Malware Analysis Report

2024-10-16 05:21

Sample ID 240227-ty322seb7v
Target Aurora X [by GodsExploits].zip
SHA256 f7dc829d59a3f45926630c70d20b8b7dcdb0a9c0b67110269837d2c58e096f91
Tags
discovery spyware stealer cryptone packer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f7dc829d59a3f45926630c70d20b8b7dcdb0a9c0b67110269837d2c58e096f91

Threat Level: Known bad

The file Aurora X [by GodsExploits].zip was found to be: Known bad.

Malicious Activity Summary

discovery spyware stealer cryptone packer

Suspicious use of NtCreateUserProcessOtherParentProcess

CryptOne packer

Executes dropped EXE

Reads user/profile data of web browsers

Checks computer location settings

Loads dropped DLL

Drops startup file

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Enumerates physical storage devices

Modifies registry class

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Modifies Internet Explorer settings

Suspicious use of AdjustPrivilegeToken

Runs ping.exe

Suspicious use of FindShellTrayWindow

Enumerates processes with tasklist

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-27 16:28

Signatures

CryptOne packer

cryptone packer
Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-27 16:28

Reported

2024-02-27 16:31

Platform

win7-20240221-en

Max time kernel

121s

Max time network

125s

Command Line

C:\Windows\Explorer.EXE

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 328 created 1216 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29663\Some.pif C:\Windows\Explorer.EXE

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29663\RegAsm.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Enumerates physical storage devices

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29663\Some.pif N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29663\RegAsm.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3012 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\Aurora\Aurora.exe C:\Windows\SysWOW64\cmd.exe
PID 3012 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\Aurora\Aurora.exe C:\Windows\SysWOW64\cmd.exe
PID 3012 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\Aurora\Aurora.exe C:\Windows\SysWOW64\cmd.exe
PID 3012 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\Aurora\Aurora.exe C:\Windows\SysWOW64\cmd.exe
PID 2640 wrote to memory of 3040 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2640 wrote to memory of 3040 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2640 wrote to memory of 3040 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2640 wrote to memory of 3040 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2640 wrote to memory of 2688 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2640 wrote to memory of 2688 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2640 wrote to memory of 2688 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2640 wrote to memory of 2688 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2640 wrote to memory of 2440 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2640 wrote to memory of 2440 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2640 wrote to memory of 2440 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2640 wrote to memory of 2440 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2640 wrote to memory of 2464 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2640 wrote to memory of 2464 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2640 wrote to memory of 2464 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2640 wrote to memory of 2464 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2640 wrote to memory of 1276 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2640 wrote to memory of 1276 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2640 wrote to memory of 1276 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2640 wrote to memory of 1276 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2640 wrote to memory of 2356 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2640 wrote to memory of 2356 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2640 wrote to memory of 2356 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2640 wrote to memory of 2356 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2640 wrote to memory of 568 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2640 wrote to memory of 568 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2640 wrote to memory of 568 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2640 wrote to memory of 568 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2640 wrote to memory of 328 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29663\Some.pif
PID 2640 wrote to memory of 328 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29663\Some.pif
PID 2640 wrote to memory of 328 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29663\Some.pif
PID 2640 wrote to memory of 328 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29663\Some.pif
PID 2640 wrote to memory of 1596 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2640 wrote to memory of 1596 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2640 wrote to memory of 1596 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2640 wrote to memory of 1596 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 328 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29663\Some.pif C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29663\RegAsm.exe
PID 328 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29663\Some.pif C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29663\RegAsm.exe
PID 328 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29663\Some.pif C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29663\RegAsm.exe
PID 328 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29663\Some.pif C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29663\RegAsm.exe
PID 328 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29663\Some.pif C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29663\RegAsm.exe
PID 328 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29663\Some.pif C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29663\RegAsm.exe
PID 328 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29663\Some.pif C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29663\RegAsm.exe
PID 328 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29663\Some.pif C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29663\RegAsm.exe
PID 328 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29663\Some.pif C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29663\RegAsm.exe
PID 1692 wrote to memory of 2156 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29663\RegAsm.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe
PID 1692 wrote to memory of 2156 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29663\RegAsm.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe
PID 1692 wrote to memory of 2156 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29663\RegAsm.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe
PID 1692 wrote to memory of 2156 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29663\RegAsm.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\Aurora\Aurora.exe

