Analysis Overview
SHA256
72e1fc6da0a5cfca80413b8b24a880b0688908264971cfedaf079ee52ce4d850
Threat Level: Known bad
The file Aurora.exe was found to be: Known bad.
Malicious Activity Summary
SectopRAT
Quasar RAT
RedLine payload
Suspicious use of NtCreateUserProcessOtherParentProcess
Quasar payload
SectopRAT payload
xmrig
RedLine
Identifies VirtualBox via ACPI registry values (likely anti-VM)
XMRig Miner payload
Sets file to hidden
Executes dropped EXE
Loads dropped DLL
Checks BIOS information in registry
Modifies file permissions
Checks computer location settings
Themida packer
Power Settings
Checks whether UAC is enabled
Adds Run key to start application
Command and Scripting Interpreter: PowerShell
Suspicious use of SetThreadContext
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Enumerates physical storage devices
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Unsigned PE
Scheduled Task/Job: Scheduled Task
Views/modifies file attributes
Runs ping.exe
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Uses Task Scheduler COM API
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2024-07-26 18:44
Signatures
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-26 18:44
Reported
2024-07-26 18:46
Platform
win7-20240704-en
Max time kernel
150s
Max time network
151s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
SectopRAT
SectopRAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 2732 created 1204 | N/A | C:\Users\Admin\AppData\Roaming\VLC Media Player\vlc.exe | C:\Windows\Explorer.EXE |
| PID 2732 created 1204 | N/A | C:\Users\Admin\AppData\Roaming\VLC Media Player\vlc.exe | C:\Windows\Explorer.EXE |
| PID 2732 created 1204 | N/A | C:\Users\Admin\AppData\Roaming\VLC Media Player\vlc.exe | C:\Windows\Explorer.EXE |
| PID 1320 created 1204 | N/A | C:\Users\Admin\AppData\Roaming\Google\Chrome\svchost.exe | C:\Windows\Explorer.EXE |
| PID 1320 created 1204 | N/A | C:\Users\Admin\AppData\Roaming\Google\Chrome\svchost.exe | C:\Windows\Explorer.EXE |
| PID 1320 created 1204 | N/A | C:\Users\Admin\AppData\Roaming\Google\Chrome\svchost.exe | C:\Windows\Explorer.EXE |
| PID 1320 created 1204 | N/A | C:\Users\Admin\AppData\Roaming\Google\Chrome\svchost.exe | C:\Windows\Explorer.EXE |
xmrig
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\Aurora.exe | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Sets file to hidden
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\Aurora.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\Aurora.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\AdobeLicense\AdobeUpdate.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft Edge\build.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\OneDrive Update Tool\OneDrive.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\VLC Media Player\vlc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Msedge.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Google\Chrome\svchost.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Aurora.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Aurora.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Aurora.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Aurora.exe | N/A |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskeng.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Edge = "C:\\Users\\Admin\\AppData\\Local\\Msedge.exe" | C:\Users\Admin\AppData\Roaming\AdobeLicense\AdobeUpdate.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\OneDriveUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\OneDriveUpdate\\OneDrive Updater.exe" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\Aurora.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Power Settings
