Malware Analysis Report

2025-01-02 10:45

Sample ID 210920-lref4sgcam
Target d7c4b509210abd478046f8c8e2860851a824dfc89bd3502e285f0b00a1b25174
SHA256 d7c4b509210abd478046f8c8e2860851a824dfc89bd3502e285f0b00a1b25174
Tags
raccoon redline smokeloader lend udp backdoor discovery evasion infostealer persistence spyware stealer themida trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

d7c4b509210abd478046f8c8e2860851a824dfc89bd3502e285f0b00a1b25174

Threat Level: Known bad

The file d7c4b509210abd478046f8c8e2860851a824dfc89bd3502e285f0b00a1b25174 was found to be: Known bad.

Malicious Activity Summary

raccoon redline smokeloader lend udp backdoor discovery evasion infostealer persistence spyware stealer themida trojan

RedLine Payload

Raccoon

Process spawned unexpected child process

RedLine

Modifies WinLogon for persistence

SmokeLoader

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Executes dropped EXE

Downloads MZ/PE file

Loads dropped DLL

Reads user/profile data of web browsers

Themida packer

Checks BIOS information in registry

Deletes itself

Reads user/profile data of local email clients

Checks installed software on the system

Checks whether UAC is enabled

Looks up external IP address via web service

Adds Run key to start application

Accesses cryptocurrency files/wallets, possible credential harvesting

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Drops file in System32 directory

Drops file in Windows directory

Enumerates physical storage devices

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Checks SCSI registry key(s)

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Delays execution with timeout.exe

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of FindShellTrayWindow

Suspicious behavior: MapViewOfSection

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2021-09-20 09:45

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2021-09-20 09:45

Reported

2021-09-20 09:48

Platform

win10v20210408

Max time kernel

151s

Max time network

105s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d7c4b509210abd478046f8c8e2860851a824dfc89bd3502e285f0b00a1b25174.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\findstr\\dllhost.exe\", \"C:\\odt\\fontdrvhost.exe\", \"C:\\Users\\Default User\\smss.exe\"" C:\Users\Admin\AppData\Roaming\DriverRealtekHDmaster.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\findstr\\dllhost.exe\", \"C:\\odt\\fontdrvhost.exe\", \"C:\\Users\\Default User\\smss.exe\", \"C:\\Windows\\System32\\Windows.Internal.Bluetooth\\sihost.exe\", \"C:\\Windows\\bcastdvr\\dllhost.exe\", \"C:\\Recovery\\WindowsRE\\DriverRealtekHDmaster.exe\", \"C:\\Windows\\System32\\clip\\lsass.exe\"" C:\Users\Admin\AppData\Roaming\DriverRealtekHDmaster.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\findstr\\dllhost.exe\", \"C:\\odt\\fontdrvhost.exe\", \"C:\\Users\\Default User\\smss.exe\", \"C:\\Windows\\System32\\Windows.Internal.Bluetooth\\sihost.exe\", \"C:\\Windows\\bcastdvr\\dllhost.exe\", \"C:\\Recovery\\WindowsRE\\DriverRealtekHDmaster.exe\", \"C:\\Windows\\System32\\clip\\lsass.exe\", \"C:\\Boot\\fi-FI\\fontdrvhost.exe\"" C:\Users\Admin\AppData\Roaming\DriverRealtekHDmaster.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\findstr\\dllhost.exe\", \"C:\\odt\\fontdrvhost.exe\", \"C:\\Users\\Default User\\smss.exe\", \"C:\\Windows\\System32\\Windows.Internal.Bluetooth\\sihost.exe\", \"C:\\Windows\\bcastdvr\\dllhost.exe\", \"C:\\Recovery\\WindowsRE\\DriverRealtekHDmaster.exe\", \"C:\\Windows\\System32\\clip\\lsass.exe\", \"C:\\Boot\\fi-FI\\fontdrvhost.exe\", \"C:\\Windows\\System32\\jpnranker\\conhost.exe\"" C:\Users\Admin\AppData\Roaming\DriverRealtekHDmaster.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\findstr\\dllhost.exe\"" C:\Users\Admin\AppData\Roaming\DriverRealtekHDmaster.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\findstr\\dllhost.exe\", \"C:\\odt\\fontdrvhost.exe\"" C:\Users\Admin\AppData\Roaming\DriverRealtekHDmaster.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\findstr\\dllhost.exe\", \"C:\\odt\\fontdrvhost.exe\", \"C:\\Users\\Default User\\smss.exe\", \"C:\\Windows\\System32\\Windows.Internal.Bluetooth\\sihost.exe\"" C:\Users\Admin\AppData\Roaming\DriverRealtekHDmaster.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\findstr\\dllhost.exe\", \"C:\\odt\\fontdrvhost.exe\", \"C:\\Users\\Default User\\smss.exe\", \"C:\\Windows\\System32\\Windows.Internal.Bluetooth\\sihost.exe\", \"C:\\Windows\\bcastdvr\\dllhost.exe\"" C:\Users\Admin\AppData\Roaming\DriverRealtekHDmaster.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\findstr\\dllhost.exe\", \"C:\\odt\\fontdrvhost.exe\", \"C:\\Users\\Default User\\smss.exe\", \"C:\\Windows\\System32\\Windows.Internal.Bluetooth\\sihost.exe\", \"C:\\Windows\\bcastdvr\\dllhost.exe\", \"C:\\Recovery\\WindowsRE\\DriverRealtekHDmaster.exe\"" C:\Users\Admin\AppData\Roaming\DriverRealtekHDmaster.exe N/A

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

Raccoon

stealer raccoon

RedLine

infostealer redline

RedLine Payload

SmokeLoader

trojan backdoor smokeloader

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\E394.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\E394.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Windows\\System32\\clip\\lsass.exe\"" C:\Users\Admin\AppData\Roaming\DriverRealtekHDmaster.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\System32\\findstr\\dllhost.exe\"" C:\Users\Admin\AppData\Roaming\DriverRealtekHDmaster.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Users\\Default User\\smss.exe\"" C:\Users\Admin\AppData\Roaming\DriverRealtekHDmaster.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\bcastdvr\\dllhost.exe\"" C:\Users\Admin\AppData\Roaming\DriverRealtekHDmaster.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Boot\\fi-FI\\fontdrvhost.exe\"" C:\Users\Admin\AppData\Roaming\DriverRealtekHDmaster.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Windows\\System32\\jpnranker\\conhost.exe\"" C:\Users\Admin\AppData\Roaming\DriverRealtekHDmaster.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\System32\\findstr\\dllhost.exe\"" C:\Users\Admin\AppData\Roaming\DriverRealtekHDmaster.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\odt\\fontdrvhost.exe\"" C:\Users\Admin\AppData\Roaming\DriverRealtekHDmaster.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Users\\Default User\\smss.exe\"" C:\Users\Admin\AppData\Roaming\DriverRealtekHDmaster.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DriverRealtekHDmaster = "\"C:\\Recovery\\WindowsRE\\DriverRealtekHDmaster.exe\"" C:\Users\Admin\AppData\Roaming\DriverRealtekHDmaster.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Boot\\fi-FI\\fontdrvhost.exe\"" C:\Users\Admin\AppData\Roaming\DriverRealtekHDmaster.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\odt\\fontdrvhost.exe\"" C:\Users\Admin\AppData\Roaming\DriverRealtekHDmaster.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\sihost = "\"C:\\Windows\\System32\\Windows.Internal.Bluetooth\\sihost.exe\"" C:\Users\Admin\AppData\Roaming\DriverRealtekHDmaster.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sihost = "\"C:\\Windows\\System32\\Windows.Internal.Bluetooth\\sihost.exe\"" C:\Users\Admin\AppData\Roaming\DriverRealtekHDmaster.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\bcastdvr\\dllhost.exe\"" C:\Users\Admin\AppData\Roaming\DriverRealtekHDmaster.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\DriverRealtekHDmaster = "\"C:\\Recovery\\WindowsRE\\DriverRealtekHDmaster.exe\"" C:\Users\Admin\AppData\Roaming\DriverRealtekHDmaster.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Windows\\System32\\clip\\lsass.exe\"" C:\Users\Admin\AppData\Roaming\DriverRealtekHDmaster.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Windows\\System32\\jpnranker\\conhost.exe\"" C:\Users\Admin\AppData\Roaming\DriverRealtekHDmaster.exe N/A

Checks installed software on the system

discovery

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\E394.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\System32\findstr\dllhost.exe C:\Users\Admin\AppData\Roaming\DriverRealtekHDmaster.exe N/A
File created C:\Windows\System32\jpnranker\088424020bedd6b28ac7fd22ee35dcd7322895ce C:\Users\Admin\AppData\Roaming\DriverRealtekHDmaster.exe N/A
File opened for modification C:\Windows\System32\findstr\dllhost.exe C:\Users\Admin\AppData\Roaming\DriverRealtekHDmaster.exe N/A
File created C:\Windows\System32\findstr\5940a34987c99120d96dace90a3f93f329dcad63 C:\Users\Admin\AppData\Roaming\DriverRealtekHDmaster.exe N/A
File created C:\Windows\System32\Windows.Internal.Bluetooth\sihost.exe C:\Users\Admin\AppData\Roaming\DriverRealtekHDmaster.exe N/A
File created C:\Windows\System32\Windows.Internal.Bluetooth\66fc9ff0ee96c2b21f0cfded48750ae9e3032bf3 C:\Users\Admin\AppData\Roaming\DriverRealtekHDmaster.exe N/A
File created C:\Windows\System32\clip\lsass.exe C:\Users\Admin\AppData\Roaming\DriverRealtekHDmaster.exe N/A
File created C:\Windows\System32\clip\6203df4a6bafc7c328ee7f6f8ca0a8a838a8a1b9 C:\Users\Admin\AppData\Roaming\DriverRealtekHDmaster.exe N/A
File created C:\Windows\System32\jpnranker\conhost.exe C:\Users\Admin\AppData\Roaming\DriverRealtekHDmaster.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\E394.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\bcastdvr\dllhost.exe C:\Users\Admin\AppData\Roaming\DriverRealtekHDmaster.exe N/A
File created C:\Windows\bcastdvr\5940a34987c99120d96dace90a3f93f329dcad63 C:\Users\Admin\AppData\Roaming\DriverRealtekHDmaster.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\d7c4b509210abd478046f8c8e2860851a824dfc89bd3502e285f0b00a1b25174.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\d7c4b509210abd478046f8c8e2860851a824dfc89bd3502e285f0b00a1b25174.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\d7c4b509210abd478046f8c8e2860851a824dfc89bd3502e285f0b00a1b25174.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance N/A N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\d7c4b509210abd478046f8c8e2860851a824dfc89bd3502e285f0b00a1b25174.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d7c4b509210abd478046f8c8e2860851a824dfc89bd3502e285f0b00a1b25174.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\d7c4b509210abd478046f8c8e2860851a824dfc89bd3502e285f0b00a1b25174.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\837.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\837.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\837.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\E394.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ECDC.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\DriverRealtekHDmaster.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\DriverRealtekHDmaster.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\DriverRealtekHDmaster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\DriverMaster.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Windows.Internal.Bluetooth\sihost.exe N/A
Token: 33 N/A C:\Windows\System32\Windows.Internal.Bluetooth\sihost.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Windows.Internal.Bluetooth\sihost.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\837.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\EngineDriverMaster.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 804 wrote to memory of 904 N/A C:\Users\Admin\AppData\Local\Temp\d7c4b509210abd478046f8c8e2860851a824dfc89bd3502e285f0b00a1b25174.exe C:\Users\Admin\AppData\Local\Temp\d7c4b509210abd478046f8c8e2860851a824dfc89bd3502e285f0b00a1b25174.exe
PID 804 wrote to memory of 904 N/A C:\Users\Admin\AppData\Local\Temp\d7c4b509210abd478046f8c8e2860851a824dfc89bd3502e285f0b00a1b25174.exe C:\Users\Admin\AppData\Local\Temp\d7c4b509210abd478046f8c8e2860851a824dfc89bd3502e285f0b00a1b25174.exe
PID 804 wrote to memory of 904 N/A C:\Users\Admin\AppData\Local\Temp\d7c4b509210abd478046f8c8e2860851a824dfc89bd3502e285f0b00a1b25174.exe C:\Users\Admin\AppData\Local\Temp\d7c4b509210abd478046f8c8e2860851a824dfc89bd3502e285f0b00a1b25174.exe
PID 804 wrote to memory of 904 N/A C:\Users\Admin\AppData\Local\Temp\d7c4b509210abd478046f8c8e2860851a824dfc89bd3502e285f0b00a1b25174.exe C:\Users\Admin\AppData\Local\Temp\d7c4b509210abd478046f8c8e2860851a824dfc89bd3502e285f0b00a1b25174.exe
PID 804 wrote to memory of 904 N/A C:\Users\Admin\AppData\Local\Temp\d7c4b509210abd478046f8c8e2860851a824dfc89bd3502e285f0b00a1b25174.exe C:\Users\Admin\AppData\Local\Temp\d7c4b509210abd478046f8c8e2860851a824dfc89bd3502e285f0b00a1b25174.exe
PID 804 wrote to memory of 904 N/A C:\Users\Admin\AppData\Local\Temp\d7c4b509210abd478046f8c8e2860851a824dfc89bd3502e285f0b00a1b25174.exe C:\Users\Admin\AppData\Local\Temp\d7c4b509210abd478046f8c8e2860851a824dfc89bd3502e285f0b00a1b25174.exe
PID 3044 wrote to memory of 2676 N/A N/A C:\Users\Admin\AppData\Local\Temp\E394.exe
PID 3044 wrote to memory of 2676 N/A N/A C:\Users\Admin\AppData\Local\Temp\E394.exe
PID 3044 wrote to memory of 2676 N/A N/A C:\Users\Admin\AppData\Local\Temp\E394.exe
PID 3044 wrote to memory of 4092 N/A N/A C:\Users\Admin\AppData\Local\Temp\ECDC.exe
PID 3044 wrote to memory of 4092 N/A N/A C:\Users\Admin\AppData\Local\Temp\ECDC.exe
PID 3044 wrote to memory of 4092 N/A N/A C:\Users\Admin\AppData\Local\Temp\ECDC.exe
PID 3044 wrote to memory of 512 N/A N/A C:\Users\Admin\AppData\Local\Temp\F365.exe
PID 3044 wrote to memory of 512 N/A N/A C:\Users\Admin\AppData\Local\Temp\F365.exe
PID 3044 wrote to memory of 512 N/A N/A C:\Users\Admin\AppData\Local\Temp\F365.exe
PID 3044 wrote to memory of 744 N/A N/A C:\Users\Admin\AppData\Local\Temp\24B.exe
PID 3044 wrote to memory of 744 N/A N/A C:\Users\Admin\AppData\Local\Temp\24B.exe
PID 3044 wrote to memory of 744 N/A N/A C:\Users\Admin\AppData\Local\Temp\24B.exe
PID 3044 wrote to memory of 2452 N/A N/A C:\Users\Admin\AppData\Local\Temp\837.exe
PID 3044 wrote to memory of 2452 N/A N/A C:\Users\Admin\AppData\Local\Temp\837.exe
PID 3044 wrote to memory of 2452 N/A N/A C:\Users\Admin\AppData\Local\Temp\837.exe
PID 2452 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\837.exe C:\ProgramData\ZZZZZ.exe
PID 2452 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\837.exe C:\ProgramData\ZZZZZ.exe
PID 2452 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\837.exe C:\ProgramData\ZZZZZ.exe
PID 2952 wrote to memory of 2920 N/A C:\ProgramData\ZZZZZ.exe C:\Windows\SysWOW64\cmd.exe
PID 2952 wrote to memory of 2920 N/A C:\ProgramData\ZZZZZ.exe C:\Windows\SysWOW64\cmd.exe
PID 2952 wrote to memory of 2920 N/A C:\ProgramData\ZZZZZ.exe C:\Windows\SysWOW64\cmd.exe
PID 2952 wrote to memory of 2876 N/A C:\ProgramData\ZZZZZ.exe C:\Windows\SysWOW64\cmd.exe
PID 2952 wrote to memory of 2876 N/A C:\ProgramData\ZZZZZ.exe C:\Windows\SysWOW64\cmd.exe
PID 2952 wrote to memory of 2876 N/A C:\ProgramData\ZZZZZ.exe C:\Windows\SysWOW64\cmd.exe
PID 2452 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\837.exe C:\Users\Admin\AppData\Local\Temp\837.exe
PID 2452 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\837.exe C:\Users\Admin\AppData\Local\Temp\837.exe
PID 2452 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\837.exe C:\Users\Admin\AppData\Local\Temp\837.exe
PID 2452 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\837.exe C:\Users\Admin\AppData\Local\Temp\837.exe
PID 2452 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\837.exe C:\Users\Admin\AppData\Local\Temp\837.exe
PID 2452 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\837.exe C:\Users\Admin\AppData\Local\Temp\837.exe
PID 2452 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\837.exe C:\Users\Admin\AppData\Local\Temp\837.exe
PID 2452 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\837.exe C:\Users\Admin\AppData\Local\Temp\837.exe
PID 2920 wrote to memory of 3808 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\DriverRealtekHDmaster.exe
PID 2920 wrote to memory of 3808 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\DriverRealtekHDmaster.exe
PID 2876 wrote to memory of 1544 N/A C:\Windows\system32\schtasks.exe C:\Users\Admin\AppData\Local\Temp\DriverMaster.exe
PID 2876 wrote to memory of 1544 N/A C:\Windows\system32\schtasks.exe C:\Users\Admin\AppData\Local\Temp\DriverMaster.exe
PID 3808 wrote to memory of 4004 N/A C:\Users\Admin\AppData\Roaming\DriverRealtekHDmaster.exe C:\Windows\System32\Windows.Internal.Bluetooth\sihost.exe
PID 3808 wrote to memory of 4004 N/A C:\Users\Admin\AppData\Roaming\DriverRealtekHDmaster.exe C:\Windows\System32\Windows.Internal.Bluetooth\sihost.exe
PID 1544 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\DriverMaster.exe C:\Windows\System32\cmd.exe
PID 1544 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\DriverMaster.exe C:\Windows\System32\cmd.exe
PID 2340 wrote to memory of 3824 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2340 wrote to memory of 3824 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 1544 wrote to memory of 856 N/A C:\Users\Admin\AppData\Local\Temp\DriverMaster.exe C:\Users\Admin\AppData\Local\Temp\EngineDriverMaster.exe
PID 1544 wrote to memory of 856 N/A C:\Users\Admin\AppData\Local\Temp\DriverMaster.exe C:\Users\Admin\AppData\Local\Temp\EngineDriverMaster.exe
PID 856 wrote to memory of 744 N/A C:\Users\Admin\AppData\Local\Temp\EngineDriverMaster.exe C:\Windows\System32\cmd.exe
PID 856 wrote to memory of 744 N/A C:\Users\Admin\AppData\Local\Temp\EngineDriverMaster.exe C:\Windows\System32\cmd.exe
PID 856 wrote to memory of 3876 N/A C:\Users\Admin\AppData\Local\Temp\EngineDriverMaster.exe C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe
PID 856 wrote to memory of 3876 N/A C:\Users\Admin\AppData\Local\Temp\EngineDriverMaster.exe C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe
PID 744 wrote to memory of 3452 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 744 wrote to memory of 3452 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 512 wrote to memory of 4048 N/A C:\Users\Admin\AppData\Local\Temp\F365.exe C:\Windows\SysWOW64\cmd.exe
PID 512 wrote to memory of 4048 N/A C:\Users\Admin\AppData\Local\Temp\F365.exe C:\Windows\SysWOW64\cmd.exe
PID 512 wrote to memory of 4048 N/A C:\Users\Admin\AppData\Local\Temp\F365.exe C:\Windows\SysWOW64\cmd.exe
PID 4048 wrote to memory of 2952 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 4048 wrote to memory of 2952 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 4048 wrote to memory of 2952 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe

Processes

C:\Users\Admin\AppData\Local\Temp\d7c4b509210abd478046f8c8e2860851a824dfc89bd3502e285f0b00a1b25174.exe

"C:\Users\Admin\AppData\Local\Temp\d7c4b509210abd478046f8c8e2860851a824dfc89bd3502e285f0b00a1b25174.exe"

C:\Users\Admin\AppData\Local\Temp\d7c4b509210abd478046f8c8e2860851a824dfc89bd3502e285f0b00a1b25174.exe

"C:\Users\Admin\AppData\Local\Temp\d7c4b509210abd478046f8c8e2860851a824dfc89bd3502e285f0b00a1b25174.exe"

C:\Users\Admin\AppData\Local\Temp\E394.exe

C:\Users\Admin\AppData\Local\Temp\E394.exe

C:\Users\Admin\AppData\Local\Temp\ECDC.exe

C:\Users\Admin\AppData\Local\Temp\ECDC.exe

C:\Users\Admin\AppData\Local\Temp\F365.exe

C:\Users\Admin\AppData\Local\Temp\F365.exe

C:\Users\Admin\AppData\Local\Temp\24B.exe

C:\Users\Admin\AppData\Local\Temp\24B.exe

C:\Users\Admin\AppData\Local\Temp\837.exe

C:\Users\Admin\AppData\Local\Temp\837.exe

C:\ProgramData\ZZZZZ.exe

"C:\ProgramData\ZZZZZ.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c start C:\Users\Admin\AppData\Roaming\DriverRealtekHDmaster.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c start C:\Users\Admin\AppData\Local\Temp\DriverMaster.exe

C:\Users\Admin\AppData\Local\Temp\837.exe

"C:\Users\Admin\AppData\Local\Temp\837.exe"

C:\Users\Admin\AppData\Roaming\DriverRealtekHDmaster.exe

C:\Users\Admin\AppData\Roaming\DriverRealtekHDmaster.exe

C:\Users\Admin\AppData\Local\Temp\DriverMaster.exe

C:\Users\Admin\AppData\Local\Temp\DriverMaster.exe

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\System32\findstr\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\odt\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Default User\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Windows\System32\Windows.Internal.Bluetooth\sihost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\bcastdvr\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "DriverRealtekHDmaster" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\DriverRealtekHDmaster.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\System32\clip\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Boot\fi-FI\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\System32\jpnranker\conhost.exe'" /rl HIGHEST /f

C:\Windows\System32\Windows.Internal.Bluetooth\sihost.exe

"C:\Windows\System32\Windows.Internal.Bluetooth\sihost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "EngineDriverMaster" /tr '"C:\Users\Admin\AppData\Local\Temp\EngineDriverMaster.exe"' & exit

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "EngineDriverMaster" /tr '"C:\Users\Admin\AppData\Local\Temp\EngineDriverMaster.exe"'

C:\Users\Admin\AppData\Local\Temp\EngineDriverMaster.exe

"C:\Users\Admin\AppData\Local\Temp\EngineDriverMaster.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "EngineDriverMaster" /tr '"C:\Users\Admin\AppData\Local\Temp\EngineDriverMaster.exe"' & exit

C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe"

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "EngineDriverMaster" /tr '"C:\Users\Admin\AppData\Local\Temp\EngineDriverMaster.exe"'

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\F365.exe"

C:\Windows\SysWOW64\timeout.exe

timeout /T 10 /NOBREAK
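
The schtasks lines above give this sample's persistence a recognisable shape: six `/create ... /sc ONLOGON /rl HIGHEST` tasks whose names are borrowed from Windows binaries (sihost, dllhost, lsass, fontdrvhost, conhost) but whose actions point at copies outside the directory Windows runs those binaries from, two more for EngineDriverMaster.exe in the user's Temp directory, and a final `timeout /T 10 ... & Del` that removes the dropper after a delay. The Python below is an added triage example written for this report; it is not part of the sandbox output or of the malware. It parses the captured command lines (both quoting styles the sandbox recorded, bare or wrapped in `cmd.exe /c`), flags the name masquerading and the elevated logon tasks, and recognises the delayed self-delete. The canonical-directory allow-list and the set of unusual path fragments are assumptions an analyst would maintain, not data from the report.

```python
import re
from dataclasses import dataclass, field

# Directory Windows runs these binaries from; the sample reuses their names for
# its own payloads. Assumption: analyst-maintained list, not data from the report.
CANONICAL_DIR = {
    name: "c:\\windows\\system32"
    for name in ("sihost.exe", "dllhost.exe", "lsass.exe", "conhost.exe", "fontdrvhost.exe")
}
# Path fragments a logon task should not point into (assumption, as above).
UNUSUAL_DIRS = ("\\appdata\\", "\\programdata\\", "c:\\recovery\\", "c:\\boot\\")

# The /tr value as the sandbox captured it: either "'path'" or '"path"'.
TR_RE = re.compile(r"/tr\s+[\"']+([^\"']+)[\"']+", re.I)
OPT_RE = {
    "name": re.compile(r"/tn\s+\"?([^\"\s]+)\"?", re.I),
    "schedule": re.compile(r"/sc\s+(\S+)", re.I),
    "run_level": re.compile(r"/rl\s+(\S+)", re.I),
}
# cmd.exe /C timeout /T <n> /NOBREAK > Nul & Del /f /q "<dropper>"
SELF_DELETE_RE = re.compile(
    r"timeout\s+/t\s+(\d+).*?&\s*del\s+(?:/\w\s+)*\"?([^\"]+?\.exe)\"?", re.I)

@dataclass
class Task:
    name: str
    schedule: str
    run_level: str
    target: str
    findings: list = field(default_factory=list)

def assess(task):
    """Heuristics matching what this sample does with its logon tasks."""
    findings = []
    low = task.target.lower()
    parent, _, base = low.rpartition("\\")
    expected = CANONICAL_DIR.get(base)
    if expected and parent != expected:
        findings.append(f"masquerade: {base} runs from {parent}, not {expected}")
    if any(frag in low for frag in UNUSUAL_DIRS):
        findings.append("action lives in a user-writable or unusual directory")
    if task.schedule.upper() == "ONLOGON" and task.run_level.upper() == "HIGHEST":
        findings.append("ONLOGON task at highest run level")
    return findings

def parse_schtasks(cmdline):
    """Task for a `schtasks /create` command line (bare or wrapped in cmd.exe /c),
    None for anything else."""
    if not re.search(r"schtasks(?:\.exe)?\s+/create", cmdline, re.I):
        return None
    hit = TR_RE.search(cmdline)
    opts = {}
    for key, rx in OPT_RE.items():
        m = rx.search(cmdline)
        opts[key] = m.group(1) if m else ""
    task = Task(target=hit.group(1) if hit else "", **opts)
    task.findings = assess(task)
    return task

def detect_self_delete(cmdline):
    """(delay_seconds, deleted_path) for the timeout-then-del pattern, else None."""
    m = SELF_DELETE_RE.search(cmdline)
    return (int(m.group(1)), m.group(2)) if m else None

def triage(cmdlines):
    """Run both detectors over a list of captured command lines."""
    tasks = [t for t in map(parse_schtasks, cmdlines) if t]
    deletes = [d for d in map(detect_self_delete, cmdlines) if d]
    return tasks, deletes

# Command lines copied from the Command Line section above.
REPORT_CMDLINES = [
    r"""schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Windows\System32\Windows.Internal.Bluetooth\sihost.exe'" /rl HIGHEST /f""",
    r"""schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\bcastdvr\dllhost.exe'" /rl HIGHEST /f""",
    r"""schtasks.exe /create /tn "DriverRealtekHDmaster" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\DriverRealtekHDmaster.exe'" /rl HIGHEST /f""",
    r"""schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\System32\clip\lsass.exe'" /rl HIGHEST /f""",
    r"""schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Boot\fi-FI\fontdrvhost.exe'" /rl HIGHEST /f""",
    r"""schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\System32\jpnranker\conhost.exe'" /rl HIGHEST /f""",
    r'''"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "EngineDriverMaster" /tr '"C:\Users\Admin\AppData\Local\Temp\EngineDriverMaster.exe"' & exit''',
    r"""schtasks /create /f /sc onlogon /rl highest /tn "EngineDriverMaster" /tr '"C:\Users\Admin\AppData\Local\Temp\EngineDriverMaster.exe"'""",
    r'''cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\F365.exe"''',
]

if __name__ == "__main__":
    tasks, deletes = triage(REPORT_CMDLINES)
    for t in tasks:
        print(f"[{t.name}] /sc {t.schedule} /rl {t.run_level} -> {t.target}")
        for finding in t.findings:
            print("    -", finding)
    for delay, path in deletes:
        print(f"self-delete after {delay}s: {path}")
```

The same heuristics apply to Security event 4698 (task created) or Sysmon process-creation records on a live host; the masquerade check is the one that survives renaming, because Windows never runs lsass.exe from System32\clip or fontdrvhost.exe from C:\Boot.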

Network

Country Destination Domain Proto
US 8.8.8.8:53 venerynnet1.top udp
US 8.8.8.8:53 kevonahira2.top udp
RU 45.144.67.29:80 kevonahira2.top tcp
RU 45.144.67.29:80 kevonahira2.top tcp
RU 45.144.67.29:80 kevonahira2.top tcp
RU 45.144.67.29:80 kevonahira2.top tcp
RU 45.144.67.29:80 kevonahira2.top tcp
RU 45.144.67.29:80 kevonahira2.top tcp
RU 45.144.67.29:80 kevonahira2.top tcp
RU 45.144.67.29:80 kevonahira2.top tcp
NL 193.56.146.36:80 193.56.146.36 tcp
RU 45.144.67.29:80 kevonahira2.top tcp
RU 45.144.67.29:80 kevonahira2.top tcp
RU 45.144.67.29:80 kevonahira2.top tcp
RU 45.144.67.29:80 kevonahira2.top tcp
RU 45.144.67.29:80 kevonahira2.top tcp
RU 45.144.67.29:80 kevonahira2.top tcp
NL 190.2.145.108:12608 - tcp
RU 45.144.67.29:80 kevonahira2.top tcp
RU 45.9.20.20:13441 - tcp
RU 45.144.67.29:80 kevonahira2.top tcp
RU 45.144.67.29:80 kevonahira2.top tcp
RU 45.144.67.29:80 kevonahira2.top tcp
RU 45.144.67.29:80 kevonahira2.top tcp
US 8.8.8.8:53 telete.in udp
RU 45.144.67.29:80 kevonahira2.top tcp
DE 195.201.225.248:443 telete.in tcp
RU 45.144.67.29:80 kevonahira2.top tcp
RU 45.144.67.29:80 kevonahira2.top tcp
RU 45.144.67.29:80 kevonahira2.top tcp
RU 45.144.67.29:80 kevonahira2.top tcp
FR 176.31.32.198:80 176.31.32.198 tcp
US 8.8.8.8:53 api.ip.sb udp
US 104.26.12.31:443 api.ip.sb tcp
US 104.26.12.31:443 api.ip.sb tcp
DE 74.119.192.122:80 74.119.192.122 tcp
RU 94.26.249.88:32478 - tcp
RU 62.109.1.30:80 62.109.1.30 tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 104.26.12.31:443 api.ip.sb tcp
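
Forty-one rows are enough to hide the pattern. The Python below is an added example written for this report, not part of the sandbox output: it parses the table exactly as printed (rows for bare IP:port connections carry no Domain value), separates the DNS lookups from the TCP sessions, maps each domain to the address it resolved to, and pulls out what a responder acts on: the 24 repeated HTTP sessions to 45.144.67.29, the three connections on non-standard ports, the domain that was resolved but never contacted, and the public IP-lookup services behind the "Looks up external IP address via web service" signature. The set of IP-lookup services and the set of expected ports are assumptions, not report data.

```python
from collections import Counter, defaultdict

# Rows copied from the Network table above. Rows with no Domain value (bare
# IP:port connections) have only three fields.
NETWORK_ROWS = """\
US 8.8.8.8:53 venerynnet1.top udp
US 8.8.8.8:53 kevonahira2.top udp
RU 45.144.67.29:80 kevonahira2.top tcp
RU 45.144.67.29:80 kevonahira2.top tcp
RU 45.144.67.29:80 kevonahira2.top tcp
RU 45.144.67.29:80 kevonahira2.top tcp
RU 45.144.67.29:80 kevonahira2.top tcp
RU 45.144.67.29:80 kevonahira2.top tcp
RU 45.144.67.29:80 kevonahira2.top tcp
RU 45.144.67.29:80 kevonahira2.top tcp
NL 193.56.146.36:80 193.56.146.36 tcp
RU 45.144.67.29:80 kevonahira2.top tcp
RU 45.144.67.29:80 kevonahira2.top tcp
RU 45.144.67.29:80 kevonahira2.top tcp
RU 45.144.67.29:80 kevonahira2.top tcp
RU 45.144.67.29:80 kevonahira2.top tcp
RU 45.144.67.29:80 kevonahira2.top tcp
NL 190.2.145.108:12608 tcp
RU 45.144.67.29:80 kevonahira2.top tcp
RU 45.9.20.20:13441 tcp
RU 45.144.67.29:80 kevonahira2.top tcp
RU 45.144.67.29:80 kevonahira2.top tcp
RU 45.144.67.29:80 kevonahira2.top tcp
RU 45.144.67.29:80 kevonahira2.top tcp
US 8.8.8.8:53 telete.in udp
RU 45.144.67.29:80 kevonahira2.top tcp
DE 195.201.225.248:443 telete.in tcp
RU 45.144.67.29:80 kevonahira2.top tcp
RU 45.144.67.29:80 kevonahira2.top tcp
RU 45.144.67.29:80 kevonahira2.top tcp
RU 45.144.67.29:80 kevonahira2.top tcp
FR 176.31.32.198:80 176.31.32.198 tcp
US 8.8.8.8:53 api.ip.sb udp
US 104.26.12.31:443 api.ip.sb tcp
US 104.26.12.31:443 api.ip.sb tcp
DE 74.119.192.122:80 74.119.192.122 tcp
RU 94.26.249.88:32478 tcp
RU 62.109.1.30:80 62.109.1.30 tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 104.26.12.31:443 api.ip.sb tcp
"""
# Assumptions, not report data: public IP-lookup services and ports expected here.
IP_LOOKUP_SERVICES = {"api.ip.sb", "ip-api.com"}
EXPECTED_PORTS = {53, 80, 443}

def parse_rows(text):
    """Rows -> dicts. A missing, '-' or bare-IP Domain column becomes ''."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            country, dest, proto = parts
            domain = ""
        else:
            continue
        ip, port = dest.rsplit(":", 1)
        conns.append({"country": country, "ip": ip, "port": int(port), "proto": proto,
                      "domain": "" if domain in ("-", ip) else domain})
    return conns

def summarize(conns):
    """The facts a responder wants from a beacon-heavy table."""
    tcp = [c for c in conns if c["proto"] == "tcp"]
    dns = sorted({c["domain"] for c in conns if c["proto"] == "udp" and c["port"] == 53})
    resolved = defaultdict(set)          # domain -> addresses actually connected to
    for c in tcp:
        if c["domain"]:
            resolved[c["domain"]].add(c["ip"])
    return {
        "dns_queries": dns,
        "resolved": {d: sorted(ips) for d, ips in resolved.items()},
        "queried_not_contacted": [d for d in dns if d not in resolved],
        "top_tcp": Counter((c["ip"], c["port"]) for c in tcp).most_common(1)[0],
        "nonstandard_ports": sorted({(c["ip"], c["port"]) for c in tcp if c["port"] not in EXPECTED_PORTS}),
        "direct_ip": sorted({(c["ip"], c["port"]) for c in tcp if not c["domain"]}),
        "ip_lookup_services": sorted({c["domain"] for c in tcp if c["domain"] in IP_LOOKUP_SERVICES}),
    }

def blocklist(conns):
    """Contacted IP:port pairs and queried domains, minus the resolver and the
    public IP-lookup services. Review before deploying."""
    ips = sorted({f"{c['ip']}:{c['port']}" for c in conns if c["proto"] == "tcp" and c["domain"] not in IP_LOOKUP_SERVICES})
    domains = sorted({c["domain"] for c in conns if c["domain"] and c["domain"] not in IP_LOOKUP_SERVICES})
    return ips, domains

if __name__ == "__main__":
    conns = parse_rows(NETWORK_ROWS)
    print(summarize(conns))
    print(blocklist(conns))
```

blocklist() is a starting point, not a finished rule set: it drops the resolver and the two IP-lookup services, but a domain the sample contacts only to fetch configuration from a public service is not necessarily attacker-controlled, so vet each entry before pushing it to a firewall or DNS sinkhole.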

Files

memory/904-114-0x0000000000400000-0x0000000000408000-memory.dmp

memory/904-115-0x0000000000402DCE-mapping.dmp

memory/804-116-0x0000000000030000-0x0000000000039000-memory.dmp

memory/3044-117-0x0000000000F70000-0x0000000000F85000-memory.dmp

memory/2676-118-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\E394.exe

MD5 9b739fca61cbe5a22bfe0b77cce75697
SHA1 386760ae9e2cea9bf737e48d0d77c5b29ae9b1bd
SHA256 c59cecf273089ec7e37fcc7a55b135067644dc3bd90abb4c6f81d9fd63744201
SHA512 06377ab9e2e666bef740c8c1e7c194d38d60457728efb109bf59e1fbd5a23661acaafae90b7b230d43f067eb5bf806e8cc2eac8d12104d6c14bbac8e39ddb7fc

memory/2676-122-0x0000000076EA0000-0x000000007702E000-memory.dmp

memory/2676-123-0x0000000000F00000-0x0000000000F01000-memory.dmp

memory/2676-125-0x00000000057F0000-0x00000000057F1000-memory.dmp

memory/4092-126-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\ECDC.exe

MD5 fb5b06b26fcd1557db1a0af27c8b4eca
SHA1 a4b0429f9130b64f7603bd1a5d5fc4ae9327f7d1
SHA256 909316dede195efa80f9345c3f7851fc2559abe0d9a30342f3e20edfa161f873
SHA512 555e510e7f81885f59df83395a6171121748177fcc6c9670bec813581363983dcde61ac4c08ebd4976e0a752961801ec34ae69662ee6d60abeebc206a005c4bd

memory/2676-129-0x0000000002DC0000-0x0000000002DC1000-memory.dmp

memory/2676-130-0x00000000051E0000-0x00000000051E1000-memory.dmp

memory/2676-131-0x0000000005030000-0x0000000005031000-memory.dmp

memory/2676-132-0x00000000051D0000-0x00000000051D1000-memory.dmp

memory/512-133-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\F365.exe

MD5 0be1df1b8b528ea610da0b59e70cc74e
SHA1 201048738b0975aa0bb8ddedda262a8c9b7ec17d
SHA256 16b377f7277dee8f7edf8bbec69025c7273b33a3ca24eabaf22aaf41ce06dab9
SHA512 91385b1813c85ed146b0ae7a4ad05688a07918b89793e55e5a86f412842b2ebbe859ad62bc8f83f964017986933cb323696591cc39aec8c61d22c6b6cae77df6

memory/2676-136-0x0000000005070000-0x0000000005071000-memory.dmp

memory/4092-138-0x00000000022A0000-0x00000000022BF000-memory.dmp

memory/4092-139-0x0000000000400000-0x0000000000460000-memory.dmp

memory/4092-140-0x0000000002690000-0x0000000002691000-memory.dmp

memory/4092-137-0x0000000000790000-0x00000000007C0000-memory.dmp

memory/4092-142-0x0000000002692000-0x0000000002693000-memory.dmp

memory/4092-141-0x0000000004B50000-0x0000000004B51000-memory.dmp

memory/4092-143-0x0000000002693000-0x0000000002694000-memory.dmp

memory/4092-144-0x00000000023F0000-0x000000000240E000-memory.dmp

memory/512-151-0x0000000006570000-0x000000000A64F000-memory.dmp

memory/4092-150-0x0000000002694000-0x0000000002696000-memory.dmp

memory/512-152-0x0000000000400000-0x0000000004605000-memory.dmp

memory/744-153-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\24B.exe

MD5 cf978064b4209388a67a9fc8d8304559
SHA1 31b74b3f4bb510736d4756a45f7a098c47552e33
SHA256 487f7c670fd41c29794ecf4577efba0790553a1b4895f85a54ac42d2e1f546bd
SHA512 7291c032db21b002df75cf1724f864056a47873bc46442a0fb4f0f4a230d5a77efe7ee6e523b7bb6e71eda8942455c3c2be40fc9cae3b56acb1dfe0ab7ae88cd

memory/2452-156-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\837.exe

MD5 2bb0fdee239257799fd8c427dad0b3a5
SHA1 456210504dc055b9fbbface0ac7d51e65f40fd90
SHA256 75ddb7c0668c694e2b36817e3eb2c4ddb720fd68f8cc2214a943d423dde171c0
SHA512 f4def1d023d56b9d71d0c7ea35665dfc709b90e7163a7dd5d4074dabaf773818891fe7ef055d00645b911c533e828a66c4070f4fcc7a539ad88dd909cec92bc0

memory/2452-159-0x0000000000020000-0x0000000000021000-memory.dmp

memory/2452-161-0x0000000004900000-0x0000000004901000-memory.dmp

memory/2452-162-0x0000000004B60000-0x0000000004B61000-memory.dmp

memory/744-163-0x0000000000970000-0x0000000000A00000-memory.dmp

memory/744-164-0x0000000000400000-0x0000000000493000-memory.dmp

memory/2676-165-0x0000000006A40000-0x0000000006A41000-memory.dmp

memory/2676-167-0x0000000007140000-0x0000000007141000-memory.dmp

memory/2952-169-0x0000000000000000-mapping.dmp

C:\ProgramData\ZZZZZ.exe

MD5 d5d4f07e59ffad621f322b68c12e411e
SHA1 c29e234e8ecf6eeaa4b6f6fead0f69d14865805a
SHA256 42506f9e15ffdab6fce67556b602075ff779e2e84c6a40058a3941f0f71071b2
SHA512 b8faf0ae840a3096ecfe62284c5a6a81ea17c1fa7ab62bdd7281afd15154b62ee35f1ecf4401d8c89ebc5128cba10536b6043e7094633f5b4d9303136591cd1e

memory/2920-172-0x0000000000000000-mapping.dmp

memory/2452-174-0x0000000005AD0000-0x0000000005AED000-memory.dmp

memory/2912-175-0x0000000000400000-0x0000000000422000-memory.dmp

memory/2876-173-0x0000000000000000-mapping.dmp

memory/2912-176-0x000000000041C5C6-mapping.dmp

memory/3808-179-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\DriverRealtekHDmaster.exe

MD5 fbdc90a57978628f46593258cf59e1eb
SHA1 ac3361f6e6b15e31f7652f6b34a767adaf97e442
SHA256 afda4dc1bd63a2f99314a24bb7f8819712a1d708099de7c7473322ed3f7b114e
SHA512 947f2b7417b8849d43c1eaecb03d8bcfe6bfefceeaa605404cfff9f1e3976ce2d2a64f20a989f7da081e30e59113a55f6d525c014e2fc4dcb31f8eafd9fb299e

memory/2676-178-0x0000000006C10000-0x0000000006C11000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\837.exe.log

MD5 d6f3d3ca17bf02d595a877bb35dd4acb
SHA1 af325d8a34c8b1fe855eefe617a731bdaf21dcb1
SHA256 b1e5516dd59805ff5247fb26bee630ad14073ec1d2e7aa4a98ea6a2c0de0cca8
SHA512 d30f3ab293c26e96bb26b925f7992c32cfb5f78d872084541be7f93227bd6867af96dc9c442009ce78b3844e13e2260a8422b46e8aa3f8e1faebae0b258cd89e

memory/4092-182-0x0000000006FE0000-0x0000000006FE1000-memory.dmp

memory/3808-187-0x0000000000390000-0x0000000000391000-memory.dmp

memory/1544-193-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\DriverMaster.exe

MD5 8d87235cc7ca1ba8ac22da5c6d5dfa22
SHA1 4c992057524df70210d8f9706f5931d6496e645b
SHA256 813646e5b40be0e72d0e6b5e0bb1d8e2cf7a6bae0007b96fbf91da9c3d7e15f9
SHA512 40127990c3de8c3ab625a7f495ad44fa9e279325ae20243aad4ae6fa5beb490ad9c6a03ee8fc27358dad922826d57c262be50fb9c59e1b8d7d2952a1f14a69ee

memory/2676-198-0x0000000006960000-0x0000000006961000-memory.dmp

memory/1544-197-0x0000000000C00000-0x0000000000C01000-memory.dmp

memory/2912-201-0x0000000005080000-0x0000000005686000-memory.dmp

memory/3808-202-0x000000001B170000-0x000000001B172000-memory.dmp

memory/1544-204-0x000000001CCB0000-0x000000001CE99000-memory.dmp

\Users\Admin\AppData\LocalLow\sqlite3.dll

MD5 f964811b68f9f1487c2b41e1aef576ce
SHA1 b423959793f14b1416bc3b7051bed58a1034025f
SHA256 83bc57dcf282264f2b00c21ce0339eac20fcb7401f7c5472c0cd0c014844e5f7
SHA512 565b1a7291c6fcb63205907fcd9e72fc2e11ca945afc4468c378edba882e2f314c2ac21a7263880ff7d4b84c2a1678024c1ac9971ac1c1de2bfa4248ec0f98c4

memory/1544-209-0x000000001CEA0000-0x000000001D087000-memory.dmp

memory/1544-210-0x000000001C370000-0x000000001C371000-memory.dmp

memory/4004-211-0x0000000000000000-mapping.dmp

C:\Windows\System32\Windows.Internal.Bluetooth\sihost.exe

MD5 fbdc90a57978628f46593258cf59e1eb
SHA1 ac3361f6e6b15e31f7652f6b34a767adaf97e442
SHA256 afda4dc1bd63a2f99314a24bb7f8819712a1d708099de7c7473322ed3f7b114e
SHA512 947f2b7417b8849d43c1eaecb03d8bcfe6bfefceeaa605404cfff9f1e3976ce2d2a64f20a989f7da081e30e59113a55f6d525c014e2fc4dcb31f8eafd9fb299e

memory/2340-216-0x0000000000000000-mapping.dmp

memory/1544-217-0x0000000001B10000-0x0000000001B12000-memory.dmp

memory/4004-218-0x000000001BAC0000-0x000000001BAC2000-memory.dmp

memory/3824-219-0x0000000000000000-mapping.dmp

memory/4004-220-0x0000000001120000-0x0000000001126000-memory.dmp

memory/4004-221-0x0000000001150000-0x0000000001157000-memory.dmp

memory/4004-222-0x0000000001190000-0x0000000001196000-memory.dmp

\Users\Admin\AppData\LocalLow\uS0wV5wY9qH3\nss3.dll

MD5 02cc7b8ee30056d5912de54f1bdfc219
SHA1 a6923da95705fb81e368ae48f93d28522ef552fb
SHA256 1989526553fd1e1e49b0fea8036822ca062d3d39c4cab4a37846173d0f1753d5
SHA512 0d5dfcf4fb19b27246fa799e339d67cd1b494427783f379267fb2d10d615ffb734711bab2c515062c078f990a44a36f2d15859b1dacd4143dcc35b5c0cee0ef5

memory/4004-223-0x0000000001160000-0x0000000001162000-memory.dmp

memory/4004-225-0x0000000001140000-0x0000000001142000-memory.dmp

\Users\Admin\AppData\LocalLow\uS0wV5wY9qH3\mozglue.dll

MD5 eae9273f8cdcf9321c6c37c244773139
SHA1 8378e2a2f3635574c106eea8419b5eb00b8489b0
SHA256 a0c6630d4012ae0311ff40f4f06911bcf1a23f7a4762ce219b8dffa012d188cc
SHA512 06e43e484a89cea9ba9b9519828d38e7c64b040f44cdaeb321cbda574e7551b11fea139ce3538f387a0a39a3d8c4cba7f4cf03e4a3c98db85f8121c2212a9097

memory/4004-227-0x000000001BAC2000-0x000000001BAC4000-memory.dmp

memory/4004-229-0x000000001BAC5000-0x000000001BAC7000-memory.dmp

memory/856-230-0x0000000000000000-mapping.dmp

memory/4004-228-0x000000001BAC4000-0x000000001BAC5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\EngineDriverMaster.exe

MD5 8d87235cc7ca1ba8ac22da5c6d5dfa22
SHA1 4c992057524df70210d8f9706f5931d6496e645b
SHA256 813646e5b40be0e72d0e6b5e0bb1d8e2cf7a6bae0007b96fbf91da9c3d7e15f9
SHA512 40127990c3de8c3ab625a7f495ad44fa9e279325ae20243aad4ae6fa5beb490ad9c6a03ee8fc27358dad922826d57c262be50fb9c59e1b8d7d2952a1f14a69ee

\Users\Admin\AppData\LocalLow\uS0wV5wY9qH3\softokn3.dll

MD5 4e8df049f3459fa94ab6ad387f3561ac
SHA1 06ed392bc29ad9d5fc05ee254c2625fd65925114
SHA256 25a4dae37120426ab060ebb39b7030b3e7c1093cc34b0877f223b6843b651871
SHA512 3dd4a86f83465989b2b30c240a7307edd1b92d5c1d5c57d47eff287dc9daa7bace157017908d82e00be90f08ff5badb68019ffc9d881440229dcea5038f61cd6

\Users\Admin\AppData\LocalLow\uS0wV5wY9qH3\freebl3.dll

MD5 60acd24430204ad2dc7f148b8cfe9bdc
SHA1 989f377b9117d7cb21cbe92a4117f88f9c7693d9
SHA256 9876c53134dbbec4dcca67581f53638eba3fea3a15491aa3cf2526b71032da97
SHA512 626c36e9567f57fa8ec9c36d96cbadede9c6f6734a7305ecfb9f798952bbacdfa33a1b6c4999ba5b78897dc2ec6f91870f7ec25b2ceacbaee4be942fe881db01

memory/2676-238-0x0000000007B00000-0x0000000007B01000-memory.dmp

memory/744-249-0x0000000000000000-mapping.dmp

memory/856-248-0x000000001C430000-0x000000001C432000-memory.dmp

memory/3876-250-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe

MD5 0da8a7ce212a4bce4ef2bbc06888feb8
SHA1 b1dd20967b8d14e634f5bf9025407eb41dd31c02
SHA256 a6ebeea56bff6c7defd5f8c1f8762c9d28dc2650911b3ab70bea47f86d133849
SHA512 4eec5fe72a386a68274730fb4aee54ef059075f07933ce9ec08cc7a7ce32dfb5e1beb09461f0ede3601b5f95605eb36949a0b02707b26f8b64a16d550cb92d11

memory/3452-255-0x0000000000000000-mapping.dmp

memory/3876-256-0x0000000003520000-0x0000000003522000-memory.dmp

memory/4048-257-0x0000000000000000-mapping.dmp

memory/2952-258-0x0000000000000000-mapping.dmp
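
The Files list above hides one fact worth having in front of you: sihost.exe in System32\Windows.Internal.Bluetooth carries the same hashes (MD5 fbdc90a57978628f46593258cf59e1eb, SHA256 afda4dc1...) as DriverRealtekHDmaster.exe in AppData\Roaming, and EngineDriverMaster.exe in Temp is byte-identical to DriverMaster.exe (MD5 8d87235cc7ca1ba8ac22da5c6d5dfa22), so the "system" binary the sihost logon task runs is the same payload under a new name. The Python below is an added example written for this report, not sandbox output. It parses an excerpt of the section in the report's own layout (path line followed by hash lines, memory-dump lines in between), groups dropped files by SHA256 to surface renamed copies, collapses repeated entries into one (path, hash) indicator each, and counts dumped regions per process id. The excerpt embeds only the MD5 and SHA256 lines; the parser accepts SHA1 and SHA512 lines as well.

```python
import re
from collections import Counter, defaultdict

# Excerpt of the Files section above, in the report's layout (blank lines between
# entries are optional for the parser). SHA1/SHA512 lines omitted for brevity.
FILES_EXCERPT = r"""
memory/904-114-0x0000000000400000-0x0000000000408000-memory.dmp
memory/904-115-0x0000000000402DCE-mapping.dmp
memory/2676-118-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\E394.exe
MD5 9b739fca61cbe5a22bfe0b77cce75697
SHA256 c59cecf273089ec7e37fcc7a55b135067644dc3bd90abb4c6f81d9fd63744201
C:\Users\Admin\AppData\Local\Temp\837.exe
MD5 2bb0fdee239257799fd8c427dad0b3a5
SHA256 75ddb7c0668c694e2b36817e3eb2c4ddb720fd68f8cc2214a943d423dde171c0
C:\Users\Admin\AppData\Local\Temp\837.exe
MD5 2bb0fdee239257799fd8c427dad0b3a5
SHA256 75ddb7c0668c694e2b36817e3eb2c4ddb720fd68f8cc2214a943d423dde171c0
C:\Users\Admin\AppData\Roaming\DriverRealtekHDmaster.exe
MD5 fbdc90a57978628f46593258cf59e1eb
SHA256 afda4dc1bd63a2f99314a24bb7f8819712a1d708099de7c7473322ed3f7b114e
C:\Users\Admin\AppData\Local\Temp\DriverMaster.exe
MD5 8d87235cc7ca1ba8ac22da5c6d5dfa22
SHA256 813646e5b40be0e72d0e6b5e0bb1d8e2cf7a6bae0007b96fbf91da9c3d7e15f9
C:\Windows\System32\Windows.Internal.Bluetooth\sihost.exe
MD5 fbdc90a57978628f46593258cf59e1eb
SHA256 afda4dc1bd63a2f99314a24bb7f8819712a1d708099de7c7473322ed3f7b114e
C:\Users\Admin\AppData\Local\Temp\EngineDriverMaster.exe
MD5 8d87235cc7ca1ba8ac22da5c6d5dfa22
SHA256 813646e5b40be0e72d0e6b5e0bb1d8e2cf7a6bae0007b96fbf91da9c3d7e15f9
C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe
MD5 0da8a7ce212a4bce4ef2bbc06888feb8
SHA256 a6ebeea56bff6c7defd5f8c1f8762c9d28dc2650911b3ab70bea47f86d133849
"""

HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")
# memory/<pid>-<event>-<start>[-<end>]-(memory|mapping).dmp
DUMP_RE = re.compile(
    r"^memory/(\d+)-(\d+)-(0x[0-9A-Fa-f]+)(?:-(0x[0-9A-Fa-f]+))?-(memory|mapping)\.dmp$")

def parse_files(text):
    """Split the section into dropped-file records (path + hashes) and memory-dump
    records (pid, event index, address range). Any other line starts a new file."""
    files, dumps, current = [], [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        if m := DUMP_RE.match(line):
            pid, idx, start, end, kind = m.groups()
            dumps.append({"pid": int(pid), "event": int(idx), "start": int(start, 16),
                          "end": int(end, 16) if end else None, "kind": kind})
            current = None
        elif m := HASH_RE.match(line):
            if current is not None:
                current[m.group(1).lower()] = m.group(2).lower()
        else:
            current = {"path": line}
            files.append(current)
    return files, dumps

def group_by_sha256(files):
    groups = defaultdict(set)
    for f in files:
        if "sha256" in f:
            groups[f["sha256"]].add(f["path"])
    return {h: sorted(paths) for h, paths in groups.items()}

def renamed_copies(files):
    """Payloads written under more than one name: one SHA256, several paths."""
    return {h: p for h, p in group_by_sha256(files).items() if len(p) > 1}

def unique_iocs(files):
    """One (path, sha256) pair per dropped file; the report lists repeats verbatim."""
    return sorted({(f["path"], f.get("sha256", "")) for f in files})

def dumps_by_pid(dumps):
    """How many memory regions the sandbox dumped per process id."""
    return Counter(d["pid"] for d in dumps)

if __name__ == "__main__":
    files, dumps = parse_files(FILES_EXCERPT)
    for sha, paths in renamed_copies(files).items():
        print(sha[:16], "written as:")
        for path in paths:
            print("    ", path)
    print("dumps per pid:", dict(dumps_by_pid(dumps)))
```

Run against the full section, the same grouping also tells you which hashes to pull first for further analysis: a payload that reappears under a system binary's name in a System32 subdirectory is the persistence stage, while a one-off drop in Temp that is deleted ten seconds later is the loader.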