"C:\Users\Admin\AppData\Local\Temp\Aurora\Aurora.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k move Painful Painful.bat & Painful.bat & exit

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "wrsa.exe opssvc.exe"

C:\Windows\explorer.exe

"C:\Windows\explorer.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c md 29663

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b Getting + Incentive + Thread + Collectibles + Informed 29663\Some.pif

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b Depends 29663\o

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29663\Some.pif

29663\Some.pif 29663\o

C:\Windows\SysWOW64\PING.EXE

ping -n 5 127.0.0.1

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29663\RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29663\RegAsm.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 YkHoCyKqZzlbXuNP.YkHoCyKqZzlbXuNP udp
NL 45.15.156.186:29975 tcp

Files

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Painful

MD5 14f0143671aa234d550f8236779661f1
SHA1 703d124e6ab5c6febec3d382ac013c73d5296804
SHA256 a15f1384ef47d3192b087bfaf5cc669391b7999fe09b9b15703d76c4c9b4a510
SHA512 7562c866a4501e007d125f1341d4324bd4b0af01089e619e85ffb70c9cc47d9bf2b6ce3a6bc9c4e132f5bdfe6801b4e8c6581656483fd2a5ec35e0fdf17dd5f4

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Collectibles

MD5 e60e6b719a7a34dcccb2d6bcd97424de
SHA1 28056594a2d3155197dbf5bce5cff51dbf331b4a
SHA256 ac9e30fbe5fc06ffe55fb3edd3c5252380e49c01b25379d7f10567cc5f37acfe
SHA512 30ed4c5f1b4c690987d02ae38e4c7ea4acff53394a116960de225d0ac6a0f1d5ab3ae84224b8a0b204791424d2195fba8de4c2a616aa0627c098590285bb0e61

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Depends

MD5 ce52ef26608066638a08073742291811
SHA1 0c17e90a16708e32eb5f0d2a7a12dd1e7064ba8d
SHA256 2faed6d927ceb4c7515415500e1f8f5618e4fdcda3bc741a2d075db08a7a3bc8
SHA512 37932d682d0a93ad93d8c8aad7f7e4af1af77344b0ffd709fd0c6c1a7b24c04562c33e30ae5bea1b57223940905c65e837948ec6da4630854a200d10b107c14e

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Thread

MD5 de20c902975bd3a0a74349e2802ddee9
SHA1 a69c64a294e3e4fc98b11088e48d347237e23099
SHA256 2fd852e4560b10fb8887bbb5423a3152050306976abde039889c28b0eb216274
SHA512 347d6def344010a0a69151775a6b2a0ac4917ce2a2adcae0f87457cd7b9a8a4afc33bc013a4397c4db092afd8c8b872e0de6abdfbc852b9d2d0602d6f0d29485

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Incentive

MD5 3df26aad973ee35ce3246f6f2fb1b40a
SHA1 039a6e581df432f317ac6e57fcee3a8533fb1c5f
SHA256 69afbe257da18de11385c7c113ded1cd1d6a5b9312d49c53d348829322fc2689
SHA512 0cdbb773ac59ad535ee8c08540db00515c1e9728e39e2224d6772efb4ce97b87abc4787491e96e190bf3f2b0229a76d91da49ae959a0e666d7366ac109d45205

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Getting

MD5 f0b0088291bd53c8a8ccdde80b27c1ea
SHA1 edc14809a25bacd6a8d573519430c5a0b7bdabf3
SHA256 854f3d4e76e9895fbb4db34ffc03447f3c6849bb7886f956ef005ae38225df96
SHA512 df85d8e2250a57ec1ac419b1ed8356c3b04b6578eea5c1f2fe4245a4ecb55516bcf7a08eba0b38b7447ef5472c6e1d4db7f89d28bdf0d3f978875a2ebfc05436