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\System32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\System32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\System32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\System32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\System32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\System32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\System32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\System32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\System32\powercfg.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Aurora.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2784 set thread context of 1836 | N/A | C:\Users\Admin\AppData\Roaming\OneDrive Update Tool\OneDrive.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| PID 1320 set thread context of 2376 | N/A | C:\Users\Admin\AppData\Roaming\Google\Chrome\svchost.exe | C:\Windows\System32\conhost.exe |
| PID 1320 set thread context of 1152 | N/A | C:\Users\Admin\AppData\Roaming\Google\Chrome\svchost.exe | C:\Windows\System32\svchost.exe |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Aurora.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft Edge\build.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\OneDrive Update Tool\OneDrive.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\Aurora.exe
"C:\Users\Admin\AppData\Local\Temp\Aurora.exe"
C:\Users\Admin\AppData\Roaming\AdobeLicense\AdobeUpdate.exe
"C:\Users\Admin\AppData\Roaming\AdobeLicense\AdobeUpdate.exe"
C:\Users\Admin\AppData\Roaming\Microsoft Edge\build.exe
"C:\Users\Admin\AppData\Roaming\Microsoft Edge\build.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start cmd /Q /C " ping localhost -n 1 && copy "C:\Users\Admin\AppData\Roaming\AdobeLicense\AdobeUpdate.exe" "C:\Users\Admin\AppData\Local\Msedge.exe" && attrib +r +h +a "C:\Users\Admin\AppData\Local\Msedge.exe" && icacls "C:\Users\Admin\AppData\Local\Msedge.exe" /deny "everyone":(WD,AD,WEA,WA) && del "C:\Users\Admin\AppData\Roaming\AdobeLicense\AdobeUpdate.exe" && cmd /C "start "C:\Users\Admin\AppData\Local\Msedge.exe" && exit" && && exit "
C:\Users\Admin\AppData\Roaming\OneDrive Update Tool\OneDrive.exe
"C:\Users\Admin\AppData\Roaming\OneDrive Update Tool\OneDrive.exe"
C:\Windows\system32\cmd.exe
cmd /Q /C " ping localhost -n 1 && copy "C:\Users\Admin\AppData\Roaming\AdobeLicense\AdobeUpdate.exe" "C:\Users\Admin\AppData\Local\Msedge.exe" && attrib +r +h +a "C:\Users\Admin\AppData\Local\Msedge.exe" && icacls "C:\Users\Admin\AppData\Local\Msedge.exe" /deny "everyone":(WD,AD,WEA,WA) && del "C:\Users\Admin\AppData\Roaming\AdobeLicense\AdobeUpdate.exe" && cmd /C "start "C:\Users\Admin\AppData\Local\Msedge.exe"
C:\Windows\system32\PING.EXE
ping localhost -n 1
C:\Users\Admin\AppData\Roaming\VLC Media Player\vlc.exe
"C:\Users\Admin\AppData\Roaming\VLC Media Player\vlc.exe"
C:\Windows\system32\attrib.exe
attrib +r +h +a "C:\Users\Admin\AppData\Local\Msedge.exe"
C:\Windows\system32\icacls.exe
icacls "C:\Users\Admin\AppData\Local\Msedge.exe" /deny "everyone":(WD,AD,WEA,WA)
C:\Windows\system32\cmd.exe
cmd /C "start "C:\Users\Admin\AppData\Local\Msedge.exe
C:\Users\Admin\AppData\Local\Msedge.exe
C:\Users\Admin\AppData\Local\Msedge.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'OneDriveUpdate';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'OneDriveUpdate' -Value '"C:\Users\Admin\AppData\Roaming\OneDriveUpdate\OneDrive Updater.exe"' -PropertyType 'String'
C:\Windows\SysWOW64\cmd.exe
"cmd" /C schtasks /create /tn \OneDriveUpdate /tr "C:\Users\Admin\AppData\Roaming\OneDriveUpdate\OneDrive Updater.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn \OneDriveUpdate /tr "C:\Users\Admin\AppData\Roaming\OneDriveUpdate\OneDrive Updater.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
#cmd
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
#cmd
