Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240708-en locale:en-us os:windows7-x64 system
  • submitted
    28/07/2024, 01:27 UTC

General

  • Target

    72e1fc6da0a5cfca80413b8b24a880b0688908264971cfedaf079ee52ce4d850.exe

  • Size

    21.3MB

  • MD5

    416de11d210ae0ff50214021ff57b32b

  • SHA1

    3142453c18080b83d8dbdeba89524beea1c94ff3

  • SHA256

    72e1fc6da0a5cfca80413b8b24a880b0688908264971cfedaf079ee52ce4d850

  • SHA512

    e1f061f99e9e4e42c21269a32c9f3cfa711a8a95caf7628637d5606ae7846fc73ae982b0ee78646026c41e5c1e61e21a15829967d2fed534070e3c40e2731e4c

  • SSDEEP

    393216:TYTogFuaMaKQy6SSTMX3q7wLta40K3pNPS4n+yubbcEVPxEV+aqdvx1LB1x8NFN:TYT1Fu/6SSTMq+YK3Hx+3r5Np1FL8NF

Malware Config

Extracted

Family

redline

Botnet

cheat

C2

154.81.220.233:28105

Extracted

Family

quasar

Version

1.4.1

Botnet

themdas

C2

auroraforge.art:55326

thesirenmika.com:55713

Mutex

0cbdfe7f-0215-41e8-a7b5-d4fbbc555089

Attributes
  • encryption_key

    A730DFF691ED1723ED88E36A2C5E7ED5CCF91DD1

  • install_name

    up2.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Quasar Client Startup

  • subdirectory

    SubDir

Signatures

  • Aurora

    Aurora is a crypto wallet stealer written in Golang.

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

  • Quasar payload 5 IoCs
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 2 IoCs
  • SectopRAT

    SectopRAT is a remote access trojan first seen in November 2019.

  • SectopRAT payload 2 IoCs
  • Shurk

    Shurk is an infostealer written in C++ which appeared in 2021.

  • Shurk Stealer payload 2 IoCs
  • Suspicious use of NtCreateUserProcessOtherParentProcess 7 IoCs
  • xmrig

    XMRig is a high-performance, open-source, cross-platform CPU/GPU miner.

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
  • XMRig Miner payload 11 IoCs
  • Sets file to hidden 1 TTPs 1 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 7 IoCs
  • Loads dropped DLL 9 IoCs
  • Modifies file permissions 1 TTPs 1 IoCs
  • Themida packer 1 IoCs

    Detects Themida, an advanced Windows software protection system.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

    Uses the powershell.exe command.