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Informed

MD5 1d1c99b1dd572318731358c8a01baa4d
SHA1 efe3d84eb1f3644277093f059aab9248dcbbb958
SHA256 708c2d2e15e3f7af01d121ef5284cda947eb180aa38c193495f46424870acee6
SHA512 6c7e8c4399bba46045343195b52b51c1a85d67fea533a09b4b4a76419ff33721014af7b5f893e711593d0b0b2d8d76c1097c72efc9a9980b21bf78560b14d601

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29663\Some.pif

MD5 848164d084384c49937f99d5b894253e
SHA1 3055ef803eeec4f175ebf120f94125717ee12444
SHA256 f58d3a4b2f3f7f10815c24586fae91964eeed830369e7e0701b43895b0cefbd3
SHA512 aabe1cf076f48f32542f49a92e4ca9f054b31d5a9949119991b897b9489fe775d8009896408ba49ac43ec431c87c0d385daead9dbbde7ef6309b0c97bbaf852a

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29663\o

MD5 37e6bda5dbc39d1e0ba02532c4bafb72
SHA1 194703009f09bb2d3013165da74c23fc67ba1100
SHA256 36afba9d783a0bcd819b34dacb0f0beb2d167711b42501320244f7bcab9190e7
SHA512 92485efb80a8a28cc2a5bf6702fa212aa2072679918c1bb410f78405d0c65ccaee05fe0b95527e92f89f75af72468e0085e2bacb5f24c46062c1abd9b4b7f200

memory/328-28-0x0000000077670000-0x0000000077746000-memory.dmp

\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29663\RegAsm.exe

MD5 b58b926c3574d28d5b7fdd2ca3ec30d5
SHA1 d260c4ffd603a9cfc057fcb83d678b1cecdf86f9
SHA256 6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3
SHA512 b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

memory/328-32-0x00000000001F0000-0x00000000001F1000-memory.dmp

memory/1692-34-0x0000000000090000-0x0000000000128000-memory.dmp

memory/1692-37-0x0000000000090000-0x0000000000128000-memory.dmp

memory/1692-39-0x0000000000090000-0x0000000000128000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe

MD5 a5ce3aba68bdb438e98b1d0c70a3d95c
SHA1 013f5aa9057bf0b3c0c24824de9d075434501354
SHA256 9b860be98a046ea97a7f67b006e0b1bc9ab7731dd2a0f3a9fd3d710f6c43278a
SHA512 7446f1256873b51a59b9d2d3498cef5a41dbce55864c2a5fb8cb7d25f7d6e6d8ea249d551a45b75d99b1ad0d6fb4b5e4544e5ca77bcd627717d6598b5f566a79

memory/2156-48-0x0000000000F00000-0x0000000000F08000-memory.dmp

memory/2156-49-0x000007FEF5010000-0x000007FEF59FC000-memory.dmp

memory/2156-50-0x000007FEF5010000-0x000007FEF59FC000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-27 16:28

Reported

2024-02-27 16:31

Platform

win10v2004-20240226-en

Max time kernel

91s

Max time network

114s

Command Line

C:\Windows\Explorer.EXE

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 4860 created 3352 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29659\Some.pif C:\Windows\Explorer.EXE

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Aurora\Aurora.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29659\RegAsm.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29659\RegAsm.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Enumerates physical storage devices

