E4.exe |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Program Files\VideoLAN\VLC\plugins\audio_filter\fontdrvhost.exe | C:\Users\Admin\AppData\Roaming\DriverRealtekHDmaster.exe | N/A |
| File created | C:\Program Files\VideoLAN\VLC\plugins\audio_filter\5b884080fd4f94e2695da25c503f9e33b9605b83 | C:\Users\Admin\AppData\Roaming\DriverRealtekHDmaster.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\lsasetup\7a0fd90576e08807bde2cc57bcf9854bbce05fe3 | C:\Users\Admin\AppData\Roaming\DriverRealtekHDmaster.exe | N/A |
| File created | C:\Windows\lsasetup\explorer.exe | C:\Users\Admin\AppData\Roaming\DriverRealtekHDmaster.exe | N/A |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\c862e53a5446da1c4dce5b9651c47279908b9c0bb86343e4ba7add7f5bbd37a9.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\c862e53a5446da1c4dce5b9651c47279908b9c0bb86343e4ba7add7f5bbd37a9.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\c862e53a5446da1c4dce5b9651c47279908b9c0bb86343e4ba7add7f5bbd37a9.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c862e53a5446da1c4dce5b9651c47279908b9c0bb86343e4ba7add7f5bbd37a9.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c862e53a5446da1c4dce5b9651c47279908b9c0bb86343e4ba7add7f5bbd37a9.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c862e53a5446da1c4dce5b9651c47279908b9c0bb86343e4ba7add7f5bbd37a9.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\5496.exe | N/A |
| Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\5496.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\5496.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\DriverRealtekHDmaster.exe | N/A |
| Token: 33 | N/A | C:\Users\Admin\AppData\Roaming\DriverRealtekHDmaster.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\DriverRealtekHDmaster.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\3FA4.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\USOPrivate\wininit.exe | N/A |
| Token: 33 | N/A | C:\ProgramData\USOPrivate\wininit.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\ProgramData\USOPrivate\wininit.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\DriverMaster.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\5496.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\EngineDriverMaster.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\44E4.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\44E4.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\c862e53a5446da1c4dce5b9651c47279908b9c0bb86343e4ba7add7f5bbd37a9.exe | "C:\Users\Admin\AppData\Local\Temp\c862e53a5446da1c4dce5b9651c47279908b9c0bb86343e4ba7add7f5bbd37a9.exe" |
| C:\Users\Admin\AppData\Local\Temp\c862e53a5446da1c4dce5b9651c47279908b9c0bb86343e4ba7add7f5bbd37a9.exe | "C:\Users\Admin\AppData\Local\Temp\c862e53a5446da1c4dce5b9651c47279908b9c0bb86343e4ba7add7f5bbd37a9.exe" |
| C:\Users\Admin\AppData\Local\Temp\3FA4.exe | C:\Users\Admin\AppData\Local\Temp\3FA4.exe |