  • Power Settings 1 TTPs 10 IoCs

    powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

  • Drops file in System32 directory 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 3 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 15 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Views/modifies file attributes 1 TTPs 1 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1124
      • C:\Users\Admin\AppData\Local\Temp\72e1fc6da0a5cfca80413b8b24a880b0688908264971cfedaf079ee52ce4d850.exe
        "C:\Users\Admin\AppData\Local\Temp\72e1fc6da0a5cfca80413b8b24a880b0688908264971cfedaf079ee52ce4d850.exe"
        2⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Loads dropped DLL
        • Checks whether UAC is enabled
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:824
        • C:\Users\Admin\AppData\Roaming\AdobeLicense\AdobeUpdate.exe
          "C:\Users\Admin\AppData\Roaming\AdobeLicense\AdobeUpdate.exe"
          3⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:2728
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /c start cmd /Q /C " ping localhost -n 1 && copy "C:\Users\Admin\AppData\Roaming\AdobeLicense\AdobeUpdate.exe" "C:\Users\Admin\AppData\Local\Msedge.exe" && attrib +r +h +a "C:\Users\Admin\AppData\Local\Msedge.exe" && icacls "C:\Users\Admin\AppData\Local\Msedge.exe" /deny "everyone":(WD,AD,WEA,WA) && del "C:\Users\Admin\AppData\Roaming\AdobeLicense\AdobeUpdate.exe" && cmd /C "start "C:\Users\Admin\AppData\Local\Msedge.exe" && exit" && && exit "
            4⤵
            • System Network Configuration Discovery: Internet Connection Discovery
            • Suspicious use of WriteProcessMemory
            PID:2820
            • C:\Windows\system32\cmd.exe
              cmd /Q /C " ping localhost -n 1 && copy "C:\Users\Admin\AppData\Roaming\AdobeLicense\AdobeUpdate.exe" "C:\Users\Admin\AppData\Local\Msedge.exe" && attrib +r +h +a "C:\Users\Admin\AppData\Local\Msedge.exe" && icacls "C:\Users\Admin\AppData\Local\Msedge.exe" /deny "everyone":(WD,AD,WEA,WA) && del "C:\Users\Admin\AppData\Roaming\AdobeLicense\AdobeUpdate.exe" && cmd /C "start "C:\Users\Admin\AppData\Local\Msedge.exe"
              5⤵
              • System Network Configuration Discovery: Internet Connection Discovery
              • Suspicious use of WriteProcessMemory
              PID:2740
              • C:\Windows\system32\PING.EXE
                ping localhost -n 1
                6⤵
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:2912
              • C:\Windows\system32\attrib.exe
                attrib +r +h +a "C:\Users\Admin\AppData\Local\Msedge.exe"
                6⤵
                • Sets file to hidden
                • Views/modifies file attributes
                PID:2836
              • C:\Windows\system32\icacls.exe
                icacls "C:\Users\Admin\AppData\Local\Msedge.exe" /deny "everyone":(WD,AD,WEA,WA)
                6⤵
                • Modifies file permissions
                PID:2872
              • C:\Windows\system32\cmd.exe
                cmd /C "start "C:\Users\Admin\AppData\Local\Msedge.exe
                6⤵
                • Loads dropped DLL
                • Suspicious use of WriteProcessMemory
                PID:1388
                • C:\Users\Admin\AppData\Local\Msedge.exe
                  C:\Users\Admin\AppData\Local\Msedge.exe
                  7⤵
                  • Executes dropped EXE
                  PID:1252
        • C:\Users\Admin\AppData\Roaming\Microsoft Edge\build.exe
          "C:\Users\Admin\AppData\Roaming\Microsoft Edge\build.exe"
          3⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:2844
        • C:\Users\Admin\AppData\Roaming\OneDrive Update Tool\OneDrive.exe
          "C:\Users\Admin\AppData\Roaming\OneDrive Update Tool\OneDrive.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2848
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'OneDriveUpdate';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'OneDriveUpdate' -Value '"C:\Users\Admin\AppData\Roaming\OneDriveUpdate\OneDrive Updater.exe"' -PropertyType 'String'
            4⤵
            • Adds Run key to start application
            • Command and Scripting Interpreter: PowerShell
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1944
          • C:\Windows\SysWOW64\cmd.exe
            "cmd" /C schtasks /create /tn \OneDriveUpdate /tr "C:\Users\Admin\AppData\Roaming\OneDriveUpdate\OneDrive Updater.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:1892
            • C:\Windows\SysWOW64\schtasks.exe
              schtasks /create /tn \OneDriveUpdate /tr "C:\Users\Admin\AppData\Roaming\OneDriveUpdate\OneDrive Updater.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f
              5⤵
              • System Location Discovery: System Language Discovery
              • Scheduled Task/Job: Scheduled Task
              PID:2200
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
            #cmd
