Malware Analysis Report

2024-10-16 05:21

Sample ID 240229-cgq8gsah5w
Target Aurora [by Ryosx].zip
SHA256 b405c6851a96d513518fa906328f07f9468bf2142baba0059ee286888d2a77ea
Tags
cryptone packer discovery spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b405c6851a96d513518fa906328f07f9468bf2142baba0059ee286888d2a77ea

Threat Level: Known bad

The file Aurora [by Ryosx].zip was found to be: Known bad.

Malicious Activity Summary

cryptone packer discovery spyware stealer

Suspicious use of NtCreateUserProcessOtherParentProcess

CryptOne packer

Downloads MZ/PE file

Drops startup file

Reads user/profile data of web browsers

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Checks installed software on the system

Accesses cryptocurrency files/wallets, possible credential harvesting

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Uses Volume Shadow Copy service COM API

Modifies Internet Explorer settings

Enumerates system info in registry

Suspicious use of SendNotifyMessage

Suspicious behavior: GetForegroundWindowSpam

Runs ping.exe

Suspicious use of SetWindowsHookEx

Enumerates processes with tasklist

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

Uses Volume Shadow Copy WMI provider

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-29 02:03

Signatures

CryptOne packer

cryptone packer
Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-02-29 02:03

Reported

2024-02-29 02:34

Platform

win10v2004-20240226-en

Max time kernel

1789s

Max time network

1799s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\AuroraV2\scripts\scripts.dll

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB70-AE6D-11cf-96B8-444553540000}\Compatibility Flags = "65536" C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\INTERNET EXPLORER\NAVIGATORPLUGINSLIST\SHOCKWAVE FLASH C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\NavigatorPluginsList\Shockwave Flash C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\NavigatorPluginsList\Shockwave Flash\application/futuresplash C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\NavigatorPluginsList\Shockwave Flash\application/x-shockwave-flash C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB70-AE6D-11cf-96B8-444553540000} C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.8\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.10\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.11\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\AuroraV2\\scripts\\scripts.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.7\ = "Shockwave Flash Object" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Control C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/futuresplash\Extension = ".spl" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.6\ = "Shockwave Flash Object" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.15 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.19\ = "Shockwave Flash Object" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.19\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version\ = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{57A0E746-3863-4D20-A811-950C84F1DB9B}\1.1\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.4\ = "Shockwave Flash Object" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.23\ = "Shockwave Flash Object" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{57A0E747-3863-4D20-A811-950C84F1DB9B}\ = "IFlashAccessibility" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.6\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.22 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{57A0E747-3863-4D20-A811-950C84F1DB9B} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{307F64C0-621D-4D56-BBC6-91EFC13CE40D} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.14\ = "Shockwave Flash Object" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}\TypeLib\ = "{D27CDB6B-AE6D-11CF-96B8-444553540000}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{57A0E746-3863-4D20-A811-950C84F1DB9B}\1.1\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MacromediaFlashPaper.MacromediaFlashPaper\shell\open C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.11\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{57A0E747-3863-4D20-A811-950C84F1DB9B} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}\TypeLib\ = "{D27CDB6B-AE6D-11CF-96B8-444553540000}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mfp\ = "MacromediaFlashPaper.MacromediaFlashPaper" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{86230738-D762-4C50-A2DE-A753E5B1686F}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{57A0E747-3863-4D20-A811-950C84F1DB9B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.9\ = "Shockwave Flash Object" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.12 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.22\ = "Shockwave Flash Object" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.23\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{86230738-D762-4C50-A2DE-A753E5B1686F}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.18\ = "Shockwave Flash Object" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.16 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.11 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID\ = "ShockwaveFlash.ShockwaveFlash" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\FlashFactory.FlashFactory.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{86230738-D762-4C50-A2DE-A753E5B1686F}\TypeLib\ = "{D27CDB6B-AE6D-11CF-96B8-444553540000}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.13 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{57A0E746-3863-4D20-A811-950C84F1DB9B}\1.1\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{57A0E747-3863-4D20-A811-950C84F1DB9B}\TypeLib\Version = "1.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.5\ = "Shockwave Flash Object" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{86230738-D762-4C50-A2DE-A753E5B1686F}\TypeLib\ = "{D27CDB6B-AE6D-11CF-96B8-444553540000}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{57A0E747-3863-4D20-A811-950C84F1DB9B}\TypeLib\ = "{57A0E746-3863-4D20-A811-950C84F1DB9B}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.17 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{86230738-D762-4C50-A2DE-A753E5B1686F}\ = "IFlashObject" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.spl C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{307F64C0-621D-4D56-BBC6-91EFC13CE40D}\TypeLib\Version = "1.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/futuresplash C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4168 wrote to memory of 3124 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4168 wrote to memory of 3124 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4168 wrote to memory of 3124 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\AuroraV2\scripts\scripts.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\AuroraV2\scripts\scripts.dll

