Analysis Overview
SHA256
72e1fc6da0a5cfca80413b8b24a880b0688908264971cfedaf079ee52ce4d850
Threat Level: Known bad
The file 72e1fc6da0a5cfca80413b8b24a880b0688908264971cfedaf079ee52ce4d850.exe was found to be: Known bad.
Malicious Activity Summary
Shurk
RedLine
xmrig
Quasar RAT
Aurora
RedLine payload
Suspicious use of NtCreateUserProcessOtherParentProcess
Quasar payload
SectopRAT payload
Shurk Stealer payload
SectopRAT
Identifies VirtualBox via ACPI registry values (likely anti-VM)
XMRig Miner payload
Sets file to hidden
Modifies file permissions
Themida packer
Checks computer location settings
Executes dropped EXE
Checks BIOS information in registry
Loads dropped DLL
Command and Scripting Interpreter: PowerShell
Adds Run key to start application
Power Settings
Checks whether UAC is enabled
Drops file in System32 directory
Suspicious use of SetThreadContext
Suspicious use of NtSetInformationThreadHideFromDebugger
System Network Configuration Discovery: Internet Connection Discovery
Unsigned PE
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Suspicious use of SendNotifyMessage
Views/modifies file attributes
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Uses Task Scheduler COM API
Scheduled Task/Job: Scheduled Task
Suspicious use of WriteProcessMemory
Runs ping.exe
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2024-07-27 01:31
Signatures
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-27 01:31
Reported
2024-07-27 01:35
Platform
win7-20240704-en
Max time kernel
149s
Max time network
155s
Command Line
Signatures
Aurora
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
SectopRAT
SectopRAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Shurk
Shurk Stealer payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 2432 created 1192 | N/A | C:\Users\Admin\AppData\Roaming\VLC Media Player\vlc.exe | C:\Windows\Explorer.EXE |
| PID 2432 created 1192 | N/A | C:\Users\Admin\AppData\Roaming\VLC Media Player\vlc.exe | C:\Windows\Explorer.EXE |
| PID 2432 created 1192 | N/A | C:\Users\Admin\AppData\Roaming\VLC Media Player\vlc.exe | C:\Windows\Explorer.EXE |
| PID 820 created 1192 | N/A | C:\Users\Admin\AppData\Roaming\Google\Chrome\svchost.exe | C:\Windows\Explorer.EXE |
| PID 820 created 1192 | N/A | C:\Users\Admin\AppData\Roaming\Google\Chrome\svchost.exe | C:\Windows\Explorer.EXE |
| PID 820 created 1192 | N/A | C:\Users\Admin\AppData\Roaming\Google\Chrome\svchost.exe | C:\Windows\Explorer.EXE |
| PID 820 created 1192 | N/A | C:\Users\Admin\AppData\Roaming\Google\Chrome\svchost.exe | C:\Windows\Explorer.EXE |
xmrig
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\72e1fc6da0a5cfca80413b8b24a880b0688908264971cfedaf079ee52ce4d850.exe | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Sets file to hidden
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\72e1fc6da0a5cfca80413b8b24a880b0688908264971cfedaf079ee52ce4d850.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\72e1fc6da0a5cfca80413b8b24a880b0688908264971cfedaf079ee52ce4d850.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\AdobeLicense\AdobeUpdate.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft Edge\build.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\OneDrive Update Tool\OneDrive.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\VLC Media Player\vlc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Aurora.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Msedge.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Google\Chrome\svchost.exe | N/A |
Loads dropped DLL
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Edge = "C:\\Users\\Admin\\AppData\\Local\\Msedge.exe" | C:\Users\Admin\AppData\Roaming\AdobeLicense\AdobeUpdate.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\OneDriveUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\OneDriveUpdate\\OneDrive Updater.exe" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\72e1fc6da0a5cfca80413b8b24a880b0688908264971cfedaf079ee52ce4d850.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Power Settings