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            PID:1948
        • C:\Users\Admin\AppData\Roaming\VLC Media Player\vlc.exe
          "C:\Users\Admin\AppData\Roaming\VLC Media Player\vlc.exe"
          3⤵
          • Suspicious use of NtCreateUserProcessOtherParentProcess
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          PID:2596
        • C:\Users\Admin\AppData\Local\Temp\Aurora.exe
          "C:\Users\Admin\AppData\Local\Temp\Aurora.exe"
          3⤵
          • Executes dropped EXE
          PID:2424
      • C:\Windows\System32\cmd.exe
        C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
        2⤵
        • Power Settings
        PID:300
        • C:\Windows\System32\powercfg.exe
          powercfg /x -hibernate-timeout-ac 0
          3⤵
          • Power Settings
          • Suspicious use of AdjustPrivilegeToken
          PID:804
        • C:\Windows\System32\powercfg.exe
          powercfg /x -hibernate-timeout-dc 0
          3⤵
          • Power Settings
          • Suspicious use of AdjustPrivilegeToken
          PID:1784
        • C:\Windows\System32\powercfg.exe
          powercfg /x -standby-timeout-ac 0
          3⤵
          • Power Settings
          • Suspicious use of AdjustPrivilegeToken
          PID:924
        • C:\Windows\System32\powercfg.exe
          powercfg /x -standby-timeout-dc 0
          3⤵
          • Power Settings
          • Suspicious use of AdjustPrivilegeToken
          PID:1600
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#npnsokoe#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'ConsoleWindowsHost' /tr '''C:\Users\Admin\AppData\Roaming\Google\Chrome\svchost.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Google\Chrome\svchost.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'ConsoleWindowsHost' -RunLevel 'Highest' -Force; }
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:448
        • C:\Windows\system32\schtasks.exe
          "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /tn ConsoleWindowsHost /tr 'C:\Users\Admin\AppData\Roaming\Google\Chrome\svchost.exe'
          3⤵
          • Scheduled Task/Job: Scheduled Task
          PID:2924
      • C:\Windows\System32\schtasks.exe
        C:\Windows\System32\schtasks.exe /run /tn "ConsoleWindowsHost"
        2⤵
          PID:1140
        • C:\Windows\System32\cmd.exe
          C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
          2⤵
          • Power Settings
          PID:980
          • C:\Windows\System32\powercfg.exe
            powercfg /x -hibernate-timeout-ac 0
            3⤵
            • Power Settings
            • Suspicious use of AdjustPrivilegeToken
            PID:2472
          • C:\Windows\System32\powercfg.exe
            powercfg /x -hibernate-timeout-dc 0
            3⤵
            • Power Settings
            • Suspicious use of AdjustPrivilegeToken
            PID:352
          • C:\Windows\System32\powercfg.exe
            powercfg /x -standby-timeout-ac 0
            3⤵
            • Power Settings
            • Suspicious use of AdjustPrivilegeToken
            PID:1416
          • C:\Windows\System32\powercfg.exe
            powercfg /x -standby-timeout-dc 0
            3⤵
            • Power Settings
            • Suspicious use of AdjustPrivilegeToken
            PID:1888
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#npnsokoe#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'ConsoleWindowsHost' /tr '''C:\Users\Admin\AppData\Roaming\Google\Chrome\svchost.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Google\Chrome\svchost.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'ConsoleWindowsHost' -RunLevel 'Highest' -Force; }
          2⤵
          • Command and Scripting Interpreter: PowerShell
          • Drops file in System32 directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:584
          • C:\Windows\system32\schtasks.exe
            "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /tn ConsoleWindowsHost /tr 'C:\Users\Admin\AppData\Roaming\Google\Chrome\svchost.exe'
            3⤵
            • Scheduled Task/Job: Scheduled Task
            PID:1192
        • C:\Windows\System32\conhost.exe
          C:\Windows\System32\conhost.exe
          2⤵
            PID:876
          • C:\Windows\System32\svchost.exe
            C:\Windows\System32\svchost.exe
            2⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            PID:2344
        • C:\Windows\system32\taskeng.exe
          taskeng.exe {13CC630C-48AF-4DFD-9C5F-4F5463C9FE30} S-1-5-21-3551809350-4263495960-1443967649-1000:NNYJZAHP\Admin:Interactive:[1]
          1⤵
          • Loads dropped DLL
          PID:908
          • C:\Users\Admin\AppData\Roaming\Google\Chrome\svchost.exe
            C:\Users\Admin\AppData\Roaming\Google\Chrome\svchost.exe
            2⤵
            • Suspicious use of NtCreateUserProcessOtherParentProcess
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            PID:1688

