Analysis Overview
SHA256
f7dc829d59a3f45926630c70d20b8b7dcdb0a9c0b67110269837d2c58e096f91
Threat Level: Known bad
The file Aurora X [by GodsExploits].zip was found to be: Known bad.
Malicious Activity Summary
Suspicious use of NtCreateUserProcessOtherParentProcess
CryptOne packer
Checks computer location settings
Executes dropped EXE
Reads user/profile data of web browsers
Drops startup file
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Enumerates physical storage devices
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Modifies registry class
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates processes with tasklist
Modifies Internet Explorer settings
Suspicious use of AdjustPrivilegeToken
Suspicious use of SendNotifyMessage
Runs ping.exe
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-02-28 19:21
Signatures
CryptOne packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-02-28 19:20
Reported
2024-02-28 19:23
Platform
win10-20240221-en
Max time kernel
128s
Max time network
143s
Command Line
Signatures
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 772 created 3308 | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\17846\Some.pif | C:\Windows\Explorer.EXE |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\17846\RegAsm.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\17846\Some.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\17846\RegAsm.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe | N/A |
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Enumerates physical storage devices
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\17846\Some.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\17846\Some.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\17846\Some.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\17846\Some.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\17846\Some.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\17846\Some.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\17846\Some.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\17846\Some.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\17846\RegAsm.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\17846\Some.pif | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\17846\RegAsm.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\17846\Some.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\17846\Some.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\17846\Some.pif | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\17846\Some.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\17846\Some.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\17846\Some.pif | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Users\Admin\AppData\Local\Temp\Aurora\Aurora.exe | "C:\Users\Admin\AppData\Local\Temp\Aurora\Aurora.exe" |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /k move Painful Painful.bat & Painful.bat & exit |
| C:\Windows\SysWOW64\tasklist.exe | tasklist |
| C:\Windows\SysWOW64\findstr.exe | findstr /I "wrsa.exe opssvc.exe" |
| C:\Windows\SysWOW64\tasklist.exe | tasklist |
| C:\Windows\SysWOW64\findstr.exe | findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe" |
| C:\Windows\SysWOW64\cmd.exe | cmd /c md 17846 |
| C:\Windows\SysWOW64\cmd.exe | cmd /c copy /b Getting + Incentive + Thread + Collectibles + Informed 17846\Some.pif |
| C:\Windows\SysWOW64\cmd.exe | cmd /c copy /b Depends 17846\o |
| C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\17846\Some.pif | 17846\Some.pif 17846\o |
| C:\Windows\SysWOW64\PING.EXE | ping -n 5 127.0.0.1 |
| C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\17846\RegAsm.exe | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\17846\RegAsm.exe |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe" |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | YkHoCyKqZzlbXuNP.YkHoCyKqZzlbXuNP | udp |
| NL | 45.15.156.186:29975 | N/A | tcp |
| US | 8.8.8.8:53 | 186.156.15.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 123.10.44.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Painful
| MD5 | 14f0143671aa234d550f8236779661f1 |
| SHA1 | 703d124e6ab5c6febec3d382ac013c73d5296804 |
| SHA256 | a15f1384ef47d3192b087bfaf5cc669391b7999fe09b9b15703d76c4c9b4a510 |
| SHA512 | 7562c866a4501e007d125f1341d4324bd4b0af01089e619e85ffb70c9cc47d9bf2b6ce3a6bc9c4e132f5bdfe6801b4e8c6581656483fd2a5ec35e0fdf17dd5f4 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Getting
| MD5 | f0b0088291bd53c8a8ccdde80b27c1ea |
| SHA1 | edc14809a25bacd6a8d573519430c5a0b7bdabf3 |
| SHA256 | 854f3d4e76e9895fbb4db34ffc03447f3c6849bb7886f956ef005ae38225df96 |
| SHA512 | df85d8e2250a57ec1ac419b1ed8356c3b04b6578eea5c1f2fe4245a4ecb55516bcf7a08eba0b38b7447ef5472c6e1d4db7f89d28bdf0d3f978875a2ebfc05436 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Incentive