| C:\Users\Admin\AppData\Local\Temp\44E4.exe | C:\Users\Admin\AppData\Local\Temp\44E4.exe |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMgAwAA== |
| C:\Users\Admin\AppData\Local\Temp\4F07.exe | C:\Users\Admin\AppData\Local\Temp\4F07.exe |
| C:\Users\Admin\AppData\Local\Temp\5496.exe | C:\Users\Admin\AppData\Local\Temp\5496.exe |
| C:\ProgramData\ZZZZZ.exe | "C:\ProgramData\ZZZZZ.exe" |
| C:\Windows\SysWOW64\cmd.exe | cmd /c start C:\Users\Admin\AppData\Roaming\DriverRealtekHDmaster.exe |
| C:\Users\Admin\AppData\Local\Temp\5496.exe | "C:\Users\Admin\AppData\Local\Temp\5496.exe" |
| C:\Windows\SysWOW64\cmd.exe | cmd /c start C:\Users\Admin\AppData\Local\Temp\DriverMaster.exe |
| C:\Users\Admin\AppData\Roaming\DriverRealtekHDmaster.exe | C:\Users\Admin\AppData\Roaming\DriverRealtekHDmaster.exe |
| C:\Users\Admin\AppData\Local\Temp\DriverMaster.exe | C:\Users\Admin\AppData\Local\Temp\DriverMaster.exe |
| C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "4F07" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\dd_vcredistMSI6CB3\4F07.exe'" /rl HIGHEST /f |
| C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\lsasetup\explorer.exe'" /rl HIGHEST /f |
| C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\plugins\audio_filter\fontdrvhost.exe'" /rl HIGHEST /f |
| C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Boot\lv-LV\fontdrvhost.exe'" /rl HIGHEST /f |
| C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\System32\NcaSvc\conhost.exe'" /rl HIGHEST /f |
| C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\ProgramData\USOPrivate\wininit.exe'" /rl HIGHEST /f |
| C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\odt\wininit.exe'" /rl HIGHEST /f |
| C:\ProgramData\USOPrivate\wininit.exe | "C:\ProgramData\USOPrivate\wininit.exe" |
| C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "EngineDriverMaster" /tr '"C:\Users\Admin\AppData\Local\Temp\EngineDriverMaster.exe"' & exit |
| C:\Windows\system32\schtasks.exe | schtasks /create /f /sc onlogon /rl highest /tn "EngineDriverMaster" /tr '"C:\Users\Admin\AppData\Local\Temp\EngineDriverMaster.exe"' |
| C:\Users\Admin\AppData\Local\Temp\EngineDriverMaster.exe | "C:\Users\Admin\AppData\Local\Temp\EngineDriverMaster.exe" |
| C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "EngineDriverMaster" /tr '"C:\Users\Admin\AppData\Local\Temp\EngineDriverMaster.exe"' & exit |
| C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe" |
| C:\Windows\system32\schtasks.exe | schtasks /create /f /sc onlogon /rl highest /tn "EngineDriverMaster" /tr '"C:\Users\Admin\AppData\Local\Temp\EngineDriverMaster.exe"' |
| C:\Users\Admin\AppData\Local\Temp\44E4.exe | C:\Users\Admin\AppData\Local\Temp\44E4.exe |
| C:\Users\Admin\AppData\Local\Temp\44E4.exe | C:\Users\Admin\AppData\Local\Temp\44E4.exe |
| C:\Users\Admin\AppData\Local\Temp\44E4.exe | C:\Users\Admin\AppData\Local\Temp\44E4.exe |