        Network

        • flag-us
          DNS
          github.com
          Aurora.exe
          Remote address:
          8.8.8.8:53
          Request
          github.com
          IN A
          Response
          github.com
          IN A
          20.26.156.215
        • flag-us
          DNS
          auroraforge.art
          RegAsm.exe
          Remote address:
          8.8.8.8:53
          Request
          auroraforge.art
          IN A
          Response
          auroraforge.art
          IN A
          192.64.119.108
        • flag-us
          DNS
          xmr-us-east1.nanopool.org
          svchost.exe
          Remote address:
          8.8.8.8:53
          Request
          xmr-us-east1.nanopool.org
          IN A
          Response
          xmr-us-east1.nanopool.org
          IN A
          51.222.106.253
          xmr-us-east1.nanopool.org
          IN A
          51.222.200.133
          xmr-us-east1.nanopool.org
          IN A
          51.222.12.201
          xmr-us-east1.nanopool.org
          IN A
          51.79.71.77
        • flag-us
          DNS
          thesirenmika.com
          RegAsm.exe
          Remote address:
          8.8.8.8:53
          Request
          thesirenmika.com
          IN A
          Response
          thesirenmika.com
          IN A
          123.123.123.123
        • 20.26.156.215:443
          github.com
          tls
          Aurora.exe
          4.7kB
          135.9kB
          73
          111
        • 154.81.220.233:28105
          build.exe
          152 B
          120 B
          3
          3
        • 192.64.119.108:55326
          auroraforge.art
          RegAsm.exe
          152 B
          3
        • 154.81.220.233:28105
          build.exe
          152 B
          120 B
          3
          3
        • 154.81.220.233:28105
          build.exe
          152 B
          120 B
          3
          3
        • 154.81.220.233:28105
          build.exe
          152 B
          120 B
          3
          3
        • 51.222.12.201:14444
          xmr-us-east1.nanopool.org
          svchost.exe
          1.3kB
          4.7kB
          15
          14
        • 154.81.220.233:28105
          build.exe
          152 B
          120 B
          3
          3
        • 123.123.123.123:55713
          thesirenmika.com
          RegAsm.exe
          152 B
          3
        • 154.81.220.233:28105
          build.exe
          152 B
          120 B
          3
          3
        • 154.81.220.233:28105
          build.exe
          152 B
          120 B
          3
          3
        • 154.81.220.233:28105
          build.exe
          152 B
          120 B
          3
          3
        • 154.81.220.233:28105
          build.exe
          152 B
          120 B
          3
          3
        • 192.64.119.108:55326
          auroraforge.art
          RegAsm.exe
          152 B
          3
        • 154.81.220.233:28105
          build.exe
          152 B
          120 B
          3
          3
        • 154.81.220.233:28105
          build.exe
          152 B
          120 B
          3
          3
        • 154.81.220.233:28105
          build.exe
          152 B
          120 B
          3
          3
        • 154.81.220.233:28105
          build.exe
          152 B
          120 B
          3
          3
        • 123.123.123.123:55713
          thesirenmika.com
          RegAsm.exe
          152 B
          3
        • 154.81.220.233:28105
          build.exe
          152 B
          120 B
          3
          3
        • 154.81.220.233:28105
          build.exe
          152 B
          120 B
          3
          3
        • 154.81.220.233:28105
          build.exe
          152 B
          120 B
          3
          3
        • 154.81.220.233:28105
          build.exe
          152 B
          120 B
          3
          3
        • 192.64.119.108:55326
          auroraforge.art
          RegAsm.exe
          152 B
          3
        • 154.81.220.233:28105
          build.exe
          152 B
          120 B
          3
          3
        • 154.81.220.233:28105
          build.exe
          152 B
          120 B
          3
          3
        • 154.81.220.233:28105
          build.exe
          152 B
          120 B
          3
          3
        • 154.81.220.233:28105
          build.exe
          152 B
          120 B
          3
          3
        • 8.8.8.8:53
          github.com
          dns
          Aurora.exe
          56 B
          72 B
          1
          1

          DNS Request

          github.com

          DNS Response

          20.26.156.215

        • 8.8.8.8:53
          auroraforge.art
          dns
          RegAsm.exe
          61 B
          77 B
          1
          1

          DNS Request

          auroraforge.art

          DNS Response

          192.64.119.108

        • 8.8.8.8:53
          xmr-us-east1.nanopool.org
          dns
          svchost.exe
          71 B
          135 B
          1
          1

          DNS Request

          xmr-us-east1.nanopool.org

          DNS Response

          51.222.106.253
          51.222.200.133
          51.222.12.201
          51.79.71.77

        • 8.8.8.8:53
          thesirenmika.com
          dns
          RegAsm.exe
          62 B
          78 B
          1
          1