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29659\Some.pif N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29659\RegAsm.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5060 wrote to memory of 4144 N/A C:\Users\Admin\AppData\Local\Temp\Aurora\Aurora.exe C:\Windows\SysWOW64\cmd.exe
PID 5060 wrote to memory of 4144 N/A C:\Users\Admin\AppData\Local\Temp\Aurora\Aurora.exe C:\Windows\SysWOW64\cmd.exe
PID 5060 wrote to memory of 4144 N/A C:\Users\Admin\AppData\Local\Temp\Aurora\Aurora.exe C:\Windows\SysWOW64\cmd.exe
PID 4144 wrote to memory of 1864 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 4144 wrote to memory of 1864 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 4144 wrote to memory of 1864 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 4144 wrote to memory of 4884 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 4144 wrote to memory of 4884 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 4144 wrote to memory of 4884 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 4144 wrote to memory of 468 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 4144 wrote to memory of 468 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 4144 wrote to memory of 468 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 4144 wrote to memory of 4628 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 4144 wrote to memory of 4628 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 4144 wrote to memory of 4628 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 4144 wrote to memory of 1072 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4144 wrote to memory of 1072 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4144 wrote to memory of 1072 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4144 wrote to memory of 2028 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4144 wrote to memory of 2028 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4144 wrote to memory of 2028 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4144 wrote to memory of 3112 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4144 wrote to memory of 3112 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4144 wrote to memory of 3112 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4144 wrote to memory of 4860 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29659\Some.pif
PID 4144 wrote to memory of 4860 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29659\Some.pif
PID 4144 wrote to memory of 4860 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29659\Some.pif
PID 4144 wrote to memory of 1220 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4144 wrote to memory of 1220 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4144 wrote to memory of 1220 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4860 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29659\Some.pif C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29659\RegAsm.exe
PID 4860 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29659\Some.pif C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29659\RegAsm.exe
PID 4860 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29659\Some.pif C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29659\RegAsm.exe
PID 4860 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29659\Some.pif C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29659\RegAsm.exe
PID 4860 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29659\Some.pif C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29659\RegAsm.exe
PID 2612 wrote to memory of 4344 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29659\RegAsm.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe
PID 2612 wrote to memory of 4344 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29659\RegAsm.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\Aurora\Aurora.exe

"C:\Users\Admin\AppData\Local\Temp\Aurora\Aurora.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k move Painful Painful.bat & Painful.bat & exit

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "wrsa.exe opssvc.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c md 29659

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b Getting + Incentive + Thread + Collectibles + Informed 29659\Some.pif

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b Depends 29659\o

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29659\Some.pif

29659\Some.pif 29659\o

C:\Windows\SysWOW64\PING.EXE

ping -n 5 127.0.0.1

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29659\RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29659\RegAsm.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 YkHoCyKqZzlbXuNP.YkHoCyKqZzlbXuNP udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
NL 45.15.156.186:29975 tcp
US 8.8.8.8:53 186.156.15.45.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 202.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Painful

MD5 14f0143671aa234d550f8236779661f1
SHA1 703d124e6ab5c6febec3d382ac013c73d5296804
SHA256 a15f1384ef47d3192b087bfaf5cc669391b7999fe09b9b15703d76c4c9b4a510
SHA512 7562c866a4501e007d125f1341d4324bd4b0af01089e619e85ffb70c9cc47d9bf2b6ce3a6bc9c4e132f5bdfe6801b4e8c6581656483fd2a5ec35e0fdf17dd5f4

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Getting

MD5 f0b0088291bd53c8a8ccdde80b27c1ea
SHA1 edc14809a25bacd6a8d573519430c5a0b7bdabf3
SHA256 854f3d4e76e9895fbb4db34ffc03447f3c6849bb7886f956ef005ae38225df96
SHA512 df85d8e2250a57ec1ac419b1ed8356c3b04b6578eea5c1f2fe4245a4ecb55516bcf7a08eba0b38b7447ef5472c6e1d4db7f89d28bdf0d3f978875a2ebfc05436

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Incentive

MD5 3df26aad973ee35ce3246f6f2fb1b40a
SHA1 039a6e581df432f317ac6e57fcee3a8533fb1c5f
SHA256 69afbe257da18de11385c7c113ded1cd1d6a5b9312d49c53d348829322fc2689
SHA512 0cdbb773ac59ad535ee8c08540db00515c1e9728e39e2224d6772efb4ce97b87abc4787491e96e190bf3f2b0229a76d91da49ae959a0e666d7366ac109d45205