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | venerynnet1.top | udp |
| US | 8.8.8.8:53 | kevonahira2.top | udp |
| RU | 45.144.67.29:80 | kevonahira2.top | tcp |
| RU | 45.144.67.29:80 | kevonahira2.top | tcp |
| NL | 193.56.146.36:80 | 193.56.146.36 | tcp |
| RU | 45.144.67.29:80 | kevonahira2.top | tcp |
| RU | 45.144.67.29:80 | kevonahira2.top | tcp |
| RU | 45.144.67.29:80 | kevonahira2.top | tcp |
| RU | 45.144.67.29:80 | kevonahira2.top | tcp |
| RU | 45.144.67.29:80 | kevonahira2.top | tcp |
| RU | 45.144.67.29:80 | kevonahira2.top | tcp |
| RU | 45.144.67.29:80 | kevonahira2.top | tcp |
| RU | 45.144.67.29:80 | kevonahira2.top | tcp |
| RU | 45.144.67.29:80 | kevonahira2.top | tcp |
| RU | 45.144.67.29:80 | kevonahira2.top | tcp |
| RU | 45.144.67.29:80 | kevonahira2.top | tcp |
| RU | 45.144.67.29:80 | kevonahira2.top | tcp |
| RU | 45.9.20.20:13441 | | tcp |
| RU | 45.144.67.29:80 | kevonahira2.top | tcp |
| RU | 45.144.67.29:80 | kevonahira2.top | tcp |
| RU | 45.144.67.29:80 | kevonahira2.top | tcp |
| RU | 45.144.67.29:80 | kevonahira2.top | tcp |
| RU | 45.144.67.29:80 | kevonahira2.top | tcp |
| US | 8.8.8.8:53 | telete.in | udp |
| DE | 195.201.225.248:443 | telete.in | tcp |
| RU | 45.144.67.29:80 | kevonahira2.top | tcp |
| FR | 176.31.32.198:80 | 176.31.32.198 | tcp |
| DE | 74.119.192.122:80 | 74.119.192.122 | tcp |
| RU | 94.26.249.88:32478 | | tcp |
| US | 8.8.8.8:53 | api.ip.sb | udp |
| US | 172.67.75.172:443 | api.ip.sb | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| RU | 62.109.1.30:80 | 62.109.1.30 | tcp |
| US | 172.67.75.172:443 | api.ip.sb | tcp |
| NL | 45.67.231.145:10991 | | tcp |
| US | 172.67.75.172:443 | api.ip.sb | tcp |
Files
memory/3956-115-0x0000000000400000-0x0000000000408000-memory.dmp
memory/3956-116-0x0000000000402DCE-mapping.dmp
memory/3992-117-0x0000000000030000-0x0000000000039000-memory.dmp
memory/2964-118-0x0000000002480000-0x0000000002495000-memory.dmp
memory/3860-119-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\3FA4.exe
| MD5 | 085d61746c57a6e95ce293c5ce47db5b |
| SHA1 | 373e889be8cee96ce3b91cb2795cbfa95ce0f261 |
| SHA256 | 8e12b1d78be737d6d4eafc77aa6fc70d5f02b9af2b997ba040ac6a06233ad27a |
| SHA512 | c540f3dc47fde6ec718d2027f585fa3de2606f1a908561682cf07d11861ea4151d501b292cda078547a1ba5720a65a00e93ab98b4171b40afa1771b17e0bc841 |
C:\Users\Admin\AppData\Local\Temp\3FA4.exe
| MD5 | 085d61746c57a6e95ce293c5ce47db5b |
| SHA1 | 373e889be8cee96ce3b91cb2795cbfa95ce0f261 |
| SHA256 | 8e12b1d78be737d6d4eafc77aa6fc70d5f02b9af2b997ba040ac6a06233ad27a |
| SHA512 | c540f3dc47fde6ec718d2027f585fa3de2606f1a908561682cf07d11861ea4151d501b292cda078547a1ba5720a65a00e93ab98b4171b40afa1771b17e0bc841 |
memory/1660-122-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\44E4.exe
| MD5 | 6f89f4c0727ee98f5056839c492fc13f |
| SHA1 | bab3223bc4eda781998e4f7ce27f5e21aec6ab8b |
| SHA256 | eb782588d33bbbda006f677802b59b89e6f0bf6615ebfb0957b2a01ff8f2503a |