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\System32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\System32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\System32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\System32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\System32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\System32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\System32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\System32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\System32\powercfg.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\72e1fc6da0a5cfca80413b8b24a880b0688908264971cfedaf079ee52ce4d850.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2536 set thread context of 1940 | N/A | C:\Users\Admin\AppData\Roaming\OneDrive Update Tool\OneDrive.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| PID 820 set thread context of 880 | N/A | C:\Users\Admin\AppData\Roaming\Google\Chrome\svchost.exe | C:\Windows\System32\conhost.exe |
| PID 820 set thread context of 1624 | N/A | C:\Users\Admin\AppData\Roaming\Google\Chrome\svchost.exe | C:\Windows\System32\svchost.exe |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\72e1fc6da0a5cfca80413b8b24a880b0688908264971cfedaf079ee52ce4d850.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft Edge\build.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\OneDrive Update Tool\OneDrive.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\72e1fc6da0a5cfca80413b8b24a880b0688908264971cfedaf079ee52ce4d850.exe
"C:\Users\Admin\AppData\Local\Temp\72e1fc6da0a5cfca80413b8b24a880b0688908264971cfedaf079ee52ce4d850.exe"
C:\Users\Admin\AppData\Roaming\AdobeLicense\AdobeUpdate.exe
"C:\Users\Admin\AppData\Roaming\AdobeLicense\AdobeUpdate.exe"
C:\Users\Admin\AppData\Roaming\Microsoft Edge\build.exe
"C:\Users\Admin\AppData\Roaming\Microsoft Edge\build.exe"
C:\Users\Admin\AppData\Roaming\OneDrive Update Tool\OneDrive.exe
"C:\Users\Admin\AppData\Roaming\OneDrive Update Tool\OneDrive.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start cmd /Q /C " ping localhost -n 1 && copy "C:\Users\Admin\AppData\Roaming\AdobeLicense\AdobeUpdate.exe" "C:\Users\Admin\AppData\Local\Msedge.exe" && attrib +r +h +a "C:\Users\Admin\AppData\Local\Msedge.exe" && icacls "C:\Users\Admin\AppData\Local\Msedge.exe" /deny "everyone":(WD,AD,WEA,WA) && del "C:\Users\Admin\AppData\Roaming\AdobeLicense\AdobeUpdate.exe" && cmd /C "start "C:\Users\Admin\AppData\Local\Msedge.exe" && exit" && && exit "
C:\Windows\system32\cmd.exe
cmd /Q /C " ping localhost -n 1 && copy "C:\Users\Admin\AppData\Roaming\AdobeLicense\AdobeUpdate.exe" "C:\Users\Admin\AppData\Local\Msedge.exe" && attrib +r +h +a "C:\Users\Admin\AppData\Local\Msedge.exe" && icacls "C:\Users\Admin\AppData\Local\Msedge.exe" /deny "everyone":(WD,AD,WEA,WA) && del "C:\Users\Admin\AppData\Roaming\AdobeLicense\AdobeUpdate.exe" && cmd /C "start "C:\Users\Admin\AppData\Local\Msedge.exe"
C:\Users\Admin\AppData\Roaming\VLC Media Player\vlc.exe
"C:\Users\Admin\AppData\Roaming\VLC Media Player\vlc.exe"
C:\Windows\system32\PING.EXE
ping localhost -n 1
C:\Windows\system32\attrib.exe
attrib +r +h +a "C:\Users\Admin\AppData\Local\Msedge.exe"
C:\Users\Admin\AppData\Local\Temp\Aurora.exe
"C:\Users\Admin\AppData\Local\Temp\Aurora.exe"
C:\Windows\system32\icacls.exe
icacls "C:\Users\Admin\AppData\Local\Msedge.exe" /deny "everyone":(WD,AD,WEA,WA)
C:\Windows\system32\cmd.exe
cmd /C "start "C:\Users\Admin\AppData\Local\Msedge.exe
C:\Users\Admin\AppData\Local\Msedge.exe
C:\Users\Admin\AppData\Local\Msedge.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'OneDriveUpdate';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'OneDriveUpdate' -Value '"C:\Users\Admin\AppData\Roaming\OneDriveUpdate\OneDrive Updater.exe"' -PropertyType 'String'
C:\Windows\SysWOW64\cmd.exe
"cmd" /C schtasks /create /tn \OneDriveUpdate /tr "C:\Users\Admin\AppData\Roaming\OneDriveUpdate\OneDrive Updater.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn \OneDriveUpdate /tr "C:\Users\Admin\AppData\Roaming\OneDriveUpdate\OneDrive Updater.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