          DNS Request

          thesirenmika.com

          DNS Response

          123.123.123.123

        MITRE ATT&CK Enterprise v15


        Downloads

        • C:\Users\Admin\AppData\Local\Temp\Cab1538.tmp

          Filesize

          70KB

          MD5

          49aebf8cbd62d92ac215b2923fb1b9f5

          SHA1

          1723be06719828dda65ad804298d0431f6aff976

          SHA256

          b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

          SHA512

          bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

        • C:\Users\Admin\AppData\Local\Temp\Tar1605.tmp

          Filesize

          181KB

          MD5

          4ea6026cf93ec6338144661bf1202cd1

          SHA1

          a1dec9044f750ad887935a01430bf49322fbdcb7

          SHA256

          8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

          SHA512

          6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

        • C:\Users\Admin\AppData\Roaming\AdobeLicense\AdobeUpdate.exe

          Filesize

          80KB

          MD5

          65f0a85c4b056d6bcee60c49e2372e35

          SHA1

          6af820a2030950617bf150777af4a43a06a17184

          SHA256

          d64768ea74224057220bff451504b6128ddfb6161617b668626c490c84b3ae8e

          SHA512

          7a50bd0b3908f830494b2bff13a051ba0cdc7900934dbf8a62616f6d29b914f05f8029bbcc429a095254ebb6ab2a2d92c05dd6aebf57e34cde20f152243df383

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\Z2FCJFND2T29L6YFZ7P3.temp

          Filesize

          7KB

          MD5

          533cdacb2424c7fa2206a5242638b6f7

          SHA1

          7ab0e332ec311316006829f1ca75d38b905eae92

          SHA256

          42e61ac924eef8c34ba386fa2b75c1c46d0aede8370442456a92df342a6e41c6

          SHA512

          3ef996e2ab8d4701a682903276e5b550b80fa2295d60578e0eb11c0dbfbb79007d1d06fc00d475f04d12ce9c8313a17f146cc553d2b0226e49e578f0389f9561

        • \Users\Admin\AppData\Local\Temp\Aurora.exe

          Filesize

          25.2MB

          MD5

          1504c863a05885816d2c8874137ae7a7

          SHA1

          5b16d440a7e9b5887886549f016f252900b5c0ac

          SHA256

          33fc61e81efa609df51277aef261623bb291e2dd5359362d50070f7a441df0ad

          SHA512

          055d2650ac996443130c05a742bcaabc576dbde29cc21ea956f66132f7e6da8a5771beb9cd51ff2384b2230ebe68990b35d8b14611613db2b8d2764846a487f9

        • \Users\Admin\AppData\Roaming\Microsoft Edge\build.exe

          Filesize

          95KB

          MD5

          c9a9d471428a5f92068c0823e6454254

          SHA1

          8b8ee8612b9b8bfbb165b3a8ca0d4a377b589dd2

          SHA256

          b0ffaa8c7d8fe1e804afc87e6f7659483c69d421911ddbfc410270011b91bfb5

          SHA512

          ca34022e99a48639fb3566ec4eb901a2f91121aee6a1f1bc601492dd94387873afc8af499aefed8d644aef8f564ca46a12ea40176da7f8d7b4e60f4b505ac8af

        • \Users\Admin\AppData\Roaming\OneDrive Update Tool\OneDrive.exe

          Filesize

          3.2MB

          MD5

          3b4f58cd4bca7274be25e885be00798b

          SHA1

          eb57c281d8324a1079db97c9da43483a65debbed

          SHA256

          a6832546e1d261c33deea58e1cbb8a391af91628b130454d55aef3e292862d80

          SHA512

          dc909730b2feacba3c14c98a2b443d5c12dfd74ce74db53cf7e564e01707ac365811e4d3b95c0cefe2b87ebd1b074fb4a395360911c3d11de4fa8957e9bad121

        • \Users\Admin\AppData\Roaming\VLC Media Player\vlc.exe

          Filesize

          5.6MB

          MD5

          b9fc8581b52abfc6b563da731438e27d

          SHA1

          43111fe9b307c850a379fe2d64d279e994680de3

          SHA256

          e03debe75b2f4f4c937c50773064b9a692b262bfce4472e67900edf3f7726058

          SHA512

          c62540e73870caf9a93fbc2396ac99867f8f6e87661240d7642022130008bdb769954f1e8a58d13698172e62cc5b7d44a73b2f1d999db47822eb294c629436a5