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3968 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5108 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 58.99.105.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
IE 209.85.203.95:443 chromewebstore.googleapis.com tcp
US 8.8.8.8:53 95.203.85.209.in-addr.arpa udp
US 8.8.8.8:53 2.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-29 02:03

Reported

2024-02-29 02:10

Platform

win7-20240221-en

Max time kernel

150s

Max time network

348s

Command Line

C:\Windows\Explorer.EXE

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 2552 created 1184 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\31206\Expressions.pif C:\Windows\Explorer.EXE

Downloads MZ/PE file

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\31206\RegAsm.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Enumerates physical storage devices

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\31206\Expressions.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\31206\Expressions.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\31206\Expressions.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\31206\Expressions.pif N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\31206\RegAsm.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\31206\RegAsm.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\31206\RegAsm.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\31206\RegAsm.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\31206\RegAsm.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\31206\RegAsm.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\31206\RegAsm.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\31206\RegAsm.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\31206\RegAsm.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\31206\RegAsm.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\31206\RegAsm.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\31206\RegAsm.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\31206\RegAsm.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\31206\RegAsm.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\31206\RegAsm.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\31206\Expressions.pif N/A
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\31206\RegAsm.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\31206\Expressions.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\31206\Expressions.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\31206\Expressions.pif N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\31206\Expressions.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\31206\Expressions.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\31206\Expressions.pif N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2128 wrote to memory of 2052 N/A C:\Users\Admin\AppData\Local\Temp\AuroraV2\Aurora X.exe C:\Windows\SysWOW64\cmd.exe
PID 2052 wrote to memory of 2696 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2052 wrote to memory of 2700 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2052 wrote to memory of 2748 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2052 wrote to memory of 2736 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2052 wrote to memory of 2652 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2052 wrote to memory of 2804 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2052 wrote to memory of 2612 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2052 wrote to memory of 2552 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\31206\Expressions.pif
PID 2052 wrote to memory of 2436 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2552 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\31206\Expressions.pif C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\31206\RegAsm.exe
PID 2620 wrote to memory of 2656 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2620 wrote to memory of 2004 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy WMI provider

ransomware

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\AuroraV2\Aurora X.exe

"C:\Users\Admin\AppData\Local\Temp\AuroraV2\Aurora X.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k move Approve Approve.bat & Approve.bat & exit

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "wrsa.exe opssvc.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c md 31206

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b Nuclear + Plasma + Proper + Merger 31206\Expressions.pif

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b Practice 31206\z

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\31206\Expressions.pif

31206\Expressions.pif 31206\z

C:\Windows\SysWOW64\PING.EXE

ping -n 5 127.0.0.1

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\31206\RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\31206\RegAsm.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef5bf9758,0x7fef5bf9768,0x7fef5bf9778

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1092 --field-trial-handle=1392,i,13808282240714328226,1492664619194990585,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1644 --field-trial-handle=1392,i,13808282240714328226,1492664619194990585,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1536 --field-trial-handle=1392,i,13808282240714328226,1492664619194990585,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2284 --field-trial-handle=1392,i,13808282240714328226,1492664619194990585,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2292 --field-trial-handle=1392,i,13808282240714328226,1492664619194990585,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"