| MD5 | 3df26aad973ee35ce3246f6f2fb1b40a |
| SHA1 | 039a6e581df432f317ac6e57fcee3a8533fb1c5f |
| SHA256 | 69afbe257da18de11385c7c113ded1cd1d6a5b9312d49c53d348829322fc2689 |
| SHA512 | 0cdbb773ac59ad535ee8c08540db00515c1e9728e39e2224d6772efb4ce97b87abc4787491e96e190bf3f2b0229a76d91da49ae959a0e666d7366ac109d45205 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Thread
| MD5 | de20c902975bd3a0a74349e2802ddee9 |
| SHA1 | a69c64a294e3e4fc98b11088e48d347237e23099 |
| SHA256 | 2fd852e4560b10fb8887bbb5423a3152050306976abde039889c28b0eb216274 |
| SHA512 | 347d6def344010a0a69151775a6b2a0ac4917ce2a2adcae0f87457cd7b9a8a4afc33bc013a4397c4db092afd8c8b872e0de6abdfbc852b9d2d0602d6f0d29485 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Collectibles
| MD5 | e60e6b719a7a34dcccb2d6bcd97424de |
| SHA1 | 28056594a2d3155197dbf5bce5cff51dbf331b4a |
| SHA256 | ac9e30fbe5fc06ffe55fb3edd3c5252380e49c01b25379d7f10567cc5f37acfe |
| SHA512 | 30ed4c5f1b4c690987d02ae38e4c7ea4acff53394a116960de225d0ac6a0f1d5ab3ae84224b8a0b204791424d2195fba8de4c2a616aa0627c098590285bb0e61 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Informed
| MD5 | 1d1c99b1dd572318731358c8a01baa4d |
| SHA1 | efe3d84eb1f3644277093f059aab9248dcbbb958 |
| SHA256 | 708c2d2e15e3f7af01d121ef5284cda947eb180aa38c193495f46424870acee6 |
| SHA512 | 6c7e8c4399bba46045343195b52b51c1a85d67fea533a09b4b4a76419ff33721014af7b5f893e711593d0b0b2d8d76c1097c72efc9a9980b21bf78560b14d601 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Depends
| MD5 | 37e6bda5dbc39d1e0ba02532c4bafb72 |
| SHA1 | 194703009f09bb2d3013165da74c23fc67ba1100 |
| SHA256 | 36afba9d783a0bcd819b34dacb0f0beb2d167711b42501320244f7bcab9190e7 |
| SHA512 | 92485efb80a8a28cc2a5bf6702fa212aa2072679918c1bb410f78405d0c65ccaee05fe0b95527e92f89f75af72468e0085e2bacb5f24c46062c1abd9b4b7f200 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\17846\Some.pif
| MD5 | 848164d084384c49937f99d5b894253e |
| SHA1 | 3055ef803eeec4f175ebf120f94125717ee12444 |
| SHA256 | f58d3a4b2f3f7f10815c24586fae91964eeed830369e7e0701b43895b0cefbd3 |
| SHA512 | aabe1cf076f48f32542f49a92e4ca9f054b31d5a9949119991b897b9489fe775d8009896408ba49ac43ec431c87c0d385daead9dbbde7ef6309b0c97bbaf852a |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\17846\RegAsm.exe
| MD5 | b58b926c3574d28d5b7fdd2ca3ec30d5 |
| SHA1 | d260c4ffd603a9cfc057fcb83d678b1cecdf86f9 |
| SHA256 | 6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3 |
| SHA512 | b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe
| MD5 | a5ce3aba68bdb438e98b1d0c70a3d95c |
| SHA1 | 013f5aa9057bf0b3c0c24824de9d075434501354 |
| SHA256 | 9b860be98a046ea97a7f67b006e0b1bc9ab7731dd2a0f3a9fd3d710f6c43278a |
| SHA512 | 7446f1256873b51a59b9d2d3498cef5a41dbce55864c2a5fb8cb7d25f7d6e6d8ea249d551a45b75d99b1ad0d6fb4b5e4544e5ca77bcd627717d6598b5f566a79 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-02-28 19:20
Reported
2024-02-28 19:23
Platform
win10v2004-20240226-en
Max time kernel
147s
Max time network
151s
Command Line
Signatures
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 4420 created 3484 | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\17839\Some.pif | C:\Windows\Explorer.EXE |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Aurora\Aurora.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\17839\RegAsm.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\17839\RegAsm.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\17839\Some.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\17839\RegAsm.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe | N/A |
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Enumerates physical storage devices
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\17839\Some.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\17839\Some.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\17839\Some.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\17839\Some.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\17839\Some.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\17839\Some.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\17839\Some.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\17839\Some.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\17839\RegAsm.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\17839\RegAsm.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\17839\Some.pif | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\17839\RegAsm.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\17839\Some.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\17839\Some.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\17839\Some.pif | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\17839\Some.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\17839\Some.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\17839\Some.pif | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Users\Admin\AppData\Local\Temp\Aurora\Aurora.exe | "C:\Users\Admin\AppData\Local\Temp\Aurora\Aurora.exe" |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /k move Painful Painful.bat & Painful.bat & exit |