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#npnsokoe#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'ConsoleWindowsHost' /tr '''C:\Users\Admin\AppData\Roaming\Google\Chrome\svchost.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Google\Chrome\svchost.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'ConsoleWindowsHost' -RunLevel 'Highest' -Force; }
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /tn ConsoleWindowsHost /tr 'C:\Users\Admin\AppData\Roaming\Google\Chrome\svchost.exe'
C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /run /tn "ConsoleWindowsHost"
C:\Windows\system32\taskeng.exe
taskeng.exe {87C2F69C-7E69-4AAC-9C52-F131C22E044B} S-1-5-21-3450744190-3404161390-554719085-1000:PDIZKVQX\Admin:Interactive:[1]
C:\Users\Admin\AppData\Roaming\Google\Chrome\svchost.exe
C:\Users\Admin\AppData\Roaming\Google\Chrome\svchost.exe
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#npnsokoe#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'ConsoleWindowsHost' /tr '''C:\Users\Admin\AppData\Roaming\Google\Chrome\svchost.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Google\Chrome\svchost.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'ConsoleWindowsHost' -RunLevel 'Highest' -Force; }
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /tn ConsoleWindowsHost /tr 'C:\Users\Admin\AppData\Roaming\Google\Chrome\svchost.exe'
C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
Network
| Country | Destination | Domain | Proto |
| GB | 154.81.220.233:28105 | tcp | |
| US | 8.8.8.8:53 | auroraforge.art | udp |
| US | 192.64.119.108:55326 | auroraforge.art | tcp |
| GB | 154.81.220.233:28105 | tcp | |
| GB | 154.81.220.233:28105 | tcp | |
| GB | 154.81.220.233:28105 | tcp | |
| GB | 154.81.220.233:28105 | tcp | |
| US | 8.8.8.8:53 | thesirenmika.com | udp |
| CN | 123.123.123.123:55713 | thesirenmika.com | tcp |
| US | 8.8.8.8:53 | xmr-us-east1.nanopool.org | udp |
| CA | 51.222.12.201:14444 | xmr-us-east1.nanopool.org | tcp |
| GB | 154.81.220.233:28105 | tcp | |
| GB | 154.81.220.233:28105 | tcp | |
| GB | 154.81.220.233:28105 | tcp | |
| GB | 154.81.220.233:28105 | tcp | |
| US | 192.64.119.108:55326 | auroraforge.art | tcp |
| GB | 154.81.220.233:28105 | tcp | |
| GB | 154.81.220.233:28105 | tcp | |
| GB | 154.81.220.233:28105 | tcp | |
| CN | 123.123.123.123:55713 | thesirenmika.com | tcp |
| GB | 154.81.220.233:28105 | tcp | |
| GB | 154.81.220.233:28105 | tcp | |
| GB | 154.81.220.233:28105 | tcp | |
| GB | 154.81.220.233:28105 | tcp | |
| US | 192.64.119.108:55326 | auroraforge.art | tcp |
| GB | 154.81.220.233:28105 | tcp | |
| GB | 154.81.220.233:28105 | tcp | |
| GB | 154.81.220.233:28105 | tcp | |
| CN | 123.123.123.123:55713 | thesirenmika.com | tcp |
| GB | 154.81.220.233:28105 | tcp | |
| GB | 154.81.220.233:28105 | tcp | |
| GB | 154.81.220.233:28105 | tcp | |
| GB | 154.81.220.233:28105 | tcp |
Files
memory/2380-0-0x0000000000920000-0x00000000023EA000-memory.dmp
memory/2380-7-0x0000000075F40000-0x0000000075F87000-memory.dmp
memory/2380-4-0x0000000075F40000-0x0000000075F87000-memory.dmp
memory/2380-3-0x0000000075F40000-0x0000000075F87000-memory.dmp
memory/2380-2-0x0000000075F40000-0x0000000075F87000-memory.dmp
memory/2380-6-0x0000000075F40000-0x0000000075F87000-memory.dmp
memory/2380-5-0x0000000075F40000-0x0000000075F87000-memory.dmp
memory/2380-1-0x0000000075F4E000-0x0000000075F4F000-memory.dmp
memory/2380-11-0x0000000075F40000-0x0000000075F87000-memory.dmp
memory/2380-12-0x0000000075F40000-0x0000000075F87000-memory.dmp
\Users\Admin\AppData\Roaming\AdobeLicense\AdobeUpdate.exe
| MD5 | 65f0a85c4b056d6bcee60c49e2372e35 |
| SHA1 | 6af820a2030950617bf150777af4a43a06a17184 |
| SHA256 | d64768ea74224057220bff451504b6128ddfb6161617b668626c490c84b3ae8e |
| SHA512 | 7a50bd0b3908f830494b2bff13a051ba0cdc7900934dbf8a62616f6d29b914f05f8029bbcc429a095254ebb6ab2a2d92c05dd6aebf57e34cde20f152243df383 |
\Users\Admin\AppData\Roaming\Microsoft Edge\build.exe
| MD5 | c9a9d471428a5f92068c0823e6454254 |
| SHA1 | 8b8ee8612b9b8bfbb165b3a8ca0d4a377b589dd2 |