C:\Windows\explorer.exe

"C:\Windows\explorer.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef3389758,0x7fef3389768,0x7fef3389778

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1156 --field-trial-handle=1144,i,14551013619960801077,8287128098323009793,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1532 --field-trial-handle=1144,i,14551013619960801077,8287128098323009793,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1620 --field-trial-handle=1144,i,14551013619960801077,8287128098323009793,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2316 --field-trial-handle=1144,i,14551013619960801077,8287128098323009793,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2328 --field-trial-handle=1144,i,14551013619960801077,8287128098323009793,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1504 --field-trial-handle=1144,i,14551013619960801077,8287128098323009793,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3180 --field-trial-handle=1144,i,14551013619960801077,8287128098323009793,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3652 --field-trial-handle=1144,i,14551013619960801077,8287128098323009793,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=3652 --field-trial-handle=1144,i,14551013619960801077,8287128098323009793,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3944 --field-trial-handle=1144,i,14551013619960801077,8287128098323009793,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=2572 --field-trial-handle=1144,i,14551013619960801077,8287128098323009793,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=2468 --field-trial-handle=1144,i,14551013619960801077,8287128098323009793,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3972 --field-trial-handle=1144,i,14551013619960801077,8287128098323009793,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3772 --field-trial-handle=1144,i,14551013619960801077,8287128098323009793,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1744 --field-trial-handle=1144,i,14551013619960801077,8287128098323009793,131072 /prefetch:8

C:\Program Files\7-Zip\7zFM.exe

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Desktop\AuroraV2.rar"

C:\Program Files\7-Zip\7zFM.exe

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Desktop\AuroraV2.rar"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=4256 --field-trial-handle=1144,i,14551013619960801077,8287128098323009793,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=4372 --field-trial-handle=1144,i,14551013619960801077,8287128098323009793,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4508 --field-trial-handle=1144,i,14551013619960801077,8287128098323009793,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4636 --field-trial-handle=1144,i,14551013619960801077,8287128098323009793,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --mojo-platform-channel-handle=1108 --field-trial-handle=1144,i,14551013619960801077,8287128098323009793,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --mojo-platform-channel-handle=3972 --field-trial-handle=1144,i,14551013619960801077,8287128098323009793,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=668 --field-trial-handle=1144,i,14551013619960801077,8287128098323009793,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=1880 --field-trial-handle=1144,i,14551013619960801077,8287128098323009793,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4408 --field-trial-handle=1144,i,14551013619960801077,8287128098323009793,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2708 --field-trial-handle=1144,i,14551013619960801077,8287128098323009793,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4412 --field-trial-handle=1144,i,14551013619960801077,8287128098323009793,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=788 --field-trial-handle=1144,i,14551013619960801077,8287128098323009793,131072 /prefetch:8

C:\Users\Admin\Downloads\RobloxPlayerInstaller.exe

"C:\Users\Admin\Downloads\RobloxPlayerInstaller.exe"

C:\Program Files (x86)\Roblox\Versions\version-70a2467227df4077\WebView2RuntimeInstaller\MicrosoftEdgeWebview2Setup.exe

MicrosoftEdgeWebview2Setup.exe /silent /install

C:\Program Files (x86)\Microsoft\Temp\EUE82D.tmp\MicrosoftEdgeUpdate.exe

"C:\Program Files (x86)\Microsoft\Temp\EUE82D.tmp\MicrosoftEdgeUpdate.exe" /silent /install "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=prefers"

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe

"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regsvc

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe

"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regserver

C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.171.39\MicrosoftEdgeUpdateComRegisterShell64.exe

"C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.171.39\MicrosoftEdgeUpdateComRegisterShell64.exe"

C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.171.39\MicrosoftEdgeUpdateComRegisterShell64.exe

"C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.171.39\MicrosoftEdgeUpdateComRegisterShell64.exe"

C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.171.39\MicrosoftEdgeUpdateComRegisterShell64.exe