| SHA512 | 8ea43bf8a12912e4f3424bec506ac7ef9cbb5dfc0bc183833c3e2ab4a667e624f174faac1599424e5e0ad185c8e17b1c8d8bb501b4f521dfb2f7f1fb2a14873d |
C:\Users\Admin\AppData\Local\Temp\44E4.exe
| MD5 | 6f89f4c0727ee98f5056839c492fc13f |
| SHA1 | bab3223bc4eda781998e4f7ce27f5e21aec6ab8b |
| SHA256 | eb782588d33bbbda006f677802b59b89e6f0bf6615ebfb0957b2a01ff8f2503a |
| SHA512 | 8ea43bf8a12912e4f3424bec506ac7ef9cbb5dfc0bc183833c3e2ab4a667e624f174faac1599424e5e0ad185c8e17b1c8d8bb501b4f521dfb2f7f1fb2a14873d |
memory/1660-125-0x00000000002F0000-0x00000000002F1000-memory.dmp
memory/1660-127-0x00000000050C0000-0x00000000050C1000-memory.dmp
memory/1660-128-0x0000000004BC0000-0x0000000004BC1000-memory.dmp
memory/3860-129-0x00000000021B0000-0x00000000021CF000-memory.dmp
memory/3860-131-0x0000000002470000-0x000000000248E000-memory.dmp
memory/3860-132-0x0000000000460000-0x000000000050E000-memory.dmp
memory/3860-133-0x0000000000400000-0x0000000000460000-memory.dmp
memory/3860-134-0x00000000025C0000-0x00000000025C1000-memory.dmp
memory/3860-135-0x00000000025C2000-0x00000000025C3000-memory.dmp
memory/3860-136-0x0000000004FB0000-0x0000000004FB1000-memory.dmp
memory/3860-137-0x00000000025C3000-0x00000000025C4000-memory.dmp
memory/3860-138-0x00000000025E0000-0x00000000025E1000-memory.dmp
memory/3860-139-0x00000000055C0000-0x00000000055C1000-memory.dmp
memory/3860-140-0x00000000056D0000-0x00000000056D1000-memory.dmp
memory/1660-141-0x0000000004B70000-0x0000000004B71000-memory.dmp
memory/3860-142-0x0000000005710000-0x0000000005711000-memory.dmp
memory/424-143-0x0000000000000000-mapping.dmp
memory/424-146-0x0000000007360000-0x0000000007361000-memory.dmp
memory/424-147-0x0000000007B30000-0x0000000007B31000-memory.dmp
memory/1660-148-0x0000000004BC0000-0x00000000050BE000-memory.dmp
memory/3860-149-0x00000000025C4000-0x00000000025C6000-memory.dmp
memory/424-150-0x00000000074F0000-0x00000000074F1000-memory.dmp
memory/424-151-0x00000000074F2000-0x00000000074F3000-memory.dmp
memory/424-152-0x0000000007A50000-0x0000000007A51000-memory.dmp
memory/424-153-0x0000000008160000-0x0000000008161000-memory.dmp
memory/424-154-0x00000000083B0000-0x00000000083B1000-memory.dmp
memory/424-155-0x0000000008430000-0x0000000008431000-memory.dmp
memory/424-156-0x0000000008390000-0x0000000008391000-memory.dmp
memory/1204-158-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\4F07.exe
| MD5 | 70d114c3a1cea81811059e4527ebd3bb |
| SHA1 | c9c6d7c171c4e68b10a8e083ed45f0b58e5d227f |
| SHA256 | 110a51196832486aa4bfab4b8c624627fda05e8b8539cbe964642b7d2bc9ecd6 |
| SHA512 | ec4466675299dd984cb10591a892b083f4d828ec12b2b10f9791fb59e37d2efee67b5929e387a2dbc511b8c18b5f0796288cfd126efd42c4a0c211c11c4e53bf |
C:\Users\Admin\AppData\Local\Temp\4F07.exe
| MD5 | 70d114c3a1cea81811059e4527ebd3bb |
| SHA1 | c9c6d7c171c4e68b10a8e083ed45f0b58e5d227f |
| SHA256 | 110a51196832486aa4bfab4b8c624627fda05e8b8539cbe964642b7d2bc9ecd6 |