#cmd
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#npnsokoe#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'ConsoleWindowsHost' /tr '''C:\Users\Admin\AppData\Roaming\Google\Chrome\svchost.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Google\Chrome\svchost.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'ConsoleWindowsHost' -RunLevel 'Highest' -Force; }
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /tn ConsoleWindowsHost /tr 'C:\Users\Admin\AppData\Roaming\Google\Chrome\svchost.exe'
C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /run /tn "ConsoleWindowsHost"
C:\Windows\system32\taskeng.exe
taskeng.exe {77E434E7-06A9-4EEA-A284-880EE147B893} S-1-5-21-3434294380-2554721341-1919518612-1000:ELZYPTFV\Admin:Interactive:[1]
C:\Users\Admin\AppData\Roaming\Google\Chrome\svchost.exe
C:\Users\Admin\AppData\Roaming\Google\Chrome\svchost.exe
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#npnsokoe#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'ConsoleWindowsHost' /tr '''C:\Users\Admin\AppData\Roaming\Google\Chrome\svchost.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Google\Chrome\svchost.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'ConsoleWindowsHost' -RunLevel 'Highest' -Force; }
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /tn ConsoleWindowsHost /tr 'C:\Users\Admin\AppData\Roaming\Google\Chrome\svchost.exe'
C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| GB | 154.81.220.233:28105 | tcp | |
| US | 8.8.8.8:53 | auroraforge.art | udp |
| US | 192.64.119.108:55326 | auroraforge.art | tcp |
| GB | 154.81.220.233:28105 | tcp | |
| GB | 154.81.220.233:28105 | tcp | |
| GB | 154.81.220.233:28105 | tcp | |
| GB | 154.81.220.233:28105 | tcp | |
| US | 8.8.8.8:53 | xmr-us-east1.nanopool.org | udp |
| US | 8.8.8.8:53 | thesirenmika.com | udp |
| CA | 51.222.12.201:14444 | xmr-us-east1.nanopool.org | tcp |
| CN | 123.123.123.123:55713 | thesirenmika.com | tcp |
| GB | 154.81.220.233:28105 | tcp | |
| GB | 154.81.220.233:28105 | tcp | |
| GB | 154.81.220.233:28105 | tcp | |
| GB | 154.81.220.233:28105 | tcp | |
| US | 192.64.119.108:55326 | auroraforge.art | tcp |
| GB | 154.81.220.233:28105 | tcp | |
| GB | 154.81.220.233:28105 | tcp | |
| GB | 154.81.220.233:28105 | tcp | |
| GB | 154.81.220.233:28105 | tcp | |
| CN | 123.123.123.123:55713 | thesirenmika.com | tcp |
| GB | 154.81.220.233:28105 | tcp | |
| GB | 154.81.220.233:28105 | tcp | |
| GB | 154.81.220.233:28105 | tcp | |
| GB | 154.81.220.233:28105 | tcp | |
| US | 192.64.119.108:55326 | auroraforge.art | tcp |
| GB | 154.81.220.233:28105 | tcp | |
| GB | 154.81.220.233:28105 | tcp | |
| GB | 154.81.220.233:28105 | tcp | |
| CN | 123.123.123.123:55713 | thesirenmika.com | tcp |
Files
memory/2292-2-0x0000000076A90000-0x0000000076AD7000-memory.dmp
memory/2292-9-0x0000000076A90000-0x0000000076AD7000-memory.dmp
memory/2292-8-0x0000000076A90000-0x0000000076AD7000-memory.dmp
memory/2292-7-0x0000000076A90000-0x0000000076AD7000-memory.dmp
memory/2292-6-0x0000000076A90000-0x0000000076AD7000-memory.dmp
memory/2292-5-0x0000000076A90000-0x0000000076AD7000-memory.dmp
memory/2292-4-0x0000000076A90000-0x0000000076AD7000-memory.dmp
memory/2292-3-0x0000000076A90000-0x0000000076AD7000-memory.dmp
memory/2292-1-0x0000000076A9E000-0x0000000076A9F000-memory.dmp
memory/2292-0-0x0000000000DB0000-0x000000000287A000-memory.dmp
memory/2292-13-0x0000000076A90000-0x0000000076AD7000-memory.dmp
\Users\Admin\AppData\Roaming\AdobeLicense\AdobeUpdate.exe
| MD5 | 65f0a85c4b056d6bcee60c49e2372e35 |
| SHA1 | 6af820a2030950617bf150777af4a43a06a17184 |
| SHA256 | d64768ea74224057220bff451504b6128ddfb6161617b668626c490c84b3ae8e |
| SHA512 | 7a50bd0b3908f830494b2bff13a051ba0cdc7900934dbf8a62616f6d29b914f05f8029bbcc429a095254ebb6ab2a2d92c05dd6aebf57e34cde20f152243df383 |
\Users\Admin\AppData\Roaming\Microsoft Edge\build.exe
| MD5 | c9a9d471428a5f92068c0823e6454254 |