"C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.171.39\MicrosoftEdgeUpdateComRegisterShell64.exe"

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe

"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNzEuMzkiIHNoZWxsX3ZlcnNpb249IjEuMy4xNzEuMzkiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7RTk1MENEM0MtMTIxMy00MkNDLUFBOTEtMDNBQzIwN0REMDdBfSIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiByZXF1ZXN0aWQ9Ins5QkYwNjFEQy04QTkwLTRCQzYtQjA2OC02NkM2NTY5QUYxNTl9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iOCIgcGh5c21lbW9yeT0iMiIgZGlza190eXBlPSIwIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSI2LjEuNzYwMS4wIiBzcD0iU2VydmljZSBQYWNrIDEiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSIxIiBpc193aXA9IjAiLz48b2VtIHByb2R1Y3RfbWFudWZhY3R1cmVyPSJEQURZIiBwcm9kdWN0X25hbWU9IlN0YW5kYXJkIFBDIChRMzUgKyBJQ0g5LCAyMDA5KSIvPjxleHAgZXRhZz0iIi8-PGFwcCBhcHBpZD0ie0YzQzRGRTAwLUVGRDUtNDAzQi05NTY5LTM5OEEyMEYxQkE0QX0iIHZlcnNpb249IiIgbmV4dHZlcnNpb249IjEuMy4xNzEuMzkiIGxhbmc9IiIgYnJhbmQ9IiIgY2xpZW50PSIiPjxldmVudCBldmVudHR5cGU9IjIiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjQ0ODU4ODAwMDAiIGluc3RhbGxfdGltZV9tcz0iNzU2Ii8-PC9hcHA-PC9yZXF1ZXN0Pg

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe

"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /handoff "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=prefers" /installsource otherinstallcmd /sessionid "{E950CD3C-1213-42CC-AA91-03AC207DD07A}" /silent

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe

"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /svc

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe

"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNzEuMzkiIHNoZWxsX3ZlcnNpb249IjEuMy4xNzEuMzkiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7RTk1MENEM0MtMTIxMy00MkNDLUFBOTEtMDNBQzIwN0REMDdBfSIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiByZXF1ZXN0aWQ9Ins2QTI2NDk5My1EOUNBLTQ1NEUtQkUyOS03Mzg1M0UzMDA4OTl9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iOCIgcGh5c21lbW9yeT0iMiIgZGlza190eXBlPSIwIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSI2LjEuNzYwMS4wIiBzcD0iU2VydmljZSBQYWNrIDEiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSIxIiBpc193aXA9IjAiLz48b2VtIHByb2R1Y3RfbWFudWZhY3R1cmVyPSJEQURZIiBwcm9kdWN0X25hbWU9IlN0YW5kYXJkIFBDIChRMzUgKyBJQ0g5LCAyMDA5KSIvPjxleHAgZXRhZz0iIi8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEwNi4wLjUyNDkuMTE5IiBuZXh0dmVyc2lvbj0iMTA2LjAuNTI0OS4xMTkiIGxhbmc9ImVuIiBicmFuZD0iR0dMUyIgY2xpZW50PSIiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIzIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI0NDkxNDgwMDAwIi8-PC9hcHA-PC9yZXF1ZXN0Pg

C:\Users\Admin\Desktop\AuroraV2\Aurora X.exe

"C:\Users\Admin\Desktop\AuroraV2\Aurora X.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k move Approve Approve.bat & Approve.bat & exit

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "wrsa.exe opssvc.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c md 32032

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b Nuclear + Plasma + Proper + Merger 32032\Expressions.pif

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b Practice 32032\z

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\32032\Expressions.pif

32032\Expressions.pif 32032\z

C:\Windows\SysWOW64\PING.EXE

ping -n 5 127.0.0.1

C:\Users\Admin\Desktop\AuroraV2\Aurora X.exe

"C:\Users\Admin\Desktop\AuroraV2\Aurora X.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k move Approve Approve.bat & Approve.bat & exit