| SHA256 | b0ffaa8c7d8fe1e804afc87e6f7659483c69d421911ddbfc410270011b91bfb5 |
| SHA512 | ca34022e99a48639fb3566ec4eb901a2f91121aee6a1f1bc601492dd94387873afc8af499aefed8d644aef8f564ca46a12ea40176da7f8d7b4e60f4b505ac8af |
memory/2328-27-0x0000000075F40000-0x0000000075F87000-memory.dmp
\Users\Admin\AppData\Roaming\OneDrive Update Tool\OneDrive.exe
| MD5 | 3b4f58cd4bca7274be25e885be00798b |
| SHA1 | eb57c281d8324a1079db97c9da43483a65debbed |
| SHA256 | a6832546e1d261c33deea58e1cbb8a391af91628b130454d55aef3e292862d80 |
| SHA512 | dc909730b2feacba3c14c98a2b443d5c12dfd74ce74db53cf7e564e01707ac365811e4d3b95c0cefe2b87ebd1b074fb4a395360911c3d11de4fa8957e9bad121 |
memory/2328-33-0x0000000000970000-0x000000000098E000-memory.dmp
memory/2784-35-0x0000000000860000-0x0000000000B8E000-memory.dmp
\Users\Admin\AppData\Roaming\VLC Media Player\vlc.exe
| MD5 | b9fc8581b52abfc6b563da731438e27d |
| SHA1 | 43111fe9b307c850a379fe2d64d279e994680de3 |
| SHA256 | e03debe75b2f4f4c937c50773064b9a692b262bfce4472e67900edf3f7726058 |
| SHA512 | c62540e73870caf9a93fbc2396ac99867f8f6e87661240d7642022130008bdb769954f1e8a58d13698172e62cc5b7d44a73b2f1d999db47822eb294c629436a5 |
memory/2380-48-0x0000000075F40000-0x0000000075F87000-memory.dmp
memory/2380-49-0x0000000000920000-0x00000000023EA000-memory.dmp
memory/1836-55-0x0000000000400000-0x0000000000724000-memory.dmp
memory/1836-52-0x0000000000400000-0x0000000000724000-memory.dmp
memory/1836-61-0x0000000000400000-0x0000000000724000-memory.dmp
memory/1836-60-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/1836-62-0x0000000000400000-0x0000000000724000-memory.dmp
memory/1836-58-0x0000000000400000-0x0000000000724000-memory.dmp
memory/1836-57-0x0000000000400000-0x0000000000724000-memory.dmp
memory/1836-63-0x0000000000400000-0x0000000000724000-memory.dmp
memory/2732-64-0x000000013F850000-0x000000013FDEA000-memory.dmp
\??\PIPE\srvsvc
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\LBD5NQXK2RVQVSFCEU72.temp
| MD5 | ad71b6b2ec42a95e2a492f3a3fb04cad |
| SHA1 | 2679e976741b22beea5076aec5e5ca4ea19b8f54 |
| SHA256 | 8055c3615fcf921102ec679df3905da9172e0ad311aa0dd0246ed626ecf8f802 |
| SHA512 | 14f1ca04f68d644e90d83d2841f6d6bf3ba9030b3a75ab107794cf3372c83465db771896d51838e08ba4e6c798ffbc81e45957669d35e98c66e711994ad5e753 |
memory/2324-71-0x00000000027E0000-0x00000000027E8000-memory.dmp
memory/2324-70-0x000000001B4D0000-0x000000001B7B2000-memory.dmp
memory/2732-74-0x000000013F850000-0x000000013FDEA000-memory.dmp
memory/2328-78-0x0000000075F40000-0x0000000075F87000-memory.dmp
memory/1320-79-0x000000013FC80000-0x000000014021A000-memory.dmp
memory/2920-85-0x000000001B4B0000-0x000000001B792000-memory.dmp
memory/2920-86-0x0000000002720000-0x0000000002728000-memory.dmp
memory/1152-92-0x00000000000B0000-0x00000000000D0000-memory.dmp
memory/1320-91-0x000000013FC80000-0x000000014021A000-memory.dmp
memory/2376-93-0x0000000140000000-0x0000000140029000-memory.dmp
memory/1152-94-0x0000000140000000-0x00000001407EF000-memory.dmp
memory/1152-96-0x0000000140000000-0x00000001407EF000-memory.dmp
memory/2376-98-0x0000000140000000-0x0000000140029000-memory.dmp
memory/1152-99-0x0000000140000000-0x00000001407EF000-memory.dmp
memory/1152-101-0x0000000140000000-0x00000001407EF000-memory.dmp
memory/1152-103-0x0000000140000000-0x00000001407EF000-memory.dmp
memory/1152-105-0x0000000140000000-0x00000001407EF000-memory.dmp
memory/1152-107-0x0000000140000000-0x00000001407EF000-memory.dmp
memory/1152-109-0x0000000140000000-0x00000001407EF000-memory.dmp
memory/1152-111-0x0000000140000000-0x00000001407EF000-memory.dmp
memory/1152-113-0x0000000140000000-0x00000001407EF000-memory.dmp
memory/1152-115-0x0000000140000000-0x00000001407EF000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-26 18:44
Reported
2024-07-26 18:46
Platform
win10v2004-20240709-en
Max time kernel
149s
Max time network
152s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