| SHA1 | 8b8ee8612b9b8bfbb165b3a8ca0d4a377b589dd2 |
| SHA256 | b0ffaa8c7d8fe1e804afc87e6f7659483c69d421911ddbfc410270011b91bfb5 |
| SHA512 | ca34022e99a48639fb3566ec4eb901a2f91121aee6a1f1bc601492dd94387873afc8af499aefed8d644aef8f564ca46a12ea40176da7f8d7b4e60f4b505ac8af |
\Users\Admin\AppData\Roaming\OneDrive Update Tool\OneDrive.exe
| MD5 | 3b4f58cd4bca7274be25e885be00798b |
| SHA1 | eb57c281d8324a1079db97c9da43483a65debbed |
| SHA256 | a6832546e1d261c33deea58e1cbb8a391af91628b130454d55aef3e292862d80 |
| SHA512 | dc909730b2feacba3c14c98a2b443d5c12dfd74ce74db53cf7e564e01707ac365811e4d3b95c0cefe2b87ebd1b074fb4a395360911c3d11de4fa8957e9bad121 |
\Users\Admin\AppData\Roaming\VLC Media Player\vlc.exe
| MD5 | b9fc8581b52abfc6b563da731438e27d |
| SHA1 | 43111fe9b307c850a379fe2d64d279e994680de3 |
| SHA256 | e03debe75b2f4f4c937c50773064b9a692b262bfce4472e67900edf3f7726058 |
| SHA512 | c62540e73870caf9a93fbc2396ac99867f8f6e87661240d7642022130008bdb769954f1e8a58d13698172e62cc5b7d44a73b2f1d999db47822eb294c629436a5 |
memory/2616-38-0x0000000000A00000-0x0000000000A1E000-memory.dmp
memory/2536-39-0x0000000000B70000-0x0000000000E9E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Aurora.exe
| MD5 | 1504c863a05885816d2c8874137ae7a7 |
| SHA1 | 5b16d440a7e9b5887886549f016f252900b5c0ac |
| SHA256 | 33fc61e81efa609df51277aef261623bb291e2dd5359362d50070f7a441df0ad |
| SHA512 | 055d2650ac996443130c05a742bcaabc576dbde29cc21ea956f66132f7e6da8a5771beb9cd51ff2384b2230ebe68990b35d8b14611613db2b8d2764846a487f9 |
memory/2292-55-0x0000000076A90000-0x0000000076AD7000-memory.dmp
memory/2292-57-0x0000000000DB0000-0x000000000287A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Cab1670.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\Tar175D.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
memory/1940-106-0x0000000000400000-0x0000000000724000-memory.dmp
memory/1940-105-0x0000000000400000-0x0000000000724000-memory.dmp
memory/1940-104-0x0000000000400000-0x0000000000724000-memory.dmp
memory/1940-103-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/1940-101-0x0000000000400000-0x0000000000724000-memory.dmp
memory/1940-99-0x0000000000400000-0x0000000000724000-memory.dmp
memory/1940-97-0x0000000000400000-0x0000000000724000-memory.dmp
memory/1940-95-0x0000000000400000-0x0000000000724000-memory.dmp
memory/2912-107-0x000000013F2D0000-0x0000000140B9F000-memory.dmp
memory/2432-108-0x000000013F040000-0x000000013F5DA000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\9V0NI9Q3DFIJP9C8ZD4Y.temp
| MD5 | e9282e8206045abcf27cf7dea28914e3 |
| SHA1 | 147c87b047752f9982e4697a4794003c4127cc0e |
| SHA256 | ece825a610285621b424faf26176c4d2589464255b290a218c13872f123b00d5 |
| SHA512 | 2c25a260fcda99ec4bdf1cf7b8f5ed5eba7aab7943ce0af1deee9e46b02ab14f898a647e0d745f591057408f0b40dc06094d0e51422955b9f2293d135f767af1 |
memory/1144-113-0x000000001B580000-0x000000001B862000-memory.dmp
memory/1144-114-0x0000000002280000-0x0000000002288000-memory.dmp
memory/2432-117-0x000000013F040000-0x000000013F5DA000-memory.dmp
memory/820-121-0x000000013F0D0000-0x000000013F66A000-memory.dmp
\??\PIPE\srvsvc
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/832-128-0x000000001B570000-0x000000001B852000-memory.dmp
memory/832-129-0x0000000002030000-0x0000000002038000-memory.dmp
memory/1624-135-0x0000000000040000-0x0000000000060000-memory.dmp
memory/820-134-0x000000013F0D0000-0x000000013F66A000-memory.dmp
memory/1624-137-0x0000000140000000-0x00000001407EF000-memory.dmp
memory/880-136-0x0000000140000000-0x0000000140029000-memory.dmp
memory/1624-139-0x0000000140000000-0x00000001407EF000-memory.dmp
memory/880-140-0x0000000140000000-0x0000000140029000-memory.dmp
memory/1624-142-0x0000000140000000-0x00000001407EF000-memory.dmp
memory/1624-144-0x0000000140000000-0x00000001407EF000-memory.dmp
memory/1624-146-0x0000000140000000-0x00000001407EF000-memory.dmp
memory/1624-148-0x0000000140000000-0x00000001407EF000-memory.dmp
memory/1624-150-0x0000000140000000-0x00000001407EF000-memory.dmp
memory/1624-152-0x0000000140000000-0x00000001407EF000-memory.dmp