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Thread

MD5 de20c902975bd3a0a74349e2802ddee9
SHA1 a69c64a294e3e4fc98b11088e48d347237e23099
SHA256 2fd852e4560b10fb8887bbb5423a3152050306976abde039889c28b0eb216274
SHA512 347d6def344010a0a69151775a6b2a0ac4917ce2a2adcae0f87457cd7b9a8a4afc33bc013a4397c4db092afd8c8b872e0de6abdfbc852b9d2d0602d6f0d29485

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Collectibles

MD5 e60e6b719a7a34dcccb2d6bcd97424de
SHA1 28056594a2d3155197dbf5bce5cff51dbf331b4a
SHA256 ac9e30fbe5fc06ffe55fb3edd3c5252380e49c01b25379d7f10567cc5f37acfe
SHA512 30ed4c5f1b4c690987d02ae38e4c7ea4acff53394a116960de225d0ac6a0f1d5ab3ae84224b8a0b204791424d2195fba8de4c2a616aa0627c098590285bb0e61

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Informed

MD5 1d1c99b1dd572318731358c8a01baa4d
SHA1 efe3d84eb1f3644277093f059aab9248dcbbb958
SHA256 708c2d2e15e3f7af01d121ef5284cda947eb180aa38c193495f46424870acee6
SHA512 6c7e8c4399bba46045343195b52b51c1a85d67fea533a09b4b4a76419ff33721014af7b5f893e711593d0b0b2d8d76c1097c72efc9a9980b21bf78560b14d601

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Depends

MD5 37e6bda5dbc39d1e0ba02532c4bafb72
SHA1 194703009f09bb2d3013165da74c23fc67ba1100
SHA256 36afba9d783a0bcd819b34dacb0f0beb2d167711b42501320244f7bcab9190e7
SHA512 92485efb80a8a28cc2a5bf6702fa212aa2072679918c1bb410f78405d0c65ccaee05fe0b95527e92f89f75af72468e0085e2bacb5f24c46062c1abd9b4b7f200

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29659\Some.pif

MD5 848164d084384c49937f99d5b894253e
SHA1 3055ef803eeec4f175ebf120f94125717ee12444
SHA256 f58d3a4b2f3f7f10815c24586fae91964eeed830369e7e0701b43895b0cefbd3
SHA512 aabe1cf076f48f32542f49a92e4ca9f054b31d5a9949119991b897b9489fe775d8009896408ba49ac43ec431c87c0d385daead9dbbde7ef6309b0c97bbaf852a

memory/4860-27-0x0000000077DD1000-0x0000000077EF1000-memory.dmp

memory/4860-30-0x00000000055E0000-0x00000000055E1000-memory.dmp

memory/2612-32-0x0000000000F90000-0x0000000001028000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29659\RegAsm.exe

MD5 0d5df43af2916f47d00c1573797c1a13
SHA1 230ab5559e806574d26b4c20847c368ed55483b0
SHA256 c066aee7aa3aa83f763ebc5541daa266ed6c648fbffcde0d836a13b221bb2adc
SHA512 f96cf9e1890746b12daf839a6d0f16f062b72c1b8a40439f96583f242980f10f867720232a6fa0f7d4d7ac0a7a6143981a5a130d6417ea98b181447134c7cfe2