SectopRAT
SectopRAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 3236 created 3432 | N/A | C:\Users\Admin\AppData\Roaming\VLC Media Player\vlc.exe | C:\Windows\Explorer.EXE |
| PID 3236 created 3432 | N/A | C:\Users\Admin\AppData\Roaming\VLC Media Player\vlc.exe | C:\Windows\Explorer.EXE |
| PID 3236 created 3432 | N/A | C:\Users\Admin\AppData\Roaming\VLC Media Player\vlc.exe | C:\Windows\Explorer.EXE |
| PID 1528 created 3432 | N/A | C:\Users\Admin\AppData\Roaming\Google\Chrome\svchost.exe | C:\Windows\Explorer.EXE |
| PID 1528 created 3432 | N/A | C:\Users\Admin\AppData\Roaming\Google\Chrome\svchost.exe | C:\Windows\Explorer.EXE |
| PID 1528 created 3432 | N/A | C:\Users\Admin\AppData\Roaming\Google\Chrome\svchost.exe | C:\Windows\Explorer.EXE |
| PID 1528 created 3432 | N/A | C:\Users\Admin\AppData\Roaming\Google\Chrome\svchost.exe | C:\Windows\Explorer.EXE |
xmrig
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\Aurora.exe | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Sets file to hidden
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\Aurora.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\Aurora.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Aurora.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\AdobeLicense\AdobeUpdate.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft Edge\build.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\OneDrive Update Tool\OneDrive.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\VLC Media Player\vlc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Msedge.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Google\Chrome\svchost.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Edge = "C:\\Users\\Admin\\AppData\\Local\\Msedge.exe" | C:\Users\Admin\AppData\Roaming\AdobeLicense\AdobeUpdate.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDriveUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\OneDriveUpdate\\OneDrive Updater.exe" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\Aurora.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Power Settings
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\System32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\System32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\System32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\System32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\System32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\System32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\System32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\System32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\System32\powercfg.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Aurora.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2444 set thread context of 3164 | N/A | C:\Users\Admin\AppData\Roaming\OneDrive Update Tool\OneDrive.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| PID 1528 set thread context of 3788 | N/A | C:\Users\Admin\AppData\Roaming\Google\Chrome\svchost.exe | C:\Windows\System32\conhost.exe |
| PID 1528 set thread context of 4052 | N/A | C:\Users\Admin\AppData\Roaming\Google\Chrome\svchost.exe | C:\Windows\System32\svchost.exe |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Aurora.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\OneDrive Update Tool\OneDrive.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft Edge\build.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\Aurora.exe
"C:\Users\Admin\AppData\Local\Temp\Aurora.exe"
C:\Users\Admin\AppData\Roaming\AdobeLicense\AdobeUpdate.exe
"C:\Users\Admin\AppData\Roaming\AdobeLicense\AdobeUpdate.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start cmd /Q /C " ping localhost -n 1 && copy "C:\Users\Admin\AppData\Roaming\AdobeLicense\AdobeUpdate.exe" "C:\Users\Admin\AppData\Local\Msedge.exe" && attrib +r +h +a "C:\Users\Admin\AppData\Local\Msedge.exe" && icacls "C:\Users\Admin\AppData\Local\Msedge.exe" /deny "everyone":(WD,AD,WEA,WA) && del "C:\Users\Admin\AppData\Roaming\AdobeLicense\AdobeUpdate.exe" && cmd /C "start "C:\Users\Admin\AppData\Local\Msedge.exe" && exit" && && exit "