memory/1624-154-0x0000000140000000-0x00000001407EF000-memory.dmp
memory/1624-156-0x0000000140000000-0x00000001407EF000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-27 01:31
Reported
2024-07-27 01:37
Platform
win10v2004-20240709-en
Max time kernel
151s
Max time network
159s
Command Line
Signatures
Aurora
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
SectopRAT
SectopRAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Shurk
Shurk Stealer payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 4408 created 3584 | N/A | C:\Users\Admin\AppData\Roaming\VLC Media Player\vlc.exe | C:\Windows\Explorer.EXE |
| PID 4408 created 3584 | N/A | C:\Users\Admin\AppData\Roaming\VLC Media Player\vlc.exe | C:\Windows\Explorer.EXE |
| PID 4408 created 3584 | N/A | C:\Users\Admin\AppData\Roaming\VLC Media Player\vlc.exe | C:\Windows\Explorer.EXE |
| PID 4496 created 3584 | N/A | C:\Users\Admin\AppData\Roaming\Google\Chrome\svchost.exe | C:\Windows\Explorer.EXE |
| PID 4496 created 3584 | N/A | C:\Users\Admin\AppData\Roaming\Google\Chrome\svchost.exe | C:\Windows\Explorer.EXE |
| PID 4496 created 3584 | N/A | C:\Users\Admin\AppData\Roaming\Google\Chrome\svchost.exe | C:\Windows\Explorer.EXE |
| PID 4496 created 3584 | N/A | C:\Users\Admin\AppData\Roaming\Google\Chrome\svchost.exe | C:\Windows\Explorer.EXE |
xmrig
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\72e1fc6da0a5cfca80413b8b24a880b0688908264971cfedaf079ee52ce4d850.exe | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Sets file to hidden
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\72e1fc6da0a5cfca80413b8b24a880b0688908264971cfedaf079ee52ce4d850.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\72e1fc6da0a5cfca80413b8b24a880b0688908264971cfedaf079ee52ce4d850.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\72e1fc6da0a5cfca80413b8b24a880b0688908264971cfedaf079ee52ce4d850.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\AdobeLicense\AdobeUpdate.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft Edge\build.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\OneDrive Update Tool\OneDrive.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\VLC Media Player\vlc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Msedge.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Aurora.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Google\Chrome\svchost.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDriveUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\OneDriveUpdate\\OneDrive Updater.exe" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Edge = "C:\\Users\\Admin\\AppData\\Local\\Msedge.exe" | C:\Users\Admin\AppData\Roaming\AdobeLicense\AdobeUpdate.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\72e1fc6da0a5cfca80413b8b24a880b0688908264971cfedaf079ee52ce4d850.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Power Settings
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\System32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\System32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\System32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\System32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\System32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\System32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\System32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\System32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\System32\powercfg.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\72e1fc6da0a5cfca80413b8b24a880b0688908264971cfedaf079ee52ce4d850.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2692 set thread context of 4532 | N/A | C:\Users\Admin\AppData\Roaming\OneDrive Update Tool\OneDrive.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| PID 4496 set thread context of 4640 | N/A | C:\Users\Admin\AppData\Roaming\Google\Chrome\svchost.exe | C:\Windows\System32\conhost.exe |