memory/2612-35-0x00000000738B0000-0x0000000074060000-memory.dmp

memory/2612-36-0x0000000003140000-0x0000000003150000-memory.dmp

memory/2612-37-0x0000000006280000-0x0000000006824000-memory.dmp

memory/2612-38-0x0000000006E50000-0x0000000007468000-memory.dmp

memory/2612-39-0x0000000005EB0000-0x0000000005FBA000-memory.dmp

memory/2612-40-0x0000000005DE0000-0x0000000005DF2000-memory.dmp

memory/2612-41-0x0000000005E40000-0x0000000005E7C000-memory.dmp

memory/2612-42-0x00000000060C0000-0x000000000610C000-memory.dmp

memory/2612-43-0x00000000061D0000-0x0000000006236000-memory.dmp

memory/2612-44-0x00000000068D0000-0x0000000006962000-memory.dmp

memory/2612-45-0x0000000006970000-0x00000000069E6000-memory.dmp

memory/2612-46-0x0000000006AF0000-0x0000000006B0E000-memory.dmp

memory/2612-47-0x00000000076D0000-0x0000000007720000-memory.dmp

memory/2612-48-0x0000000008010000-0x00000000081D2000-memory.dmp

memory/2612-49-0x0000000008710000-0x0000000008C3C000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe

MD5 a5ce3aba68bdb438e98b1d0c70a3d95c
SHA1 013f5aa9057bf0b3c0c24824de9d075434501354
SHA256 9b860be98a046ea97a7f67b006e0b1bc9ab7731dd2a0f3a9fd3d710f6c43278a
SHA512 7446f1256873b51a59b9d2d3498cef5a41dbce55864c2a5fb8cb7d25f7d6e6d8ea249d551a45b75d99b1ad0d6fb4b5e4544e5ca77bcd627717d6598b5f566a79

memory/4344-62-0x00000000009B0000-0x00000000009B8000-memory.dmp

memory/2612-63-0x00000000738B0000-0x0000000074060000-memory.dmp

memory/4344-64-0x00007FFBA1C70000-0x00007FFBA2731000-memory.dmp

memory/4344-65-0x00007FFBA1C70000-0x00007FFBA2731000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-02-27 16:28

Reported

2024-02-27 16:31

Platform

win7-20240221-en

Max time kernel

119s

Max time network

124s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\Aurora\scripts\scripts.dll

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB70-AE6D-11cf-96B8-444553540000} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB70-AE6D-11cf-96B8-444553540000}\Compatibility Flags = "65536" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\NavigatorPluginsList\Shockwave Flash C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\NavigatorPluginsList\Shockwave Flash\application/futuresplash C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\NavigatorPluginsList\Shockwave Flash\application/x-shockwave-flash C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.8\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.9\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.10 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID\ = "ShockwaveFlash.ShockwaveFlash.23" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.7\ = "Shockwave Flash Object" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.11 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{86230738-D762-4C50-A2DE-A753E5B1686F} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.12\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.23 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID\ = "FlashFactory.FlashFactory" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-shockwave-flash C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\FlashFactory.FlashFactory\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.18 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.21\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MacromediaFlashPaper.MacromediaFlashPaper\shell\open\command C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.12\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.15\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Aurora\\scripts\\scripts.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}\ = "IShockwaveFlash" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{86230738-D762-4C50-A2DE-A753E5B1686F}\TypeLib\ = "{D27CDB6B-AE6D-11CF-96B8-444553540000}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.13\ = "Shockwave Flash Object" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MacromediaFlashPaper.MacromediaFlashPaper\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\iexplore.exe\" %1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.3\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.4\ = "Shockwave Flash Object" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.7 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ = "Macromedia Flash Factory Object" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.12\ = "Shockwave Flash Object" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.16\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib\ = "{D27CDB6B-AE6D-11cf-96B8-444553540000}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.1\ = "Shockwave Flash Object" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.9 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.9\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\EnableFullPage\.spl C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Aurora\\scripts\\scripts.dll, 1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.3\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.14 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.21\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MacromediaFlashPaper.MacromediaFlashPaper\shell\open C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.18\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.21 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.22\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ = "Shockwave Flash Object" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Control C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.15\ = "Shockwave Flash Object" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.23\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.8\ = "Shockwave Flash Object" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.8\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash\ = "Shockwave Flash Object" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MacromediaFlashPaper.MacromediaFlashPaper C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.10\ = "Shockwave Flash Object" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.19 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.23\ = "Shockwave Flash Object" C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2172 wrote to memory of 2300 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2172 wrote to memory of 2300 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2172 wrote to memory of 2300 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2172 wrote to memory of 2300 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2172 wrote to memory of 2300 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2172 wrote to memory of 2300 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2172 wrote to memory of 2300 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\Aurora\scripts\scripts.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\Aurora\scripts\scripts.dll

