Malware Analysis Report

2024-09-11 09:51

Sample ID 240726-xs6grssanb
Target Aurora.exe
SHA256 cad0ea7aa29ccb61cd2c595e27921c89e6fed8b0275d86c5560fcde21a1554bc
Tags
themida quasar redline sectoprat xmrig cheat themdas discovery evasion execution infostealer miner persistence rat spyware trojan
score
10/10

Analysis Overview

Threat Level: Known bad

The file Aurora.exe was found to be: Known bad.

Malicious Activity Summary

Suspicious use of NtCreateUserProcessOtherParentProcess

SectopRAT payload

SectopRAT

RedLine

Quasar payload

Quasar RAT

RedLine payload

xmrig

Identifies VirtualBox via ACPI registry values (likely anti-VM)

XMRig Miner payload

Sets file to hidden

Checks BIOS information in registry

Checks computer location settings

Modifies file permissions

Loads dropped DLL

Executes dropped EXE

Themida packer

Command and Scripting Interpreter: PowerShell

Power Settings

Adds Run key to start application

Checks whether UAC is enabled

Drops file in System32 directory

Suspicious use of SetThreadContext

Suspicious use of NtSetInformationThreadHideFromDebugger

System Network Configuration Discovery: Internet Connection Discovery

System Location Discovery: System Language Discovery

Unsigned PE

Enumerates physical storage devices

Uses Task Scheduler COM API

Suspicious behavior: LoadsDriver

Suspicious behavior: EnumeratesProcesses

Scheduled Task/Job: Scheduled Task

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Suspicious use of SendNotifyMessage

Runs ping.exe

Views/modifies file attributes

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-07-26 19:08

Signatures

Themida packer

themida
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-26 19:07

Reported

2024-07-26 19:11

Platform

win7-20240704-en

Max time kernel

150s

Max time network

156s

Command Line

C:\Windows\Explorer.EXE

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

RedLine

infostealer redline

RedLine payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

xmrig

miner xmrig

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\Aurora.exe | N/A

XMRig Miner payload

miner
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Sets file to hidden

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\attrib.exe | N/A

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\Aurora.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\Aurora.exe | N/A

Modifies file permissions

discovery
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\icacls.exe | N/A

Themida packer

themida
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Edge = "C:\\Users\\Admin\\AppData\\Local\\Msedge.exe" | C:\Users\Admin\AppData\Roaming\AdobeLicense\AdobeUpdate.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\OneDriveUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\OneDriveUpdate\\OneDrive Updater.exe" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\Aurora.exe | N/A

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Aurora.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Aurora.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft Edge\build.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\OneDrive Update Tool\OneDrive.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\PING.EXE | N/A
N/A | N/A | C:\Windows\system32\cmd.exe | N/A

Runs ping.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\PING.EXE | N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Aurora.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\OneDrive Update Tool\OneDrive.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\VLC Media Player\vlc.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Google\Chrome\svchost.exe | N/A
N/A | N/A | C:\Windows\System32\svchost.exe | N/A

Suspicious behavior: LoadsDriver

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Microsoft Edge\build.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\OneDrive Update Tool\OneDrive.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\System32\powercfg.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeLockMemoryPrivilege | N/A | C:\Windows\System32\svchost.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\svchost.exe | N/A

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\svchost.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2564 wrote to memory of 1688 | N/A | C:\Users\Admin\AppData\Local\Temp\Aurora.exe | C:\Users\Admin\AppData\Roaming\AdobeLicense\AdobeUpdate.exe
PID 2564 wrote to memory of 2492 | N/A | C:\Users\Admin\AppData\Local\Temp\Aurora.exe | C:\Users\Admin\AppData\Roaming\Microsoft Edge\build.exe
PID 1688 wrote to memory of 2756 | N/A | C:\Users\Admin\AppData\Roaming\AdobeLicense\AdobeUpdate.exe | C:\Windows\system32\cmd.exe
PID 2564 wrote to memory of 2428 | N/A | C:\Users\Admin\AppData\Local\Temp\Aurora.exe | C:\Users\Admin\AppData\Roaming\OneDrive Update Tool\OneDrive.exe
PID 2564 wrote to memory of 2780 | N/A | C:\Users\Admin\AppData\Local\Temp\Aurora.exe | C:\Users\Admin\AppData\Roaming\VLC Media Player\vlc.exe
PID 2756 wrote to memory of 2888 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe
PID 2888 wrote to memory of 2856 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE
PID 2888 wrote to memory of 2644 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\attrib.exe
PID 2888 wrote to memory of 2684 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\icacls.exe
PID 2888 wrote to memory of 2748 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe
PID 2428 wrote to memory of 1228 | N/A | C:\Users\Admin\AppData\Roaming\OneDrive Update Tool\OneDrive.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2428 wrote to memory of 2300 | N/A | C:\Users\Admin\AppData\Roaming\OneDrive Update Tool\OneDrive.exe | C:\Windows\SysWOW64\cmd.exe
PID 2748 wrote to memory of 836 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Msedge.exe
PID 2300 wrote to memory of 2612 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2428 wrote to memory of 1664 | N/A | C:\Users\Admin\AppData\Roaming\OneDrive Update Tool\OneDrive.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2428 wrote to memory of 2912 | N/A | C:\Users\Admin\AppData\Roaming\OneDrive Update Tool\OneDrive.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Uses Task Scheduler COM API

persistence

Views/modifies file attributes

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\attrib.exe | N/A

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\Aurora.exe

"C:\Users\Admin\AppData\Local\Temp\Aurora.exe"

C:\Users\Admin\AppData\Roaming\AdobeLicense\AdobeUpdate.exe

"C:\Users\Admin\AppData\Roaming\AdobeLicense\AdobeUpdate.exe"

C:\Users\Admin\AppData\Roaming\Microsoft Edge\build.exe

"C:\Users\Admin\AppData\Roaming\Microsoft Edge\build.exe"

C:\Users\Admin\AppData\Roaming\OneDrive Update Tool\OneDrive.exe

"C:\Users\Admin\AppData\Roaming\OneDrive Update Tool\OneDrive.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c start cmd /Q /C " ping localhost -n 1 && copy "C:\Users\Admin\AppData\Roaming\AdobeLicense\AdobeUpdate.exe" "C:\Users\Admin\AppData\Local\Msedge.exe" && attrib +r +h +a "C:\Users\Admin\AppData\Local\Msedge.exe" && icacls "C:\Users\Admin\AppData\Local\Msedge.exe" /deny "everyone":(WD,AD,WEA,WA) && del "C:\Users\Admin\AppData\Roaming\AdobeLicense\AdobeUpdate.exe" && cmd /C "start "C:\Users\Admin\AppData\Local\Msedge.exe" && exit" && && exit "

C:\Users\Admin\AppData\Roaming\VLC Media Player\vlc.exe

"C:\Users\Admin\AppData\Roaming\VLC Media Player\vlc.exe"

C:\Windows\system32\cmd.exe

cmd /Q /C " ping localhost -n 1 && copy "C:\Users\Admin\AppData\Roaming\AdobeLicense\AdobeUpdate.exe" "C:\Users\Admin\AppData\Local\Msedge.exe" && attrib +r +h +a "C:\Users\Admin\AppData\Local\Msedge.exe" && icacls "C:\Users\Admin\AppData\Local\Msedge.exe" /deny "everyone":(WD,AD,WEA,WA) && del "C:\Users\Admin\AppData\Roaming\AdobeLicense\AdobeUpdate.exe" && cmd /C "start "C:\Users\Admin\AppData\Local\Msedge.exe"

C:\Windows\system32\PING.EXE

ping localhost -n 1

C:\Windows\system32\attrib.exe

attrib +r +h +a "C:\Users\Admin\AppData\Local\Msedge.exe"

C:\Windows\system32\icacls.exe

icacls "C:\Users\Admin\AppData\Local\Msedge.exe" /deny "everyone":(WD,AD,WEA,WA)

C:\Windows\system32\cmd.exe

cmd /C "start "C:\Users\Admin\AppData\Local\Msedge.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'OneDriveUpdate';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'OneDriveUpdate' -Value '"C:\Users\Admin\AppData\Roaming\OneDriveUpdate\OneDrive Updater.exe"' -PropertyType 'String'

C:\Windows\SysWOW64\cmd.exe

"cmd" /C schtasks /create /tn \OneDriveUpdate /tr "C:\Users\Admin\AppData\Roaming\OneDriveUpdate\OneDrive Updater.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f

C:\Users\Admin\AppData\Local\Msedge.exe

C:\Users\Admin\AppData\Local\Msedge.exe

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn \OneDriveUpdate /tr "C:\Users\Admin\AppData\Roaming\OneDriveUpdate\OneDrive Updater.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

#cmd

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

#cmd

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#npnsokoe#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'ConsoleWindowsHost' /tr '''C:\Users\Admin\AppData\Roaming\Google\Chrome\svchost.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Google\Chrome\svchost.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'ConsoleWindowsHost' -RunLevel 'Highest' -Force; }

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\system32\schtasks.exe

"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /tn ConsoleWindowsHost /tr 'C:\Users\Admin\AppData\Roaming\Google\Chrome\svchost.exe'

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "ConsoleWindowsHost"

C:\Windows\system32\taskeng.exe

taskeng.exe {3852F004-611B-47DB-9F3F-5D813D753CFB} S-1-5-21-2212144002-1172735686-1556890956-1000:MVFYZPLM\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\Google\Chrome\svchost.exe

C:\Users\Admin\AppData\Roaming\Google\Chrome\svchost.exe

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#npnsokoe#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'ConsoleWindowsHost' /tr '''C:\Users\Admin\AppData\Roaming\Google\Chrome\svchost.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Google\Chrome\svchost.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'ConsoleWindowsHost' -RunLevel 'Highest' -Force; }

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\system32\schtasks.exe

"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /tn ConsoleWindowsHost /tr 'C:\Users\Admin\AppData\Roaming\Google\Chrome\svchost.exe'

C:\Windows\System32\conhost.exe

C:\Windows\System32\conhost.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe

Network

Country Destination Domain Proto
GB 154.81.220.233:28105 tcp
US 8.8.8.8:53 auroraforge.art udp
US 192.64.119.108:55326 auroraforge.art tcp
GB 154.81.220.233:28105 tcp
GB 154.81.220.233:28105 tcp
US 8.8.8.8:53 xmr-us-east1.nanopool.org udp
CA 51.222.200.133:14444 xmr-us-east1.nanopool.org tcp
US 8.8.8.8:53 thesirenmika.com udp
CN 123.123.123.123:55713 thesirenmika.com tcp
GB 154.81.220.233:28105 tcp
GB 154.81.220.233:28105 tcp
GB 154.81.220.233:28105 tcp
GB 154.81.220.233:28105 tcp
US 192.64.119.108:55326 auroraforge.art tcp
GB 154.81.220.233:28105 tcp
GB 154.81.220.233:28105 tcp
GB 154.81.220.233:28105 tcp
CN 123.123.123.123:55713 thesirenmika.com tcp
GB 154.81.220.233:28105 tcp
GB 154.81.220.233:28105 tcp
GB 154.81.220.233:28105 tcp
GB 154.81.220.233:28105 tcp
US 192.64.119.108:55326 auroraforge.art tcp
GB 154.81.220.233:28105 tcp
GB 154.81.220.233:28105 tcp
CN 123.123.123.123:55713 thesirenmika.com tcp
GB 154.81.220.233:28105 tcp
GB 154.81.220.233:28105 tcp
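
The Network table above mixes three kinds of traffic: resolver queries to 8.8.8.8, one Stratum-style connection to a Monero pool (xmr-us-east1.nanopool.org on 14444), and a tight loop of TCP connections to a bare ip:port (154.81.220.233:28105) that is never resolved by name, which is what a hard-coded C2 address polled from a loop looks like in a two-minute detonation. The script below is an added triage example written for this page; it is not part of the sandbox report or of the sample. The rows are copied from the table; the Stratum port list and the pool-name fragments are our assumptions.

```python
# Rows copied from the behavioral1 Network table of this report:
# country, destination ip:port, optional domain, protocol.
NETWORK_ROWS = """\
GB 154.81.220.233:28105 tcp
US 8.8.8.8:53 auroraforge.art udp
US 192.64.119.108:55326 auroraforge.art tcp
GB 154.81.220.233:28105 tcp
GB 154.81.220.233:28105 tcp
US 8.8.8.8:53 xmr-us-east1.nanopool.org udp
CA 51.222.200.133:14444 xmr-us-east1.nanopool.org tcp
US 8.8.8.8:53 thesirenmika.com udp
CN 123.123.123.123:55713 thesirenmika.com tcp
GB 154.81.220.233:28105 tcp
GB 154.81.220.233:28105 tcp
GB 154.81.220.233:28105 tcp
GB 154.81.220.233:28105 tcp
US 192.64.119.108:55326 auroraforge.art tcp
GB 154.81.220.233:28105 tcp
GB 154.81.220.233:28105 tcp
GB 154.81.220.233:28105 tcp
CN 123.123.123.123:55713 thesirenmika.com tcp
GB 154.81.220.233:28105 tcp
GB 154.81.220.233:28105 tcp
GB 154.81.220.233:28105 tcp
GB 154.81.220.233:28105 tcp
US 192.64.119.108:55326 auroraforge.art tcp
GB 154.81.220.233:28105 tcp
GB 154.81.220.233:28105 tcp
CN 123.123.123.123:55713 thesirenmika.com tcp
GB 154.81.220.233:28105 tcp
GB 154.81.220.233:28105 tcp
"""

# Assumptions (ours, not the sandbox's): ports commonly used by Monero
# Stratum pools, and name fragments of well-known public pools.
STRATUM_PORTS = {3333, 4444, 5555, 7777, 9999, 14433, 14444}
POOL_NAME_HINTS = ("nanopool", "supportxmr", "hashvault", "2miners", "minexmr", "xmr-")


def parse_rows(text):
    """Turn the flattened table into dicts; the domain column may be absent."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            country, dest, proto = parts
            domain = None
        elif len(parts) == 4:
            country, dest, domain, proto = parts
        else:
            continue  # header or blank line
        host, _, port = dest.rpartition(":")
        conns.append({"country": country, "host": host, "port": int(port),
                      "domain": domain, "proto": proto.lower()})
    return conns


def summarize(conns):
    """Collapse repeated rows into one entry per (host, port, proto)."""
    agg = {}
    for c in conns:
        entry = agg.setdefault((c["host"], c["port"], c["proto"]),
                               {"count": 0, "names": set()})
        entry["count"] += 1
        if c["domain"]:
            entry["names"].add(c["domain"])
    return agg


def dns_lookups(conns):
    """Names the sample resolved: rows to a resolver on udp/53 carry the query name."""
    return sorted({c["domain"] for c in conns
                   if c["proto"] == "udp" and c["port"] == 53 and c["domain"]})


def classify(agg, beacon_threshold=5):
    """Label each non-DNS endpoint: {(host, port, proto): (label, count)}."""
    out = {}
    for key, e in agg.items():
        host, port, proto = key
        if proto == "udp" and port == 53:
            continue  # resolver traffic is reported by dns_lookups()
        names = e["names"]
        if port in STRATUM_PORTS or any(h in n for n in names for h in POOL_NAME_HINTS):
            label = "mining-pool"
        elif not names and e["count"] >= beacon_threshold:
            # Repeated connections to a bare ip:port that no DNS query produced:
            # the address is embedded in the sample and polled in a loop.
            label = "hardcoded-c2-beacon"
        else:
            label = "named-tcp-endpoint"
        out[key] = (label, e["count"])
    return out


if __name__ == "__main__":
    conns = parse_rows(NETWORK_ROWS)
    print("resolved:", ", ".join(dns_lookups(conns)))
    ranked = sorted(classify(summarize(conns)).items(), key=lambda kv: -kv[1][1])
    for (host, port, proto), (label, n) in ranked:
        print(f"{label:<22} {host}:{port}/{proto}  x{n}")
```

The beacon rule deliberately keys on "no name ever resolved for this address"; the two name-resolved endpoints (auroraforge.art, thesirenmika.com) get the neutral label and should be judged by what the dropped executables do with them, not by connection count alone.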

Files

memory/2564-0-0x0000000000CC0000-0x000000000278A000-memory.dmp

memory/2564-2-0x00000000755C0000-0x0000000075607000-memory.dmp

memory/2564-3-0x00000000755C0000-0x0000000075607000-memory.dmp

memory/2564-1-0x00000000755CE000-0x00000000755CF000-memory.dmp

memory/2564-7-0x00000000755C0000-0x0000000075607000-memory.dmp

\Users\Admin\AppData\Roaming\AdobeLicense\AdobeUpdate.exe

MD5 65f0a85c4b056d6bcee60c49e2372e35
SHA1 6af820a2030950617bf150777af4a43a06a17184
SHA256 d64768ea74224057220bff451504b6128ddfb6161617b668626c490c84b3ae8e
SHA512 7a50bd0b3908f830494b2bff13a051ba0cdc7900934dbf8a62616f6d29b914f05f8029bbcc429a095254ebb6ab2a2d92c05dd6aebf57e34cde20f152243df383

\Users\Admin\AppData\Roaming\Microsoft Edge\build.exe

MD5 c9a9d471428a5f92068c0823e6454254
SHA1 8b8ee8612b9b8bfbb165b3a8ca0d4a377b589dd2
SHA256 b0ffaa8c7d8fe1e804afc87e6f7659483c69d421911ddbfc410270011b91bfb5
SHA512 ca34022e99a48639fb3566ec4eb901a2f91121aee6a1f1bc601492dd94387873afc8af499aefed8d644aef8f564ca46a12ea40176da7f8d7b4e60f4b505ac8af

\Users\Admin\AppData\Roaming\OneDrive Update Tool\OneDrive.exe

MD5 3b4f58cd4bca7274be25e885be00798b
SHA1 eb57c281d8324a1079db97c9da43483a65debbed
SHA256 a6832546e1d261c33deea58e1cbb8a391af91628b130454d55aef3e292862d80
SHA512 dc909730b2feacba3c14c98a2b443d5c12dfd74ce74db53cf7e564e01707ac365811e4d3b95c0cefe2b87ebd1b074fb4a395360911c3d11de4fa8957e9bad121

\Users\Admin\AppData\Roaming\VLC Media Player\vlc.exe

MD5 b9fc8581b52abfc6b563da731438e27d
SHA1 43111fe9b307c850a379fe2d64d279e994680de3
SHA256 e03debe75b2f4f4c937c50773064b9a692b262bfce4472e67900edf3f7726058
SHA512 c62540e73870caf9a93fbc2396ac99867f8f6e87661240d7642022130008bdb769954f1e8a58d13698172e62cc5b7d44a73b2f1d999db47822eb294c629436a5

memory/2428-33-0x0000000000340000-0x000000000066E000-memory.dmp

memory/2492-32-0x00000000009F0000-0x0000000000A0E000-memory.dmp

memory/2564-35-0x00000000755C0000-0x0000000075607000-memory.dmp

memory/2564-41-0x0000000000CC0000-0x000000000278A000-memory.dmp

memory/2912-50-0x0000000000400000-0x0000000000724000-memory.dmp

memory/2912-46-0x0000000000400000-0x0000000000724000-memory.dmp

memory/2912-52-0x0000000000400000-0x0000000000724000-memory.dmp

memory/2912-56-0x0000000000400000-0x0000000000724000-memory.dmp

memory/2912-48-0x0000000000400000-0x0000000000724000-memory.dmp

memory/2912-58-0x0000000000400000-0x0000000000724000-memory.dmp

memory/2912-55-0x0000000000400000-0x0000000000724000-memory.dmp

memory/2912-54-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2780-59-0x000000013FFF0000-0x000000014058A000-memory.dmp

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

(These four values are the digests of zero bytes: the sandbox hashed an opened named-pipe handle, not a dropped file. Do not add them to a blocklist; they match every empty file.)

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\HI05FPAEKR8GVDUFADRJ.temp

MD5 56a3c8d6d56a2b35a3cfe7674ce80cfd
SHA1 8dba97edd6051301cb07f29de58ea8eafa607b9e
SHA256 1e0e90ab41e50295400604bd724cc17f6ea29e7dab13363540adea621f96331f
SHA512 34620a71e97e02233be6a68690ce14989229891895922f573dc2e06438540f3003d5fc4aafef436ef30b4380a3522518c71761ebbfee823676e8b477aa5a7e68

memory/2976-65-0x000000001B200000-0x000000001B4E2000-memory.dmp

memory/2976-66-0x00000000022D0000-0x00000000022D8000-memory.dmp

memory/2780-69-0x000000013FFF0000-0x000000014058A000-memory.dmp

memory/2228-73-0x000000013FB10000-0x00000001400AA000-memory.dmp

memory/2500-79-0x000000001B0B0000-0x000000001B392000-memory.dmp

memory/2500-80-0x00000000023A0000-0x00000000023A8000-memory.dmp

memory/1964-86-0x00000000000B0000-0x00000000000D0000-memory.dmp

memory/2228-85-0x000000013FB10000-0x00000001400AA000-memory.dmp

memory/1816-87-0x0000000140000000-0x0000000140029000-memory.dmp

memory/1964-88-0x0000000140000000-0x00000001407EF000-memory.dmp

memory/1964-90-0x0000000140000000-0x00000001407EF000-memory.dmp

memory/1816-92-0x0000000140000000-0x0000000140029000-memory.dmp

memory/1964-93-0x0000000140000000-0x00000001407EF000-memory.dmp

memory/1964-95-0x0000000140000000-0x00000001407EF000-memory.dmp

memory/1964-97-0x0000000140000000-0x00000001407EF000-memory.dmp

memory/1964-99-0x0000000140000000-0x00000001407EF000-memory.dmp

memory/1964-101-0x0000000140000000-0x00000001407EF000-memory.dmp

memory/1964-103-0x0000000140000000-0x00000001407EF000-memory.dmp

memory/1964-105-0x0000000140000000-0x00000001407EF000-memory.dmp

memory/1964-107-0x0000000140000000-0x00000001407EF000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-26 19:07

Reported

2024-07-26 19:11

Platform

win10v2004-20240704-en

Max time kernel

148s

Max time network

152s

Command Line

C:\Windows\Explorer.EXE

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

xmrig

miner xmrig

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\Aurora.exe N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Sets file to hidden

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\Aurora.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\Aurora.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Aurora.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\icacls.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Edge = "C:\\Users\\Admin\\AppData\\Local\\Msedge.exe" C:\Users\Admin\AppData\Roaming\AdobeLicense\AdobeUpdate.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDriveUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\OneDriveUpdate\\OneDrive Updater.exe" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\Aurora.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Aurora.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Aurora.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Microsoft Edge\build.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\OneDrive Update Tool\OneDrive.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A
N/A N/A C:\Windows\system32\cmd.exe N/A
N/A N/A C:\Windows\system32\PING.EXE N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Aurora.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Aurora.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OneDrive Update Tool\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OneDrive Update Tool\OneDrive.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\VLC Media Player\vlc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\VLC Media Player\vlc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\VLC Media Player\vlc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\VLC Media Player\vlc.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\VLC Media Player\vlc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\VLC Media Player\vlc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Google\Chrome\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Google\Chrome\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Google\Chrome\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Google\Chrome\svchost.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Google\Chrome\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Google\Chrome\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Google\Chrome\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Google\Chrome\svchost.exe N/A
N/A N/A C:\Windows\System32\svchost.exe N/A
N/A N/A C:\Windows\System32\svchost.exe N/A
N/A N/A C:\Windows\System32\svchost.exe N/A
N/A N/A C:\Windows\System32\svchost.exe N/A
N/A N/A C:\Windows\System32\svchost.exe N/A
N/A N/A C:\Windows\System32\svchost.exe N/A
N/A N/A C:\Windows\System32\svchost.exe N/A
N/A N/A C:\Windows\System32\svchost.exe N/A
N/A N/A C:\Windows\System32\svchost.exe N/A
N/A N/A C:\Windows\System32\svchost.exe N/A
N/A N/A C:\Windows\System32\svchost.exe N/A
N/A N/A C:\Windows\System32\svchost.exe N/A
N/A N/A C:\Windows\System32\svchost.exe N/A
N/A N/A C:\Windows\System32\svchost.exe N/A
N/A N/A C:\Windows\System32\svchost.exe N/A
N/A N/A C:\Windows\System32\svchost.exe N/A
N/A N/A C:\Windows\System32\svchost.exe N/A
N/A N/A C:\Windows\System32\svchost.exe N/A
N/A N/A C:\Windows\System32\svchost.exe N/A
N/A N/A C:\Windows\System32\svchost.exe N/A
N/A N/A C:\Windows\System32\svchost.exe N/A
N/A N/A C:\Windows\System32\svchost.exe N/A
N/A N/A C:\Windows\System32\svchost.exe N/A
N/A N/A C:\Windows\System32\svchost.exe N/A
N/A N/A C:\Windows\System32\svchost.exe N/A
N/A N/A C:\Windows\System32\svchost.exe N/A
N/A N/A C:\Windows\System32\svchost.exe N/A
N/A N/A C:\Windows\System32\svchost.exe N/A
N/A N/A C:\Windows\System32\svchost.exe N/A
N/A N/A C:\Windows\System32\svchost.exe N/A
N/A N/A C:\Windows\System32\svchost.exe N/A
N/A N/A C:\Windows\System32\svchost.exe N/A
N/A N/A C:\Windows\System32\svchost.exe N/A
N/A N/A C:\Windows\System32\svchost.exe N/A
N/A N/A C:\Windows\System32\svchost.exe N/A
N/A N/A C:\Windows\System32\svchost.exe N/A
N/A N/A C:\Windows\System32\svchost.exe N/A
N/A N/A C:\Windows\System32\svchost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\OneDrive Update Tool\OneDrive.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft Edge\build.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4764 wrote to memory of 4864 N/A C:\Users\Admin\AppData\Local\Temp\Aurora.exe C:\Users\Admin\AppData\Roaming\AdobeLicense\AdobeUpdate.exe
PID 4764 wrote to memory of 4864 N/A C:\Users\Admin\AppData\Local\Temp\Aurora.exe C:\Users\Admin\AppData\Roaming\AdobeLicense\AdobeUpdate.exe
PID 4864 wrote to memory of 3488 N/A C:\Users\Admin\AppData\Roaming\AdobeLicense\AdobeUpdate.exe C:\Windows\system32\cmd.exe
PID 4864 wrote to memory of 3488 N/A C:\Users\Admin\AppData\Roaming\AdobeLicense\AdobeUpdate.exe C:\Windows\system32\cmd.exe
PID 4764 wrote to memory of 4264 N/A C:\Users\Admin\AppData\Local\Temp\Aurora.exe C:\Users\Admin\AppData\Roaming\Microsoft Edge\build.exe
PID 4764 wrote to memory of 4264 N/A C:\Users\Admin\AppData\Local\Temp\Aurora.exe C:\Users\Admin\AppData\Roaming\Microsoft Edge\build.exe
PID 4764 wrote to memory of 4264 N/A C:\Users\Admin\AppData\Local\Temp\Aurora.exe C:\Users\Admin\AppData\Roaming\Microsoft Edge\build.exe
PID 4764 wrote to memory of 1380 N/A C:\Users\Admin\AppData\Local\Temp\Aurora.exe C:\Users\Admin\AppData\Roaming\OneDrive Update Tool\OneDrive.exe
PID 4764 wrote to memory of 1380 N/A C:\Users\Admin\AppData\Local\Temp\Aurora.exe C:\Users\Admin\AppData\Roaming\OneDrive Update Tool\OneDrive.exe
PID 4764 wrote to memory of 1380 N/A C:\Users\Admin\AppData\Local\Temp\Aurora.exe C:\Users\Admin\AppData\Roaming\OneDrive Update Tool\OneDrive.exe
PID 3488 wrote to memory of 1392 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 3488 wrote to memory of 1392 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 1392 wrote to memory of 2540 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 1392 wrote to memory of 2540 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 1380 wrote to memory of 2240 N/A C:\Users\Admin\AppData\Roaming\OneDrive Update Tool\OneDrive.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1380 wrote to memory of 2240 N/A C:\Users\Admin\AppData\Roaming\OneDrive Update Tool\OneDrive.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1380 wrote to memory of 2240 N/A C:\Users\Admin\AppData\Roaming\OneDrive Update Tool\OneDrive.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4764 wrote to memory of 4076 N/A C:\Users\Admin\AppData\Local\Temp\Aurora.exe C:\Users\Admin\AppData\Roaming\VLC Media Player\vlc.exe
PID 4764 wrote to memory of 4076 N/A C:\Users\Admin\AppData\Local\Temp\Aurora.exe C:\Users\Admin\AppData\Roaming\VLC Media Player\vlc.exe
PID 1380 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Roaming\OneDrive Update Tool\OneDrive.exe C:\Windows\SysWOW64\cmd.exe
PID 1380 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Roaming\OneDrive Update Tool\OneDrive.exe C:\Windows\SysWOW64\cmd.exe
PID 1380 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Roaming\OneDrive Update Tool\OneDrive.exe C:\Windows\SysWOW64\cmd.exe
PID 1380 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Roaming\OneDrive Update Tool\OneDrive.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1380 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Roaming\OneDrive Update Tool\OneDrive.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1380 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Roaming\OneDrive Update Tool\OneDrive.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1380 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Roaming\OneDrive Update Tool\OneDrive.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1380 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Roaming\OneDrive Update Tool\OneDrive.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1380 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Roaming\OneDrive Update Tool\OneDrive.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1380 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Roaming\OneDrive Update Tool\OneDrive.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1380 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Roaming\OneDrive Update Tool\OneDrive.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1380 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Roaming\OneDrive Update Tool\OneDrive.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1380 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Roaming\OneDrive Update Tool\OneDrive.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1380 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Roaming\OneDrive Update Tool\OneDrive.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3012 wrote to memory of 1644 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 3012 wrote to memory of 1644 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 3012 wrote to memory of 1644 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 1392 wrote to memory of 4748 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 1392 wrote to memory of 4748 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 1392 wrote to memory of 2180 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\icacls.exe
PID 1392 wrote to memory of 2180 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\icacls.exe
PID 1392 wrote to memory of 1588 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 1392 wrote to memory of 1588 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 1588 wrote to memory of 224 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Msedge.exe
PID 1588 wrote to memory of 224 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Msedge.exe
PID 1948 wrote to memory of 4324 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 1948 wrote to memory of 4324 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 1948 wrote to memory of 2676 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 1948 wrote to memory of 2676 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 1948 wrote to memory of 1132 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 1948 wrote to memory of 1132 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 1948 wrote to memory of 3224 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 1948 wrote to memory of 3224 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 852 wrote to memory of 4068 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 852 wrote to memory of 4068 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 852 wrote to memory of 720 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 852 wrote to memory of 720 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 852 wrote to memory of 4296 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 852 wrote to memory of 4296 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 852 wrote to memory of 4084 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 852 wrote to memory of 4084 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 1464 wrote to memory of 2240 N/A C:\Users\Admin\AppData\Roaming\Google\Chrome\svchost.exe C:\Windows\System32\conhost.exe
PID 1464 wrote to memory of 3540 N/A C:\Users\Admin\AppData\Roaming\Google\Chrome\svchost.exe C:\Windows\System32\svchost.exe

Uses Task Scheduler COM API

persistence

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\Aurora.exe

"C:\Users\Admin\AppData\Local\Temp\Aurora.exe"

C:\Users\Admin\AppData\Roaming\AdobeLicense\AdobeUpdate.exe

"C:\Users\Admin\AppData\Roaming\AdobeLicense\AdobeUpdate.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c start cmd /Q /C " ping localhost -n 1 && copy "C:\Users\Admin\AppData\Roaming\AdobeLicense\AdobeUpdate.exe" "C:\Users\Admin\AppData\Local\Msedge.exe" && attrib +r +h +a "C:\Users\Admin\AppData\Local\Msedge.exe" && icacls "C:\Users\Admin\AppData\Local\Msedge.exe" /deny "everyone":(WD,AD,WEA,WA) && del "C:\Users\Admin\AppData\Roaming\AdobeLicense\AdobeUpdate.exe" && cmd /C "start "C:\Users\Admin\AppData\Local\Msedge.exe" && exit" && && exit "

C:\Users\Admin\AppData\Roaming\Microsoft Edge\build.exe

"C:\Users\Admin\AppData\Roaming\Microsoft Edge\build.exe"

C:\Users\Admin\AppData\Roaming\OneDrive Update Tool\OneDrive.exe

"C:\Users\Admin\AppData\Roaming\OneDrive Update Tool\OneDrive.exe"

C:\Windows\system32\cmd.exe

cmd /Q /C " ping localhost -n 1 && copy "C:\Users\Admin\AppData\Roaming\AdobeLicense\AdobeUpdate.exe" "C:\Users\Admin\AppData\Local\Msedge.exe" && attrib +r +h +a "C:\Users\Admin\AppData\Local\Msedge.exe" && icacls "C:\Users\Admin\AppData\Local\Msedge.exe" /deny "everyone":(WD,AD,WEA,WA) && del "C:\Users\Admin\AppData\Roaming\AdobeLicense\AdobeUpdate.exe" && cmd /C "start "C:\Users\Admin\AppData\Local\Msedge.exe"

C:\Users\Admin\AppData\Roaming\VLC Media Player\vlc.exe

"C:\Users\Admin\AppData\Roaming\VLC Media Player\vlc.exe"

C:\Windows\system32\PING.EXE

ping localhost -n 1

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'OneDriveUpdate';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'OneDriveUpdate' -Value '"C:\Users\Admin\AppData\Roaming\OneDriveUpdate\OneDrive Updater.exe"' -PropertyType 'String'

C:\Windows\SysWOW64\cmd.exe

"cmd" /C schtasks /create /tn \OneDriveUpdate /tr "C:\Users\Admin\AppData\Roaming\OneDriveUpdate\OneDrive Updater.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

#cmd

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

#cmd

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn \OneDriveUpdate /tr "C:\Users\Admin\AppData\Roaming\OneDriveUpdate\OneDrive Updater.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f

C:\Windows\system32\attrib.exe

attrib +r +h +a "C:\Users\Admin\AppData\Local\Msedge.exe"

C:\Windows\system32\icacls.exe

icacls "C:\Users\Admin\AppData\Local\Msedge.exe" /deny "everyone":(WD,AD,WEA,WA)

C:\Windows\system32\cmd.exe

cmd /C "start "C:\Users\Admin\AppData\Local\Msedge.exe

C:\Users\Admin\AppData\Local\Msedge.exe

C:\Users\Admin\AppData\Local\Msedge.exe

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#npnsokoe#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'ConsoleWindowsHost' /tr '''C:\Users\Admin\AppData\Roaming\Google\Chrome\svchost.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Google\Chrome\svchost.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'ConsoleWindowsHost' -RunLevel 'Highest' -Force; }

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "ConsoleWindowsHost"

C:\Users\Admin\AppData\Roaming\Google\Chrome\svchost.exe

C:\Users\Admin\AppData\Roaming\Google\Chrome\svchost.exe

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#npnsokoe#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'ConsoleWindowsHost' /tr '''C:\Users\Admin\AppData\Roaming\Google\Chrome\svchost.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Google\Chrome\svchost.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'ConsoleWindowsHost' -RunLevel 'Highest' -Force; }

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\System32\conhost.exe

C:\Windows\System32\conhost.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe
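Detection logic for the persistence chain recorded above, as an added example that is not part of the sandbox report: it takes (image path, command line) pairs, built here from the process tree of this detonation plus one benign System32 svchost.exe as a control, and flags scheduled tasks and Run keys whose target lives under AppData, icacls/attrib self-protection of a binary in AppData, Windows binary names running from AppData, and powercfg zeroing every sleep/hibernate timeout. The rule names, regexes, SYSTEM_NAMES set and the SAMPLE_EVENTS list are this editor's assumptions, not the sandbox's signatures.

```python
"""Flag the persistence and defence-evasion patterns seen in the process tree
above from (image path, command line) pairs. Added example: rule names, regexes
and the sample events are the editor's, not the sandbox's."""
import re
from pathlib import PureWindowsPath

# Anything under a user's AppData is writable without admin rights, so a task,
# Run key or "system" binary pointing there is worth a look.
USER_WRITABLE = re.compile(r"[A-Z]:\\Users\\[^\\]+\\AppData\\(?:Roaming|Local)\\", re.I)
# Binary names that only belong under %SystemRoot% or Program Files
# (OneDrive.exe is deliberately absent: it legitimately runs from AppData\Local).
SYSTEM_NAMES = {"svchost.exe", "conhost.exe", "csrss.exe", "msedge.exe"}
# One argument: "double-quoted", 'single' / '''PowerShell-escaped''' or bare.
TOKEN = r"""(?:"([^"]+)"|'+([^']+?)'+|(\S+))"""

# Constructed sample: command lines copied from this detonation (including the
# "Remove -ItemProperty" spacing as recorded) plus a real System32 svchost.exe.
SAMPLE_EVENTS = [
    (r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r"""Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'OneDriveUpdate';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'OneDriveUpdate' -Value '"C:\Users\Admin\AppData\Roaming\OneDriveUpdate\OneDrive Updater.exe"' -PropertyType 'String'"""),
    (r"C:\Windows\SysWOW64\cmd.exe",
     r'"cmd" /C schtasks /create /tn \OneDriveUpdate /tr "C:\Users\Admin\AppData\Roaming\OneDriveUpdate\OneDrive Updater.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f'),
    (r"C:\Windows\SysWOW64\schtasks.exe",
     r'schtasks /create /tn \OneDriveUpdate /tr "C:\Users\Admin\AppData\Roaming\OneDriveUpdate\OneDrive Updater.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f'),
    (r"C:\Windows\system32\attrib.exe", r'attrib +r +h +a "C:\Users\Admin\AppData\Local\Msedge.exe"'),
    (r"C:\Windows\system32\icacls.exe", r'icacls "C:\Users\Admin\AppData\Local\Msedge.exe" /deny "everyone":(WD,AD,WEA,WA)'),
    (r"C:\Users\Admin\AppData\Local\Msedge.exe", r"C:\Users\Admin\AppData\Local\Msedge.exe"),
    (r"C:\Windows\System32\cmd.exe",
     r"C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0"),
    (r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r"""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#npnsokoe#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'ConsoleWindowsHost' /tr '''C:\Users\Admin\AppData\Roaming\Google\Chrome\svchost.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Google\Chrome\svchost.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -TaskName 'ConsoleWindowsHost' -RunLevel 'Highest' -Force; }"""),
    (r"C:\Windows\System32\schtasks.exe", r'C:\Windows\System32\schtasks.exe /run /tn "ConsoleWindowsHost"'),
    (r"C:\Users\Admin\AppData\Roaming\Google\Chrome\svchost.exe", r"C:\Users\Admin\AppData\Roaming\Google\Chrome\svchost.exe"),
    (r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\svchost.exe"),  # benign control
]

def _first(groups):
    """First non-empty capture from a TOKEN match (or None)."""
    return next((g for g in groups if g), None)

def check_masquerade(image):
    """A Windows binary name running from a user-writable directory."""
    if PureWindowsPath(image).name.lower() in SYSTEM_NAMES and USER_WRITABLE.search(image):
        return ("system_name_in_appdata", image)
    return None

def check_scheduled_task(cmd):
    """schtasks /create or Register-ScheduledTask whose action lives in AppData."""
    if not re.search(r"schtasks(?:\.exe)?\b.*?/create|Register-ScheduledTask", cmd, re.I):
        return None
    m = re.search(r"(?:/tr|-Execute)\s+" + TOKEN, cmd, re.I)
    target = _first(m.groups()) if m else None
    if target and USER_WRITABLE.search(target):
        elevated = bool(re.search(r"/rl\s+highest|-RunLevel\s+'?highest", cmd, re.I))
        return ("scheduled_task_appdata", target, elevated)
    return None

def check_run_key(cmd):
    """...\CurrentVersion\Run value (PowerShell -Value or reg add /d) set to a path under AppData."""
    if not re.search(r"CurrentVersion\\Run\b", cmd, re.I):
        return None
    m = re.search(r"(?:-Value|/d)\s+" + TOKEN, cmd, re.I)
    target = (_first(m.groups()) or "").strip('"') if m else ""
    return ("run_key_appdata", target) if USER_WRITABLE.search(target) else None

def check_acl_lockdown(cmd):
    """icacls denying Everyone write-type rights on a binary in AppData (self-protection)."""
    m = re.search(r"icacls(?:\.exe)?\s+" + TOKEN + r'.*?/deny\s+"?everyone"?:\(([^)]*)\)', cmd, re.I)
    if not m:
        return None
    target, rights = _first(m.groups()[:3]), sorted(m.group(4).upper().split(","))
    if target and USER_WRITABLE.search(target) and set(rights) & {"W", "M", "F", "WD", "AD", "WA", "WEA"}:
        return ("acl_lockdown_appdata", target, rights)
    return None

def check_hidden(cmd):
    """attrib +h on a binary in AppData (the report's 'Sets file to hidden')."""
    m = re.search(r"attrib(?:\.exe)?\s+((?:[+-][rhas]\s+)+)" + TOKEN, cmd, re.I)
    if not m:
        return None
    flags, target = m.group(1).lower().split(), _first(m.groups()[1:])
    if "+h" in flags and target and USER_WRITABLE.search(target):
        return ("hidden_attribute_appdata", target)
    return None

def check_powercfg(cmd):
    """powercfg zeroing standby/hibernate timeouts keeps the host awake for the miner."""
    hits = re.findall(r"-(hibernate|standby)-timeout-(ac|dc)\s+0\b", cmd, re.I)
    return ("sleep_disabled", sorted({f"{a}-{b}".lower() for a, b in hits})) if hits else None

CHECKS = (check_scheduled_task, check_run_key, check_acl_lockdown, check_hidden, check_powercfg)

def triage(events):
    """Run every check over (image, command line) pairs; one tuple per hit, in event order."""
    findings = []
    for image, cmd in events:
        hits = [check_masquerade(image)] + [check(cmd) for check in CHECKS]
        findings.extend(h for h in hits if h)
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(*finding, sep="\t")
```

Run as-is it prints nine hits for the sample and nothing for the genuine System32 svchost.exe; to use it on real data, replace SAMPLE_EVENTS with the image and command-line fields of Sysmon event 1 or Security 4688 records. The schtasks rule fires on both the `cmd /C schtasks ...` parent and the `schtasks.exe` child, which is correct for this tree but means you should deduplicate on the target path before alerting. The name rule catches the page's Msedge.exe only because it sits directly in AppData\Local, so baseline SYSTEM_NAMES against what legitimately runs from AppData in your estate before enabling it.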

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 23.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
GB 154.81.220.233:28105 tcp
US 8.8.8.8:53 auroraforge.art udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 192.64.119.108:55326 auroraforge.art tcp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
GB 154.81.220.233:28105 tcp
GB 154.81.220.233:28105 tcp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
GB 154.81.220.233:28105 tcp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 thesirenmika.com udp
CN 123.123.123.123:55713 thesirenmika.com tcp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
GB 154.81.220.233:28105 tcp
US 8.8.8.8:53 xmr-us-east1.nanopool.org udp
CA 51.222.200.133:14444 xmr-us-east1.nanopool.org tcp
US 8.8.8.8:53 133.200.222.51.in-addr.arpa udp
GB 154.81.220.233:28105 tcp
GB 154.81.220.233:28105 tcp
US 192.64.119.108:55326 auroraforge.art tcp
GB 154.81.220.233:28105 tcp
GB 154.81.220.233:28105 tcp
CN 123.123.123.123:55713 thesirenmika.com tcp
GB 154.81.220.233:28105 tcp
GB 154.81.220.233:28105 tcp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
GB 154.81.220.233:28105 tcp
US 192.64.119.108:55326 auroraforge.art tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
GB 154.81.220.233:28105 tcp
GB 154.81.220.233:28105 tcp
GB 154.81.220.233:28105 tcp
GB 154.81.220.233:28105 tcp
CN 123.123.123.123:55713 thesirenmika.com tcp
GB 154.81.220.233:28105 tcp
GB 154.81.220.233:28105 tcp
US 8.8.8.8:53 252.15.104.51.in-addr.arpa udp

Files

memory/4764-1-0x00000000772D0000-0x00000000772D1000-memory.dmp

memory/4764-5-0x00000000772B0000-0x00000000773A0000-memory.dmp

memory/4764-6-0x00000000772B0000-0x00000000773A0000-memory.dmp

memory/4764-4-0x00000000772B0000-0x00000000773A0000-memory.dmp

memory/4764-3-0x00000000772B0000-0x00000000773A0000-memory.dmp

memory/4764-2-0x00000000772B0000-0x00000000773A0000-memory.dmp

memory/4764-0-0x00000000000F0000-0x0000000001BBA000-memory.dmp

memory/4764-7-0x00000000772B0000-0x00000000773A0000-memory.dmp

memory/4764-10-0x00000000772B0000-0x00000000773A0000-memory.dmp

C:\Users\Admin\AppData\Roaming\AdobeLicense\AdobeUpdate.exe

MD5 65f0a85c4b056d6bcee60c49e2372e35
SHA1 6af820a2030950617bf150777af4a43a06a17184
SHA256 d64768ea74224057220bff451504b6128ddfb6161617b668626c490c84b3ae8e
SHA512 7a50bd0b3908f830494b2bff13a051ba0cdc7900934dbf8a62616f6d29b914f05f8029bbcc429a095254ebb6ab2a2d92c05dd6aebf57e34cde20f152243df383

C:\Users\Admin\AppData\Roaming\Microsoft Edge\build.exe

MD5 c9a9d471428a5f92068c0823e6454254
SHA1 8b8ee8612b9b8bfbb165b3a8ca0d4a377b589dd2
SHA256 b0ffaa8c7d8fe1e804afc87e6f7659483c69d421911ddbfc410270011b91bfb5
SHA512 ca34022e99a48639fb3566ec4eb901a2f91121aee6a1f1bc601492dd94387873afc8af499aefed8d644aef8f564ca46a12ea40176da7f8d7b4e60f4b505ac8af

C:\Users\Admin\AppData\Roaming\OneDrive Update Tool\OneDrive.exe

MD5 3b4f58cd4bca7274be25e885be00798b
SHA1 eb57c281d8324a1079db97c9da43483a65debbed
SHA256 a6832546e1d261c33deea58e1cbb8a391af91628b130454d55aef3e292862d80
SHA512 dc909730b2feacba3c14c98a2b443d5c12dfd74ce74db53cf7e564e01707ac365811e4d3b95c0cefe2b87ebd1b074fb4a395360911c3d11de4fa8957e9bad121

memory/1380-41-0x00000000002A0000-0x00000000005CE000-memory.dmp

memory/4264-42-0x0000000000C60000-0x0000000000C7E000-memory.dmp

C:\Users\Admin\AppData\Roaming\VLC Media Player\vlc.exe

MD5 b9fc8581b52abfc6b563da731438e27d
SHA1 43111fe9b307c850a379fe2d64d279e994680de3
SHA256 e03debe75b2f4f4c937c50773064b9a692b262bfce4472e67900edf3f7726058
SHA512 c62540e73870caf9a93fbc2396ac99867f8f6e87661240d7642022130008bdb769954f1e8a58d13698172e62cc5b7d44a73b2f1d999db47822eb294c629436a5

memory/4264-47-0x0000000005CB0000-0x00000000062C8000-memory.dmp

memory/4264-53-0x0000000005620000-0x0000000005632000-memory.dmp

memory/1380-43-0x0000000005310000-0x00000000058B4000-memory.dmp

memory/4264-54-0x0000000005690000-0x00000000056CC000-memory.dmp

memory/4264-55-0x00000000056D0000-0x000000000571C000-memory.dmp

memory/2600-60-0x0000000000400000-0x0000000000724000-memory.dmp

memory/4264-59-0x0000000005930000-0x0000000005A3A000-memory.dmp

memory/2240-63-0x0000000002610000-0x0000000002646000-memory.dmp

memory/2600-62-0x0000000005380000-0x0000000005412000-memory.dmp

memory/2600-65-0x0000000005340000-0x000000000534A000-memory.dmp

memory/2240-64-0x00000000051C0000-0x00000000057E8000-memory.dmp

memory/4764-68-0x00000000772B0000-0x00000000773A0000-memory.dmp

memory/4764-69-0x00000000000F0000-0x0000000001BBA000-memory.dmp

memory/2240-75-0x0000000005180000-0x00000000051A2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_p0xaqygf.u3a.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2240-81-0x00000000059D0000-0x0000000005A36000-memory.dmp

memory/2240-80-0x0000000005960000-0x00000000059C6000-memory.dmp

memory/2240-82-0x0000000005B40000-0x0000000005E94000-memory.dmp

memory/2240-83-0x0000000005F30000-0x0000000005F4E000-memory.dmp

memory/2600-88-0x0000000005DF0000-0x0000000005E40000-memory.dmp

memory/2240-90-0x000000006F2E0000-0x000000006F32C000-memory.dmp

memory/2240-100-0x0000000006EA0000-0x0000000006EBE000-memory.dmp

memory/2240-89-0x0000000006EC0000-0x0000000006EF2000-memory.dmp

memory/2240-101-0x0000000007110000-0x00000000071B3000-memory.dmp

memory/2600-102-0x0000000006030000-0x00000000060E2000-memory.dmp

memory/2240-104-0x0000000007270000-0x000000000728A000-memory.dmp

memory/2240-103-0x00000000078B0000-0x0000000007F2A000-memory.dmp

memory/2240-105-0x00000000072E0000-0x00000000072EA000-memory.dmp

memory/2240-106-0x00000000074F0000-0x0000000007586000-memory.dmp

memory/2240-107-0x0000000007470000-0x0000000007481000-memory.dmp

memory/2240-108-0x00000000074A0000-0x00000000074AE000-memory.dmp

memory/2240-109-0x00000000074B0000-0x00000000074C4000-memory.dmp

memory/2240-110-0x00000000075B0000-0x00000000075CA000-memory.dmp

memory/2240-111-0x0000000007590000-0x0000000007598000-memory.dmp

memory/2240-112-0x00000000075D0000-0x00000000075F2000-memory.dmp

memory/4076-115-0x00007FF728070000-0x00007FF72860A000-memory.dmp

memory/2016-125-0x000002DC642F0000-0x000002DC64312000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 e411fabafc7ef048a42b4470983d39ed
SHA1 3587365a3736a608335a32dd5022d6774e6b4d23
SHA256 76d9bf4ff1a68c30efedfb84399c792d3ae728a3636682900379967c02fa115f
SHA512 36258f0c2794f12b85c4b2bfcf7739c75df2c8d0fb22aed7ec00939fb6d167fdee6046ca5e41ee501553264babc4b00c80fe9ba2b87732990da490f2674823e3

memory/4076-131-0x00007FF728070000-0x00007FF72860A000-memory.dmp

memory/1464-133-0x00007FF7E1F60000-0x00007FF7E24FA000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 fee026663fcb662152188784794028ee
SHA1 3c02a26a9cb16648fad85c6477b68ced3cb0cb45
SHA256 dbd4136bc342e3e92902ec3a30d165452c82997a7ae24ac90775e42d88959e6b
SHA512 7b12bd5c8fc4356b9123d6586b4980cf76012663b41c0dab6f6f21567e2f4005c5bcea2cc2158d157e4f801a281f3e04bad3774cddb3122db309ccf662184bd6

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d95b08252ed624f6d91b46523f110f29
SHA1 17577997bc1fb5d3fbe59be84013165534415dc3
SHA256 342ce7c39bf9992d31d4b61ef138b2b084c96c74736ed00bb19aae49be16ca02
SHA512 0c4288176d56f4ee6d8f08f568fba07ad859f50a395c39d2afd3baf55d3d29ca065a1ce305d1bd790477c35977c0ffa230543e805622f80a77bcee71b24eb257

memory/3540-151-0x00000190CA140000-0x00000190CA160000-memory.dmp

memory/1464-150-0x00007FF7E1F60000-0x00007FF7E24FA000-memory.dmp

memory/2240-152-0x00007FF6C5340000-0x00007FF6C5369000-memory.dmp

memory/3540-153-0x00007FF6D3C50000-0x00007FF6D443F000-memory.dmp

memory/3540-155-0x00007FF6D3C50000-0x00007FF6D443F000-memory.dmp

memory/3540-157-0x00007FF6D3C50000-0x00007FF6D443F000-memory.dmp

memory/2240-156-0x00007FF6C5340000-0x00007FF6C5369000-memory.dmp

memory/3540-159-0x00007FF6D3C50000-0x00007FF6D443F000-memory.dmp

memory/3540-161-0x00007FF6D3C50000-0x00007FF6D443F000-memory.dmp

memory/3540-163-0x00007FF6D3C50000-0x00007FF6D443F000-memory.dmp

memory/3540-165-0x00007FF6D3C50000-0x00007FF6D443F000-memory.dmp

memory/3540-167-0x00007FF6D3C50000-0x00007FF6D443F000-memory.dmp

memory/3540-169-0x00007FF6D3C50000-0x00007FF6D443F000-memory.dmp

memory/3540-171-0x00007FF6D3C50000-0x00007FF6D443F000-memory.dmp

memory/3540-173-0x00007FF6D3C50000-0x00007FF6D443F000-memory.dmp