| PID 4496 set thread context of 216 | N/A | C:\Users\Admin\AppData\Roaming\Google\Chrome\svchost.exe | C:\Windows\System32\svchost.exe |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\72e1fc6da0a5cfca80413b8b24a880b0688908264971cfedaf079ee52ce4d850.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\OneDrive Update Tool\OneDrive.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft Edge\build.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\72e1fc6da0a5cfca80413b8b24a880b0688908264971cfedaf079ee52ce4d850.exe
"C:\Users\Admin\AppData\Local\Temp\72e1fc6da0a5cfca80413b8b24a880b0688908264971cfedaf079ee52ce4d850.exe"
C:\Users\Admin\AppData\Roaming\AdobeLicense\AdobeUpdate.exe
"C:\Users\Admin\AppData\Roaming\AdobeLicense\AdobeUpdate.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start cmd /Q /C " ping localhost -n 1 && copy "C:\Users\Admin\AppData\Roaming\AdobeLicense\AdobeUpdate.exe" "C:\Users\Admin\AppData\Local\Msedge.exe" && attrib +r +h +a "C:\Users\Admin\AppData\Local\Msedge.exe" && icacls "C:\Users\Admin\AppData\Local\Msedge.exe" /deny "everyone":(WD,AD,WEA,WA) && del "C:\Users\Admin\AppData\Roaming\AdobeLicense\AdobeUpdate.exe" && cmd /C "start "C:\Users\Admin\AppData\Local\Msedge.exe" && exit" && && exit "
C:\Users\Admin\AppData\Roaming\Microsoft Edge\build.exe
"C:\Users\Admin\AppData\Roaming\Microsoft Edge\build.exe"
C:\Users\Admin\AppData\Roaming\OneDrive Update Tool\OneDrive.exe
"C:\Users\Admin\AppData\Roaming\OneDrive Update Tool\OneDrive.exe"
C:\Windows\system32\cmd.exe
cmd /Q /C " ping localhost -n 1 && copy "C:\Users\Admin\AppData\Roaming\AdobeLicense\AdobeUpdate.exe" "C:\Users\Admin\AppData\Local\Msedge.exe" && attrib +r +h +a "C:\Users\Admin\AppData\Local\Msedge.exe" && icacls "C:\Users\Admin\AppData\Local\Msedge.exe" /deny "everyone":(WD,AD,WEA,WA) && del "C:\Users\Admin\AppData\Roaming\AdobeLicense\AdobeUpdate.exe" && cmd /C "start "C:\Users\Admin\AppData\Local\Msedge.exe"
C:\Users\Admin\AppData\Roaming\VLC Media Player\vlc.exe
"C:\Users\Admin\AppData\Roaming\VLC Media Player\vlc.exe"
C:\Windows\system32\PING.EXE
ping localhost -n 1
C:\Windows\system32\attrib.exe
attrib +r +h +a "C:\Users\Admin\AppData\Local\Msedge.exe"
C:\Windows\system32\icacls.exe
icacls "C:\Users\Admin\AppData\Local\Msedge.exe" /deny "everyone":(WD,AD,WEA,WA)
C:\Windows\system32\cmd.exe
cmd /C "start "C:\Users\Admin\AppData\Local\Msedge.exe
C:\Users\Admin\AppData\Local\Msedge.exe
C:\Users\Admin\AppData\Local\Msedge.exe
C:\Users\Admin\AppData\Local\Temp\Aurora.exe
"C:\Users\Admin\AppData\Local\Temp\Aurora.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'OneDriveUpdate';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'OneDriveUpdate' -Value '"C:\Users\Admin\AppData\Roaming\OneDriveUpdate\OneDrive Updater.exe"' -PropertyType 'String'
C:\Windows\SysWOW64\cmd.exe
"cmd" /C schtasks /create /tn \OneDriveUpdate /tr "C:\Users\Admin\AppData\Roaming\OneDriveUpdate\OneDrive Updater.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn \OneDriveUpdate /tr "C:\Users\Admin\AppData\Roaming\OneDriveUpdate\OneDrive Updater.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
#cmd
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#npnsokoe#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'ConsoleWindowsHost' /tr '''C:\Users\Admin\AppData\Roaming\Google\Chrome\svchost.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Google\Chrome\svchost.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'ConsoleWindowsHost' -RunLevel 'Highest' -Force; }
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /run /tn "ConsoleWindowsHost"
C:\Users\Admin\AppData\Roaming\Google\Chrome\svchost.exe
C:\Users\Admin\AppData\Roaming\Google\Chrome\svchost.exe
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#npnsokoe#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'ConsoleWindowsHost' /tr '''C:\Users\Admin\AppData\Roaming\Google\Chrome\svchost.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Google\Chrome\svchost.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'ConsoleWindowsHost' -RunLevel 'Highest' -Force; }
