Malware Analysis Report

2024-09-11 09:52

Sample ID 240726-w2mwcazcqb
Target Aurora.exe
SHA256 cad0ea7aa29ccb61cd2c595e27921c89e6fed8b0275d86c5560fcde21a1554bc
Tags
quasar redline sectoprat xmrig cheat themdas discovery evasion execution infostealer miner persistence rat spyware themida trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

cad0ea7aa29ccb61cd2c595e27921c89e6fed8b0275d86c5560fcde21a1554bc

Threat Level: Known bad

The file Aurora.exe was found to be: Known bad.

Malicious Activity Summary

Quasar RAT

Suspicious use of NtCreateUserProcessOtherParentProcess

xmrig

SectopRAT payload

SectopRAT

RedLine payload

RedLine

Quasar payload

Identifies VirtualBox via ACPI registry values (likely anti-VM)

XMRig Miner payload

Sets file to hidden

Modifies file permissions

Loads dropped DLL

Executes dropped EXE

Checks BIOS information in registry

Checks computer location settings

Themida packer

Command and Scripting Interpreter: PowerShell

Power Settings

Adds Run key to start application

Checks whether UAC is enabled

Drops file in System32 directory

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

System Location Discovery: System Language Discovery

Unsigned PE

Enumerates physical storage devices

System Network Configuration Discovery: Internet Connection Discovery

Suspicious use of SendNotifyMessage

Modifies registry class

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Checks SCSI registry key(s)

Suspicious behavior: EnumeratesProcesses

Views/modifies file attributes

Runs ping.exe

Scheduled Task/Job: Scheduled Task

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-07-26 18:25

Signatures

Themida packer

themida
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-26 18:25

Reported

2024-07-26 18:28

Platform

win7-20240704-en

Max time kernel

151s

Max time network

158s

Command Line

C:\Windows\Explorer.EXE

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

RedLine

infostealer redline

RedLine payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

xmrig

miner xmrig

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\Aurora.exe | N/A

XMRig Miner payload

miner
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Sets file to hidden

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\attrib.exe | N/A

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\Aurora.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\Aurora.exe | N/A

Modifies file permissions

discovery
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\icacls.exe | N/A

Themida packer

themida
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Edge = "C:\\Users\\Admin\\AppData\\Local\\Msedge.exe" | C:\Users\Admin\AppData\Roaming\AdobeLicense\AdobeUpdate.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\OneDriveUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\OneDriveUpdate\\OneDrive Updater.exe" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\Aurora.exe | N/A

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Aurora.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Aurora.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft Edge\build.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\OneDrive Update Tool\OneDrive.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\cmd.exe | N/A
N/A | N/A | C:\Windows\system32\PING.EXE | N/A

Runs ping.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\PING.EXE | N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Aurora.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\VLC Media Player\vlc.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Google\Chrome\svchost.exe | N/A
N/A | N/A | C:\Windows\System32\svchost.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Microsoft Edge\build.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\System32\powercfg.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeLockMemoryPrivilege | N/A | C:\Windows\System32\svchost.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\svchost.exe | N/A

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\svchost.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1944 wrote to memory of 2632 | N/A | C:\Users\Admin\AppData\Local\Temp\Aurora.exe | C:\Users\Admin\AppData\Roaming\AdobeLicense\AdobeUpdate.exe
PID 1944 wrote to memory of 2692 | N/A | C:\Users\Admin\AppData\Local\Temp\Aurora.exe | C:\Users\Admin\AppData\Roaming\Microsoft Edge\build.exe
PID 1944 wrote to memory of 2636 | N/A | C:\Users\Admin\AppData\Local\Temp\Aurora.exe | C:\Users\Admin\AppData\Roaming\OneDrive Update Tool\OneDrive.exe
PID 2632 wrote to memory of 2736 | N/A | C:\Users\Admin\AppData\Roaming\AdobeLicense\AdobeUpdate.exe | C:\Windows\system32\cmd.exe
PID 2736 wrote to memory of 2588 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe
PID 1944 wrote to memory of 1816 | N/A | C:\Users\Admin\AppData\Local\Temp\Aurora.exe | C:\Users\Admin\AppData\Roaming\VLC Media Player\vlc.exe
PID 2588 wrote to memory of 2656 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE
PID 2588 wrote to memory of 2516 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\attrib.exe
PID 2588 wrote to memory of 2996 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\icacls.exe
PID 2588 wrote to memory of 2116 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe
PID 2116 wrote to memory of 1780 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Msedge.exe
PID 2636 wrote to memory of 1688 | N/A | C:\Users\Admin\AppData\Roaming\OneDrive Update Tool\OneDrive.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2636 wrote to memory of 712 | N/A | C:\Users\Admin\AppData\Roaming\OneDrive Update Tool\OneDrive.exe | C:\Windows\SysWOW64\cmd.exe
PID 712 wrote to memory of 1812 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2636 wrote to memory of 1588 | N/A | C:\Users\Admin\AppData\Roaming\OneDrive Update Tool\OneDrive.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 744 wrote to memory of 2552 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\System32\powercfg.exe

Uses Task Scheduler COM API

persistence

Views/modifies file attributes

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\attrib.exe | N/A

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\explorer.exe

"C:\Windows\explorer.exe"

C:\Users\Admin\AppData\Local\Temp\Aurora.exe

"C:\Users\Admin\AppData\Local\Temp\Aurora.exe"

C:\Users\Admin\AppData\Roaming\AdobeLicense\AdobeUpdate.exe

"C:\Users\Admin\AppData\Roaming\AdobeLicense\AdobeUpdate.exe"

C:\Users\Admin\AppData\Roaming\Microsoft Edge\build.exe

"C:\Users\Admin\AppData\Roaming\Microsoft Edge\build.exe"

C:\Users\Admin\AppData\Roaming\OneDrive Update Tool\OneDrive.exe

"C:\Users\Admin\AppData\Roaming\OneDrive Update Tool\OneDrive.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c start cmd /Q /C " ping localhost -n 1 && copy "C:\Users\Admin\AppData\Roaming\AdobeLicense\AdobeUpdate.exe" "C:\Users\Admin\AppData\Local\Msedge.exe" && attrib +r +h +a "C:\Users\Admin\AppData\Local\Msedge.exe" && icacls "C:\Users\Admin\AppData\Local\Msedge.exe" /deny "everyone":(WD,AD,WEA,WA) && del "C:\Users\Admin\AppData\Roaming\AdobeLicense\AdobeUpdate.exe" && cmd /C "start "C:\Users\Admin\AppData\Local\Msedge.exe" && exit" && && exit "

C:\Windows\system32\cmd.exe

cmd /Q /C " ping localhost -n 1 && copy "C:\Users\Admin\AppData\Roaming\AdobeLicense\AdobeUpdate.exe" "C:\Users\Admin\AppData\Local\Msedge.exe" && attrib +r +h +a "C:\Users\Admin\AppData\Local\Msedge.exe" && icacls "C:\Users\Admin\AppData\Local\Msedge.exe" /deny "everyone":(WD,AD,WEA,WA) && del "C:\Users\Admin\AppData\Roaming\AdobeLicense\AdobeUpdate.exe" && cmd /C "start "C:\Users\Admin\AppData\Local\Msedge.exe"

C:\Users\Admin\AppData\Roaming\VLC Media Player\vlc.exe

"C:\Users\Admin\AppData\Roaming\VLC Media Player\vlc.exe"

C:\Windows\system32\PING.EXE

ping localhost -n 1

C:\Windows\system32\attrib.exe

attrib +r +h +a "C:\Users\Admin\AppData\Local\Msedge.exe"

C:\Windows\system32\icacls.exe

icacls "C:\Users\Admin\AppData\Local\Msedge.exe" /deny "everyone":(WD,AD,WEA,WA)

C:\Windows\system32\cmd.exe

cmd /C "start "C:\Users\Admin\AppData\Local\Msedge.exe

C:\Users\Admin\AppData\Local\Msedge.exe

C:\Users\Admin\AppData\Local\Msedge.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'OneDriveUpdate';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'OneDriveUpdate' -Value '"C:\Users\Admin\AppData\Roaming\OneDriveUpdate\OneDrive Updater.exe"' -PropertyType 'String'

C:\Windows\SysWOW64\cmd.exe

"cmd" /C schtasks /create /tn \OneDriveUpdate /tr "C:\Users\Admin\AppData\Roaming\OneDriveUpdate\OneDrive Updater.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn \OneDriveUpdate /tr "C:\Users\Admin\AppData\Roaming\OneDriveUpdate\OneDrive Updater.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

#cmd

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#npnsokoe#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'ConsoleWindowsHost' /tr '''C:\Users\Admin\AppData\Roaming\Google\Chrome\svchost.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Google\Chrome\svchost.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'ConsoleWindowsHost' -RunLevel 'Highest' -Force; }

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\system32\schtasks.exe

"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /tn ConsoleWindowsHost /tr 'C:\Users\Admin\AppData\Roaming\Google\Chrome\svchost.exe'

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "ConsoleWindowsHost"

C:\Windows\system32\taskeng.exe

taskeng.exe {1A26D33A-DC73-4887-90A6-97674B90630B} S-1-5-21-3434294380-2554721341-1919518612-1000:ELZYPTFV\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\Google\Chrome\svchost.exe

C:\Users\Admin\AppData\Roaming\Google\Chrome\svchost.exe

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#npnsokoe#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'ConsoleWindowsHost' /tr '''C:\Users\Admin\AppData\Roaming\Google\Chrome\svchost.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Google\Chrome\svchost.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'ConsoleWindowsHost' -RunLevel 'Highest' -Force; }

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\system32\schtasks.exe

"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /tn ConsoleWindowsHost /tr 'C:\Users\Admin\AppData\Roaming\Google\Chrome\svchost.exe'

C:\Windows\System32\conhost.exe

C:\Windows\System32\conhost.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe

Network

Country Destination Domain Proto
GB 154.81.220.233:28105 tcp
US 8.8.8.8:53 auroraforge.art udp
US 192.64.119.108:55326 auroraforge.art tcp
GB 154.81.220.233:28105 tcp
GB 154.81.220.233:28105 tcp
US 8.8.8.8:53 xmr-us-east1.nanopool.org udp
CA 51.222.12.201:14444 xmr-us-east1.nanopool.org tcp
US 8.8.8.8:53 thesirenmika.com udp
CN 123.123.123.123:55713 thesirenmika.com tcp
GB 154.81.220.233:28105 tcp
GB 154.81.220.233:28105 tcp
GB 154.81.220.233:28105 tcp
GB 154.81.220.233:28105 tcp
US 192.64.119.108:55326 auroraforge.art tcp
GB 154.81.220.233:28105 tcp
GB 154.81.220.233:28105 tcp
GB 154.81.220.233:28105 tcp
CN 123.123.123.123:55713 thesirenmika.com tcp
GB 154.81.220.233:28105 tcp
GB 154.81.220.233:28105 tcp
GB 154.81.220.233:28105 tcp
GB 154.81.220.233:28105 tcp
US 192.64.119.108:55326 auroraforge.art tcp
GB 154.81.220.233:28105 tcp
GB 154.81.220.233:28105 tcp
GB 154.81.220.233:28105 tcp
GB 154.81.220.233:28105 tcp
CN 123.123.123.123:55713 thesirenmika.com tcp
GB 154.81.220.233:28105 tcp

Files

memory/1944-0-0x00000000000C0000-0x0000000001B8A000-memory.dmp

memory/1944-3-0x00000000764C0000-0x0000000076507000-memory.dmp

memory/1944-2-0x00000000764C0000-0x0000000076507000-memory.dmp

memory/1944-1-0x00000000764CE000-0x00000000764CF000-memory.dmp

memory/1944-7-0x00000000764C0000-0x0000000076507000-memory.dmp

C:\Users\Admin\AppData\Roaming\AdobeLicense\AdobeUpdate.exe

MD5 65f0a85c4b056d6bcee60c49e2372e35
SHA1 6af820a2030950617bf150777af4a43a06a17184
SHA256 d64768ea74224057220bff451504b6128ddfb6161617b668626c490c84b3ae8e
SHA512 7a50bd0b3908f830494b2bff13a051ba0cdc7900934dbf8a62616f6d29b914f05f8029bbcc429a095254ebb6ab2a2d92c05dd6aebf57e34cde20f152243df383

\Users\Admin\AppData\Roaming\Microsoft Edge\build.exe

MD5 c9a9d471428a5f92068c0823e6454254
SHA1 8b8ee8612b9b8bfbb165b3a8ca0d4a377b589dd2
SHA256 b0ffaa8c7d8fe1e804afc87e6f7659483c69d421911ddbfc410270011b91bfb5
SHA512 ca34022e99a48639fb3566ec4eb901a2f91121aee6a1f1bc601492dd94387873afc8af499aefed8d644aef8f564ca46a12ea40176da7f8d7b4e60f4b505ac8af

C:\Users\Admin\AppData\Roaming\OneDrive Update Tool\OneDrive.exe

MD5 3b4f58cd4bca7274be25e885be00798b
SHA1 eb57c281d8324a1079db97c9da43483a65debbed
SHA256 a6832546e1d261c33deea58e1cbb8a391af91628b130454d55aef3e292862d80
SHA512 dc909730b2feacba3c14c98a2b443d5c12dfd74ce74db53cf7e564e01707ac365811e4d3b95c0cefe2b87ebd1b074fb4a395360911c3d11de4fa8957e9bad121

C:\Users\Admin\AppData\Roaming\VLC Media Player\vlc.exe

MD5 b9fc8581b52abfc6b563da731438e27d
SHA1 43111fe9b307c850a379fe2d64d279e994680de3
SHA256 e03debe75b2f4f4c937c50773064b9a692b262bfce4472e67900edf3f7726058
SHA512 c62540e73870caf9a93fbc2396ac99867f8f6e87661240d7642022130008bdb769954f1e8a58d13698172e62cc5b7d44a73b2f1d999db47822eb294c629436a5

memory/2692-31-0x0000000000290000-0x00000000002AE000-memory.dmp

memory/2636-32-0x0000000000360000-0x000000000068E000-memory.dmp

memory/1944-39-0x00000000764C0000-0x0000000076507000-memory.dmp

memory/1944-40-0x00000000000C0000-0x0000000001B8A000-memory.dmp

memory/1588-52-0x0000000000400000-0x0000000000724000-memory.dmp

memory/1588-55-0x0000000000400000-0x0000000000724000-memory.dmp

memory/1588-54-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/1588-50-0x0000000000400000-0x0000000000724000-memory.dmp

memory/1588-49-0x0000000000400000-0x0000000000724000-memory.dmp

memory/1588-46-0x0000000000400000-0x0000000000724000-memory.dmp

memory/1588-57-0x0000000000400000-0x0000000000724000-memory.dmp

memory/1588-56-0x0000000000400000-0x0000000000724000-memory.dmp

memory/1816-58-0x000000013F8A0000-0x000000013FE3A000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\84MVDLRRDCVMHDKUZLHE.temp

MD5 581189de7671aadc3fe5c076dabf0405
SHA1 f7b729d938665b99778e4153cd1bc3094aba3e16
SHA256 dea43dc2bc682a2e75b9b825953748214b99f4335745ed29d9fbb53fcea6d5ef
SHA512 32a35e7a3f3e6cc9fb8645e795bc2f384d1381ebf11c0d1c9e1006e6589319cf8d337036c162dbc71240a97c0b296e126d4d8610243e2faed45d35c8e1cbc095

memory/1072-63-0x000000001B4F0000-0x000000001B7D2000-memory.dmp

memory/1072-64-0x0000000001EB0000-0x0000000001EB8000-memory.dmp

memory/1816-67-0x000000013F8A0000-0x000000013FE3A000-memory.dmp

memory/2452-71-0x000000013FF00000-0x000000014049A000-memory.dmp

memory/3024-77-0x000000001B5F0000-0x000000001B8D2000-memory.dmp

memory/3024-78-0x00000000027B0000-0x00000000027B8000-memory.dmp

memory/836-83-0x00000000000B0000-0x00000000000D0000-memory.dmp

memory/2452-84-0x000000013FF00000-0x000000014049A000-memory.dmp

memory/1772-85-0x0000000140000000-0x0000000140029000-memory.dmp

memory/836-86-0x0000000140000000-0x00000001407EF000-memory.dmp

memory/836-88-0x0000000140000000-0x00000001407EF000-memory.dmp

memory/1772-89-0x0000000140000000-0x0000000140029000-memory.dmp

memory/836-90-0x0000000140000000-0x00000001407EF000-memory.dmp

memory/836-93-0x0000000140000000-0x00000001407EF000-memory.dmp

memory/836-95-0x0000000140000000-0x00000001407EF000-memory.dmp

memory/836-97-0x0000000140000000-0x00000001407EF000-memory.dmp

memory/836-99-0x0000000140000000-0x00000001407EF000-memory.dmp

memory/836-101-0x0000000140000000-0x00000001407EF000-memory.dmp

memory/836-103-0x0000000140000000-0x00000001407EF000-memory.dmp

memory/836-105-0x0000000140000000-0x00000001407EF000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-26 18:25

Reported

2024-07-26 18:26

Platform

win10v2004-20240709-en

Max time kernel

57s

Max time network

57s

Command Line

C:\Windows\Explorer.EXE

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

xmrig

miner xmrig

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\Aurora.exe N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Sets file to hidden

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\Aurora.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\Aurora.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Aurora.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\icacls.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Edge = "C:\\Users\\Admin\\AppData\\Local\\Msedge.exe" C:\Users\Admin\AppData\Roaming\AdobeLicense\AdobeUpdate.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDriveUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\OneDriveUpdate\\OneDrive Updater.exe" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\Aurora.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Aurora.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\OneDrive Update Tool\OneDrive.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Aurora.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Microsoft Edge\build.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\cmd.exe N/A
N/A N/A C:\Windows\system32\cmd.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\system32\taskmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\taskmgr.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\system32\taskmgr.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000_Classes\Local Settings C:\Windows\system32\taskmgr.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Aurora.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Aurora.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\VLC Media Player\vlc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\VLC Media Player\vlc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\VLC Media Player\vlc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\VLC Media Player\vlc.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\VLC Media Player\vlc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\VLC Media Player\vlc.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Google\Chrome\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Google\Chrome\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Google\Chrome\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Google\Chrome\svchost.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Google\Chrome\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Google\Chrome\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Google\Chrome\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Google\Chrome\svchost.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\System32\svchost.exe N/A
N/A N/A C:\Windows\System32\svchost.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft Edge\build.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1208 wrote to memory of 4660 N/A C:\Users\Admin\AppData\Local\Temp\Aurora.exe C:\Users\Admin\AppData\Roaming\AdobeLicense\AdobeUpdate.exe
PID 1208 wrote to memory of 4660 N/A C:\Users\Admin\AppData\Local\Temp\Aurora.exe C:\Users\Admin\AppData\Roaming\AdobeLicense\AdobeUpdate.exe
PID 4660 wrote to memory of 4204 N/A C:\Users\Admin\AppData\Roaming\AdobeLicense\AdobeUpdate.exe C:\Windows\system32\cmd.exe
PID 4660 wrote to memory of 4204 N/A C:\Users\Admin\AppData\Roaming\AdobeLicense\AdobeUpdate.exe C:\Windows\system32\cmd.exe
PID 1208 wrote to memory of 1960 N/A C:\Users\Admin\AppData\Local\Temp\Aurora.exe C:\Users\Admin\AppData\Roaming\Microsoft Edge\build.exe
PID 1208 wrote to memory of 1960 N/A C:\Users\Admin\AppData\Local\Temp\Aurora.exe C:\Users\Admin\AppData\Roaming\Microsoft Edge\build.exe
PID 1208 wrote to memory of 1960 N/A C:\Users\Admin\AppData\Local\Temp\Aurora.exe C:\Users\Admin\AppData\Roaming\Microsoft Edge\build.exe
PID 4204 wrote to memory of 2768 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 4204 wrote to memory of 2768 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 1208 wrote to memory of 2124 N/A C:\Users\Admin\AppData\Local\Temp\Aurora.exe C:\Users\Admin\AppData\Roaming\OneDrive Update Tool\OneDrive.exe
PID 1208 wrote to memory of 2124 N/A C:\Users\Admin\AppData\Local\Temp\Aurora.exe C:\Users\Admin\AppData\Roaming\OneDrive Update Tool\OneDrive.exe
PID 1208 wrote to memory of 2124 N/A C:\Users\Admin\AppData\Local\Temp\Aurora.exe C:\Users\Admin\AppData\Roaming\OneDrive Update Tool\OneDrive.exe
PID 2768 wrote to memory of 4280 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 2768 wrote to memory of 4280 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 1208 wrote to memory of 2268 N/A C:\Users\Admin\AppData\Local\Temp\Aurora.exe C:\Users\Admin\AppData\Roaming\VLC Media Player\vlc.exe
PID 1208 wrote to memory of 2268 N/A C:\Users\Admin\AppData\Local\Temp\Aurora.exe C:\Users\Admin\AppData\Roaming\VLC Media Player\vlc.exe
PID 2124 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Roaming\OneDrive Update Tool\OneDrive.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2124 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Roaming\OneDrive Update Tool\OneDrive.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2124 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Roaming\OneDrive Update Tool\OneDrive.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2124 wrote to memory of 3424 N/A C:\Users\Admin\AppData\Roaming\OneDrive Update Tool\OneDrive.exe C:\Windows\SysWOW64\cmd.exe
PID 2124 wrote to memory of 3424 N/A C:\Users\Admin\AppData\Roaming\OneDrive Update Tool\OneDrive.exe C:\Windows\SysWOW64\cmd.exe
PID 2124 wrote to memory of 3424 N/A C:\Users\Admin\AppData\Roaming\OneDrive Update Tool\OneDrive.exe C:\Windows\SysWOW64\cmd.exe
PID 2124 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Roaming\OneDrive Update Tool\OneDrive.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2124 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Roaming\OneDrive Update Tool\OneDrive.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2124 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Roaming\OneDrive Update Tool\OneDrive.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2124 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Roaming\OneDrive Update Tool\OneDrive.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2124 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Roaming\OneDrive Update Tool\OneDrive.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2124 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Roaming\OneDrive Update Tool\OneDrive.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2124 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Roaming\OneDrive Update Tool\OneDrive.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2124 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Roaming\OneDrive Update Tool\OneDrive.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3424 wrote to memory of 1812 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 3424 wrote to memory of 1812 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 3424 wrote to memory of 1812 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 2768 wrote to memory of 1084 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 2768 wrote to memory of 1084 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 2768 wrote to memory of 1560 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\icacls.exe
PID 2768 wrote to memory of 1560 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\icacls.exe
PID 2768 wrote to memory of 3432 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2768 wrote to memory of 3432 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 3432 wrote to memory of 3964 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Msedge.exe
PID 3432 wrote to memory of 3964 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Msedge.exe
PID 2636 wrote to memory of 4552 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 2636 wrote to memory of 4552 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 2636 wrote to memory of 1936 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 2636 wrote to memory of 1936 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 2636 wrote to memory of 4452 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 2636 wrote to memory of 4452 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 2636 wrote to memory of 436 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 2636 wrote to memory of 436 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 1928 wrote to memory of 4532 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 1928 wrote to memory of 4532 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 1928 wrote to memory of 1880 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 1928 wrote to memory of 1880 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 1928 wrote to memory of 3744 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 1928 wrote to memory of 3744 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 1928 wrote to memory of 2728 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 1928 wrote to memory of 2728 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 1812 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Roaming\Google\Chrome\svchost.exe C:\Windows\System32\conhost.exe
PID 1812 wrote to memory of 420 N/A C:\Users\Admin\AppData\Roaming\Google\Chrome\svchost.exe C:\Windows\System32\svchost.exe

Uses Task Scheduler COM API

persistence

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\Aurora.exe

"C:\Users\Admin\AppData\Local\Temp\Aurora.exe"

C:\Users\Admin\AppData\Roaming\AdobeLicense\AdobeUpdate.exe

"C:\Users\Admin\AppData\Roaming\AdobeLicense\AdobeUpdate.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c start cmd /Q /C " ping localhost -n 1 && copy "C:\Users\Admin\AppData\Roaming\AdobeLicense\AdobeUpdate.exe" "C:\Users\Admin\AppData\Local\Msedge.exe" && attrib +r +h +a "C:\Users\Admin\AppData\Local\Msedge.exe" && icacls "C:\Users\Admin\AppData\Local\Msedge.exe" /deny "everyone":(WD,AD,WEA,WA) && del "C:\Users\Admin\AppData\Roaming\AdobeLicense\AdobeUpdate.exe" && cmd /C "start "C:\Users\Admin\AppData\Local\Msedge.exe" && exit" && && exit "

C:\Users\Admin\AppData\Roaming\Microsoft Edge\build.exe

"C:\Users\Admin\AppData\Roaming\Microsoft Edge\build.exe"

C:\Users\Admin\AppData\Roaming\OneDrive Update Tool\OneDrive.exe

"C:\Users\Admin\AppData\Roaming\OneDrive Update Tool\OneDrive.exe"

C:\Windows\system32\cmd.exe

cmd /Q /C " ping localhost -n 1 && copy "C:\Users\Admin\AppData\Roaming\AdobeLicense\AdobeUpdate.exe" "C:\Users\Admin\AppData\Local\Msedge.exe" && attrib +r +h +a "C:\Users\Admin\AppData\Local\Msedge.exe" && icacls "C:\Users\Admin\AppData\Local\Msedge.exe" /deny "everyone":(WD,AD,WEA,WA) && del "C:\Users\Admin\AppData\Roaming\AdobeLicense\AdobeUpdate.exe" && cmd /C "start "C:\Users\Admin\AppData\Local\Msedge.exe"

C:\Users\Admin\AppData\Roaming\VLC Media Player\vlc.exe

"C:\Users\Admin\AppData\Roaming\VLC Media Player\vlc.exe"

C:\Windows\system32\PING.EXE

ping localhost -n 1

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'OneDriveUpdate';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'OneDriveUpdate' -Value '"C:\Users\Admin\AppData\Roaming\OneDriveUpdate\OneDrive Updater.exe"' -PropertyType 'String'

C:\Windows\SysWOW64\cmd.exe

"cmd" /C schtasks /create /tn \OneDriveUpdate /tr "C:\Users\Admin\AppData\Roaming\OneDriveUpdate\OneDrive Updater.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

#cmd

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn \OneDriveUpdate /tr "C:\Users\Admin\AppData\Roaming\OneDriveUpdate\OneDrive Updater.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f

C:\Windows\system32\attrib.exe

attrib +r +h +a "C:\Users\Admin\AppData\Local\Msedge.exe"

C:\Windows\system32\icacls.exe

icacls "C:\Users\Admin\AppData\Local\Msedge.exe" /deny "everyone":(WD,AD,WEA,WA)

C:\Windows\system32\cmd.exe

cmd /C "start "C:\Users\Admin\AppData\Local\Msedge.exe

C:\Users\Admin\AppData\Local\Msedge.exe

C:\Users\Admin\AppData\Local\Msedge.exe

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#npnsokoe#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'ConsoleWindowsHost' /tr '''C:\Users\Admin\AppData\Roaming\Google\Chrome\svchost.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Google\Chrome\svchost.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'ConsoleWindowsHost' -RunLevel 'Highest' -Force; }

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "ConsoleWindowsHost"

C:\Users\Admin\AppData\Roaming\Google\Chrome\svchost.exe

C:\Users\Admin\AppData\Roaming\Google\Chrome\svchost.exe

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /4

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#npnsokoe#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'ConsoleWindowsHost' /tr '''C:\Users\Admin\AppData\Roaming\Google\Chrome\svchost.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Google\Chrome\svchost.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'ConsoleWindowsHost' -RunLevel 'Highest' -Force; }

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\System32\conhost.exe

C:\Windows\System32\conhost.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
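
A host-side triage script for the artifacts the command lines above leave behind. It is an added example, not part of the sandbox report and not the sample's own code: it looks for the OneDriveUpdate Run value, the OneDriveUpdate and ConsoleWindowsHost scheduled tasks, the dropped executables (with their hidden/read-only attributes and the "everyone" deny ACE set by icacls), and the four powercfg timeouts the dropper zeroes. The paths, task names and value names are taken from this report, re-rooted on the current user's profile; the function names, the output shape and the Remove-LockedDroppedFile helper are assumptions of the example. Get-ScheduledTask assumes Windows 8 / Server 2012 or later (the same cut-off the sample's own PowerShell checks for), and the Run key lives under HKCU, so run it as the user that executed the sample.

```powershell
# Added triage script (example, not from the report): hunts for the persistence and
# evasion artifacts recorded above. Paths/names come from the report; everything else
# (function names, output layout, remediation helper) is this example's own design.
$ErrorActionPreference = 'SilentlyContinue'

$RunKeyPath   = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$RunValueName = 'OneDriveUpdate'
$TaskNames    = @('OneDriveUpdate', 'ConsoleWindowsHost')
$DroppedPaths = @(
    "$env:APPDATA\AdobeLicense\AdobeUpdate.exe",
    "$env:LOCALAPPDATA\Msedge.exe",
    "$env:APPDATA\Microsoft Edge\build.exe",
    "$env:APPDATA\OneDrive Update Tool\OneDrive.exe",
    "$env:APPDATA\OneDriveUpdate\OneDrive Updater.exe",
    "$env:APPDATA\VLC Media Player\vlc.exe",
    "$env:APPDATA\Google\Chrome\svchost.exe"
)

function Get-RunKeyFinding {
    # The sample deletes and re-creates this value via Remove-/New-ItemProperty.
    $value = Get-ItemProperty -Path $RunKeyPath -Name $RunValueName
    if ($value) {
        [pscustomobject]@{ Type = 'RunKey'; Name = $RunValueName; Detail = $value.$RunValueName }
    }
}

function Get-TaskFindings {
    # OneDriveUpdate: /sc once, repeating every 60 min; ConsoleWindowsHost: at logon, RunLevel Highest.
    foreach ($name in $TaskNames) {
        $task = Get-ScheduledTask -TaskName $name
        if ($task) {
            $exec = ($task.Actions | ForEach-Object { $_.Execute }) -join ';'
            [pscustomobject]@{ Type = 'ScheduledTask'; Name = $name
                               Detail = "$exec (RunLevel=$($task.Principal.RunLevel))" }
        }
    }
}

function Get-DroppedFileFindings {
    # -Force is required because Msedge.exe is set +h; the deny ACE shows up as a Deny rule.
    foreach ($path in $DroppedPaths) {
        if (Test-Path -LiteralPath $path) {
            $item   = Get-Item -LiteralPath $path -Force
            $hash   = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            $denies = (Get-Acl -LiteralPath $path).Access |
                Where-Object { $_.AccessControlType -eq 'Deny' } |
                ForEach-Object { "$($_.IdentityReference):$($_.FileSystemRights)" }
            [pscustomobject]@{ Type = 'DroppedFile'; Name = $path
                               Detail = "attrib=$($item.Attributes) sha256=$hash deny=$($denies -join ',')" }
        }
    }
}

function Get-PowerCfgFindings {
    # powercfg /x ... 0 sets the timeout to "never"; query both sleep settings of the active scheme.
    foreach ($setting in 'STANDBYIDLE', 'HIBERNATEIDLE') {
        $out = (powercfg /query SCHEME_CURRENT SUB_SLEEP $setting) -join "`n"
        $ac  = [regex]::Match($out, 'AC Power Setting Index:\s*(0x[0-9A-Fa-f]+)').Groups[1].Value
        $dc  = [regex]::Match($out, 'DC Power Setting Index:\s*(0x[0-9A-Fa-f]+)').Groups[1].Value
        if ($ac -and $dc -and [int]$ac -eq 0 -and [int]$dc -eq 0) {
            [pscustomobject]@{ Type = 'PowerCfg'; Name = $setting; Detail = "AC=$ac DC=$dc (never)" }
        }
    }
}

function Remove-LockedDroppedFile {
    # Example remediation for the icacls/attrib lock. Order matters: the deny ACE covers
    # FILE_WRITE_ATTRIBUTES, so attrib -r fails while it is present; the owner keeps WRITE_DAC
    # regardless of the DACL, so removing the ACE succeeds. DELETE is not in the deny list;
    # it is the read-only attribute that blocks deletion until cleared.
    param([Parameter(Mandatory)][string]$Path)
    icacls $Path /remove:d everyone | Out-Null
    attrib -r -h -a $Path
    Remove-Item -LiteralPath $Path -Force
}

$findings = @(Get-RunKeyFinding) + @(Get-TaskFindings) + @(Get-DroppedFileFindings) + @(Get-PowerCfgFindings)
if ($findings.Count -eq 0) { 'No artifacts from this report found.' }
else { $findings | Format-Table -AutoSize -Wrap }
# To clean a locked copy after confirming the hash:  Remove-LockedDroppedFile "$env:LOCALAPPDATA\Msedge.exe"
```

The powercfg finding is context rather than evidence on its own: zeroed standby and hibernate timeouts are a common desktop configuration, and only gain weight next to the tasks, the Run value or a dropped file. The task and file checks are the strong indicators; the remediation helper is deliberately not called by default, so the script can be run read-only during triage.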

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 22.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
GB 154.81.220.233:28105 tcp
US 8.8.8.8:53 auroraforge.art udp
US 192.64.119.108:55326 auroraforge.art tcp
GB 154.81.220.233:28105 tcp
GB 154.81.220.233:28105 tcp
GB 154.81.220.233:28105 tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 thesirenmika.com udp
CN 123.123.123.123:55713 thesirenmika.com tcp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 192.142.123.92.in-addr.arpa udp
GB 154.81.220.233:28105 tcp
US 8.8.8.8:53 xmr-us-east1.nanopool.org udp
CA 51.222.12.201:14444 xmr-us-east1.nanopool.org tcp
US 8.8.8.8:53 201.12.222.51.in-addr.arpa udp
GB 154.81.220.233:28105 tcp
GB 154.81.220.233:28105 tcp

Files

memory/1208-2-0x0000000076F40000-0x0000000077030000-memory.dmp

memory/1208-6-0x0000000076F40000-0x0000000077030000-memory.dmp

memory/1208-5-0x0000000076F40000-0x0000000077030000-memory.dmp

memory/1208-4-0x0000000076F40000-0x0000000077030000-memory.dmp

memory/1208-3-0x0000000076F40000-0x0000000077030000-memory.dmp

memory/1208-1-0x0000000076F60000-0x0000000076F61000-memory.dmp

memory/1208-0-0x0000000000480000-0x0000000001F4A000-memory.dmp

memory/1208-7-0x0000000076F40000-0x0000000077030000-memory.dmp

memory/1208-10-0x0000000076F40000-0x0000000077030000-memory.dmp

C:\Users\Admin\AppData\Roaming\AdobeLicense\AdobeUpdate.exe

MD5 65f0a85c4b056d6bcee60c49e2372e35
SHA1 6af820a2030950617bf150777af4a43a06a17184
SHA256 d64768ea74224057220bff451504b6128ddfb6161617b668626c490c84b3ae8e
SHA512 7a50bd0b3908f830494b2bff13a051ba0cdc7900934dbf8a62616f6d29b914f05f8029bbcc429a095254ebb6ab2a2d92c05dd6aebf57e34cde20f152243df383

C:\Users\Admin\AppData\Roaming\Microsoft Edge\build.exe

MD5 c9a9d471428a5f92068c0823e6454254
SHA1 8b8ee8612b9b8bfbb165b3a8ca0d4a377b589dd2
SHA256 b0ffaa8c7d8fe1e804afc87e6f7659483c69d421911ddbfc410270011b91bfb5
SHA512 ca34022e99a48639fb3566ec4eb901a2f91121aee6a1f1bc601492dd94387873afc8af499aefed8d644aef8f564ca46a12ea40176da7f8d7b4e60f4b505ac8af

C:\Users\Admin\AppData\Roaming\OneDrive Update Tool\OneDrive.exe

MD5 3b4f58cd4bca7274be25e885be00798b
SHA1 eb57c281d8324a1079db97c9da43483a65debbed
SHA256 a6832546e1d261c33deea58e1cbb8a391af91628b130454d55aef3e292862d80
SHA512 dc909730b2feacba3c14c98a2b443d5c12dfd74ce74db53cf7e564e01707ac365811e4d3b95c0cefe2b87ebd1b074fb4a395360911c3d11de4fa8957e9bad121

memory/2124-44-0x0000000000B00000-0x0000000000E2E000-memory.dmp

memory/1960-50-0x0000000000D00000-0x0000000000D1E000-memory.dmp

C:\Users\Admin\AppData\Roaming\VLC Media Player\vlc.exe

MD5 b9fc8581b52abfc6b563da731438e27d
SHA1 43111fe9b307c850a379fe2d64d279e994680de3
SHA256 e03debe75b2f4f4c937c50773064b9a692b262bfce4472e67900edf3f7726058
SHA512 c62540e73870caf9a93fbc2396ac99867f8f6e87661240d7642022130008bdb769954f1e8a58d13698172e62cc5b7d44a73b2f1d999db47822eb294c629436a5

memory/2124-52-0x0000000005BD0000-0x0000000006174000-memory.dmp

memory/1960-57-0x00000000055E0000-0x000000000561C000-memory.dmp

memory/1960-56-0x0000000005580000-0x0000000005592000-memory.dmp

memory/1960-54-0x0000000005CA0000-0x00000000062B8000-memory.dmp

memory/1960-58-0x0000000005620000-0x000000000566C000-memory.dmp

memory/2752-59-0x0000000000400000-0x0000000000724000-memory.dmp

memory/2344-61-0x0000000004450000-0x0000000004486000-memory.dmp

memory/2344-62-0x0000000004B90000-0x00000000051B8000-memory.dmp

memory/2752-63-0x0000000005360000-0x00000000053F2000-memory.dmp

memory/2752-64-0x0000000005320000-0x000000000532A000-memory.dmp

memory/1960-67-0x0000000005890000-0x000000000599A000-memory.dmp

memory/1208-68-0x0000000076F40000-0x0000000077030000-memory.dmp

memory/2344-71-0x0000000005380000-0x00000000053E6000-memory.dmp

memory/2344-72-0x00000000053F0000-0x0000000005744000-memory.dmp

memory/2344-70-0x0000000005310000-0x0000000005376000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0p0rn2qy.rvr.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2344-69-0x0000000005270000-0x0000000005292000-memory.dmp

memory/1208-82-0x0000000000480000-0x0000000001F4A000-memory.dmp

memory/2344-83-0x0000000005A00000-0x0000000005A1E000-memory.dmp

memory/2752-88-0x0000000005DD0000-0x0000000005E20000-memory.dmp

memory/2752-89-0x0000000006020000-0x00000000060D2000-memory.dmp

memory/2344-90-0x0000000005FD0000-0x0000000006002000-memory.dmp

memory/2344-91-0x000000006EB70000-0x000000006EBBC000-memory.dmp

memory/2344-101-0x0000000005FB0000-0x0000000005FCE000-memory.dmp

memory/2344-102-0x00000000069D0000-0x0000000006A73000-memory.dmp

memory/2344-103-0x0000000007370000-0x00000000079EA000-memory.dmp

memory/2344-104-0x0000000006D30000-0x0000000006D4A000-memory.dmp

memory/2344-105-0x0000000006DA0000-0x0000000006DAA000-memory.dmp

memory/2344-106-0x0000000006FB0000-0x0000000007046000-memory.dmp

memory/2344-107-0x0000000006F30000-0x0000000006F41000-memory.dmp

memory/2344-108-0x0000000006F60000-0x0000000006F6E000-memory.dmp

memory/2344-109-0x0000000006F70000-0x0000000006F84000-memory.dmp

memory/2344-110-0x0000000007070000-0x000000000708A000-memory.dmp

memory/2344-111-0x0000000007050000-0x0000000007058000-memory.dmp

memory/2344-112-0x0000000007090000-0x00000000070B2000-memory.dmp

memory/2268-115-0x00007FF60E4E0000-0x00007FF60EA7A000-memory.dmp

memory/2772-116-0x000001D82A1C0000-0x000001D82A1E2000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 6481a7f3f06f3b9e309953197eb98fa5
SHA1 272342df67707d8fadb4ce42a847595b493230d9
SHA256 1b258d70e55092f825a0f3a79529723ad114e64a407e368055cb74e020dcd173
SHA512 08aedfc9a3c47e1ed1de4f2eb94b344d8fac6c5129d8a01a050432d899b44e5b4cf3e99395e60743f4a83eaa3b2a3015c74a89520b536398af209d2956b9d452

memory/2268-131-0x00007FF60E4E0000-0x00007FF60EA7A000-memory.dmp

memory/1812-133-0x00007FF65B650000-0x00007FF65BBEA000-memory.dmp

memory/3212-136-0x000001BCC1C70000-0x000001BCC1C71000-memory.dmp

memory/3212-135-0x000001BCC1C70000-0x000001BCC1C71000-memory.dmp

memory/3212-134-0x000001BCC1C70000-0x000001BCC1C71000-memory.dmp

memory/3212-146-0x000001BCC1C70000-0x000001BCC1C71000-memory.dmp

memory/3212-144-0x000001BCC1C70000-0x000001BCC1C71000-memory.dmp

memory/3212-143-0x000001BCC1C70000-0x000001BCC1C71000-memory.dmp

memory/3212-142-0x000001BCC1C70000-0x000001BCC1C71000-memory.dmp

memory/3212-141-0x000001BCC1C70000-0x000001BCC1C71000-memory.dmp

memory/3212-140-0x000001BCC1C70000-0x000001BCC1C71000-memory.dmp

memory/3212-145-0x000001BCC1C70000-0x000001BCC1C71000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 fee026663fcb662152188784794028ee
SHA1 3c02a26a9cb16648fad85c6477b68ced3cb0cb45
SHA256 dbd4136bc342e3e92902ec3a30d165452c82997a7ae24ac90775e42d88959e6b
SHA512 7b12bd5c8fc4356b9123d6586b4980cf76012663b41c0dab6f6f21567e2f4005c5bcea2cc2158d157e4f801a281f3e04bad3774cddb3122db309ccf662184bd6

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d95b08252ed624f6d91b46523f110f29
SHA1 17577997bc1fb5d3fbe59be84013165534415dc3
SHA256 342ce7c39bf9992d31d4b61ef138b2b084c96c74736ed00bb19aae49be16ca02
SHA512 0c4288176d56f4ee6d8f08f568fba07ad859f50a395c39d2afd3baf55d3d29ca065a1ce305d1bd790477c35977c0ffa230543e805622f80a77bcee71b24eb257

memory/1812-163-0x00007FF65B650000-0x00007FF65BBEA000-memory.dmp

memory/420-164-0x0000022AADFC0000-0x0000022AADFE0000-memory.dmp

memory/1936-166-0x00007FF7FDD50000-0x00007FF7FDD79000-memory.dmp

memory/420-167-0x00007FF652660000-0x00007FF652E4F000-memory.dmp