C:\Windows\SysWOW64\findstr.exe

findstr /I "wrsa.exe opssvc.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Users\Admin\Desktop\AuroraV2\Aurora X.exe

"C:\Users\Admin\Desktop\AuroraV2\Aurora X.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k move Approve Approve.bat & Approve.bat & exit

C:\Windows\SysWOW64\findstr.exe

findstr /I "wrsa.exe opssvc.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\32032\RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\32032\RegAsm.exe

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c md 32052

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b Nuclear + Plasma + Proper + Merger 32052\Expressions.pif

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b Practice 32052\z

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.002\32052\Expressions.pif

32052\Expressions.pif 32052\z

C:\Windows\SysWOW64\PING.EXE

ping -n 5 127.0.0.1

C:\Windows\SysWOW64\cmd.exe

cmd /c md 32068

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b Nuclear + Plasma + Proper + Merger 32068\Expressions.pif

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b Practice 32068\z

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.003\32068\Expressions.pif

32068\Expressions.pif 32068\z

C:\Windows\SysWOW64\PING.EXE

ping -n 5 127.0.0.1

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.002\32052\RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.002\32052\RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.003\32068\RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.003\32068\RegAsm.exe

C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{89C46C0B-E3B2-4538-9E3B-947B29EF6721}\MicrosoftEdge_X64_109.0.1518.140.exe

"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{89C46C0B-E3B2-4538-9E3B-947B29EF6721}\MicrosoftEdge_X64_109.0.1518.140.exe" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level

C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{89C46C0B-E3B2-4538-9E3B-947B29EF6721}\EDGEMITMP_6EC7A.tmp\setup.exe

"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{89C46C0B-E3B2-4538-9E3B-947B29EF6721}\EDGEMITMP_6EC7A.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{89C46C0B-E3B2-4538-9E3B-947B29EF6721}\MicrosoftEdge_X64_109.0.1518.140.exe" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level

Network

Country Destination Domain Proto

Files


MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 6b7af3854116496f1ab3bf8d02b8b741
SHA1 65797e7d62f6f9feb289481f2d254ed494fd83a3
SHA256 26d13389df01e5b06e22fbfa83abf601618f45c773e803b34dd40f5033ed4e8b
SHA512 b2badee617bf2522da31e24118712d533d08609aecb0dde0f8c351f0cc76065fc91f4feb674de5a58fc11b2d21682aa820ecd175bbddd19ccc9dcc8cbb701304

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

MD5 08d43938063466d13791891ec0dd3592
SHA1 d60c57129cd4c9a712758441471c04b647633459
SHA256 290e1c5dc6b63eb05d83e4c1553495a572c6cba9429ba8a5bb97cde704521f84
SHA512 73b63b16f520018407195f3f342a348b67f9a1f354c5254b33809f57246949cfdaa630138063efbe20c2091f28c33df4f85c1a340dba4774bac7a1dc285ec258

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 b4b7275c929f42909182e0f4c8c3f772
SHA1 d6fea1bd0bb0d6d552bb87c274d9b0f5cc8a7abc
SHA256 5e9269a6201121611486795f0c8058a760f0724a3ba027f3c98a7854dfcd69b7
SHA512 641496b219fd1e5a32acea19e4fb1eb6089e8c5b40a3987feab831f52662be3afd8ddcacd956c784b485559b95a557d3428e0937ba73725dbf558eda6de9c7c5

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

MD5 ae911057c3ba9eacc3ae6459138a8786
SHA1 3ca47d09830ac498e3db83c7ef67909cfab0db9d
SHA256 e5bc3a8471d9920d59b66c5ffa77a0e29f409acc7fe23b99d11abbac24db48e1
SHA512 77b2ce29f14d502eed2d1b725a240929bc29bcf68533c451ab84617298b409a907e48379881e411fa155a2ce6f93e60ea6394e31d6e89cedebd5971e133c454d