C:\Users\Admin\AppData\Roaming\Microsoft Edge\build.exe
"C:\Users\Admin\AppData\Roaming\Microsoft Edge\build.exe"
C:\Users\Admin\AppData\Roaming\OneDrive Update Tool\OneDrive.exe
"C:\Users\Admin\AppData\Roaming\OneDrive Update Tool\OneDrive.exe"
C:\Windows\system32\cmd.exe
cmd /Q /C " ping localhost -n 1 && copy "C:\Users\Admin\AppData\Roaming\AdobeLicense\AdobeUpdate.exe" "C:\Users\Admin\AppData\Local\Msedge.exe" && attrib +r +h +a "C:\Users\Admin\AppData\Local\Msedge.exe" && icacls "C:\Users\Admin\AppData\Local\Msedge.exe" /deny "everyone":(WD,AD,WEA,WA) && del "C:\Users\Admin\AppData\Roaming\AdobeLicense\AdobeUpdate.exe" && cmd /C "start "C:\Users\Admin\AppData\Local\Msedge.exe"
C:\Users\Admin\AppData\Roaming\VLC Media Player\vlc.exe
"C:\Users\Admin\AppData\Roaming\VLC Media Player\vlc.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'OneDriveUpdate';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'OneDriveUpdate' -Value '"C:\Users\Admin\AppData\Roaming\OneDriveUpdate\OneDrive Updater.exe"' -PropertyType 'String'
C:\Windows\SysWOW64\cmd.exe
"cmd" /C schtasks /create /tn \OneDriveUpdate /tr "C:\Users\Admin\AppData\Roaming\OneDriveUpdate\OneDrive Updater.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
#cmd
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
#cmd
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
#cmd
C:\Windows\system32\PING.EXE
ping localhost -n 1
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn \OneDriveUpdate /tr "C:\Users\Admin\AppData\Roaming\OneDriveUpdate\OneDrive Updater.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f
C:\Windows\system32\attrib.exe
attrib +r +h +a "C:\Users\Admin\AppData\Local\Msedge.exe"
C:\Windows\system32\icacls.exe
icacls "C:\Users\Admin\AppData\Local\Msedge.exe" /deny "everyone":(WD,AD,WEA,WA)
C:\Windows\system32\cmd.exe
cmd /C "start "C:\Users\Admin\AppData\Local\Msedge.exe
C:\Users\Admin\AppData\Local\Msedge.exe
C:\Users\Admin\AppData\Local\Msedge.exe
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#npnsokoe#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'ConsoleWindowsHost' /tr '''C:\Users\Admin\AppData\Roaming\Google\Chrome\svchost.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Google\Chrome\svchost.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'ConsoleWindowsHost' -RunLevel 'Highest' -Force; }
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /run /tn "ConsoleWindowsHost"
C:\Users\Admin\AppData\Roaming\Google\Chrome\svchost.exe
C:\Users\Admin\AppData\Roaming\Google\Chrome\svchost.exe
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#npnsokoe#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'ConsoleWindowsHost' /tr '''C:\Users\Admin\AppData\Roaming\Google\Chrome\svchost.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Google\Chrome\svchost.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'ConsoleWindowsHost' -RunLevel 'Highest' -Force; }
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| GB | 154.81.220.233:28105 | tcp | |
| US | 8.8.8.8:53 | auroraforge.art | udp |
| US | 192.64.119.108:55326 | auroraforge.art | tcp |
| GB | 154.81.220.233:28105 | tcp | |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| GB | 154.81.220.233:28105 | tcp | |
| GB | 154.81.220.233:28105 | tcp | |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | thesirenmika.com | udp |
| CN | 123.123.123.123:55713 | thesirenmika.com | tcp |
| US | 8.8.8.8:53 | 34.58.20.217.in-addr.arpa | udp |
| GB | 154.81.220.233:28105 | tcp | |
| US | 8.8.8.8:53 | xmr-us-east1.nanopool.org | udp |
| CA | 51.222.200.133:14444 | xmr-us-east1.nanopool.org | tcp |