| SHA512 | ec4466675299dd984cb10591a892b083f4d828ec12b2b10f9791fb59e37d2efee67b5929e387a2dbc511b8c18b5f0796288cfd126efd42c4a0c211c11c4e53bf |
memory/424-161-0x0000000008B70000-0x0000000008B71000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\5496.exe
| MD5 | 2bb0fdee239257799fd8c427dad0b3a5 |
| SHA1 | 456210504dc055b9fbbface0ac7d51e65f40fd90 |
| SHA256 | 75ddb7c0668c694e2b36817e3eb2c4ddb720fd68f8cc2214a943d423dde171c0 |
| SHA512 | f4def1d023d56b9d71d0c7ea35665dfc709b90e7163a7dd5d4074dabaf773818891fe7ef055d00645b911c533e828a66c4070f4fcc7a539ad88dd909cec92bc0 |
C:\Users\Admin\AppData\Local\Temp\5496.exe
| MD5 | 2bb0fdee239257799fd8c427dad0b3a5 |
| SHA1 | 456210504dc055b9fbbface0ac7d51e65f40fd90 |
| SHA256 | 75ddb7c0668c694e2b36817e3eb2c4ddb720fd68f8cc2214a943d423dde171c0 |
| SHA512 | f4def1d023d56b9d71d0c7ea35665dfc709b90e7163a7dd5d4074dabaf773818891fe7ef055d00645b911c533e828a66c4070f4fcc7a539ad88dd909cec92bc0 |
memory/1476-164-0x0000000000000000-mapping.dmp
memory/1476-167-0x00000000002E0000-0x00000000002E1000-memory.dmp
memory/424-172-0x000000000A250000-0x000000000A251000-memory.dmp
memory/424-173-0x0000000009800000-0x0000000009801000-memory.dmp
memory/1204-174-0x0000000000990000-0x0000000000A20000-memory.dmp
memory/1476-176-0x0000000004BA0000-0x0000000004BA1000-memory.dmp
memory/1204-175-0x0000000000400000-0x0000000000493000-memory.dmp
C:\ProgramData\ZZZZZ.exe
| MD5 | d5d4f07e59ffad621f322b68c12e411e |
| SHA1 | c29e234e8ecf6eeaa4b6f6fead0f69d14865805a |
| SHA256 | 42506f9e15ffdab6fce67556b602075ff779e2e84c6a40058a3941f0f71071b2 |
| SHA512 | b8faf0ae840a3096ecfe62284c5a6a81ea17c1fa7ab62bdd7281afd15154b62ee35f1ecf4401d8c89ebc5128cba10536b6043e7094633f5b4d9303136591cd1e |
memory/2328-177-0x0000000000000000-mapping.dmp
memory/2520-181-0x0000000000000000-mapping.dmp
memory/1476-180-0x0000000005D90000-0x0000000005DAD000-memory.dmp
memory/2728-184-0x000000000041C5C6-mapping.dmp
memory/2796-183-0x0000000000000000-mapping.dmp
memory/2728-182-0x0000000000400000-0x0000000000422000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\5496.exe.log
| MD5 | d6f3d3ca17bf02d595a877bb35dd4acb |
| SHA1 | af325d8a34c8b1fe855eefe617a731bdaf21dcb1 |
| SHA256 | b1e5516dd59805ff5247fb26bee630ad14073ec1d2e7aa4a98ea6a2c0de0cca8 |
| SHA512 | d30f3ab293c26e96bb26b925f7992c32cfb5f78d872084541be7f93227bd6867af96dc9c442009ce78b3844e13e2260a8422b46e8aa3f8e1faebae0b258cd89e |
memory/4000-186-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\DriverRealtekHDmaster.exe
| MD5 | fbdc90a57978628f46593258cf59e1eb |
| SHA1 | ac3361f6e6b15e31f7652f6b34a767adaf97e442 |
| SHA256 | afda4dc1bd63a2f99314a24bb7f8819712a1d708099de7c7473322ed3f7b114e |
| SHA512 | 947f2b7417b8849d43c1eaecb03d8bcfe6bfefceeaa605404cfff9f1e3976ce2d2a64f20a989f7da081e30e59113a55f6d525c014e2fc4dcb31f8eafd9fb299e |
memory/4000-192-0x00000000007A0000-0x00000000007A1000-memory.dmp
memory/4060-197-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\DriverMaster.exe