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| GB | 154.81.220.233:28105 | tcp | |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | auroraforge.art | udp |
| US | 192.64.119.108:55326 | auroraforge.art | tcp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| GB | 154.81.220.233:28105 | tcp | |
| GB | 154.81.220.233:28105 | tcp | |
| US | 8.8.8.8:53 | xmr-us-east1.nanopool.org | udp |
| CA | 51.222.200.133:14444 | xmr-us-east1.nanopool.org | tcp |
| US | 8.8.8.8:53 | 133.200.222.51.in-addr.arpa | udp |
| GB | 154.81.220.233:28105 | tcp | |
| US | 8.8.8.8:53 | thesirenmika.com | udp |
| CN | 123.123.123.123:55713 | thesirenmika.com | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| GB | 154.81.220.233:28105 | tcp | |
| GB | 154.81.220.233:28105 | tcp | |
| GB | 154.81.220.233:28105 | tcp | |
| US | 192.64.119.108:55326 | auroraforge.art | tcp |
| GB | 154.81.220.233:28105 | tcp | |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| GB | 154.81.220.233:28105 | tcp | |
| GB | 154.81.220.233:28105 | tcp | |
| CN | 123.123.123.123:55713 | thesirenmika.com | tcp |
| GB | 154.81.220.233:28105 | tcp | |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| GB | 154.81.220.233:28105 | tcp | |
| GB | 154.81.220.233:28105 | tcp | |
| GB | 154.81.220.233:28105 | tcp | |
| US | 192.64.119.108:55326 | auroraforge.art | tcp |
| GB | 154.81.220.233:28105 | tcp | |
| GB | 154.81.220.233:28105 | tcp |
Files
memory/4504-0-0x00000000005C0000-0x000000000208A000-memory.dmp
memory/4504-1-0x0000000076C70000-0x0000000076C71000-memory.dmp
memory/4504-2-0x0000000076C50000-0x0000000076D40000-memory.dmp
memory/4504-3-0x0000000076C50000-0x0000000076D40000-memory.dmp
memory/4504-4-0x0000000076C50000-0x0000000076D40000-memory.dmp
memory/4504-6-0x0000000076C50000-0x0000000076D40000-memory.dmp
memory/4504-5-0x0000000076C50000-0x0000000076D40000-memory.dmp
memory/4504-7-0x0000000076C50000-0x0000000076D40000-memory.dmp
memory/4504-10-0x0000000076C50000-0x0000000076D40000-memory.dmp
C:\Users\Admin\AppData\Roaming\AdobeLicense\AdobeUpdate.exe
| MD5 | 65f0a85c4b056d6bcee60c49e2372e35 |
| SHA1 | 6af820a2030950617bf150777af4a43a06a17184 |
| SHA256 | d64768ea74224057220bff451504b6128ddfb6161617b668626c490c84b3ae8e |
| SHA512 | 7a50bd0b3908f830494b2bff13a051ba0cdc7900934dbf8a62616f6d29b914f05f8029bbcc429a095254ebb6ab2a2d92c05dd6aebf57e34cde20f152243df383 |
C:\Users\Admin\AppData\Roaming\Microsoft Edge\build.exe
| MD5 | c9a9d471428a5f92068c0823e6454254 |
| SHA1 | 8b8ee8612b9b8bfbb165b3a8ca0d4a377b589dd2 |
| SHA256 | b0ffaa8c7d8fe1e804afc87e6f7659483c69d421911ddbfc410270011b91bfb5 |
| SHA512 | ca34022e99a48639fb3566ec4eb901a2f91121aee6a1f1bc601492dd94387873afc8af499aefed8d644aef8f564ca46a12ea40176da7f8d7b4e60f4b505ac8af |
C:\Users\Admin\AppData\Roaming\OneDrive Update Tool\OneDrive.exe
| MD5 | 3b4f58cd4bca7274be25e885be00798b |
| SHA1 | eb57c281d8324a1079db97c9da43483a65debbed |
| SHA256 | a6832546e1d261c33deea58e1cbb8a391af91628b130454d55aef3e292862d80 |
| SHA512 | dc909730b2feacba3c14c98a2b443d5c12dfd74ce74db53cf7e564e01707ac365811e4d3b95c0cefe2b87ebd1b074fb4a395360911c3d11de4fa8957e9bad121 |
C:\Users\Admin\AppData\Roaming\VLC Media Player\vlc.exe
| MD5 | b9fc8581b52abfc6b563da731438e27d |
| SHA1 | 43111fe9b307c850a379fe2d64d279e994680de3 |
| SHA256 | e03debe75b2f4f4c937c50773064b9a692b262bfce4472e67900edf3f7726058 |
| SHA512 | c62540e73870caf9a93fbc2396ac99867f8f6e87661240d7642022130008bdb769954f1e8a58d13698172e62cc5b7d44a73b2f1d999db47822eb294c629436a5 |
memory/3160-56-0x00000000007D0000-0x00000000007EE000-memory.dmp
memory/2692-57-0x00000000000A0000-0x00000000003CE000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Aurora.exe
| MD5 | 1504c863a05885816d2c8874137ae7a7 |
| SHA1 | 5b16d440a7e9b5887886549f016f252900b5c0ac |
| SHA256 | 33fc61e81efa609df51277aef261623bb291e2dd5359362d50070f7a441df0ad |
| SHA512 | 055d2650ac996443130c05a742bcaabc576dbde29cc21ea956f66132f7e6da8a5771beb9cd51ff2384b2230ebe68990b35d8b14611613db2b8d2764846a487f9 |
memory/2692-63-0x0000000005110000-0x00000000056B4000-memory.dmp
memory/3160-70-0x0000000005810000-0x0000000005E28000-memory.dmp