| C:\Windows\SysWOW64\findstr.exe | findstr /I "wrsa.exe opssvc.exe" |
| C:\Windows\SysWOW64\tasklist.exe | tasklist |
| C:\Windows\SysWOW64\tasklist.exe | tasklist |
| C:\Windows\SysWOW64\findstr.exe | findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe" |
| C:\Windows\SysWOW64\cmd.exe | cmd /c md 17839 |
| C:\Windows\SysWOW64\cmd.exe | cmd /c copy /b Getting + Incentive + Thread + Collectibles + Informed 17839\Some.pif |
| C:\Windows\SysWOW64\cmd.exe | cmd /c copy /b Depends 17839\o |
| C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\17839\Some.pif | 17839\Some.pif 17839\o |
| C:\Windows\SysWOW64\PING.EXE | ping -n 5 127.0.0.1 |
| C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\17839\RegAsm.exe | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\17839\RegAsm.exe |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe" |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 138.91.171.81:80 | N/A | tcp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | YkHoCyKqZzlbXuNP.YkHoCyKqZzlbXuNP | udp |
| US | 8.8.8.8:53 | 203.33.253.131.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| NL | 45.15.156.186:29975 | N/A | tcp |
| US | 8.8.8.8:53 | 186.156.15.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.141.79.40.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Painful, Getting, Incentive, Thread, Collectibles, Informed and Depends: identical to the files of the same names listed under behavioral1 (same MD5, SHA1, SHA256 and SHA512 values).
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\17839\Some.pif
| MD5 | 848164d084384c49937f99d5b894253e |
| SHA1 | 3055ef803eeec4f175ebf120f94125717ee12444 |
| SHA256 | f58d3a4b2f3f7f10815c24586fae91964eeed830369e7e0701b43895b0cefbd3 |
| SHA512 | aabe1cf076f48f32542f49a92e4ca9f054b31d5a9949119991b897b9489fe775d8009896408ba49ac43ec431c87c0d385daead9dbbde7ef6309b0c97bbaf852a |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\17839\RegAsm.exe
| MD5 | 0d5df43af2916f47d00c1573797c1a13 |
| SHA1 | 230ab5559e806574d26b4c20847c368ed55483b0 |
| SHA256 | c066aee7aa3aa83f763ebc5541daa266ed6c648fbffcde0d836a13b221bb2adc |
| SHA512 | f96cf9e1890746b12daf839a6d0f16f062b72c1b8a40439f96583f242980f10f867720232a6fa0f7d4d7ac0a7a6143981a5a130d6417ea98b181447134c7cfe2 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe
| MD5 | a5ce3aba68bdb438e98b1d0c70a3d95c |
| SHA1 | 013f5aa9057bf0b3c0c24824de9d075434501354 |
| SHA256 | 9b860be98a046ea97a7f67b006e0b1bc9ab7731dd2a0f3a9fd3d710f6c43278a |
| SHA512 | 7446f1256873b51a59b9d2d3498cef5a41dbce55864c2a5fb8cb7d25f7d6e6d8ea249d551a45b75d99b1ad0d6fb4b5e4544e5ca77bcd627717d6598b5f566a79 |
Analysis: behavioral3
Detonation Overview
Submitted
2024-02-28 19:20
Reported
2024-02-28 19:23
Platform
win10-20240221-en
Max time kernel
133s
Max time network
135s
Command Line
Signatures
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4788 wrote to memory of 200 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 4788 wrote to memory of 200 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 4788 wrote to memory of 200 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
Processes
| Process | Command line |
| C:\Windows\system32\regsvr32.exe | regsvr32 /s C:\Users\Admin\AppData\Local\Temp\Aurora\scripts\scripts.dll |
| C:\Windows\SysWOW64\regsvr32.exe | /s C:\Users\Admin\AppData\Local\Temp\Aurora\scripts\scripts.dll |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 211.143.182.52.in-addr.arpa | udp |
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-02-28 19:20
Reported
2024-02-28 19:23
Platform
win10v2004-20240226-en
Max time kernel
141s
Max time network
142s
Command Line
Signatures