| MD5 | 8d87235cc7ca1ba8ac22da5c6d5dfa22 |
| SHA1 | 4c992057524df70210d8f9706f5931d6496e645b |
| SHA256 | 813646e5b40be0e72d0e6b5e0bb1d8e2cf7a6bae0007b96fbf91da9c3d7e15f9 |
| SHA512 | 40127990c3de8c3ab625a7f495ad44fa9e279325ae20243aad4ae6fa5beb490ad9c6a03ee8fc27358dad922826d57c262be50fb9c59e1b8d7d2952a1f14a69ee |
memory/4060-201-0x0000000000690000-0x0000000000691000-memory.dmp
memory/2728-203-0x0000000005050000-0x0000000005656000-memory.dmp
memory/4000-205-0x000000001B6A0000-0x000000001B6A2000-memory.dmp
memory/4060-206-0x000000001C6F0000-0x000000001C8D9000-memory.dmp
\Users\Admin\AppData\LocalLow\sqlite3.dll
| MD5 | f964811b68f9f1487c2b41e1aef576ce |
| SHA1 | b423959793f14b1416bc3b7051bed58a1034025f |
| SHA256 | 83bc57dcf282264f2b00c21ce0339eac20fcb7401f7c5472c0cd0c014844e5f7 |
| SHA512 | 565b1a7291c6fcb63205907fcd9e72fc2e11ca945afc4468c378edba882e2f314c2ac21a7263880ff7d4b84c2a1678024c1ac9971ac1c1de2bfa4248ec0f98c4 |
memory/3860-208-0x00000000067F0000-0x00000000067F1000-memory.dmp
memory/3860-209-0x00000000069C0000-0x00000000069C1000-memory.dmp
memory/1100-211-0x0000000000000000-mapping.dmp
C:\ProgramData\USOPrivate\wininit.exe
| MD5 | fbdc90a57978628f46593258cf59e1eb |
| SHA1 | ac3361f6e6b15e31f7652f6b34a767adaf97e442 |
| SHA256 | afda4dc1bd63a2f99314a24bb7f8819712a1d708099de7c7473322ed3f7b114e |
| SHA512 | 947f2b7417b8849d43c1eaecb03d8bcfe6bfefceeaa605404cfff9f1e3976ce2d2a64f20a989f7da081e30e59113a55f6d525c014e2fc4dcb31f8eafd9fb299e |
memory/1100-216-0x000000001B940000-0x000000001B942000-memory.dmp
memory/3860-219-0x0000000007420000-0x0000000007421000-memory.dmp
memory/4060-220-0x000000001C8E0000-0x000000001CAC7000-memory.dmp
memory/4060-221-0x00000000010D0000-0x00000000010D1000-memory.dmp
memory/2976-222-0x0000000000000000-mapping.dmp
memory/1100-223-0x00000000014F0000-0x00000000014F6000-memory.dmp
memory/1100-224-0x0000000001560000-0x0000000001567000-memory.dmp
memory/1100-225-0x0000000001520000-0x0000000001526000-memory.dmp
memory/1100-226-0x0000000001530000-0x0000000001532000-memory.dmp
memory/1100-227-0x000000001B930000-0x000000001B932000-memory.dmp
memory/2740-228-0x0000000000000000-mapping.dmp
memory/4060-229-0x000000001BEC0000-0x000000001BEC2000-memory.dmp
memory/1100-230-0x000000001B942000-0x000000001B944000-memory.dmp
memory/1100-231-0x000000001B944000-0x000000001B945000-memory.dmp
memory/1100-232-0x000000001B945000-0x000000001B947000-memory.dmp
\Users\Admin\AppData\LocalLow\uS0wV5wY9qH3\nss3.dll
| MD5 | 02cc7b8ee30056d5912de54f1bdfc219 |
| SHA1 | a6923da95705fb81e368ae48f93d28522ef552fb |
| SHA256 | 1989526553fd1e1e49b0fea8036822ca062d3d39c4cab4a37846173d0f1753d5 |
| SHA512 | 0d5dfcf4fb19b27246fa799e339d67cd1b494427783f379267fb2d10d615ffb734711bab2c515062c078f990a44a36f2d15859b1dacd4143dcc35b5c0cee0ef5 |
\Users\Admin\AppData\LocalLow\uS0wV5wY9qH3\mozglue.dll
| MD5 | eae9273f8cdcf9321c6c37c244773139 |
| SHA1 | 8378e2a2f3635574c106eea8419b5eb00b8489b0 |