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 8397b430687efc698b216fdf7e34c563
SHA1 027df3e061198d59b7723d300aa6bdd29f7cbd31
SHA256 f9fd6cfe54a1feba98eacf08b4076ee2be8899ac93a05a500008b1786e5a2e01
SHA512 f7418098d3a20bd0acc42831412af33e55a7ef372de79f173fd6614f1da13924d1d1f8bcc5899fd441a652102c0c37fd87f61fd90a41347602a210dccca04163

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000c

MD5 4923a7479f3522cbe9389d7a4862ac07
SHA1 1bc1eb916c29c8cb05f5e46deb5740b2c5e992ed
SHA256 6d83cc91996c474cc23c3a20d6cc27b91e34117d0e15277512711efb9a6080be
SHA512 3d0dda89630f837e20956edd8ec1a083c79f5934f10adfffb116dc499d3b78418929f5c557c395cd78ef58d8a23ed2ce3af302a549a9d2aabae333c3857c8cd8

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_www.roblox.com_0.indexeddb.leveldb\LOG.old

MD5 f01924fb1ebcfca1ac5e1ccb09a2a786
SHA1 f98791801bb5378b1336a42d82473c23a4ae6849
SHA256 a49c2dead6bb6bce2e4b7b04d49cb7c5f60137803ee33a856cbf08803de81fb9
SHA512 ca2e0fd7f2c311f4d98c55e9d2ec487e842dfc51998e1b35611d03ab009eb4a6aad18adbe256508cf5f222c187926124514092b840a66e5f27fa81fac41ce3ac

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00003a

MD5 588ee33c26fe83cb97ca65e3c66b2e87
SHA1 842429b803132c3e7827af42fe4dc7a66e736b37
SHA256 bbc4044fe46acd7ab69d8a4e3db46e7e3ca713b05fa8ecb096ebe9e133bba760
SHA512 6f7500b12fc7a9f57c00711af2bc8a7c62973f9a8e37012b88a0726d06063add02077420bc280e7163302d5f3a005ac8796aee97042c40954144d84c26adbd04

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 8bdd58c75d1266f4cf0ff0feca97b136
SHA1 5d537125096ad3af6cd08ffda584523f9dcf323d
SHA256 82887c755cc389a06d344a19391e6ce82ca3bdbd10b04e74cdc419d29f577d20
SHA512 8c9a0d08700762c8a01cbd38fef182684470cec857215a9e295cd80c97c5bbc0e0c9d003d4e2a592842248f4f6e3b458e95286c080a64a09a102d0aaa5381053

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_www.roblox.com_0.indexeddb.leveldb\000012.log

MD5 efc901fb0facdca4b7b4983a3c4f3b22
SHA1 68ca1837e06186fb1c56f935acba481a0927c05e
SHA256 c9d82f431c31d1a5b967f620116c533d9b1fbd70ca2ed2db0287a49b88682851
SHA512 7f814fb483ffa80f4d9ebd7d6ae7821f9319c31b64af8182f925c72f45af732da9209da5b22eca7a6465e0d60e03b41e29730609379fc57f82e1065a47bd4e84

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 f6d458ff5884cd3939d24e246d4b9496
SHA1 d81e2b87b66e730479786d62348ecb85c6a843d8
SHA256 03bec58cff87ee55532efcec9944ae5c6cc2e1a6b164d6148a0a26ec833380b7
SHA512 a12e46bb356289dce3d8ccde9a8c2c9bb2b0c83780223d50c30541d72f91fc99952c6cb4d199690b8522add328fd55bcd3a165fdea6e73d747162145892dde7c

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 74766b2943b17242a3353097b9e1d2b6
SHA1 51c352bdd62bf7c4fe3d38300753c1a3cc76e155
SHA256 8094e5d752cbfccf77b60b742ad74ecf607cd81bb442da42fac97d985a422cfc
SHA512 32fac349b6135bebd8221113041ca43a6c7294f2f02731c71ce3b12ba89aa69c3cd67ad880e388a9506b3cde03160fbfbc243277d6b93c96901a683494482116

