Analysis Overview
SHA256
b405c6851a96d513518fa906328f07f9468bf2142baba0059ee286888d2a77ea
Threat Level: Known bad
The file Aurora [by Ryosx].zip was found to be: Known bad.
Malicious Activity Summary
Suspicious use of NtCreateUserProcessOtherParentProcess
CryptOne packer
Downloads MZ/PE file
Drops startup file
Reads user/profile data of web browsers
Executes dropped EXE
Checks computer location settings
Loads dropped DLL
Checks installed software on the system
Accesses cryptocurrency files/wallets, possible credential harvesting
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Uses Volume Shadow Copy service COM API
Modifies Internet Explorer settings
Enumerates system info in registry
Suspicious use of SendNotifyMessage
Suspicious behavior: GetForegroundWindowSpam
Runs ping.exe
Suspicious use of SetWindowsHookEx
Enumerates processes with tasklist
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Uses Task Scheduler COM API
Uses Volume Shadow Copy WMI provider
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-02-29 02:03
Signatures
CryptOne packer
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral4
Detonation Overview
Submitted
2024-02-29 02:03
Reported
2024-02-29 02:34
Platform
win10v2004-20240226-en
Max time kernel
1789s
Max time network
1799s
Signatures
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB70-AE6D-11cf-96B8-444553540000}\Compatibility Flags = "65536" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\INTERNET EXPLORER\NAVIGATORPLUGINSLIST\SHOCKWAVE FLASH | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\NavigatorPluginsList\Shockwave Flash | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\NavigatorPluginsList\Shockwave Flash\application/futuresplash | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\NavigatorPluginsList\Shockwave Flash\application/x-shockwave-flash | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB70-AE6D-11cf-96B8-444553540000} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.8\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.10\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.11\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\AuroraV2\\scripts\\scripts.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.7\ = "Shockwave Flash Object" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Control | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/futuresplash\Extension = ".spl" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.6\ = "Shockwave Flash Object" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.15 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.19\ = "Shockwave Flash Object" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.19\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version\ = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{57A0E746-3863-4D20-A811-950C84F1DB9B}\1.1\FLAGS | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.4\ = "Shockwave Flash Object" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.23\ = "Shockwave Flash Object" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{57A0E747-3863-4D20-A811-950C84F1DB9B}\ = "IFlashAccessibility" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.6\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.22 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{57A0E747-3863-4D20-A811-950C84F1DB9B} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{307F64C0-621D-4D56-BBC6-91EFC13CE40D} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.14\ = "Shockwave Flash Object" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus\ = "0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}\TypeLib\ = "{D27CDB6B-AE6D-11CF-96B8-444553540000}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{57A0E746-3863-4D20-A811-950C84F1DB9B}\1.1\0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MacromediaFlashPaper.MacromediaFlashPaper\shell\open | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.11\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{57A0E747-3863-4D20-A811-950C84F1DB9B} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}\TypeLib\ = "{D27CDB6B-AE6D-11CF-96B8-444553540000}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mfp\ = "MacromediaFlashPaper.MacromediaFlashPaper" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{86230738-D762-4C50-A2DE-A753E5B1686F}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{57A0E747-3863-4D20-A811-950C84F1DB9B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.9\ = "Shockwave Flash Object" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.12 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.22\ = "Shockwave Flash Object" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.23\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{86230738-D762-4C50-A2DE-A753E5B1686F}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.1 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.18\ = "Shockwave Flash Object" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.1\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Programmable | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.16 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.11 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID\ = "ShockwaveFlash.ShockwaveFlash" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0\FLAGS | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\FlashFactory.FlashFactory.1\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{86230738-D762-4C50-A2DE-A753E5B1686F}\TypeLib\ = "{D27CDB6B-AE6D-11CF-96B8-444553540000}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.13 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{57A0E746-3863-4D20-A811-950C84F1DB9B}\1.1\0\win32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{57A0E747-3863-4D20-A811-950C84F1DB9B}\TypeLib\Version = "1.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.5\ = "Shockwave Flash Object" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{86230738-D762-4C50-A2DE-A753E5B1686F}\TypeLib\ = "{D27CDB6B-AE6D-11CF-96B8-444553540000}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{57A0E747-3863-4D20-A811-950C84F1DB9B}\TypeLib\ = "{57A0E746-3863-4D20-A811-950C84F1DB9B}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.17 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0\HELPDIR | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{86230738-D762-4C50-A2DE-A753E5B1686F}\ = "IFlashObject" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.spl | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0\0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{307F64C0-621D-4D56-BBC6-91EFC13CE40D}\TypeLib\Version = "1.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/futuresplash | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 4168 wrote to memory of 3124 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\AuroraV2\scripts\scripts.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\AuroraV2\scripts\scripts.dll
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3968 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5108 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:8
Network
Analysis: behavioral1
Detonation Overview
Submitted
2024-02-29 02:03
Reported
2024-02-29 02:10
Platform
win7-20240221-en
Max time kernel
150s
Max time network
348s
Signatures
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2552 created 1184 | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\31206\Expressions.pif | C:\Windows\Explorer.EXE |
Downloads MZ/PE file
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\31206\RegAsm.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\31206\Expressions.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\31206\RegAsm.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\31206\Expressions.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\31206\RegAsm.exe | N/A |
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Enumerates physical storage devices
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\31206\Expressions.pif | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy WMI provider
Uses Volume Shadow Copy service COM API
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\AuroraV2\Aurora X.exe
"C:\Users\Admin\AppData\Local\Temp\AuroraV2\Aurora X.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k move Approve Approve.bat & Approve.bat & exit
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "wrsa.exe opssvc.exe"
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c md 31206
C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b Nuclear + Plasma + Proper + Merger 31206\Expressions.pif
C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b Practice 31206\z
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\31206\Expressions.pif
31206\Expressions.pif 31206\z
C:\Windows\SysWOW64\PING.EXE
ping -n 5 127.0.0.1
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\31206\RegAsm.exe
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\31206\RegAsm.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef5bf9758,0x7fef5bf9768,0x7fef5bf9778
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1092 --field-trial-handle=1392,i,13808282240714328226,1492664619194990585,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1644 --field-trial-handle=1392,i,13808282240714328226,1492664619194990585,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1536 --field-trial-handle=1392,i,13808282240714328226,1492664619194990585,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2284 --field-trial-handle=1392,i,13808282240714328226,1492664619194990585,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2292 --field-trial-handle=1392,i,13808282240714328226,1492664619194990585,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef3389758,0x7fef3389768,0x7fef3389778
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1156 --field-trial-handle=1144,i,14551013619960801077,8287128098323009793,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1532 --field-trial-handle=1144,i,14551013619960801077,8287128098323009793,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1620 --field-trial-handle=1144,i,14551013619960801077,8287128098323009793,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2316 --field-trial-handle=1144,i,14551013619960801077,8287128098323009793,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2328 --field-trial-handle=1144,i,14551013619960801077,8287128098323009793,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1504 --field-trial-handle=1144,i,14551013619960801077,8287128098323009793,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3180 --field-trial-handle=1144,i,14551013619960801077,8287128098323009793,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3652 --field-trial-handle=1144,i,14551013619960801077,8287128098323009793,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=3652 --field-trial-handle=1144,i,14551013619960801077,8287128098323009793,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3944 --field-trial-handle=1144,i,14551013619960801077,8287128098323009793,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=2572 --field-trial-handle=1144,i,14551013619960801077,8287128098323009793,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=2468 --field-trial-handle=1144,i,14551013619960801077,8287128098323009793,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3972 --field-trial-handle=1144,i,14551013619960801077,8287128098323009793,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3772 --field-trial-handle=1144,i,14551013619960801077,8287128098323009793,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1744 --field-trial-handle=1144,i,14551013619960801077,8287128098323009793,131072 /prefetch:8
C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Desktop\AuroraV2.rar"
C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Desktop\AuroraV2.rar"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=4256 --field-trial-handle=1144,i,14551013619960801077,8287128098323009793,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=4372 --field-trial-handle=1144,i,14551013619960801077,8287128098323009793,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4508 --field-trial-handle=1144,i,14551013619960801077,8287128098323009793,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4636 --field-trial-handle=1144,i,14551013619960801077,8287128098323009793,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --mojo-platform-channel-handle=1108 --field-trial-handle=1144,i,14551013619960801077,8287128098323009793,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --mojo-platform-channel-handle=3972 --field-trial-handle=1144,i,14551013619960801077,8287128098323009793,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=668 --field-trial-handle=1144,i,14551013619960801077,8287128098323009793,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=1880 --field-trial-handle=1144,i,14551013619960801077,8287128098323009793,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4408 --field-trial-handle=1144,i,14551013619960801077,8287128098323009793,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2708 --field-trial-handle=1144,i,14551013619960801077,8287128098323009793,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4412 --field-trial-handle=1144,i,14551013619960801077,8287128098323009793,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=788 --field-trial-handle=1144,i,14551013619960801077,8287128098323009793,131072 /prefetch:8
C:\Users\Admin\Downloads\RobloxPlayerInstaller.exe
"C:\Users\Admin\Downloads\RobloxPlayerInstaller.exe"
C:\Program Files (x86)\Roblox\Versions\version-70a2467227df4077\WebView2RuntimeInstaller\MicrosoftEdgeWebview2Setup.exe
MicrosoftEdgeWebview2Setup.exe /silent /install
C:\Program Files (x86)\Microsoft\Temp\EUE82D.tmp\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\Temp\EUE82D.tmp\MicrosoftEdgeUpdate.exe" /silent /install "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=prefers"
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regsvc
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regserver
C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.171.39\MicrosoftEdgeUpdateComRegisterShell64.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.171.39\MicrosoftEdgeUpdateComRegisterShell64.exe"
C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.171.39\MicrosoftEdgeUpdateComRegisterShell64.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.171.39\MicrosoftEdgeUpdateComRegisterShell64.exe"
C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.171.39\MicrosoftEdgeUpdateComRegisterShell64.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.171.39\MicrosoftEdgeUpdateComRegisterShell64.exe"
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNzEuMzkiIHNoZWxsX3ZlcnNpb249IjEuMy4xNzEuMzkiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7RTk1MENEM0MtMTIxMy00MkNDLUFBOTEtMDNBQzIwN0REMDdBfSIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiByZXF1ZXN0aWQ9Ins5QkYwNjFEQy04QTkwLTRCQzYtQjA2OC02NkM2NTY5QUYxNTl9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iOCIgcGh5c21lbW9yeT0iMiIgZGlza190eXBlPSIwIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSI2LjEuNzYwMS4wIiBzcD0iU2VydmljZSBQYWNrIDEiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSIxIiBpc193aXA9IjAiLz48b2VtIHByb2R1Y3RfbWFudWZhY3R1cmVyPSJEQURZIiBwcm9kdWN0X25hbWU9IlN0YW5kYXJkIFBDIChRMzUgKyBJQ0g5LCAyMDA5KSIvPjxleHAgZXRhZz0iIi8-PGFwcCBhcHBpZD0ie0YzQzRGRTAwLUVGRDUtNDAzQi05NTY5LTM5OEEyMEYxQkE0QX0iIHZlcnNpb249IiIgbmV4dHZlcnNpb249IjEuMy4xNzEuMzkiIGxhbmc9IiIgYnJhbmQ9IiIgY2xpZW50PSIiPjxldmVudCBldmVudHR5cGU9IjIiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjQ0ODU4ODAwMDAiIGluc3RhbGxfdGltZV9tcz0iNzU2Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /handoff "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=prefers" /installsource otherinstallcmd /sessionid "{E950CD3C-1213-42CC-AA91-03AC207DD07A}" /silent
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /svc
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNzEuMzkiIHNoZWxsX3ZlcnNpb249IjEuMy4xNzEuMzkiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7RTk1MENEM0MtMTIxMy00MkNDLUFBOTEtMDNBQzIwN0REMDdBfSIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiByZXF1ZXN0aWQ9Ins2QTI2NDk5My1EOUNBLTQ1NEUtQkUyOS03Mzg1M0UzMDA4OTl9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iOCIgcGh5c21lbW9yeT0iMiIgZGlza190eXBlPSIwIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSI2LjEuNzYwMS4wIiBzcD0iU2VydmljZSBQYWNrIDEiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSIxIiBpc193aXA9IjAiLz48b2VtIHByb2R1Y3RfbWFudWZhY3R1cmVyPSJEQURZIiBwcm9kdWN0X25hbWU9IlN0YW5kYXJkIFBDIChRMzUgKyBJQ0g5LCAyMDA5KSIvPjxleHAgZXRhZz0iIi8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEwNi4wLjUyNDkuMTE5IiBuZXh0dmVyc2lvbj0iMTA2LjAuNTI0OS4xMTkiIGxhbmc9ImVuIiBicmFuZD0iR0dMUyIgY2xpZW50PSIiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIzIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI0NDkxNDgwMDAwIi8-PC9hcHA-PC9yZXF1ZXN0Pg
C:\Users\Admin\Desktop\AuroraV2\Aurora X.exe
"C:\Users\Admin\Desktop\AuroraV2\Aurora X.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k move Approve Approve.bat & Approve.bat & exit
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "wrsa.exe opssvc.exe"
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c md 32032
C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b Nuclear + Plasma + Proper + Merger 32032\Expressions.pif
C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b Practice 32032\z
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\32032\Expressions.pif
32032\Expressions.pif 32032\z
C:\Windows\SysWOW64\PING.EXE
ping -n 5 127.0.0.1
C:\Users\Admin\Desktop\AuroraV2\Aurora X.exe
"C:\Users\Admin\Desktop\AuroraV2\Aurora X.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k move Approve Approve.bat & Approve.bat & exit
C:\Windows\SysWOW64\findstr.exe
findstr /I "wrsa.exe opssvc.exe"
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Users\Admin\Desktop\AuroraV2\Aurora X.exe
"C:\Users\Admin\Desktop\AuroraV2\Aurora X.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k move Approve Approve.bat & Approve.bat & exit
C:\Windows\SysWOW64\findstr.exe
findstr /I "wrsa.exe opssvc.exe"
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\32032\RegAsm.exe
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\32032\RegAsm.exe
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c md 32052
C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b Nuclear + Plasma + Proper + Merger 32052\Expressions.pif
C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b Practice 32052\z
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.002\32052\Expressions.pif
32052\Expressions.pif 32052\z
C:\Windows\SysWOW64\PING.EXE
ping -n 5 127.0.0.1
C:\Windows\SysWOW64\cmd.exe
cmd /c md 32068
C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b Nuclear + Plasma + Proper + Merger 32068\Expressions.pif
C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b Practice 32068\z
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.003\32068\Expressions.pif
32068\Expressions.pif 32068\z
C:\Windows\SysWOW64\PING.EXE
ping -n 5 127.0.0.1
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.002\32052\RegAsm.exe
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.002\32052\RegAsm.exe
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.003\32068\RegAsm.exe
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.003\32068\RegAsm.exe
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{89C46C0B-E3B2-4538-9E3B-947B29EF6721}\MicrosoftEdge_X64_109.0.1518.140.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{89C46C0B-E3B2-4538-9E3B-947B29EF6721}\MicrosoftEdge_X64_109.0.1518.140.exe" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{89C46C0B-E3B2-4538-9E3B-947B29EF6721}\EDGEMITMP_6EC7A.tmp\setup.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{89C46C0B-E3B2-4538-9E3B-947B29EF6721}\EDGEMITMP_6EC7A.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{89C46C0B-E3B2-4538-9E3B-947B29EF6721}\MicrosoftEdge_X64_109.0.1518.140.exe" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level
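Added example, not part of the sandbox output: a small Python triage script that runs the detection logic a practitioner would want over the "Aurora X.exe" command lines listed above (rename an extensionless drop to .bat and run it, tasklist/findstr checks for security products, `copy /b` reassembly of chunk files into Expressions.pif, a loopback ping as a sleep, then RegAsm.exe from the SFX temp directory). The command-line sample is copied from the process list; the rule names, regexes, the three-rule verdict threshold and the ATT&CK technique mapping are my own and are not stated by the report.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: the command lines of one "Aurora X.exe" chain as they
# appear in the process list above (the report repeats the same sequence
# under 7ZipSfx.001, .002 and .003).
SAMPLE_CMDLINES = [
    r'"C:\Windows\System32\cmd.exe" /k move Approve Approve.bat & Approve.bat & exit',
    r'tasklist',
    r'findstr /I "wrsa.exe opssvc.exe"',
    r'tasklist',
    r'findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"',
    r'cmd /c md 32032',
    r'cmd /c copy /b Nuclear + Plasma + Proper + Merger 32032\Expressions.pif',
    r'cmd /c copy /b Practice 32032\z',
    r'32032\Expressions.pif 32032\z',
    r'ping -n 5 127.0.0.1',
    r'C:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\32032\RegAsm.exe',
]

# (rule name, pattern, ATT&CK technique). The technique mapping is my own
# reading of each step, not something the report states.
RULES: List[Tuple[str, "re.Pattern[str]", str]] = [
    ("extensionless file renamed to .bat and run",
     re.compile(r'\bmove\s+\S+\s+\S+\.bat\b.*&\s*\S+\.bat\b', re.I), "T1059.003"),
    ("findstr against a list of security-product process names",
     re.compile(r'\bfindstr\s+/I\s+"[^"]*\.exe', re.I), "T1518.001"),
    ("payload reassembled from chunks with copy /b",
     re.compile(r'\bcopy\s+/b\s+\S+(?:\s*\+\s*\S+)+\s+\S+', re.I), "T1027"),
    (".pif launched from a freshly created numeric directory",
     re.compile(r'^\d+\\[^\\\s]+\.pif(?:\s|$)', re.I), "T1204.002"),
    ("ping to loopback used as a sleep",
     re.compile(r'\bping(?:\.exe)?\s+-n\s+\d+\s+127\.0\.0\.1', re.I), "T1497.003"),
    ("RegAsm.exe started from a 7-Zip SFX temp directory",
     re.compile(r'\\7ZipSfx\.\d+\\.*\\RegAsm\.exe$', re.I), "T1218.009"),
]


def match_rules(cmdline: str) -> List[Tuple[str, str]]:
    """Return (rule name, technique) for every rule the command line trips."""
    return [(name, tid) for name, rx, tid in RULES if rx.search(cmdline)]


def score_chain(cmdlines: List[str]) -> Dict[str, object]:
    """Aggregate rule hits over a process chain. Three or more distinct
    stages are treated as the staged-loader pattern seen in this report."""
    hits: Dict[str, List[str]] = {}
    techniques = set()
    for c in cmdlines:
        for name, tid in match_rules(c):
            hits.setdefault(name, []).append(c)
            techniques.add(tid)
    verdict = "staged loader" if len(hits) >= 3 else "inconclusive"
    return {"distinct_rules": len(hits), "techniques": sorted(techniques),
            "hits": hits, "verdict": verdict}


COPY_B = re.compile(r'\bcopy\s+/b\s+(?P<parts>.+?)\s+(?P<dest>\S+)\s*$', re.I)


def parse_copy_b(cmdline: str) -> Optional[Tuple[List[str], str]]:
    """Split 'copy /b A + B + C dest' into its input chunks and destination,
    so the dropped files can be stitched back together and hashed."""
    m = COPY_B.search(cmdline)
    if not m:
        return None
    parts = [p.strip() for p in m.group("parts").split("+")]
    return parts, m.group("dest")


FINDSTR_LIST = re.compile(r'\bfindstr\s+(?:/\w+\s+)*"([^"]+)"', re.I)


def security_products_probed(cmdlines: List[str]) -> List[str]:
    """Collect the process names the loader looks for before unpacking."""
    names = set()
    for c in cmdlines:
        m = FINDSTR_LIST.search(c)
        if m:
            names.update(n.lower() for n in m.group(1).split())
    return sorted(names)


if __name__ == "__main__":
    result = score_chain(SAMPLE_CMDLINES)
    print(result["verdict"], result["techniques"])
    print(security_products_probed(SAMPLE_CMDLINES))
    for c in SAMPLE_CMDLINES:
        parsed = parse_copy_b(c)
        if parsed:
            print("reassemble", " + ".join(parsed[0]), "->", parsed[1])
```

On the sample this returns a "staged loader" verdict with six distinct rules, and `parse_copy_b` yields the chunk order Nuclear + Plasma + Proper + Merger for Expressions.pif. The check that follows from it: concatenate those four dropped files (listed with hashes in the Files section) in that order and compare the SHA256 with the Expressions.pif value given there; a match confirms that the chunk files, not the SFX itself, carry the stage that RegAsm.exe later hosts.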
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | GcIcVSqBZYfPLer.GcIcVSqBZYfPLer | udp |
| NL | 45.15.156.186:29975 | | tcp |
| US | 8.8.8.8:53 | www.google.com | udp |
| IE | 74.125.193.103:443 | www.google.com | udp |
| IE | 74.125.193.103:443 | www.google.com | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| US | 8.8.8.8:53 | ryosx.lol | udp |
| US | 198.54.116.91:443 | ryosx.lol | tcp |
| US | 198.54.116.91:443 | ryosx.lol | tcp |
| US | 198.54.116.91:443 | ryosx.lol | tcp |
| US | 8.8.8.8:53 | href.li | udp |
| US | 192.0.78.27:443 | href.li | tcp |
| US | 192.0.78.27:443 | href.li | tcp |
| US | 8.8.8.8:53 | apps.identrust.com | udp |
| GB | 96.17.179.205:80 | apps.identrust.com | tcp |
| US | 8.8.8.8:53 | www.mediafire.com | udp |
| US | 104.16.113.74:443 | www.mediafire.com | tcp |
| US | 104.16.113.74:443 | www.mediafire.com | tcp |
| US | 8.8.8.8:53 | translate.google.com | udp |
| US | 8.8.8.8:53 | static.mediafire.com | udp |
| US | 8.8.8.8:53 | cdn.amplitude.com | udp |
| US | 8.8.8.8:53 | static.cloudflareinsights.com | udp |
| IE | 74.125.193.102:443 | translate.google.com | tcp |
| FR | 18.161.108.4:443 | cdn.amplitude.com | tcp |
| US | 104.16.56.101:443 | static.cloudflareinsights.com | tcp |
| US | 8.8.8.8:53 | translate.googleapis.com | udp |
| IE | 74.125.193.95:443 | translate.googleapis.com | tcp |
| US | 8.8.8.8:53 | content-autofill.googleapis.com | udp |
| US | 8.8.8.8:53 | stats.g.doubleclick.net | udp |
| IE | 209.85.202.95:443 | content-autofill.googleapis.com | tcp |
| IE | 209.85.203.156:443 | stats.g.doubleclick.net | tcp |
| IE | 209.85.203.156:443 | stats.g.doubleclick.net | tcp |
| US | 8.8.8.8:53 | region1.analytics.google.com | udp |
| US | 8.8.8.8:53 | translate-pa.googleapis.com | udp |
| US | 8.8.8.8:53 | www.google.co.uk | udp |
| US | 216.239.32.36:443 | region1.analytics.google.com | tcp |
| IE | 209.85.202.95:443 | translate-pa.googleapis.com | udp |
| US | 8.8.8.8:53 | download2329.mediafire.com | udp |
| US | 199.91.155.70:443 | download2329.mediafire.com | tcp |
| US | 199.91.155.70:443 | download2329.mediafire.com | tcp |
| US | 8.8.8.8:53 | api.amplitude.com | udp |
| US | 52.39.244.51:443 | api.amplitude.com | tcp |
| IE | 74.125.193.95:443 | translate-pa.googleapis.com | udp |
| US | 216.239.32.36:443 | region1.analytics.google.com | udp |
| US | 8.8.8.8:53 | beacons.gcp.gvt2.com | udp |
| DE | 172.217.16.131:443 | beacons.gcp.gvt2.com | tcp |
| US | 8.8.8.8:53 | roblox.com | udp |
| US | 128.116.102.4:443 | roblox.com | tcp |
| US | 128.116.102.4:443 | roblox.com | tcp |
| US | 8.8.8.8:53 | www.roblox.com | udp |
| NL | 128.116.21.4:443 | www.roblox.com | tcp |
| US | 8.8.8.8:53 | css.rbxcdn.com | udp |
| US | 8.8.8.8:53 | static.rbxcdn.com | udp |
| US | 8.8.8.8:53 | js.rbxcdn.com | udp |
| FR | 3.160.196.46:443 | static.rbxcdn.com | tcp |
| FR | 52.222.144.78:443 | js.rbxcdn.com | tcp |
| FR | 52.222.144.78:443 | js.rbxcdn.com | tcp |
| FR | 52.222.144.78:443 | js.rbxcdn.com | tcp |
| FR | 52.222.144.78:443 | js.rbxcdn.com | tcp |
| FR | 52.222.144.78:443 | js.rbxcdn.com | tcp |
| FR | 52.222.144.78:443 | js.rbxcdn.com | tcp |
| FR | 216.137.52.35:443 | css.rbxcdn.com | tcp |
| FR | 216.137.52.35:443 | css.rbxcdn.com | tcp |
| FR | 216.137.52.35:443 | css.rbxcdn.com | tcp |
| FR | 216.137.52.35:443 | css.rbxcdn.com | tcp |
| FR | 216.137.52.35:443 | css.rbxcdn.com | tcp |
| FR | 216.137.52.35:443 | css.rbxcdn.com | tcp |
| US | 8.8.8.8:53 | roblox-api.arkoselabs.com | udp |
| US | 104.18.33.170:443 | roblox-api.arkoselabs.com | tcp |
| US | 8.8.8.8:53 | metrics.roblox.com | udp |
| US | 104.18.33.170:443 | roblox-api.arkoselabs.com | udp |
| US | 8.8.8.8:53 | apis.roblox.com | udp |
| NL | 128.116.21.4:443 | apis.roblox.com | tcp |
| US | 8.8.8.8:53 | apis.rbxcdn.com | udp |
| GB | 104.77.160.204:443 | apis.rbxcdn.com | tcp |
| US | 8.8.8.8:53 | locale.roblox.com | udp |
| US | 8.8.8.8:53 | images.rbxcdn.com | udp |
| FR | 216.137.52.35:443 | css.rbxcdn.com | tcp |
| FR | 18.161.97.44:443 | images.rbxcdn.com | tcp |
| FR | 18.161.97.44:443 | images.rbxcdn.com | tcp |
| FR | 18.161.97.44:443 | images.rbxcdn.com | tcp |
| FR | 18.161.97.44:443 | images.rbxcdn.com | tcp |
| FR | 18.161.97.44:443 | images.rbxcdn.com | tcp |
| FR | 18.161.97.44:443 | images.rbxcdn.com | tcp |
| US | 8.8.8.8:53 | auth.roblox.com | udp |
| US | 8.8.8.8:53 | ecsv2.roblox.com | udp |
| NL | 128.116.21.3:443 | ecsv2.roblox.com | tcp |
| IE | 209.85.202.95:443 | translate-pa.googleapis.com | udp |
| NL | 128.116.21.3:443 | ecsv2.roblox.com | udp |
| US | 8.8.8.8:53 | assetgame.roblox.com | udp |
| US | 8.8.8.8:53 | tr.rbxcdn.com | udp |
| GB | 88.221.134.11:443 | tr.rbxcdn.com | tcp |
| GB | 88.221.134.11:443 | tr.rbxcdn.com | tcp |
| FR | 3.160.196.46:443 | static.rbxcdn.com | tcp |
| DE | 172.217.16.131:443 | beacons.gcp.gvt2.com | udp |
| US | 8.8.8.8:53 | lms.roblox.com | udp |
| US | 8.8.8.8:53 | realtime-signalr.roblox.com | udp |
| US | 8.8.8.8:53 | thumbnails.roblox.com | udp |
| US | 8.8.8.8:53 | accountsettings.roblox.com | udp |
| US | 8.8.8.8:53 | economy.roblox.com | udp |
| US | 8.8.8.8:53 | friends.roblox.com | udp |
| US | 8.8.8.8:53 | privatemessages.roblox.com | udp |
| US | 8.8.8.8:53 | trades.roblox.com | udp |
| US | 8.8.8.8:53 | chat.roblox.com | udp |
| US | 8.8.8.8:53 | contacts.roblox.com | udp |
| US | 8.8.8.8:53 | notifications.roblox.com | udp |
| US | 8.8.8.8:53 | aws-us-west-1c-lms.rbx.com | udp |
| US | 8.8.8.8:53 | c0ak.rbxcdn.com | udp |
| US | 8.8.8.8:53 | waw1-128-116-124-3.roblox.com | udp |
| US | 8.8.8.8:53 | c0aws.rbxcdn.com | udp |
| US | 8.8.8.8:53 | lga2-128-116-32-3.roblox.com | udp |
| US | 8.8.8.8:53 | aws-us-west-1a-lms.rbx.com | udp |
| US | 8.8.8.8:53 | roblox-poc.global.ssl.fastly.net | udp |
| US | 8.8.8.8:53 | ord2-128-116-101-3.roblox.com | udp |
| US | 8.8.8.8:53 | robloxcorp.s.llnwi.net | udp |
| US | 8.8.8.8:53 | fra2-128-116-123-3.roblox.com | udp |
| US | 52.9.213.88:443 | aws-us-west-1c-lms.rbx.com | tcp |
| PL | 128.116.124.3:443 | waw1-128-116-124-3.roblox.com | tcp |
| FR | 3.160.196.81:443 | c0aws.rbxcdn.com | tcp |
| US | 54.215.222.157:443 | aws-us-west-1a-lms.rbx.com | tcp |
| US | 128.116.32.3:443 | lga2-128-116-32-3.roblox.com | tcp |
| US | 128.116.101.3:443 | ord2-128-116-101-3.roblox.com | tcp |
| US | 151.101.1.194:443 | roblox-poc.global.ssl.fastly.net | tcp |
| DE | 128.116.123.3:443 | fra2-128-116-123-3.roblox.com | tcp |
| GB | 87.248.205.1:443 | robloxcorp.s.llnwi.net | tcp |
| US | 128.116.101.3:443 | ord2-128-116-101-3.roblox.com | tcp |
| US | 8.8.8.8:53 | presence.roblox.com | udp |
| NL | 128.116.21.4:443 | presence.roblox.com | tcp |
| DE | 128.116.123.3:443 | fra2-128-116-123-3.roblox.com | udp |
| PL | 128.116.124.3:443 | waw1-128-116-124-3.roblox.com | udp |
| US | 128.116.32.3:443 | lga2-128-116-32-3.roblox.com | udp |
| FR | 52.222.144.78:443 | js.rbxcdn.com | tcp |
| FR | 3.160.196.46:443 | static.rbxcdn.com | tcp |
| FR | 216.137.52.35:443 | css.rbxcdn.com | tcp |
| GB | 104.77.160.221:443 | c0ak.rbxcdn.com | tcp |
| FR | 3.160.196.81:443 | c0aws.rbxcdn.com | tcp |
| FR | 18.161.97.44:443 | images.rbxcdn.com | tcp |
| US | 8.8.8.8:53 | js.stripe.com | udp |
| US | 151.101.0.176:443 | js.stripe.com | tcp |
| GB | 88.221.134.11:443 | tr.rbxcdn.com | tcp |
| US | 8.8.8.8:53 | followings.roblox.com | udp |
| US | 8.8.8.8:53 | games.roblox.com | udp |
| US | 8.8.8.8:53 | atl1-128-116-99-3.roblox.com | udp |
| US | 8.8.8.8:53 | iad4-128-116-102-3.roblox.com | udp |
| US | 128.116.101.3:443 | ord2-128-116-101-3.roblox.com | udp |
| US | 8.8.8.8:53 | mia4-128-116-45-3.roblox.com | udp |
| US | 8.8.8.8:53 | sin2-128-116-97-3.roblox.com | udp |
| PL | 128.116.124.3:443 | waw1-128-116-124-3.roblox.com | udp |
| US | 8.8.8.8:53 | aws-us-east-2a-lms.rbx.com | udp |
| US | 8.8.8.8:53 | aws-eu-central-1b-lms.rbx.com | udp |
| US | 8.8.8.8:53 | cdg1-128-116-122-3.roblox.com | udp |
| US | 8.8.8.8:53 | lhr2-128-116-119-3.roblox.com | udp |
| NL | 128.116.21.4:443 | games.roblox.com | tcp |
| FR | 128.116.122.3:443 | cdg1-128-116-122-3.roblox.com | tcp |
| US | 128.116.102.3:443 | iad4-128-116-102-3.roblox.com | tcp |
| US | 128.116.99.3:443 | atl1-128-116-99-3.roblox.com | tcp |
| SG | 128.116.97.3:443 | sin2-128-116-97-3.roblox.com | tcp |
| US | 128.116.45.3:443 | mia4-128-116-45-3.roblox.com | tcp |
| DE | 18.196.70.252:443 | aws-eu-central-1b-lms.rbx.com | tcp |
| US | 3.139.126.190:443 | aws-us-east-2a-lms.rbx.com | tcp |
| GB | 128.116.119.3:443 | lhr2-128-116-119-3.roblox.com | tcp |
| PL | 128.116.124.3:443 | waw1-128-116-124-3.roblox.com | tcp |
| NL | 128.116.21.4:443 | games.roblox.com | tcp |
| US | 8.8.8.8:53 | badges.roblox.com | udp |
| US | 128.116.101.3:443 | ord2-128-116-101-3.roblox.com | tcp |
| SG | 128.116.97.3:443 | sin2-128-116-97-3.roblox.com | tcp |
| US | 8.8.8.8:53 | m.stripe.network | udp |
| US | 8.8.8.8:53 | voice.roblox.com | udp |
| US | 8.8.8.8:53 | m.stripe.com | udp |
| US | 44.240.51.134:443 | m.stripe.com | tcp |
| US | 8.8.8.8:53 | ncs.roblox.com | udp |
| FR | 128.116.122.3:443 | cdg1-128-116-122-3.roblox.com | udp |
| GB | 128.116.119.3:443 | lhr2-128-116-119-3.roblox.com | udp |
| DE | 18.196.70.252:443 | aws-eu-central-1b-lms.rbx.com | tcp |
| PL | 128.116.124.3:443 | waw1-128-116-124-3.roblox.com | tcp |
| FR | 216.137.52.35:443 | css.rbxcdn.com | tcp |
| FR | 3.160.196.46:443 | static.rbxcdn.com | tcp |
| US | 8.8.8.8:53 | hkg1-128-116-118-3.roblox.com | udp |
| US | 128.116.99.3:443 | atl1-128-116-99-3.roblox.com | udp |
| US | 8.8.8.8:53 | aws-ap-northeast-1d-lms.rbx.com | udp |
| US | 8.8.8.8:53 | sin4-128-116-50-3.roblox.com | udp |
| US | 8.8.8.8:53 | pulsar.roblox.com | udp |
| US | 8.8.8.8:53 | aws-us-west-2b-lms.rbx.com | udp |
| US | 8.8.8.8:53 | lax2-128-116-116-3.roblox.com | udp |
| US | 8.8.8.8:53 | aws-eu-west-2a-lms.rbx.com | udp |
| HK | 128.116.118.3:443 | hkg1-128-116-118-3.roblox.com | tcp |
| JP | 52.192.127.100:443 | aws-ap-northeast-1d-lms.rbx.com | tcp |
| SG | 128.116.50.3:443 | sin4-128-116-50-3.roblox.com | tcp |
| US | 128.116.116.3:443 | lax2-128-116-116-3.roblox.com | tcp |
| DE | 128.116.123.3:443 | pulsar.roblox.com | tcp |
| GB | 18.133.19.35:443 | aws-eu-west-2a-lms.rbx.com | tcp |
| US | 52.39.233.166:443 | aws-us-west-2b-lms.rbx.com | tcp |
| HK | 128.116.118.3:443 | hkg1-128-116-118-3.roblox.com | tcp |
| JP | 52.192.127.100:443 | aws-ap-northeast-1d-lms.rbx.com | tcp |
| US | 52.39.233.166:443 | aws-us-west-2b-lms.rbx.com | tcp |
| SG | 128.116.50.3:443 | sin4-128-116-50-3.roblox.com | tcp |
| US | 8.8.8.8:53 | cs.ns1p.net | udp |
| DE | 18.159.47.95:443 | cs.ns1p.net | tcp |
| NL | 128.116.21.3:443 | realtime-signalr.roblox.com | tcp |
| NL | 128.116.21.4:443 | ncs.roblox.com | tcp |
| NL | 128.116.21.4:443 | ncs.roblox.com | tcp |
| NL | 128.116.21.4:443 | ncs.roblox.com | tcp |
| NL | 128.116.21.3:443 | realtime-signalr.roblox.com | tcp |
| US | 8.8.8.8:53 | setup.rbxcdn.com | udp |
| FR | 3.160.188.89:443 | setup.rbxcdn.com | tcp |
| NL | 128.116.21.4:443 | ncs.roblox.com | tcp |
| US | 8.8.8.8:53 | client-telemetry.roblox.com | udp |
| NL | 128.116.21.3:443 | client-telemetry.roblox.com | tcp |
| NL | 128.116.21.4:443 | ncs.roblox.com | tcp |
| US | 8.8.8.8:53 | ecsv2.roblox.com | udp |
| NL | 128.116.21.3:443 | ecsv2.roblox.com | tcp |
| US | 8.8.8.8:53 | clientsettingscdn.roblox.com | udp |
| GB | 104.84.73.17:443 | clientsettingscdn.roblox.com | tcp |
| US | 8.8.8.8:53 | setup.rbxcdn.com | udp |
| FR | 3.160.188.113:443 | setup.rbxcdn.com | tcp |
| FR | 3.160.188.113:443 | setup.rbxcdn.com | tcp |
| FR | 3.160.188.113:443 | setup.rbxcdn.com | tcp |
| NL | 128.116.21.4:443 | ncs.roblox.com | tcp |
| NL | 128.116.21.3:443 | ecsv2.roblox.com | tcp |
| NL | 128.116.21.3:443 | ecsv2.roblox.com | tcp |
| NL | 128.116.21.4:443 | ncs.roblox.com | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| NL | 128.116.21.4:443 | ncs.roblox.com | tcp |
| NL | 128.116.21.4:443 | ncs.roblox.com | tcp |
| NL | 128.116.21.4:443 | ncs.roblox.com | tcp |
| NL | 128.116.21.4:443 | ncs.roblox.com | tcp |
| NL | 45.15.156.186:29975 | | tcp |
| NL | 128.116.21.4:443 | ncs.roblox.com | tcp |
| US | 8.8.8.8:53 | msedge.api.cdp.microsoft.com | udp |
| US | 20.7.47.135:443 | msedge.api.cdp.microsoft.com | tcp |
| NL | 45.15.156.186:29975 | | tcp |
| NL | 45.15.156.186:29975 | | tcp |
| US | 8.8.8.8:53 | msedge.f.tlu.dl.delivery.mp.microsoft.com | udp |
| GB | 88.221.135.73:80 | msedge.f.tlu.dl.delivery.mp.microsoft.com | tcp |
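Added example, not part of the report: Python triage over the Network table. It parses the rows as the page renders them (including rows whose empty Domain cell was extracted out of column order, which the parser accepts in either position), flags repeated connections to a bare IP on a port that is neither DNS, HTTP(S) nor mDNS, and builds the domain-to-IP list an analyst would hand to a blocklist. The row subset below is copied from the table; the port allowlist and the choice to ignore multicast, private and loopback destinations are my own.

```python
import ipaddress
from collections import Counter
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample: a subset of rows from the Network table above, copied
# as rendered. Rows with no resolved domain appear both with the empty cell
# shifted to the end ("| tcp | |") and in the aligned form ("| | tcp |").
SAMPLE_ROWS = """
| US | 8.8.8.8:53 | GcIcVSqBZYfPLer.GcIcVSqBZYfPLer | udp |
| NL | 45.15.156.186:29975 | tcp | |
| US | 8.8.8.8:53 | www.google.com | udp |
| IE | 74.125.193.103:443 | www.google.com | tcp |
| N/A | 224.0.0.251:5353 | udp | |
| US | 8.8.8.8:53 | ryosx.lol | udp |
| US | 198.54.116.91:443 | ryosx.lol | tcp |
| GB | 96.17.179.205:80 | apps.identrust.com | tcp |
| NL | 45.15.156.186:29975 | tcp | |
| NL | 45.15.156.186:29975 | | tcp |
| NL | 45.15.156.186:29975 | tcp | |
"""

# Ports on which a connection with no domain is unremarkable in this trace
# (DNS, HTTP/HTTPS, mDNS). Anything else to a bare IP is worth a look.
EXPECTED_PORTS = {53, 80, 443, 5353}


def parse_row(line: str) -> Optional[Dict[str, object]]:
    """Parse one '| country | ip:port | domain | proto |' row; the domain
    cell may be empty and may sit either before or after the proto cell."""
    cells = [c.strip() for c in line.strip().strip("|").split("|")]
    if len(cells) != 4:
        return None
    country, dest, rest = cells[0], cells[1], cells[2:]
    proto = next((c for c in rest if c.lower() in ("tcp", "udp")), None)
    if proto is None or ":" not in dest:
        return None
    domain = next((c for c in rest if c != proto), "")
    ip, port = dest.rsplit(":", 1)
    return {"country": country, "ip": ip, "port": int(port),
            "domain": domain, "proto": proto.lower()}


def parse_table(table_text: str) -> List[Dict[str, object]]:
    return [r for r in (parse_row(l) for l in table_text.splitlines()) if r]


def direct_ip_connections(table_text: str) -> Dict[Tuple[str, int, str], int]:
    """Count connections to a bare IP (no domain in the row) on a port outside
    EXPECTED_PORTS, skipping multicast, private and loopback destinations."""
    counts: Counter = Counter()
    for r in parse_table(table_text):
        ip = ipaddress.ip_address(str(r["ip"]))
        if ip.is_multicast or ip.is_private or ip.is_loopback:
            continue
        if r["domain"] == "" and r["port"] not in EXPECTED_PORTS:
            counts[(str(r["ip"]), int(r["port"]), str(r["proto"]))] += 1
    return dict(counts)


def resolved_contacts(table_text: str) -> Dict[str, Set[str]]:
    """Map each domain to the IPs actually connected to (everything except
    the DNS lookups on port 53), i.e. the list you would hand to a blocklist."""
    out: Dict[str, Set[str]] = {}
    for r in parse_table(table_text):
        if r["domain"] and r["port"] != 53:
            out.setdefault(str(r["domain"]), set()).add(str(r["ip"]))
    return out


if __name__ == "__main__":
    for key, n in direct_ip_connections(SAMPLE_ROWS).items():
        print("bare-IP session", key, "seen", n, "times")
    for domain, ips in resolved_contacts(SAMPLE_ROWS).items():
        print(domain, sorted(ips))
```

Against the sample the only bare-IP hit is 45.15.156.186:29975 over TCP, seen four times, which matches the full table: that endpoint recurs throughout the trace with no domain shown and no DNS lookup resolving to it, so it is the row to pull first when carving the pcap, ahead of the ryosx.lol and mediafire.com fetches that do have names.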
Files
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Approve
| MD5 | 4849b374e88e174f9b35b5e5e9269ae6 |
| SHA1 | 6199bff5bad3b5088685aeb08686ad303f4f6c29 |
| SHA256 | 1deef19e64390b8d41481acd973405e9ce23cfabdcac203f684532de244ac073 |
| SHA512 | 1c079cb1d8f78e1833945967fc0daf3bd8250196fe430bea1db8522385e0b193e1ee488b821c760e1f12f4c8d61b653871df4675e73c115964857ed3d2cc0ff9 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Nuclear
| MD5 | 62a7e75d1df779e6169adb0cfa905694 |
| SHA1 | 3f855dc814432bd0cd6e793c5a5bb2776b838602 |
| SHA256 | 7fa7da730c634c4a21832d2d35cbe4a6d1484fcfadbae988e2e97a9ad76f73db |
| SHA512 | 1f22866bfe4c6186b77c05aca2e4088c30e7ea1fe6057782a2a7aefda9221c78be2fe2cc5c673fd266e12218e91a66b254e90ff1d94f9ba6b8552c1e6bbc1698 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Plasma
| MD5 | 65b274e03e99948cbb03a0464e66ba89 |
| SHA1 | 129196df7c9cc04f868f66e0f8fad494a6c4e379 |
| SHA256 | 4bfaa5267e22645c0cdacc3154902d9ca2ea3559f47d6acf6813aa20ee1bb75d |
| SHA512 | 2fcb83966b7c9d1709124c9efc5bd24aa1135e91a74d2c92e344465de1ab4b42811a8f2e264e801acbe4f3080e575a0730a38e87564c9f5c74a9d5f71b7a8bc4 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Proper
| MD5 | 5047c62efa1d3a7319f3495137cb8224 |
| SHA1 | 0d0d3d840d2d484d8e4db23fd72aff6a0c514aed |
| SHA256 | 76c8d934bd2c8abae1b4cc482c45cf910935411ab643f8c0e54be92c2f63849a |
| SHA512 | 66cfc6656cd6f18fea5fba95d0403664b188acf21a53d76eda5f6692d41950f69ccf2b0ae8e7aeefb0e50c068acf4f61357109983ff2c6db8e1efc076bd9ecfc |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Merger
| MD5 | 7196d7109e4b363cd13654db907ffea4 |
| SHA1 | 21f016d6c8e5bde1c23e48e9cb811dce3227eb7b |
| SHA256 | 9eacfcb6381b4e19513707811960b233337460e57a798e053d6cd0b4e1c3a7e4 |
| SHA512 | 41ab7e0411dcb7b378a2068756a403f0092b19dac52f244f871e871abee10b78d29b54a89b411a9b841777a5e4d47def9c60f40cdbbd60bc2f3690c739fd4b02 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Practice
| MD5 | 02c12a95e4fcbadc9cd8c35c8a6b5b45 |
| SHA1 | 3f9f0e5680497727ff7f6a3a3a245087ec668a79 |
| SHA256 | d3cd709f6751e6f167b3e04706f45542528088af51454a6cfde05041523b0e72 |
| SHA512 | 5cb441debcb4a68dbe2ad07576452bb7bbdc2630b711a9ef2a2d9068216c48d00e9a063d52fce2bdb274b7872d842c91e84318da31d6d7c8d2d41a4e72204a2c |
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\31206\Expressions.pif
| MD5 | 848164d084384c49937f99d5b894253e |
| SHA1 | 3055ef803eeec4f175ebf120f94125717ee12444 |
| SHA256 | f58d3a4b2f3f7f10815c24586fae91964eeed830369e7e0701b43895b0cefbd3 |
| SHA512 | aabe1cf076f48f32542f49a92e4ca9f054b31d5a9949119991b897b9489fe775d8009896408ba49ac43ec431c87c0d385daead9dbbde7ef6309b0c97bbaf852a |
memory/2552-25-0x0000000077260000-0x0000000077336000-memory.dmp
memory/2552-27-0x0000000000180000-0x0000000000181000-memory.dmp
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\31206\RegAsm.exe
| MD5 | b58b926c3574d28d5b7fdd2ca3ec30d5 |
| SHA1 | d260c4ffd603a9cfc057fcb83d678b1cecdf86f9 |
| SHA256 | 6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3 |
| SHA512 | b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab |
memory/3060-31-0x0000000000090000-0x0000000000128000-memory.dmp
memory/3060-34-0x0000000000090000-0x0000000000128000-memory.dmp
memory/3060-36-0x0000000000090000-0x0000000000128000-memory.dmp
\??\pipe\crashpad_2620_PEZQVFNKXQUAKOES
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000007.dbtmp
| MD5 | 18e723571b00fb1694a3bad6c78e4054 |
| SHA1 | afcc0ef32d46fe59e0483f9a3c891d3034d12f32 |
| SHA256 | 8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa |
| SHA512 | 43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe
| MD5 | a5ce3aba68bdb438e98b1d0c70a3d95c |
| SHA1 | 013f5aa9057bf0b3c0c24824de9d075434501354 |
| SHA256 | 9b860be98a046ea97a7f67b006e0b1bc9ab7731dd2a0f3a9fd3d710f6c43278a |
| SHA512 | 7446f1256873b51a59b9d2d3498cef5a41dbce55864c2a5fb8cb7d25f7d6e6d8ea249d551a45b75d99b1ad0d6fb4b5e4544e5ca77bcd627717d6598b5f566a79 |
memory/1956-85-0x0000000001290000-0x0000000001298000-memory.dmp
memory/1956-86-0x000007FEF5230000-0x000007FEF5C1C000-memory.dmp
memory/1956-87-0x000007FEF5230000-0x000007FEF5C1C000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
| MD5 | 89f4922a7587a9f92f626d7868051285 |
| SHA1 | 9419dc4f12c1cafefe5a1a12997cd4c0ae5d6702 |
| SHA256 | 16d4c209625f423200c0a930685ec659bdc58c7e5c7848d0008979311b945ce7 |
| SHA512 | 009d7b6d168824bb8c8c15f256502673af694fec8b7fd3761567bddcb0c40500d77de42c13313fa33e7848d8380d097cdc4c14dd21e71023572de5508127f9cb |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Variations
| MD5 | f732dbed9289177d15e236d0f8f2ddd3 |
| SHA1 | 53f822af51b014bc3d4b575865d9c3ef0e4debde |
| SHA256 | 2741df9ee9e9d9883397078f94480e9bc1d9c76996eec5cfe4e77929337cbe93 |
| SHA512 | b64e5021f32e26c752fcba15a139815894309b25644e74ceca46a9aa97070bca3b77ded569a9bfd694193d035ba75b61a8d6262c8e6d5c4d76b452b38f5150a4 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Last Version
| MD5 | 9eae63c7a967fc314dd311d9f46a45b7 |
| SHA1 | caba9c2c93acfe0b9ceb9ab19b992b0fc19c71cf |
| SHA256 | 4288925b0cf871c7458c22c46936efb0e903802feb991a0e1803be94ca6c251d |
| SHA512 | bed924bff236bf5b6ce1df1db82e86c935e5830a20d9d24697efd82ca331e30604db8d04b0d692ec8541ec6deb2225bcc7d805b79f2db5726642198ecf6348b8 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG
| MD5 | c909c3d86f52f6e103763a631ae8e7ec |
| SHA1 | 0eb3c97783e3e2b2105c38f10333902e0f70d6c6 |
| SHA256 | ab0b140a095c3a4082d14c44f7ca70b714cebc796bb5091df9b3fff8b04e8629 |
| SHA512 | 9e55f1d54cef68e12df51932fd673816def3602ab1fb4a5d3e7e806e318455888fa1c3fe906caf4649cc4d3efa553bd61e23d0839ee3f3475467da9b2eb88f7e |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\MANIFEST-000007
| MD5 | 03d881fc5a4ab4013bd1b30988abb179 |
| SHA1 | 9ad861569715575d7b676e5683b14dd3cffec304 |
| SHA256 | 5da7b30f55f920166ad821f532fb95bd11546bf63a228fc41357aa122fcaf5e8 |
| SHA512 | 29ab8ac2c642a83086266f88ffde8d71c96cd0d98812fac526e0a0adc58d8bc7f99760ad19a71cc38c3ef5edb9ab9d642ef6b665bf4ce336260b0171411e26f6 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000008.ldb
| MD5 | fe7ac6296a783949264d5abc8d69b443 |
| SHA1 | 32bca04fb95f953deb38e3bc05c0314362420b76 |
| SHA256 | ee1ac8b2768e40583cad98e8edc274ec882384c4776b3fa07b75a6070d0b6ce2 |
| SHA512 | e4f55e14469880ba92bbb61d3708d3489f56f195d0a21938c9ab14588a29172258849c84b72d3405665889f88a55dadeba6c5a02b211c44c9ded24feb76ddbfc |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\MANIFEST-000007
| MD5 | 22b937965712bdbc90f3c4e5cd2a8950 |
| SHA1 | 25a5df32156e12134996410c5f7d9e59b1d6c155 |
| SHA256 | cad3bbec41899ea5205612fc1494fa7ba88847fb75437a2def22211a4003e2eb |
| SHA512 | 931427ad4609ab4ca12b2ee852d4965680f58602b00c182a2d340acf3163d888be6cfad87ca089f2b47929ddfa66be03ab13a6d24922397334d6997d4c8ede3b |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\LOG
| MD5 | aedfb251afbb71adbdbf8985633caf28 |
| SHA1 | 1382e407ac77bceb4153b3898cdda45398a67251 |
| SHA256 | fbbf7f4e5e37568015f4230c731d25cd1b9fbfd32b997ce92af3d9b661639e85 |
| SHA512 | ec2fbcb43d2d0f3c1c808a1fed3e51b6a3d5703171aa5bd438858539f899f3fe1dc452f531a651e0c6c61be87b64051ce81ea277ddb77f79e20cda53e5702dd4 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Session Storage\LOG
| MD5 | e9697730c052617e50350806dd61c257 |
| SHA1 | d26ed0473b4df7c83a262df7ed18f951cb9befc4 |
| SHA256 | f1c27d547de5716e59b2d839dbdd55666508de2750382485ec91cb18de931c0d |
| SHA512 | 1dfdf4550dc2f44ea50adb50f5e1a24ed057a968232deaa98f219611c9f448ed867c69f13164a72a0865cd87c35fa40ecbb58e2675e13904b9112a7f7682d602 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\000008.ldb
| MD5 | 58aaf15e9f7ae996de480c32c50c448c |
| SHA1 | 62d1f1d9618835eb40c32eb68679cf81404d788c |
| SHA256 | 878dbde98165f451d8a70041b6d9ca99403840f5bd3528479cbba79c85f65c25 |
| SHA512 | 0327a48f54b9cccd265b29b323762ec7f408026eb324e204ddf26a69e5e053a8a20937d4ee75af191bfffbecbcee9b98b41f757678723f15edfe4d60be27f8b4 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOG
| MD5 | fbdbcd13468e7072bf988a7fc10761a5 |
| SHA1 | 296a987c15ee206b80e78c8a822ca8d2514939bf |
| SHA256 | f0856ca3f71cfa9d8ec913e88f1fcf5c29c34ca94c40f2594f43cf6ce34c84be |
| SHA512 | d2e19f547098d5126b55f2b6ae55719cc7c2c867beebbc7f026be7d7de2bb2f316315f623cd0123269b54806a396208814f17a24e6e448bcac8c2cc75ef7a04f |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Session Storage\000009.log
| MD5 | e556f26df3e95c19dbaeca8f5df0c341 |
| SHA1 | 247a89f0557fc3666b5173833db198b188f3aa2e |
| SHA256 | b0a7b19404285905663876774a2176939a6ed75ef3904e44283a125824bd0bf3 |
| SHA512 | 055bc4ab12feedf3245eaaf0a0109036909c44e3b69916f8a01e6c8459785317fe75ca6b28f8b339316fc2310d3e5392cd15dbdb0f84016667f304d377444e2e |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Session Storage\MANIFEST-000007
| MD5 | b6d5d86412551e2d21c97af6f00d20c3 |
| SHA1 | 543302ae0c758954e222399987bb5e364be89029 |
| SHA256 | e0b2fdc217d9c571a35f41c21ed2596309f3f00a7297a8d1ded05f54f0e68191 |
| SHA512 | 5b56ae73a61add9e26f77d95c9b823f82a7fcdc75eed64b388fb4967f5c6c42cb0796b0b99dc25c89f38952786176c10d173dec7862a8a5ce5f820280f72d665 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\000008.ldb
| MD5 | c218d8230ecc27a23c94fe7231839de5 |
| SHA1 | 96cb72550b246c262a8f0ed2e075e15d8be14f9b |
| SHA256 | db9eec857cbbec11ee7d41e9cec0429ce31770e99a3f7821c97b134514718f4a |
| SHA512 | 166a3ad3a4405aabecb58f3e51ace570845a7e97a013459c06a93eefb1a0b446f27a1af0d1e5d333e2464cf85b00094ae97da0db0313562161681b9f8356ce9d |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\000009.log
| MD5 | a2f36fd75efcba856d1371d330ed4751 |
| SHA1 | fb7c3dff0fa2b47c6f0026287d12d16d05d14d8b |
| SHA256 | 561fe33b81dac187686e9e50103590f3a857f4e1b9c8ada714d43964b938ea7f |
| SHA512 | 79ca96560a074fa678cfdc06007d0e1e01718831d18c4a800c5361b8ba8091b46acada47418a8d7be3b626d2d9af5cf346abcdd88166a9d1634f81157ab1ad6a |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\MANIFEST-000007
| MD5 | 1c0c23649f958fa25b0407c289db12da |
| SHA1 | 5f6b10cd5a39fe8c30353bcf4cd4e4a60ef35574 |
| SHA256 | d5134b804a775cfb79c6166d15b5721d38ffc2da11948a6c1263595d6c2941cf |
| SHA512 | b691e882018833a108bd286bc76c55a140d00d5a266617a3a381af1ceff01aefaef17acef29d14dec931d7051455726cde8974cd04cc07302f1c3cc452fe2f52 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\LOG
| MD5 | 50ca69f8a964fabaeb0a099f04beab20 |
| SHA1 | c70aa2d96e4223ad9598a4db72dee6bffca40f96 |
| SHA256 | 231585fb183e961536ac1773ee546a475ee400f0be81ae0209e90de7286ec253 |
| SHA512 | ddb4ec8e2b0ebfa335f31ac5607f7caa73a0c048a1ac0491bcb843b2a0f14a13dbc8ca9fe1ae6cd59393a933ac6d0e6bf31717eda2e490ec92fcb69084e0c770 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\000010.dbtmp
| MD5 | 60e3f691077715586b918375dd23c6b0 |
| SHA1 | 476d3eab15649c40c6aebfb6ac2366db50283d1b |
| SHA256 | e91d13722e31f9b06c5df3582cad1ea5b73547ce3dc08b12ed461f095aad48ee |
| SHA512 | d1c146d27bbf19362d6571e2865bb472ce4fe43dc535305615d92d6a2366f98533747a8a70a578d1f00199f716a61ce39fac5cab9dd67e9c044bc49e7343130e |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\000009.log
| MD5 | fe62c64b5b3d092170445d5f5230524e |
| SHA1 | 0e27b930da78fce26933c18129430816827b66d3 |
| SHA256 | 1e1a9ca70503efd8c607f9bc7131f08aba0476d75f2586dadb4da5485a5315d4 |
| SHA512 | 924daccfbfb0c0464b4c5fd769e01a8f2e96fe28b635aa27ab4cd91766b05b03bbf941af14c017436107673f01bad815ce1fac2a649e745c76b3c736994b4fd2 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\MANIFEST-000007
| MD5 | 382f201891d6a1aa3250f3215b5eaf26 |
| SHA1 | 5d80dca0af3735dce89ba16b7eaae68fec2a24e5 |
| SHA256 | 156a1b122b04baf82bbe1232c69a9cb160cfa82d4b65b3fd0a47cf09900b1098 |
| SHA512 | 83fee0565fa368bd5ea3128b1754817c3230d88eee21d9ddff811e9648478f83c5fde2a80c825aedc7462daa4806b3b00f182dc0446c00854137b83400c521de |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\LOG
| MD5 | 7d0a8b53355edc2af81d1b986de745b0 |
| SHA1 | 2391106ae6cdfbed37e1bcaa7ab20d32beea680a |
| SHA256 | 2d84f53cefdfca435ed5f6d694590209800d726b343153417bccd4d6a58d4f57 |
| SHA512 | 48d1a0ba59361a3bd760ddc69a1358c61bdf8c8f908572fa1af2becf24e73afa4e3e6b8c38873247a1a0312779cf591aea327209c913b2c355e674f070fe05fa |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extension State\MANIFEST-000007
| MD5 | 1be22f40a06c4e7348f4e7eaf40634a9 |
| SHA1 | 8205ec74cd32ef63b1cc274181a74b95eedf86df |
| SHA256 | 45a28788cde0d2a0232d19c391eae45777fe640790ac0674d6daa5672c444691 |
| SHA512 | b8f6f42d375e3ad8015d744fa2814994fa6e588b41cce0131fca48194dd40146b08169a8ce0da350525ff32a59a16edb503c72e0f07254955c82a0d38074856e |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extension State\LOG
| MD5 | cbd61b3a5990d4b3e45e7c6be7558f59 |
| SHA1 | c2e563d454cec1eecd5b6d0b761a7963b2975304 |
| SHA256 | b9cf9b092017a8302653bcef4f640dd58f4009edb0bc0c62987c5acf147d1fc5 |
| SHA512 | b321bfd2b1aeec61081e84d7cd2af24c4be45e7ae06027210fe7b552abfc9775e6e96c855a57f427ee316f392bc5a693793c723f86c8aaaec79e4dd3d9559362 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extension State\000009.dbtmp
| MD5 | 979c29c2917bed63ccf520ece1d18cda |
| SHA1 | 65cd81cdce0be04c74222b54d0881d3fdfe4736c |
| SHA256 | b3524365a633ee6d1fa9953638d2867946c515218c497a5ec2dbef7dc44a7c53 |
| SHA512 | e38f694fd6ab9f678ae156528230d7a8bfb7b59a13b227f59f9c38ab5617db11ebb6be1276323a905d09c4066a3fe820cf58077ab48bf201f3c467a98516ee7a |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\CURRENT
| MD5 | aefd77f47fb84fae5ea194496b44c67a |
| SHA1 | dcfbb6a5b8d05662c4858664f81693bb7f803b82 |
| SHA256 | 4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611 |
| SHA512 | b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\MANIFEST-000006
| MD5 | 78c55e45e9d1dc2e44283cf45c66728a |
| SHA1 | 88e234d9f7a513c4806845ce5c07e0016cf13352 |
| SHA256 | 7b69a2bee12703825dc20e7d07292125180b86685d2d1b9fd097df76fc6791ec |
| SHA512 | f2ad4594024871286b98a94223b8e7155c7934ef4ebb55f25a4a485a059f75b572d21bc96e9b48ed394be8a41fe0208f7bfb6e28a79d75640c5b684f0c848fe3 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1
| MD5 | f50f89a0a91564d0b8a211f8921aa7de |
| SHA1 | 112403a17dd69d5b9018b8cede023cb3b54eab7d |
| SHA256 | b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec |
| SHA512 | bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| MD5 | 753df6889fd7410a2e9fe333da83a429 |
| SHA1 | 3c425f16e8267186061dd48ac1c77c122962456e |
| SHA256 | b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78 |
| SHA512 | 9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444 |
C:\Users\Admin\AppData\Local\Temp\Tar5623.tmp
| MD5 | dd73cead4b93366cf3465c8cd32e2796 |
| SHA1 | 74546226dfe9ceb8184651e920d1dbfb432b314e |
| SHA256 | a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22 |
| SHA512 | ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 57e187555dc54b8af11b6e35e126d51b |
| SHA1 | 32bdbd5c94de3d791d1f31787e4275af9f0a696d |
| SHA256 | 397ced5395a33f0a96b4a6c055408558766d2459d807c330f7678693ae9419b2 |
| SHA512 | 5650d69c28ae67930f53f10cd0a6700b360bf8f59988e2dcbb5ad1f099a9dbdfc78a09556244ce3bbec975713271d2f0fba09d0e00b47dc6f95d52d03b7d4aa3 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 7b6bbe5205b4b98764069ee9a388d939 |
| SHA1 | 271e011644b8c47b0715d174ac8b04f7c4cf1c12 |
| SHA256 | 4b1f6f083b40a31511c938748b9dbf363a0165fbc027b42794fd0931bb9dc7e2 |
| SHA512 | cf0f7e8567306ca3cf63c5d59a5c77e7c18db1e87ffe7d5e9d3040c5e84a226e9d73355b602cd98e1f8b3525b20d5a6ca7141d42847291577c4e305b7b8c6aaa |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | a889e42514b17855d1a22f412b4f04c1 |
| SHA1 | 1f0b1dc0748cd7ba9ad68ab9d54dec9c514edc53 |
| SHA256 | 60967a5babf9250c99b32fd6f4f03e3d17d782c9a317e4bc69c41e96f304e3f3 |
| SHA512 | 09a211c6a2803038be8ef2a2babb45ebab2c0ce2aefd5e1e69c77bd807927632dac57c8792f53dd321ff2a5ac085a9db2141d25e20b97731204b5c7e617aec57 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | d25a0902625cc1db6570cfb0860e92ec |
| SHA1 | 907af3a9f48479eb51ac3bda6ba5a43378240607 |
| SHA256 | 41f78fbbbcc6cb76091de6f0eece892db1dc46562b8d83567195a7a961c6abab |
| SHA512 | efd01c064b7d92afb667d4e70f5e773b3c974718e98ec0c2d41070b2ae2a24c24a2985e62662c918e072b9b8dfb9c34add54d405ef330ef51490070a512ec390 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 5b8a00c37c72b5937fc3fa010992f8f1 |
| SHA1 | c87b7af0a8766a70f0726207f63cabc27badaa50 |
| SHA256 | 56ef36d78c54788c5f082c66b74582fd8ca62e669b232f5f8ecfb00ad749fbb8 |
| SHA512 | 31c1bc907230d793f2449c1f03ad3d56a2213b9abe78824d41648616d49b1f09c5e7a6c8480eb2267b7c66693e65e185b2e26e3339a34a59bd4127b920250155 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 86291e2952509de452de229144dc44c0 |
| SHA1 | d7bd363264485b9eb4d8a9096a030dfeb4052355 |
| SHA256 | b071f22b4651b7a0271d244b6633138fda107f2600e4d64bac22f8ac72d32260 |
| SHA512 | 0a7f9e0e340128cf7fc92af243b0cc64d5317e5a7df63e117be412bd27945990520773eb3bb2fff4aba8d00a3e049d11828019fd21cb4990c22edae391a484ea |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | 5c8aaeceb9b511e7a55707aee7f5b9e2 |
| SHA1 | 5c8cad4071e956842f0398a4e3e3aecf675a4bea |
| SHA256 | f36fc2171c1b6b7591aaea1812370e71bdb533ba7b697af7ce8f9f499d2655ff |
| SHA512 | 03b889d725ec4dc46e089cccb0d382eb401bab25d94ddee66b9a0b9750bfe57868b5a7629d237809eebb6a6ba677acfc8a67a4296dd6068a6491aac7bdce6a37 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | 48889c50289e63068f71300843cc34a4 |
| SHA1 | ca6e6a49ec93d6080704cba95c488ad4263c0e2e |
| SHA256 | b73fd6a535bcd6db99efbb690c77d5f5f3a203620780f11b53746d6c7a799120 |
| SHA512 | 0b021da08fdab7b697e1f1157a6d814a60a074dc8257061e1799d7685a305f9a6b66a86f26a90bbd1b9b5db76e51175027f13f25283ab797628efcdedb74d6f6 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 45b1ea0c20f43e5793906d51fa83be1f |
| SHA1 | 8b8b361b0a4491bf1ce931fdbf6ec082e0b25692 |
| SHA256 | 3df3421a221f10adeb25706e295832a3cdc9bf86f556235dd3d977831ee703f2 |
| SHA512 | 00da291f6a2bfff35d45af3a2c26e9c644bdfcc2c5a6c332ce9b42b54a51b059f7bee2dd8ee6cef09919c096e90f437e80336ce2dd8003b3a4f621b74a3d12e5 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
| MD5 | 49c1483704362ec5947758a6717f3f12 |
| SHA1 | 949627c661a55cf3acdbb13541c338bd1708d008 |
| SHA256 | 1dc338ebf732ae3f6e14bdfbc772a2744e97938e88910b1ae721c102bc57b497 |
| SHA512 | 339687791b5fa90f346efd28ba1c6caf1e71217a9a5148bb628d7e2d8bc23033bf33694481c0e7e7419b6242fc17547e6a247b20cdd2e0b3e246aee44e92826e |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | ef9030a8a67c1763688c1b0affb8a873 |
| SHA1 | f9d4f36d7037fb83d0bf5c43e50eee11b9abb596 |
| SHA256 | fc877e98237df4de89ecba26aac350b9b68cd825aec7ce749277cb32c2deb715 |
| SHA512 | 5ddacc866b9bb2c27eb67ef0def47e6b01695a5690c5c8f250d0bb0527bc58fa0dfd81b22efdda0346e3d6aebb8401f4071503b8094bd17ba3fac05b9fe03289 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 9dd70def1a958ebd76a452d9bcbc4c66 |
| SHA1 | 4ad070e4ae4832658e200ae0017a0dddb6bf2e18 |
| SHA256 | bf3616fa286ad8739a7bea8f0e59b2098566515a5575c48bad539aa3c774d23b |
| SHA512 | 4df3035de5f88e6f33c2d2bf5410936999d52587c2e02406640954262dc66f23ebc964c50cee63ce75d06a0acf599a25ac8a42a4c6141988374e37cb4bf3a88f |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | b9da6e9760a8a212dd90a8816addc149 |
| SHA1 | 571a99ca28dc10b12fad81026f65ebd1fe73440a |
| SHA256 | 2ec3653c494dabe4f8ca27aa5d00a296049514a872790a38daa7f2b26e10ff34 |
| SHA512 | 07f2475acdaaf5c5ad18baa27bb300b1f67bd83b5cef545f96507e453f14f33b0e995117efbad9201d9c3593fc86f8e0f8e98652864a8f9639c8e4821e67ba99 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | ccbf6f3be25c599f17e23701f727817f |
| SHA1 | 1760d349664043d22bc4253d3fc76554e7bc593e |
| SHA256 | f2849ed4c1dfa8c64be3b88a045e0dc904947a5c3c2951455871540df7345474 |
| SHA512 | 79ced623a258c19753170d3b19c1c9927829484d9adb2687204dd0e3ea2c661b2bc86b4ea6546b7f808c1236696b3e787d88f8e30e5f8f5191642257d2701ffe |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_www.roblox.com_0.indexeddb.leveldb\CURRENT~RFf78e3ab.TMP
| MD5 | 46295cac801e5d4857d09837238a6394 |
| SHA1 | 44e0fa1b517dbf802b18faf0785eeea6ac51594b |
| SHA256 | 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443 |
| SHA512 | 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | fbb713c19f9eefde4194efc0e175459e |
| SHA1 | ac93255ec5919c763fd9a6ab7ec9a7a630405681 |
| SHA256 | 05df84fe37fc6a5dc0283fa1e3884f7759fb57f6402e134b798a6aa9bf0fc680 |
| SHA512 | 3751a280e0f5f42ebda29ea7c11c79d58ef0335a1e0eb7205a67391d22b483743e99644e9eeb69a048cc268828503fb17150a58693038ab80976152265a10f81 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_www.roblox.com_0.indexeddb.leveldb\CURRENT
| MD5 | 206702161f94c5cd39fadd03f4014d98 |
| SHA1 | bd8bfc144fb5326d21bd1531523d9fb50e1b600a |
| SHA256 | 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167 |
| SHA512 | 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_www.roblox.com_0.indexeddb.leveldb\000004.dbtmp
| MD5 | 6752a1d65b201c13b62ea44016eb221f |
| SHA1 | 58ecf154d01a62233ed7fb494ace3c3d4ffce08b |
| SHA256 | 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd |
| SHA512 | 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | 6b7af3854116496f1ab3bf8d02b8b741 |
| SHA1 | 65797e7d62f6f9feb289481f2d254ed494fd83a3 |
| SHA256 | 26d13389df01e5b06e22fbfa83abf601618f45c773e803b34dd40f5033ed4e8b |
| SHA512 | b2badee617bf2522da31e24118712d533d08609aecb0dde0f8c351f0cc76065fc91f4feb674de5a58fc11b2d21682aa820ecd175bbddd19ccc9dcc8cbb701304 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
| MD5 | 08d43938063466d13791891ec0dd3592 |
| SHA1 | d60c57129cd4c9a712758441471c04b647633459 |
| SHA256 | 290e1c5dc6b63eb05d83e4c1553495a572c6cba9429ba8a5bb97cde704521f84 |
| SHA512 | 73b63b16f520018407195f3f342a348b67f9a1f354c5254b33809f57246949cfdaa630138063efbe20c2091f28c33df4f85c1a340dba4774bac7a1dc285ec258 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | b4b7275c929f42909182e0f4c8c3f772 |
| SHA1 | d6fea1bd0bb0d6d552bb87c274d9b0f5cc8a7abc |
| SHA256 | 5e9269a6201121611486795f0c8058a760f0724a3ba027f3c98a7854dfcd69b7 |
| SHA512 | 641496b219fd1e5a32acea19e4fb1eb6089e8c5b40a3987feab831f52662be3afd8ddcacd956c784b485559b95a557d3428e0937ba73725dbf558eda6de9c7c5 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
| MD5 | ae911057c3ba9eacc3ae6459138a8786 |
| SHA1 | 3ca47d09830ac498e3db83c7ef67909cfab0db9d |
| SHA256 | e5bc3a8471d9920d59b66c5ffa77a0e29f409acc7fe23b99d11abbac24db48e1 |
| SHA512 | 77b2ce29f14d502eed2d1b725a240929bc29bcf68533c451ab84617298b409a907e48379881e411fa155a2ce6f93e60ea6394e31d6e89cedebd5971e133c454d |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | 8397b430687efc698b216fdf7e34c563 |
| SHA1 | 027df3e061198d59b7723d300aa6bdd29f7cbd31 |
| SHA256 | f9fd6cfe54a1feba98eacf08b4076ee2be8899ac93a05a500008b1786e5a2e01 |
| SHA512 | f7418098d3a20bd0acc42831412af33e55a7ef372de79f173fd6614f1da13924d1d1f8bcc5899fd441a652102c0c37fd87f61fd90a41347602a210dccca04163 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000c
| MD5 | 4923a7479f3522cbe9389d7a4862ac07 |
| SHA1 | 1bc1eb916c29c8cb05f5e46deb5740b2c5e992ed |
| SHA256 | 6d83cc91996c474cc23c3a20d6cc27b91e34117d0e15277512711efb9a6080be |
| SHA512 | 3d0dda89630f837e20956edd8ec1a083c79f5934f10adfffb116dc499d3b78418929f5c557c395cd78ef58d8a23ed2ce3af302a549a9d2aabae333c3857c8cd8 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_www.roblox.com_0.indexeddb.leveldb\LOG.old
| MD5 | f01924fb1ebcfca1ac5e1ccb09a2a786 |
| SHA1 | f98791801bb5378b1336a42d82473c23a4ae6849 |
| SHA256 | a49c2dead6bb6bce2e4b7b04d49cb7c5f60137803ee33a856cbf08803de81fb9 |
| SHA512 | ca2e0fd7f2c311f4d98c55e9d2ec487e842dfc51998e1b35611d03ab009eb4a6aad18adbe256508cf5f222c187926124514092b840a66e5f27fa81fac41ce3ac |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00003a
| MD5 | 588ee33c26fe83cb97ca65e3c66b2e87 |
| SHA1 | 842429b803132c3e7827af42fe4dc7a66e736b37 |
| SHA256 | bbc4044fe46acd7ab69d8a4e3db46e7e3ca713b05fa8ecb096ebe9e133bba760 |
| SHA512 | 6f7500b12fc7a9f57c00711af2bc8a7c62973f9a8e37012b88a0726d06063add02077420bc280e7163302d5f3a005ac8796aee97042c40954144d84c26adbd04 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | 8bdd58c75d1266f4cf0ff0feca97b136 |
| SHA1 | 5d537125096ad3af6cd08ffda584523f9dcf323d |
| SHA256 | 82887c755cc389a06d344a19391e6ce82ca3bdbd10b04e74cdc419d29f577d20 |
| SHA512 | 8c9a0d08700762c8a01cbd38fef182684470cec857215a9e295cd80c97c5bbc0e0c9d003d4e2a592842248f4f6e3b458e95286c080a64a09a102d0aaa5381053 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_www.roblox.com_0.indexeddb.leveldb\000012.log
| MD5 | efc901fb0facdca4b7b4983a3c4f3b22 |
| SHA1 | 68ca1837e06186fb1c56f935acba481a0927c05e |
| SHA256 | c9d82f431c31d1a5b967f620116c533d9b1fbd70ca2ed2db0287a49b88682851 |
| SHA512 | 7f814fb483ffa80f4d9ebd7d6ae7821f9319c31b64af8182f925c72f45af732da9209da5b22eca7a6465e0d60e03b41e29730609379fc57f82e1065a47bd4e84 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | f6d458ff5884cd3939d24e246d4b9496 |
| SHA1 | d81e2b87b66e730479786d62348ecb85c6a843d8 |
| SHA256 | 03bec58cff87ee55532efcec9944ae5c6cc2e1a6b164d6148a0a26ec833380b7 |
| SHA512 | a12e46bb356289dce3d8ccde9a8c2c9bb2b0c83780223d50c30541d72f91fc99952c6cb4d199690b8522add328fd55bcd3a165fdea6e73d747162145892dde7c |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | 74766b2943b17242a3353097b9e1d2b6 |
| SHA1 | 51c352bdd62bf7c4fe3d38300753c1a3cc76e155 |
| SHA256 | 8094e5d752cbfccf77b60b742ad74ecf607cd81bb442da42fac97d985a422cfc |
| SHA512 | 32fac349b6135bebd8221113041ca43a6c7294f2f02731c71ce3b12ba89aa69c3cd67ad880e388a9506b3cde03160fbfbc243277d6b93c96901a683494482116 |
C:\Users\Admin\Downloads\RobloxPlayerInstaller.exe
| MD5 | 884f182558478768a43de12bbb5bd168 |
| SHA1 | 831ce37ca2289cf123733306077b936c9407319d |
| SHA256 | bb4fa744d72612edd395213bba74efe233464cc8707ec55aa85052b6211757b4 |
| SHA512 | 665e957a508547a673ec354ef8008e16058e7aa50f1520e0539940c99beb35b9375c9546efa3dab58ced01a80c95a68ed17c76350efde3472da625ea877043ff |
C:\Program Files (x86)\Roblox\Versions\RobloxStudioInstaller.exe
| MD5 | 10cf53cd838a1913242e134965a426d2 |
| SHA1 | b328750ac3d286672e3ae7472c6ba0b2672f3bc2 |
| SHA256 | 927da2af17da25b97df86c29948204c42b506bc948a3652e55440c30f6ea42ec |
| SHA512 | d172e1fb62fe0cbab3b14e67ae22cfe67b11f499d67ec56e0d4d318712e83d6366a4dd28b2d60a1a66843c48d6506d74d7bd61afb385c644f8b911d15cf5b5bd |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | 2ad392405e93cd7236f04792f72b5494 |
| SHA1 | 114b1d6e50b3824f0d06c9ca5bd686a3ced62725 |
| SHA256 | a5c20b2747b8ea34a9437a74ac7ede194afd98e373ed36474a44985e383b51d8 |
| SHA512 | e1d24be88899f1922a8d58234e6d529a0a75b488c58845610bcf6e9549d6ce360593f46924888dcb7ad374fd3d4762eeceabd88a95c3b1344e1579b3a2eb338b |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | dc300e1da24414f881d1de5b77812e55 |
| SHA1 | f703a52e453a8a5f8ecd9f56a100cc3e08a1f563 |
| SHA256 | 957508825206c226aff9ce952ddfb0465281f57f1906f32f0c496b7962a70253 |
| SHA512 | 9fb6e6426899af76fcb0eea21145d99198477cab497f3788e640f1d1d338aef1416d64333fedd3f55b808aafe848e85030b2f6a07054bd1e1d432e3d61800db6 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | 91ee94e44ce18f82d3bd3d16fddc13a0 |
| SHA1 | e24ea9195538bb04e1d4274042ecb19302aa83da |
| SHA256 | 690ae170568fb6e11db03b4f68968d6e4d1b9f40106ac0fb2443a05073cd9800 |
| SHA512 | 344253879a29196d9f16ebd01740b34acec25995cbd1107816abfe70d2f53b31e6964b4e58c762c3914b0d27e07c32920de41803f07ab49aef9d4f5fe01b1826 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
| MD5 | 4a4ba4f966ee7cba34303d17f6af9246 |
| SHA1 | c71209d16e5c55baa7d67b82ab4aa35909370213 |
| SHA256 | be301cda4e7b575e2bd3983076f34d5ebc6d2940de237b1740a41e75f7d085a8 |
| SHA512 | 986bc33a62b88f5db21af80e3cad3c94773bbf6c3973ac5a12079d2d5b99c11f873a8741d9d4e059b27e49b4a66ce7338dee857a75d418c998180dbadb393df5 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 027ee8ce43e35901637763266f5b69f3 |
| SHA1 | 85cd6cf10ee1034a254e26daa45d4ce856e307dd |
| SHA256 | 449c1163a31ffc4c01ba9f82121ea058395c5a74fa66819d8b5019f51d9b32c9 |
| SHA512 | 0a8fd586a887cc82d495d0a0498146bd1b323e825bb1d4643306929ac698203f9acdae4b91f597aa498b9915c5c66c00d97d84512972d42c77cbde74dfd05867 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | 062deb05cf184272bad5c8f23902442c |
| SHA1 | 3820806fde5d39667faddee261696dd4f3608fa5 |
| SHA256 | 50fbeeed5110fb2fb66ee7b607c18769d9c6756fea3314d3f442e0e29875de47 |
| SHA512 | ed441e760277ebffb2fef0a5ae534b448c09723bac875b657ad636d28299ad82f5f354193f3c4012873c871beeb0b5bfb7386b41b8fd4e123399d4ea27d905dc |
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
| MD5 | 4dc57ab56e37cd05e81f0d8aaafc5179 |
| SHA1 | 494a90728d7680f979b0ad87f09b5b58f16d1cd5 |
| SHA256 | 87c6f7d9b58f136aeb33c96dbfe3702083ec519aafca39be66778a9c27a68718 |
| SHA512 | 320eeed88d7facf8c1f45786951ef81708c82cb89c63a3c820ee631c52ea913e64c4e21f0039c1b277cfb710c4d81cd2191878320d00fd006dd777c727d9dc2b |
C:\ProgramData\Microsoft\EdgeUpdate\Log\MicrosoftEdgeUpdate.log
| MD5 | 60be3730f80b023f63c3f2b8cd9752be |
| SHA1 | 338d6e3d9a651ac0baaa00217e91a00b2c2ecb0a |
| SHA256 | c524026457dceffbdf271e3201f0e117d114611cee08eaaf7da0b6a16194eabe |
| SHA512 | 9e96963ab599a2565c4af991a42d4bc10ff14feb13075d8541e69ac61105f60257d797af7425db13b10ec75605b4dca09901fe52b8208d22922d707088e44b3b |
memory/2296-2338-0x00000000001D0000-0x00000000001D1000-memory.dmp
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
| MD5 | f0545f7ee4018b5915763221f4b13107 |
| SHA1 | a6337e7fbbf7f294533442bd75f2b60566469703 |
| SHA256 | 2eb152b4852988ef704d41ef5a98e12e03c7234e48220b12a8265a2c9f8ed586 |
| SHA512 | ea8e1290068c8ad9b553597fd5755885808dd306eb6c8f637bed436230c9a22b264a741fb50ac605111a4877c3e9f27b7aab3844b66d90660926ad707af40599 |
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
| MD5 | a266bb7dcc38a562631361bbf61dd11b |
| SHA1 | 3b1efd3a66ea28b16697394703a72ca340a05bd5 |
| SHA256 | df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e |
| SHA512 | 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc |
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | b2f58b85d5c821055b50e21c755148d6 |
| SHA1 | 9af1f6c5fa2546102806b600a667f04cc697b75e |
| SHA256 | a1cde542f54b99fd6cd46de714f792086b70bacc40270f0cd622673bd15877f3 |
| SHA512 | 84a3bb1e00561d352965313744078aacf29bee328fde27433996814da309edd0c240f95d39d4a6481092b98675c3c6c674b7710816fad968f257120c187ca073 |
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 5841e252c1df16a92eb9fe76c3f51acc |
| SHA1 | 63034904df18437a50fc348d66dab32c459dd01d |
| SHA256 | fd430bf74c5aa648924947c5cc2c329a120899113d18681b7d72e7d811871abc |
| SHA512 | 30a75dc6ea100f18d021311a63288a1288a4007b452eb008cd4623365d2ca06cab3d4633e5ee79ba7fe84692780528eab0bebaf1a2492633246f3606c442e6e5 |
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 9b1c32fe96a533ef18fbfd6c7e54c703 |
| SHA1 | 249a08c0d053f6d37ab83473fd4220da9b290ef5 |
| SHA256 | 2a851617cf56c3dd9ba4f48b5b3e78eefd136b6aeabb62db77bd8477c9630640 |
| SHA512 | 7c0b499299142c80652888b737bef5a174f1a89a606d2027d84a997aaf9ecb6a3965c8a40a7447f5392646594e163bc2929d2ff5ce3d5a201c128abfad45a79f |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | d4d23a40af9edbb58348094ad7317780 |
| SHA1 | fe96ebdfe83f6fa7f0de5ed9e41de156c1765e10 |
| SHA256 | f483ddc8cadccc12d9b024fe602b994a8c8b5f54b7b635b563215b28897aaaaa |
| SHA512 | a8bb0c3c56dbfa70b940d8335596011666efb2fe41b49b630c98bdde1258f836a802e4cc73dc34bbb4efbcebf0814fe4151407b1409d2696705e82c50ab9baf7 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
| MD5 | 0bb3b1eb7e3a450a900dd5dd8f67daba |
| SHA1 | 8432f89c6e2363fc74314d34aa582c25b0653411 |
| SHA256 | 9aafd461b0a47191b24c533da544eb236c204bf7f1ee946034fc6d69b8f9be01 |
| SHA512 | a0bf659944e42e8c2bbbbefb2b312d667e7642611ea10872a5c55a4313073b474121b8999ca36583e30165c01ed9a74a73a1ee8483441a867e889ac5077e9d14 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 669cfa55e356f1673709ea4a67e57e71 |
| SHA1 | 8d4101b1986b06fcb569d94099fe3ff47fb514bb |
| SHA256 | fdd669b8fa2e34aa125543e2a21f0cfb2cc14cbab35f4420449757ffe10ea666 |
| SHA512 | 1e758c23bd826347efb06f7fcf6babe711970c539ba6e28725df4cda1d022fa1358b5b56e861110c7f37c8cfdda148f86133bef4602014f3dcf133767015d7e2 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | d638c7f7e2fb459504f5c542d7bd6e63 |
| SHA1 | 48b9cb3f4988848a2b16f560fe90099dc14a2230 |
| SHA256 | 80abd371abf997acc77eecad6f8199b724e5a20a656a2da1c91019cf1c5a8a23 |
| SHA512 | cb49f573947faeb91d118dff2d930c14bb192715d73ce59136052b6ba4173a8f16351028a7edb84fd1bc6df69afd0026761e1b72eec4d610ab3ba722d016b9d7 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | 43b241d78013bafa7da0c8da1170f7b1 |
| SHA1 | 9f2885741a1988a492c9c006bee53477fcae8bd3 |
| SHA256 | 6983c55e48339cec15702cab420cdf01332a227f77f577548e47afb63865e7a4 |
| SHA512 | b62839289d9f67805eddb55dd45ac9174b2a6b77c24582b45de34d330c24c0af096f0b17ca063f90b69b7c90857da20d5bf8fa05f8392503d9fdcb19579d73c8 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 9d6dbc8989694559eafbf5ff6fa0f001 |
| SHA1 | 07c90465581769b92cf6e82683d2f434c55e7369 |
| SHA256 | 2559af3d3a7630e20cd5e8e041d380b3e86d212b4c0e64dd10dfcca818549f25 |
| SHA512 | ea7b3b5ac7fb1ef25a07773cddd8379b830f7df8c358cbacbda6b20940c264ac3d5f94071edf9f8f055ad74a5b87d9e3de7824c5dc761a38f5d88a3005e9b140 |
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC
| MD5 | 5ca9e62ca1710a688b038c84f3847412 |
| SHA1 | cebe22921a99c35c73b277539eb5ea57655c7b73 |
| SHA256 | 22927519d58dd3e72fd8549c05c41c8c16c45701b0ff9c9877fc976afe16fa8b |
| SHA512 | d5330b3588acc55d6b7bdfeba962535ea0b180b677530c6e9b427bab5cda6dc5badbc39992cc6e065b0772c1d1f05a5ab13d8628a44086b4fabd1b3492f6b398 |
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC
| MD5 | e4a68ac854ac5242460afd72481b2a44 |
| SHA1 | df3c24f9bfd666761b268073fe06d1cc8d4f82a4 |
| SHA256 | cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f |
| SHA512 | 5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 1c70f2fbeb3339ece005033f6e50dc30 |
| SHA1 | 357ba4ef8f10c50886134fac564dca170ae681ef |
| SHA256 | 7333c50fe73e5a553e3c3cc73595ad5f35d7d6a26dabdef83504bf69428ebd05 |
| SHA512 | 136dcdd3d999d5096188206bc637476db94b67bc57910db5e024b97cda72a256f80df71dbca5d1c3020dd5a74a40f732e12728df6a8dc212b26efeb7f8d0f5f8 |
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | a9ce622815b2013afde1b0ad49a21b59 |
| SHA1 | b436a6762d3ec9b17c527727faa9bdf693f4a182 |
| SHA256 | 713a1bf0d46836ba2332480c075b7e06c43424bcb80db60722e8609579ad2502 |
| SHA512 | ca6d39251eb9ad8a14ce2120c0a67705ddbdd3afcc6255cdd9fe0d348f6feca03c98acb561cfbe6c482c39d68483ed17ed40e634d3fc11d541ca87f1f29cd320 |
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 4fd5b396731fa0f878db69fa385e96cf |
| SHA1 | 34407f3342477383b6b96fdf045865c1de9b7c13 |
| SHA256 | b6b45dfdde4b3122086fe8d1442bb0f93e84ceb2e1319b39d0d6b16eea389575 |
| SHA512 | c4af02c77163b3df456369c399d5e329e470b1454a8bf4fafeed9650e0e0de81ff0652a227eb74eb327505e80353cd7d5d70eb25f095694df5713549eac425c4 |
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 42c9559b99330e254ebdeddc4e89efa4 |
| SHA1 | 9360b1a6492c61be89348198e6404e22ef44bd2d |
| SHA256 | cd0ab733c1b71c05a18683f95c5efaba1fa78e6448dcfd0dce1512a82f7c56d1 |
| SHA512 | fd14d789cdf247624c6f4f6eccd4527616d515e0cb6df514a99c11648dbe654fd2e6a3f550dd99d9d54e68836a4c2b7390e366092e61bd4722155e9d05cd0bb0 |
memory/2156-3422-0x0000000000090000-0x0000000000128000-memory.dmp
memory/2156-3425-0x0000000000090000-0x0000000000128000-memory.dmp
memory/2784-3444-0x0000000000090000-0x0000000000128000-memory.dmp
memory/2784-3442-0x0000000000090000-0x0000000000128000-memory.dmp
C:\Program Files (x86)\Microsoft\EdgeUpdate\Download\{F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}\109.0.1518.140\MicrosoftEdge_X64_109.0.1518.140.exe
| MD5 | e79c52c0042c75419649519268251dde |
| SHA1 | abe2c173a751d54e3cc88691a811a7501628d23b |
| SHA256 | 1eec90c71e482e7e1c6b8929f038603315b175bffe096e35106f8203361d4379 |
| SHA512 | f94a018ce1e6495ce68fb413cd9fb97905fdc04563fc8ba3e958afd39b0304ba81c2eb60cad9b12b6d3fadd8017b8590b7eab66d189466a13134488959f14d67 |
C:\Program Files (x86)\Microsoft\EdgeWebView\Temp\source3028_1576754369\109.0.1518.140\Installer\setup.exe
| MD5 | 3a92a61a6e01c80ecc7d9499abb901b7 |
| SHA1 | d89d05802d937f9c71ced14282b8a19623fca7c8 |
| SHA256 | b70b2ed82c7afde8003983992b74f8182f55080b43da3d96dd29e8c0c7e8b47e |
| SHA512 | 3867efbd984ddd1eec084c70a42104cbc0057c3bed222af8963051779b612b46bf4cea3311452f6564513d7558d49a1e66a9473ad53f1b2fb4c43a9d7d0fb47d |
C:\Program Files (x86)\Microsoft\EdgeWebView\Temp\source3028_1576754369\109.0.1518.140\Installer\msedge_7z.data
| MD5 | bd70ed26e6e6f3193043ac09c58c6a1c |
| SHA1 | d733a65e17f2851d5116598dd80533efc1656468 |
| SHA256 | 7a474217d20b9a6fe3c3a46c0d6d5b2d2040fa790663f6da9202ee7cb07bb448 |
| SHA512 | 3e2ecade6d687b0736d5eafd7527b24095b9c51f0c8ba99398b23da2d8843c49fc8c1fa37190d385b504d8224c8c517d78d44ae32e10e45d54b19477a6970756 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-02-29 02:03
Reported
2024-02-29 02:34
Platform
win10v2004-20240226-en
Max time kernel
1734s
Max time network
1482s
Command Line
Signatures
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 2928 created 3440 | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\31216\Expressions.pif | C:\Windows\Explorer.EXE |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\AuroraV2\Aurora X.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\31216\RegAsm.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\31216\RegAsm.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\31216\Expressions.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\31216\RegAsm.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe | N/A |
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Enumerates physical storage devices
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\31216\Expressions.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\31216\Expressions.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\31216\Expressions.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\31216\Expressions.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\31216\Expressions.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\31216\Expressions.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\31216\Expressions.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\31216\Expressions.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\31216\RegAsm.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\31216\Expressions.pif | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\31216\RegAsm.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\31216\Expressions.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\31216\Expressions.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\31216\Expressions.pif | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\31216\Expressions.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\31216\Expressions.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\31216\Expressions.pif | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\AuroraV2\Aurora X.exe
"C:\Users\Admin\AppData\Local\Temp\AuroraV2\Aurora X.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k move Approve Approve.bat & Approve.bat & exit
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "wrsa.exe opssvc.exe"
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c md 31216
C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b Nuclear + Plasma + Proper + Merger 31216\Expressions.pif
C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b Practice 31216\z
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\31216\Expressions.pif
31216\Expressions.pif 31216\z
C:\Windows\SysWOW64\PING.EXE
ping -n 5 127.0.0.1
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\31216\RegAsm.exe
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\31216\RegAsm.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | GcIcVSqBZYfPLer.GcIcVSqBZYfPLer | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| NL | 45.15.156.186:29975 | | tcp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 186.156.15.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 168.117.168.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| NL | 52.142.223.178:80 | | tcp |
| US | 8.8.8.8:53 | 79.121.231.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Approve
| MD5 | 4849b374e88e174f9b35b5e5e9269ae6 |
| SHA1 | 6199bff5bad3b5088685aeb08686ad303f4f6c29 |
| SHA256 | 1deef19e64390b8d41481acd973405e9ce23cfabdcac203f684532de244ac073 |
| SHA512 | 1c079cb1d8f78e1833945967fc0daf3bd8250196fe430bea1db8522385e0b193e1ee488b821c760e1f12f4c8d61b653871df4675e73c115964857ed3d2cc0ff9 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Nuclear
| MD5 | 62a7e75d1df779e6169adb0cfa905694 |
| SHA1 | 3f855dc814432bd0cd6e793c5a5bb2776b838602 |
| SHA256 | 7fa7da730c634c4a21832d2d35cbe4a6d1484fcfadbae988e2e97a9ad76f73db |
| SHA512 | 1f22866bfe4c6186b77c05aca2e4088c30e7ea1fe6057782a2a7aefda9221c78be2fe2cc5c673fd266e12218e91a66b254e90ff1d94f9ba6b8552c1e6bbc1698 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Plasma
| MD5 | 65b274e03e99948cbb03a0464e66ba89 |
| SHA1 | 129196df7c9cc04f868f66e0f8fad494a6c4e379 |
| SHA256 | 4bfaa5267e22645c0cdacc3154902d9ca2ea3559f47d6acf6813aa20ee1bb75d |
| SHA512 | 2fcb83966b7c9d1709124c9efc5bd24aa1135e91a74d2c92e344465de1ab4b42811a8f2e264e801acbe4f3080e575a0730a38e87564c9f5c74a9d5f71b7a8bc4 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Merger
| MD5 | 7196d7109e4b363cd13654db907ffea4 |
| SHA1 | 21f016d6c8e5bde1c23e48e9cb811dce3227eb7b |
| SHA256 | 9eacfcb6381b4e19513707811960b233337460e57a798e053d6cd0b4e1c3a7e4 |
| SHA512 | 41ab7e0411dcb7b378a2068756a403f0092b19dac52f244f871e871abee10b78d29b54a89b411a9b841777a5e4d47def9c60f40cdbbd60bc2f3690c739fd4b02 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Proper
| MD5 | 5047c62efa1d3a7319f3495137cb8224 |
| SHA1 | 0d0d3d840d2d484d8e4db23fd72aff6a0c514aed |
| SHA256 | 76c8d934bd2c8abae1b4cc482c45cf910935411ab643f8c0e54be92c2f63849a |
| SHA512 | 66cfc6656cd6f18fea5fba95d0403664b188acf21a53d76eda5f6692d41950f69ccf2b0ae8e7aeefb0e50c068acf4f61357109983ff2c6db8e1efc076bd9ecfc |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Practice
| MD5 | 02c12a95e4fcbadc9cd8c35c8a6b5b45 |
| SHA1 | 3f9f0e5680497727ff7f6a3a3a245087ec668a79 |
| SHA256 | d3cd709f6751e6f167b3e04706f45542528088af51454a6cfde05041523b0e72 |
| SHA512 | 5cb441debcb4a68dbe2ad07576452bb7bbdc2630b711a9ef2a2d9068216c48d00e9a063d52fce2bdb274b7872d842c91e84318da31d6d7c8d2d41a4e72204a2c |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\31216\Expressions.pif
| MD5 | 848164d084384c49937f99d5b894253e |
| SHA1 | 3055ef803eeec4f175ebf120f94125717ee12444 |
| SHA256 | f58d3a4b2f3f7f10815c24586fae91964eeed830369e7e0701b43895b0cefbd3 |
| SHA512 | aabe1cf076f48f32542f49a92e4ca9f054b31d5a9949119991b897b9489fe775d8009896408ba49ac43ec431c87c0d385daead9dbbde7ef6309b0c97bbaf852a |
memory/2928-24-0x0000000076EA1000-0x0000000076FC1000-memory.dmp
memory/2928-27-0x0000000005470000-0x0000000005471000-memory.dmp
memory/3696-29-0x0000000001300000-0x0000000001398000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\31216\RegAsm.exe
| MD5 | 0d5df43af2916f47d00c1573797c1a13 |
| SHA1 | 230ab5559e806574d26b4c20847c368ed55483b0 |
| SHA256 | c066aee7aa3aa83f763ebc5541daa266ed6c648fbffcde0d836a13b221bb2adc |
| SHA512 | f96cf9e1890746b12daf839a6d0f16f062b72c1b8a40439f96583f242980f10f867720232a6fa0f7d4d7ac0a7a6143981a5a130d6417ea98b181447134c7cfe2 |
memory/3696-32-0x0000000072980000-0x0000000073130000-memory.dmp
memory/3696-33-0x0000000005920000-0x0000000005930000-memory.dmp
memory/3696-34-0x0000000005F50000-0x0000000006568000-memory.dmp
memory/3696-35-0x0000000005930000-0x0000000005A3A000-memory.dmp
memory/3696-36-0x0000000005800000-0x0000000005812000-memory.dmp
memory/3696-37-0x0000000005860000-0x000000000589C000-memory.dmp
memory/3696-38-0x00000000058B0000-0x00000000058FC000-memory.dmp
memory/3696-39-0x0000000005C80000-0x0000000005CE6000-memory.dmp
memory/3696-40-0x0000000006C20000-0x00000000071C4000-memory.dmp
memory/3696-41-0x0000000006760000-0x00000000067F2000-memory.dmp
memory/3696-42-0x0000000006800000-0x0000000006876000-memory.dmp
memory/3696-43-0x0000000006940000-0x000000000695E000-memory.dmp
memory/3696-44-0x00000000075D0000-0x0000000007620000-memory.dmp
memory/3696-45-0x0000000007E80000-0x0000000008042000-memory.dmp
memory/3696-46-0x0000000008580000-0x0000000008AAC000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe
| MD5 | a5ce3aba68bdb438e98b1d0c70a3d95c |
| SHA1 | 013f5aa9057bf0b3c0c24824de9d075434501354 |
| SHA256 | 9b860be98a046ea97a7f67b006e0b1bc9ab7731dd2a0f3a9fd3d710f6c43278a |
| SHA512 | 7446f1256873b51a59b9d2d3498cef5a41dbce55864c2a5fb8cb7d25f7d6e6d8ea249d551a45b75d99b1ad0d6fb4b5e4544e5ca77bcd627717d6598b5f566a79 |
memory/5044-59-0x0000000000870000-0x0000000000878000-memory.dmp
memory/3696-60-0x0000000072980000-0x0000000073130000-memory.dmp
memory/5044-61-0x00007FFC944E0000-0x00007FFC94FA1000-memory.dmp
memory/5044-62-0x00007FFC944E0000-0x00007FFC94FA1000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2024-02-29 02:03
Reported
2024-02-29 02:34
Platform
win7-20240221-en
Max time kernel
1560s
Max time network
1561s
Command Line
Signatures
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB70-AE6D-11cf-96B8-444553540000} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB70-AE6D-11cf-96B8-444553540000}\Compatibility Flags = "65536" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\NavigatorPluginsList\Shockwave Flash | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\NavigatorPluginsList\Shockwave Flash\application/futuresplash | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\NavigatorPluginsList\Shockwave Flash\application/x-shockwave-flash | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.12\ = "Shockwave Flash Object" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\AuroraV2\\scripts\\scripts.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{86230738-D762-4C50-A2DE-A753E5B1686F}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MacromediaFlashPaper.MacromediaFlashPaper\ = "Macromedia Flash Paper" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\FlashFactory.FlashFactory\CurVer\ = "FlashFactory.FlashFactory.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.7\ = "Shockwave Flash Object" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.8\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.23 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mfp\Content Type = "application/x-shockwave-flash" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.15\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ = "Macromedia Flash Factory Object" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.1 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\FlashFactory.FlashFactory\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.12 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.14 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.11 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.17\ = "Shockwave Flash Object" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.sor\Content Type = "text/plain" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\AuroraV2\\scripts\\scripts.dll, 1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/futuresplash | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\FlashFactory.FlashFactory\CLSID\ = "{D27CDB70-AE6D-11cf-96B8-444553540000}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.5\ = "Shockwave Flash Object" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.21\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID\ = "ShockwaveFlash.ShockwaveFlash.23" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.6\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.20\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MacromediaFlashPaper.MacromediaFlashPaper\DefaultIcon | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID\ = "FlashFactory.FlashFactory.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{86230738-D762-4C50-A2DE-A753E5B1686F}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.11\ = "Shockwave Flash Object" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID\ = "FlashFactory.FlashFactory" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.swf\ = "ShockwaveFlash.ShockwaveFlash" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.10\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0\HELPDIR | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.swf\Content Type = "application/x-shockwave-flash" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-shockwave-flash | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.3\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash\CurVer\ = "ShockwaveFlash.ShockwaveFlash.23" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.8\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\AuroraV2\\scripts\\scripts.dll, 1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{86230738-D762-4C50-A2DE-A753E5B1686F}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.7\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0\0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{86230738-D762-4C50-A2DE-A753E5B1686F} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}\TypeLib\ = "{D27CDB6B-AE6D-11CF-96B8-444553540000}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{86230738-D762-4C50-A2DE-A753E5B1686F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.19\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.9\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.11\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.12\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.17 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.4\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.5\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2864 wrote to memory of 2912 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2864 wrote to memory of 2912 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2864 wrote to memory of 2912 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2864 wrote to memory of 2912 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2864 wrote to memory of 2912 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2864 wrote to memory of 2912 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2864 wrote to memory of 2912 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\AuroraV2\scripts\scripts.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\AuroraV2\scripts\scripts.dll