| SHA256 | a0c6630d4012ae0311ff40f4f06911bcf1a23f7a4762ce219b8dffa012d188cc |
| SHA512 | 06e43e484a89cea9ba9b9519828d38e7c64b040f44cdaeb321cbda574e7551b11fea139ce3538f387a0a39a3d8c4cba7f4cf03e4a3c98db85f8121c2212a9097 |
\Users\Admin\AppData\LocalLow\uS0wV5wY9qH3\softokn3.dll
| MD5 | 4e8df049f3459fa94ab6ad387f3561ac |
| SHA1 | 06ed392bc29ad9d5fc05ee254c2625fd65925114 |
| SHA256 | 25a4dae37120426ab060ebb39b7030b3e7c1093cc34b0877f223b6843b651871 |
| SHA512 | 3dd4a86f83465989b2b30c240a7307edd1b92d5c1d5c57d47eff287dc9daa7bace157017908d82e00be90f08ff5badb68019ffc9d881440229dcea5038f61cd6 |
\Users\Admin\AppData\LocalLow\uS0wV5wY9qH3\freebl3.dll
| MD5 | 60acd24430204ad2dc7f148b8cfe9bdc |
| SHA1 | 989f377b9117d7cb21cbe92a4117f88f9c7693d9 |
| SHA256 | 9876c53134dbbec4dcca67581f53638eba3fea3a15491aa3cf2526b71032da97 |
| SHA512 | 626c36e9567f57fa8ec9c36d96cbadede9c6f6734a7305ecfb9f798952bbacdfa33a1b6c4999ba5b78897dc2ec6f91870f7ec25b2ceacbaee4be942fe881db01 |
memory/1004-237-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\EngineDriverMaster.exe
| MD5 | 8d87235cc7ca1ba8ac22da5c6d5dfa22 |
| SHA1 | 4c992057524df70210d8f9706f5931d6496e645b |
| SHA256 | 813646e5b40be0e72d0e6b5e0bb1d8e2cf7a6bae0007b96fbf91da9c3d7e15f9 |
| SHA512 | 40127990c3de8c3ab625a7f495ad44fa9e279325ae20243aad4ae6fa5beb490ad9c6a03ee8fc27358dad922826d57c262be50fb9c59e1b8d7d2952a1f14a69ee |
memory/1524-253-0x0000000000000000-mapping.dmp
memory/1284-254-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe
| MD5 | 0da8a7ce212a4bce4ef2bbc06888feb8 |
| SHA1 | b1dd20967b8d14e634f5bf9025407eb41dd31c02 |
| SHA256 | a6ebeea56bff6c7defd5f8c1f8762c9d28dc2650911b3ab70bea47f86d133849 |
| SHA512 | 4eec5fe72a386a68274730fb4aee54ef059075f07933ce9ec08cc7a7ce32dfb5e1beb09461f0ede3601b5f95605eb36949a0b02707b26f8b64a16d550cb92d11 |
memory/2028-259-0x0000000000000000-mapping.dmp
memory/1004-260-0x000000001CC90000-0x000000001CC92000-memory.dmp
memory/1284-261-0x0000000001690000-0x0000000001692000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\44E4.exe
| MD5 | 6f89f4c0727ee98f5056839c492fc13f |
| SHA1 | bab3223bc4eda781998e4f7ce27f5e21aec6ab8b |
| SHA256 | eb782588d33bbbda006f677802b59b89e6f0bf6615ebfb0957b2a01ff8f2503a |
| SHA512 | 8ea43bf8a12912e4f3424bec506ac7ef9cbb5dfc0bc183833c3e2ab4a667e624f174faac1599424e5e0ad185c8e17b1c8d8bb501b4f521dfb2f7f1fb2a14873d |
memory/2888-268-0x000000000041C5E2-mapping.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\44E4.exe.log
| MD5 | 9e7845217df4a635ec4341c3d52ed685 |
| SHA1 | d65cb39d37392975b038ce503a585adadb805da5 |
| SHA256 | d60e596ed3d5c13dc9f1660e6d870d99487e1383891437645c4562a9ecaa8c9b |
| SHA512 | 307c3b4d4f2655bdeb177e7b9c981ca27513618903f02c120caa755c9da5a8dd03ebab660b56108a680720a97c1e9596692490aede18cc4bd77b9fc3d8e68aa1 |
memory/424-278-0x00000000074F3000-0x00000000074F4000-memory.dmp
memory/2888-279-0x0000000004DC0000-0x00000000053C6000-memory.dmp