| US | 8.8.8.8:53 | 133.200.222.51.in-addr.arpa | udp |
| GB | 154.81.220.233:28105 | tcp | |
| GB | 154.81.220.233:28105 | tcp | |
| GB | 154.81.220.233:28105 | tcp | |
| US | 192.64.119.108:55326 | auroraforge.art | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| GB | 154.81.220.233:28105 | tcp | |
| GB | 154.81.220.233:28105 | tcp | |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| GB | 154.81.220.233:28105 | tcp | |
| CN | 123.123.123.123:55713 | thesirenmika.com | tcp |
| GB | 154.81.220.233:28105 | tcp | |
| GB | 154.81.220.233:28105 | tcp | |
| GB | 154.81.220.233:28105 | tcp | |
| US | 192.64.119.108:55326 | auroraforge.art | tcp |
| GB | 154.81.220.233:28105 | tcp | |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| GB | 154.81.220.233:28105 | tcp | |
| GB | 154.81.220.233:28105 | tcp | |
| CN | 123.123.123.123:55713 | thesirenmika.com | tcp |
| GB | 154.81.220.233:28105 | tcp | |
| GB | 154.81.220.233:28105 | tcp |
Files
memory/4824-0-0x0000000000140000-0x0000000001C0A000-memory.dmp
memory/4824-2-0x00000000774E0000-0x00000000775D0000-memory.dmp
memory/4824-5-0x00000000774E0000-0x00000000775D0000-memory.dmp
memory/4824-7-0x00000000774E0000-0x00000000775D0000-memory.dmp
memory/4824-6-0x00000000774E0000-0x00000000775D0000-memory.dmp
memory/4824-4-0x00000000774E0000-0x00000000775D0000-memory.dmp
memory/4824-3-0x00000000774E0000-0x00000000775D0000-memory.dmp
memory/4824-1-0x0000000077500000-0x0000000077501000-memory.dmp
memory/4824-8-0x00000000774E0000-0x00000000775D0000-memory.dmp
memory/4824-11-0x00000000774E0000-0x00000000775D0000-memory.dmp
C:\Users\Admin\AppData\Roaming\AdobeLicense\AdobeUpdate.exe
| MD5 | 65f0a85c4b056d6bcee60c49e2372e35 |
| SHA1 | 6af820a2030950617bf150777af4a43a06a17184 |
| SHA256 | d64768ea74224057220bff451504b6128ddfb6161617b668626c490c84b3ae8e |
| SHA512 | 7a50bd0b3908f830494b2bff13a051ba0cdc7900934dbf8a62616f6d29b914f05f8029bbcc429a095254ebb6ab2a2d92c05dd6aebf57e34cde20f152243df383 |
C:\Users\Admin\AppData\Roaming\Microsoft Edge\build.exe
| MD5 | c9a9d471428a5f92068c0823e6454254 |
| SHA1 | 8b8ee8612b9b8bfbb165b3a8ca0d4a377b589dd2 |
| SHA256 | b0ffaa8c7d8fe1e804afc87e6f7659483c69d421911ddbfc410270011b91bfb5 |
| SHA512 | ca34022e99a48639fb3566ec4eb901a2f91121aee6a1f1bc601492dd94387873afc8af499aefed8d644aef8f564ca46a12ea40176da7f8d7b4e60f4b505ac8af |
C:\Users\Admin\AppData\Roaming\OneDrive Update Tool\OneDrive.exe
| MD5 | 3b4f58cd4bca7274be25e885be00798b |
| SHA1 | eb57c281d8324a1079db97c9da43483a65debbed |
| SHA256 | a6832546e1d261c33deea58e1cbb8a391af91628b130454d55aef3e292862d80 |
| SHA512 | dc909730b2feacba3c14c98a2b443d5c12dfd74ce74db53cf7e564e01707ac365811e4d3b95c0cefe2b87ebd1b074fb4a395360911c3d11de4fa8957e9bad121 |
memory/2444-42-0x00000000006B0000-0x00000000009DE000-memory.dmp
memory/3384-43-0x0000000000280000-0x000000000029E000-memory.dmp
C:\Users\Admin\AppData\Roaming\VLC Media Player\vlc.exe
| MD5 | b9fc8581b52abfc6b563da731438e27d |
| SHA1 | 43111fe9b307c850a379fe2d64d279e994680de3 |
| SHA256 | e03debe75b2f4f4c937c50773064b9a692b262bfce4472e67900edf3f7726058 |
| SHA512 | c62540e73870caf9a93fbc2396ac99867f8f6e87661240d7642022130008bdb769954f1e8a58d13698172e62cc5b7d44a73b2f1d999db47822eb294c629436a5 |
memory/2444-52-0x00000000057C0000-0x0000000005D64000-memory.dmp
memory/3384-55-0x0000000005210000-0x0000000005828000-memory.dmp
memory/3384-56-0x00000000025C0000-0x00000000025D2000-memory.dmp
memory/3384-58-0x0000000002620000-0x000000000265C000-memory.dmp
memory/4824-61-0x00000000774E0000-0x00000000775D0000-memory.dmp
memory/3384-62-0x0000000004BF0000-0x0000000004C3C000-memory.dmp
memory/4824-63-0x0000000000140000-0x0000000001C0A000-memory.dmp
memory/3164-64-0x0000000000400000-0x0000000000724000-memory.dmp
memory/2568-66-0x0000000002CE0000-0x0000000002D16000-memory.dmp
memory/3384-68-0x0000000004E10000-0x0000000004F1A000-memory.dmp
memory/2568-67-0x0000000005920000-0x0000000005F48000-memory.dmp