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-02-27 16:28

Reported

2024-02-27 16:31

Platform

win10v2004-20240226-en

Max time kernel

124s

Max time network

125s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\Aurora\scripts\scripts.dll

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB70-AE6D-11cf-96B8-444553540000}\Compatibility Flags = "65536" C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\INTERNET EXPLORER\NAVIGATORPLUGINSLIST\SHOCKWAVE FLASH C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\NavigatorPluginsList\Shockwave Flash C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\NavigatorPluginsList\Shockwave Flash\application/futuresplash C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\NavigatorPluginsList\Shockwave Flash\application/x-shockwave-flash C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB70-AE6D-11cf-96B8-444553540000} C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.7\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.9\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.22\ = "Shockwave Flash Object" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Control C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{57A0E747-3863-4D20-A811-950C84F1DB9B}\ = "IFlashAccessibility" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Implemented Categories C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Aurora\\scripts" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.23 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{86230738-D762-4C50-A2DE-A753E5B1686F}\TypeLib\ = "{D27CDB6B-AE6D-11CF-96B8-444553540000}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{57A0E746-3863-4D20-A811-950C84F1DB9B}\1.1\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Aurora\\scripts" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.5 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.7\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.10\ = "Shockwave Flash Object" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus\1\ = "131473" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{86230738-D762-4C50-A2DE-A753E5B1686F}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{57A0E747-3863-4D20-A811-950C84F1DB9B} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\FlashFactory.FlashFactory\CLSID\ = "{D27CDB70-AE6D-11cf-96B8-444553540000}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.4\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.15\ = "Shockwave Flash Object" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.16\ = "Shockwave Flash Object" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.16\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mfp C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.21\ = "Shockwave Flash Object" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{57A0E747-3863-4D20-A811-950C84F1DB9B}\TypeLib\ = "{57A0E746-3863-4D20-A811-950C84F1DB9B}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{307F64C0-621D-4D56-BBC6-91EFC13CE40D}\TypeLib\ = "{57A0E746-3863-4D20-A811-950C84F1DB9B}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.13 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.21\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{307F64C0-621D-4D56-BBC6-91EFC13CE40D}\TypeLib\ = "{57A0E746-3863-4D20-A811-950C84F1DB9B}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.9\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID\ = "FlashFactory.FlashFactory" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{86230738-D762-4C50-A2DE-A753E5B1686F}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{57A0E747-3863-4D20-A811-950C84F1DB9B}\TypeLib\Version = "1.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MacromediaFlashPaper.MacromediaFlashPaper\ = "Macromedia Flash Paper" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.12\ = "Shockwave Flash Object" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{86230738-D762-4C50-A2DE-A753E5B1686F}\ = "IFlashObject" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{307F64C0-621D-4D56-BBC6-91EFC13CE40D}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.6\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.sor\Content Type = "text/plain" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Aurora\\scripts\\scripts.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}\ = "IShockwaveFlash" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Control C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/futuresplash\Extension = ".spl" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}\TypeLib\ = "{D27CDB6B-AE6D-11CF-96B8-444553540000}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{307F64C0-621D-4D56-BBC6-91EFC13CE40D}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{307F64C0-621D-4D56-BBC6-91EFC13CE40D}\TypeLib\Version = "1.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MacromediaFlashPaper.MacromediaFlashPaper C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.13\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Aurora\\scripts\\scripts.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version\ = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MacromediaFlashPaper.MacromediaFlashPaper\shell\open\command C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3856 wrote to memory of 1644 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3856 wrote to memory of 1644 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3856 wrote to memory of 1644 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\Aurora\scripts\scripts.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\Aurora\scripts\scripts.dll

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 208.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 138.201.86.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 179.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 202.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 209.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp

Files

N/A