memory/4504-71-0x0000000076C50000-0x0000000076D40000-memory.dmp
memory/3160-72-0x0000000005060000-0x0000000005072000-memory.dmp
memory/3160-75-0x00000000050C0000-0x00000000050FC000-memory.dmp
memory/4504-73-0x00000000005C0000-0x000000000208A000-memory.dmp
memory/3216-76-0x0000000002E70000-0x0000000002EA6000-memory.dmp
memory/3216-79-0x00000000059E0000-0x0000000006008000-memory.dmp
memory/4532-80-0x0000000000400000-0x0000000000724000-memory.dmp
memory/3160-82-0x0000000005100000-0x000000000514C000-memory.dmp
memory/3216-84-0x00000000057C0000-0x00000000057E2000-memory.dmp
memory/3216-86-0x0000000006080000-0x00000000060E6000-memory.dmp
memory/3216-85-0x0000000005860000-0x00000000058C6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_o5mv0zlc.x5s.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4532-92-0x00000000057D0000-0x0000000005862000-memory.dmp
memory/2464-83-0x00007FF673850000-0x00007FF67511F000-memory.dmp
memory/4532-97-0x0000000005760000-0x000000000576A000-memory.dmp
memory/3216-98-0x00000000061F0000-0x0000000006544000-memory.dmp
memory/3160-99-0x0000000005360000-0x000000000546A000-memory.dmp
memory/3216-100-0x0000000006750000-0x000000000676E000-memory.dmp
memory/4532-101-0x0000000005C40000-0x0000000005C90000-memory.dmp
memory/4532-102-0x0000000006460000-0x0000000006512000-memory.dmp
memory/3216-104-0x0000000074B70000-0x0000000074BBC000-memory.dmp
memory/3216-114-0x0000000006D40000-0x0000000006D5E000-memory.dmp
memory/3216-115-0x0000000007960000-0x0000000007A03000-memory.dmp
memory/4372-116-0x000001BF0C190000-0x000001BF0C1B2000-memory.dmp
memory/3216-103-0x0000000007920000-0x0000000007952000-memory.dmp
memory/3216-127-0x0000000007AC0000-0x0000000007ADA000-memory.dmp
memory/3216-126-0x0000000008100000-0x000000000877A000-memory.dmp
memory/3216-128-0x0000000007B30000-0x0000000007B3A000-memory.dmp
memory/4408-129-0x00007FF7D34A0000-0x00007FF7D3A3A000-memory.dmp
memory/3216-130-0x0000000007D40000-0x0000000007DD6000-memory.dmp
memory/3216-131-0x0000000006B80000-0x0000000006B91000-memory.dmp
memory/4408-136-0x00007FF7D34A0000-0x00007FF7D3A3A000-memory.dmp
memory/3216-138-0x0000000006B50000-0x0000000006B5E000-memory.dmp
memory/3216-139-0x0000000006B60000-0x0000000006B74000-memory.dmp
memory/3216-140-0x0000000007E00000-0x0000000007E1A000-memory.dmp
memory/3216-141-0x0000000007DE0000-0x0000000007DE8000-memory.dmp
memory/3216-142-0x0000000007E40000-0x0000000007E62000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 207407f1b9da6c059d29a5b03e992d47 |
| SHA1 | ba20ac0bc2c3413a677fe91715b8504f20a62758 |
| SHA256 | 0d0415974b7f063ebbf75e0aa98a27aafdc553f849cf6ecc98ca58d3f93a2b7e |
| SHA512 | d344b45e1d4ec233d07e12288ab566d052702c8f71a6366d3657ccf06caccd5583f80460bda6ae533badbde33a920f0a503737a0373419c8bd2bbcf6660040b4 |
memory/4496-146-0x00007FF709480000-0x00007FF709A1A000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | fee026663fcb662152188784794028ee |
| SHA1 | 3c02a26a9cb16648fad85c6477b68ced3cb0cb45 |
| SHA256 | dbd4136bc342e3e92902ec3a30d165452c82997a7ae24ac90775e42d88959e6b |
| SHA512 | 7b12bd5c8fc4356b9123d6586b4980cf76012663b41c0dab6f6f21567e2f4005c5bcea2cc2158d157e4f801a281f3e04bad3774cddb3122db309ccf662184bd6 |
memory/216-164-0x0000029615370000-0x0000029615390000-memory.dmp
memory/4496-163-0x00007FF709480000-0x00007FF709A1A000-memory.dmp
memory/4640-165-0x00007FF66C910000-0x00007FF66C939000-memory.dmp
memory/216-166-0x00007FF7F5F60000-0x00007FF7F674F000-memory.dmp
memory/216-168-0x00007FF7F5F60000-0x00007FF7F674F000-memory.dmp
memory/4640-169-0x00007FF66C910000-0x00007FF66C939000-memory.dmp
memory/216-170-0x00007FF7F5F60000-0x00007FF7F674F000-memory.dmp
memory/216-172-0x00007FF7F5F60000-0x00007FF7F674F000-memory.dmp
memory/216-174-0x00007FF7F5F60000-0x00007FF7F674F000-memory.dmp
memory/216-176-0x00007FF7F5F60000-0x00007FF7F674F000-memory.dmp
memory/216-178-0x00007FF7F5F60000-0x00007FF7F674F000-memory.dmp
memory/216-180-0x00007FF7F5F60000-0x00007FF7F674F000-memory.dmp
memory/216-182-0x00007FF7F5F60000-0x00007FF7F674F000-memory.dmp