memory/3164-69-0x00000000054D0000-0x0000000005562000-memory.dmp
memory/2568-77-0x0000000005FC0000-0x0000000006026000-memory.dmp
memory/2568-76-0x0000000005F50000-0x0000000005FB6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qguaimw1.xfl.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3164-78-0x0000000005470000-0x000000000547A000-memory.dmp
memory/2568-70-0x0000000005840000-0x0000000005862000-memory.dmp
memory/2568-83-0x0000000006030000-0x0000000006384000-memory.dmp
memory/2568-84-0x0000000006600000-0x000000000661E000-memory.dmp
memory/3164-88-0x0000000005F20000-0x0000000005F70000-memory.dmp
memory/3164-89-0x0000000006160000-0x0000000006212000-memory.dmp
memory/2568-102-0x0000000006C00000-0x0000000006C1E000-memory.dmp
memory/2568-92-0x000000006EFE0000-0x000000006F02C000-memory.dmp
memory/2568-103-0x0000000007620000-0x00000000076C3000-memory.dmp
memory/2568-91-0x00000000075E0000-0x0000000007612000-memory.dmp
memory/2568-105-0x0000000007930000-0x000000000794A000-memory.dmp
memory/2568-104-0x0000000007F80000-0x00000000085FA000-memory.dmp
memory/2568-106-0x00000000079A0000-0x00000000079AA000-memory.dmp
memory/2568-107-0x0000000007BB0000-0x0000000007C46000-memory.dmp
memory/2568-108-0x0000000007B30000-0x0000000007B41000-memory.dmp
memory/2568-109-0x0000000007B60000-0x0000000007B6E000-memory.dmp
memory/2568-110-0x0000000007B70000-0x0000000007B84000-memory.dmp
memory/2568-111-0x0000000007C70000-0x0000000007C8A000-memory.dmp
memory/2568-112-0x0000000007C50000-0x0000000007C58000-memory.dmp
memory/2568-113-0x0000000007CB0000-0x0000000007CD2000-memory.dmp
memory/3236-116-0x00007FF6964A0000-0x00007FF696A3A000-memory.dmp
memory/5076-117-0x00000139680B0000-0x00000139680D2000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 9a83edb6f12fbbd39f80d0d6eb9bbae1 |
| SHA1 | 7b0cf3ca94fc8f0efcdf74820b23476b05fb177d |
| SHA256 | 5cf0874c1e9530e0e33425cf824724b967ce604e02c784aa17536d496c87f657 |
| SHA512 | 9c8f2a3abc3f7d8126a7ed4f51818494c392ca8ff2d1f7f7e9ceef9c75d73d39ad80c6fb85fa7788fb0dda3efeef02b40653bd53ab39692ccfb877ef4794ae29 |
memory/3236-132-0x00007FF6964A0000-0x00007FF696A3A000-memory.dmp
memory/1528-134-0x00007FF79A0C0000-0x00007FF79A65A000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | fee026663fcb662152188784794028ee |
| SHA1 | 3c02a26a9cb16648fad85c6477b68ced3cb0cb45 |
| SHA256 | dbd4136bc342e3e92902ec3a30d165452c82997a7ae24ac90775e42d88959e6b |
| SHA512 | 7b12bd5c8fc4356b9123d6586b4980cf76012663b41c0dab6f6f21567e2f4005c5bcea2cc2158d157e4f801a281f3e04bad3774cddb3122db309ccf662184bd6 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | d95b08252ed624f6d91b46523f110f29 |
| SHA1 | 17577997bc1fb5d3fbe59be84013165534415dc3 |
| SHA256 | 342ce7c39bf9992d31d4b61ef138b2b084c96c74736ed00bb19aae49be16ca02 |
| SHA512 | 0c4288176d56f4ee6d8f08f568fba07ad859f50a395c39d2afd3baf55d3d29ca065a1ce305d1bd790477c35977c0ffa230543e805622f80a77bcee71b24eb257 |
memory/4052-151-0x000002B4F8BC0000-0x000002B4F8BE0000-memory.dmp
memory/1528-152-0x00007FF79A0C0000-0x00007FF79A65A000-memory.dmp
memory/3788-153-0x00007FF60CE50000-0x00007FF60CE79000-memory.dmp
memory/4052-154-0x00007FF7B30F0000-0x00007FF7B38DF000-memory.dmp
memory/4052-156-0x00007FF7B30F0000-0x00007FF7B38DF000-memory.dmp
memory/3788-157-0x00007FF60CE50000-0x00007FF60CE79000-memory.dmp
memory/4052-158-0x00007FF7B30F0000-0x00007FF7B38DF000-memory.dmp
memory/4052-160-0x00007FF7B30F0000-0x00007FF7B38DF000-memory.dmp
memory/4052-162-0x00007FF7B30F0000-0x00007FF7B38DF000-memory.dmp
memory/4052-164-0x00007FF7B30F0000-0x00007FF7B38DF000-memory.dmp
memory/4052-166-0x00007FF7B30F0000-0x00007FF7B38DF000-memory.dmp
memory/4052-168-0x00007FF7B30F0000-0x00007FF7B38DF000-memory.dmp
memory/4052-170-0x00007FF7B30F0000-0x00007FF7B38DF000-memory.dmp
memory/4052-172-0x00007FF7B30F0000-0x00007FF7B38DF000-memory.dmp
memory/4052-174-0x00007FF7B30F0000-0x00007FF7B38DF000-memory.dmp