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\NavigatorPluginsList\Shockwave Flash | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\NavigatorPluginsList\Shockwave Flash\application/futuresplash | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\NavigatorPluginsList\Shockwave Flash\application/x-shockwave-flash | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB70-AE6D-11cf-96B8-444553540000} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB70-AE6D-11cf-96B8-444553540000}\Compatibility Flags = "65536" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\INTERNET EXPLORER\NAVIGATORPLUGINSLIST\SHOCKWAVE FLASH | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MacromediaFlashPaper.MacromediaFlashPaper\shell | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.22\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}\ = "IShockwaveFlash" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.8 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0\FLAGS | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.3\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.14\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus\ = "0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.13\ = "Shockwave Flash Object" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.14 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.22 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.spl | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.spl\ = "ShockwaveFlash.ShockwaveFlash" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.9\ = "Shockwave Flash Object" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{86230738-D762-4C50-A2DE-A753E5B1686F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0\FLAGS\ = "0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.5\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.7\ = "Shockwave Flash Object" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.19 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version\ = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Aurora\\scripts\\scripts.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{307F64C0-621D-4D56-BBC6-91EFC13CE40D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{57A0E747-3863-4D20-A811-950C84F1DB9B}\ = "IFlashAccessibility" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{57A0E747-3863-4D20-A811-950C84F1DB9B}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mfp\ = "MacromediaFlashPaper.MacromediaFlashPaper" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0\ = "Shockwave Flash" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}\ = "_IShockwaveFlashEvents" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{57A0E747-3863-4D20-A811-950C84F1DB9B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.3\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.swf | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/futuresplash | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}\ = "_IShockwaveFlashEvents" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.swf\ = "ShockwaveFlash.ShockwaveFlash" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.21\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{57A0E747-3863-4D20-A811-950C84F1DB9B}\ = "IFlashAccessibility" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{57A0E747-3863-4D20-A811-950C84F1DB9B}\TypeLib\ = "{57A0E746-3863-4D20-A811-950C84F1DB9B}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{307F64C0-621D-4D56-BBC6-91EFC13CE40D}\TypeLib\Version = "1.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.6\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.11\ = "Shockwave Flash Object" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.21 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.16\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{57A0E746-3863-4D20-A811-950C84F1DB9B}\1.1\FLAGS\ = "0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{86230738-D762-4C50-A2DE-A753E5B1686F} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{307F64C0-621D-4D56-BBC6-91EFC13CE40D}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\FlashFactory.FlashFactory\ = "Macromedia Flash Factory Object" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.5 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus\1 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib\ = "{D27CDB6B-AE6D-11cf-96B8-444553540000}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\EnableFullPage\.spl | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{86230738-D762-4C50-A2DE-A753E5B1686F}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{86230738-D762-4C50-A2DE-A753E5B1686F}\ = "IFlashObject" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{57A0E746-3863-4D20-A811-950C84F1DB9B}\1.1\ = "FlashAccessibility" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.3 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3596 wrote to memory of 2088 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 3596 wrote to memory of 2088 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 3596 wrote to memory of 2088 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\Aurora\scripts\scripts.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\Aurora\scripts\scripts.dll
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 52.179.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 20.231.121.79:80 | N/A | tcp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.178.17.96.in-addr.arpa | udp |