        • memory/448-107-0x0000000002830000-0x0000000002838000-memory.dmp

          Filesize

          32KB

        • memory/448-106-0x000000001B4E0000-0x000000001B7C2000-memory.dmp

          Filesize

          2.9MB

        • memory/584-121-0x0000000002200000-0x0000000002208000-memory.dmp

          Filesize

          32KB

        • memory/584-120-0x000000001B530000-0x000000001B812000-memory.dmp

          Filesize

          2.9MB

        • memory/824-2-0x0000000075DC0000-0x0000000075E07000-memory.dmp

          Filesize

          284KB

        • memory/824-0-0x0000000000990000-0x000000000245A000-memory.dmp

          Filesize

          26.8MB

        • memory/824-1-0x0000000075DCE000-0x0000000075DCF000-memory.dmp

          Filesize

          4KB

        • memory/824-54-0x0000000000990000-0x000000000245A000-memory.dmp

          Filesize

          26.8MB

        • memory/824-50-0x0000000075DC0000-0x0000000075E07000-memory.dmp

          Filesize

          284KB

        • memory/824-6-0x0000000075DC0000-0x0000000075E07000-memory.dmp

          Filesize

          284KB

        • memory/876-128-0x0000000140000000-0x0000000140029000-memory.dmp

          Filesize

          164KB

        • memory/876-132-0x0000000140000000-0x0000000140029000-memory.dmp

          Filesize

          164KB

        • memory/1688-126-0x000000013FD90000-0x000000014032A000-memory.dmp

          Filesize

          5.6MB

        • memory/1688-114-0x000000013FD90000-0x000000014032A000-memory.dmp

          Filesize

          5.6MB

        • memory/1948-100-0x0000000000400000-0x0000000000724000-memory.dmp

          Filesize

          3.1MB

        • memory/1948-93-0x0000000000400000-0x0000000000724000-memory.dmp

          Filesize

          3.1MB

        • memory/1948-91-0x0000000000400000-0x0000000000724000-memory.dmp

          Filesize

          3.1MB

        • memory/1948-95-0x0000000000400000-0x0000000000724000-memory.dmp

          Filesize

          3.1MB

        • memory/1948-97-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

          Filesize

          4KB

        • memory/1948-98-0x0000000000400000-0x0000000000724000-memory.dmp

          Filesize

          3.1MB

        • memory/1948-99-0x0000000000400000-0x0000000000724000-memory.dmp

          Filesize

          3.1MB

        • memory/1948-89-0x0000000000400000-0x0000000000724000-memory.dmp

          Filesize

          3.1MB

        • memory/2344-136-0x0000000140000000-0x00000001407EF000-memory.dmp

          Filesize

          7.9MB

        • memory/2344-138-0x0000000140000000-0x00000001407EF000-memory.dmp

          Filesize

          7.9MB

        • memory/2344-127-0x0000000000240000-0x0000000000260000-memory.dmp

          Filesize

          128KB

        • memory/2344-144-0x0000000140000000-0x00000001407EF000-memory.dmp

          Filesize

          7.9MB

        • memory/2344-148-0x0000000140000000-0x00000001407EF000-memory.dmp

          Filesize

          7.9MB

        • memory/2344-129-0x0000000140000000-0x00000001407EF000-memory.dmp

          Filesize

          7.9MB

        • memory/2344-131-0x0000000140000000-0x00000001407EF000-memory.dmp

          Filesize

          7.9MB

        • memory/2344-142-0x0000000140000000-0x00000001407EF000-memory.dmp

          Filesize

          7.9MB

        • memory/2344-133-0x0000000140000000-0x00000001407EF000-memory.dmp

          Filesize

          7.9MB

        • memory/2344-140-0x0000000140000000-0x00000001407EF000-memory.dmp

          Filesize

          7.9MB

        • memory/2344-146-0x0000000140000000-0x00000001407EF000-memory.dmp

          Filesize

          7.9MB

        • memory/2424-84-0x000000013FB20000-0x00000001413EF000-memory.dmp

          Filesize

          24.8MB

        • memory/2596-101-0x000000013FA60000-0x000000013FFFA000-memory.dmp

          Filesize

          5.6MB

        • memory/2596-110-0x000000013FA60000-0x000000013FFFA000-memory.dmp

          Filesize

          5.6MB

        • memory/2844-31-0x00000000001A0000-0x00000000001BE000-memory.dmp

          Filesize

          120KB

        • memory/2848-32-0x00000000013D0000-0x00000000016FE000-memory.dmp

          Filesize

          3.2MB