C:\Users\Admin\Downloads\RobloxPlayerInstaller.exe

MD5 884f182558478768a43de12bbb5bd168
SHA1 831ce37ca2289cf123733306077b936c9407319d
SHA256 bb4fa744d72612edd395213bba74efe233464cc8707ec55aa85052b6211757b4
SHA512 665e957a508547a673ec354ef8008e16058e7aa50f1520e0539940c99beb35b9375c9546efa3dab58ced01a80c95a68ed17c76350efde3472da625ea877043ff

C:\Program Files (x86)\Roblox\Versions\RobloxStudioInstaller.exe

MD5 10cf53cd838a1913242e134965a426d2
SHA1 b328750ac3d286672e3ae7472c6ba0b2672f3bc2
SHA256 927da2af17da25b97df86c29948204c42b506bc948a3652e55440c30f6ea42ec
SHA512 d172e1fb62fe0cbab3b14e67ae22cfe67b11f499d67ec56e0d4d318712e83d6366a4dd28b2d60a1a66843c48d6506d74d7bd61afb385c644f8b911d15cf5b5bd

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 2ad392405e93cd7236f04792f72b5494
SHA1 114b1d6e50b3824f0d06c9ca5bd686a3ced62725
SHA256 a5c20b2747b8ea34a9437a74ac7ede194afd98e373ed36474a44985e383b51d8
SHA512 e1d24be88899f1922a8d58234e6d529a0a75b488c58845610bcf6e9549d6ce360593f46924888dcb7ad374fd3d4762eeceabd88a95c3b1344e1579b3a2eb338b

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 dc300e1da24414f881d1de5b77812e55
SHA1 f703a52e453a8a5f8ecd9f56a100cc3e08a1f563
SHA256 957508825206c226aff9ce952ddfb0465281f57f1906f32f0c496b7962a70253
SHA512 9fb6e6426899af76fcb0eea21145d99198477cab497f3788e640f1d1d338aef1416d64333fedd3f55b808aafe848e85030b2f6a07054bd1e1d432e3d61800db6

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 91ee94e44ce18f82d3bd3d16fddc13a0
SHA1 e24ea9195538bb04e1d4274042ecb19302aa83da
SHA256 690ae170568fb6e11db03b4f68968d6e4d1b9f40106ac0fb2443a05073cd9800
SHA512 344253879a29196d9f16ebd01740b34acec25995cbd1107816abfe70d2f53b31e6964b4e58c762c3914b0d27e07c32920de41803f07ab49aef9d4f5fe01b1826

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

MD5 4a4ba4f966ee7cba34303d17f6af9246
SHA1 c71209d16e5c55baa7d67b82ab4aa35909370213
SHA256 be301cda4e7b575e2bd3983076f34d5ebc6d2940de237b1740a41e75f7d085a8
SHA512 986bc33a62b88f5db21af80e3cad3c94773bbf6c3973ac5a12079d2d5b99c11f873a8741d9d4e059b27e49b4a66ce7338dee857a75d418c998180dbadb393df5

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 027ee8ce43e35901637763266f5b69f3
SHA1 85cd6cf10ee1034a254e26daa45d4ce856e307dd
SHA256 449c1163a31ffc4c01ba9f82121ea058395c5a74fa66819d8b5019f51d9b32c9
SHA512 0a8fd586a887cc82d495d0a0498146bd1b323e825bb1d4643306929ac698203f9acdae4b91f597aa498b9915c5c66c00d97d84512972d42c77cbde74dfd05867

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 062deb05cf184272bad5c8f23902442c
SHA1 3820806fde5d39667faddee261696dd4f3608fa5
SHA256 50fbeeed5110fb2fb66ee7b607c18769d9c6756fea3314d3f442e0e29875de47
SHA512 ed441e760277ebffb2fef0a5ae534b448c09723bac875b657ad636d28299ad82f5f354193f3c4012873c871beeb0b5bfb7386b41b8fd4e123399d4ea27d905dc

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe

MD5 4dc57ab56e37cd05e81f0d8aaafc5179
SHA1 494a90728d7680f979b0ad87f09b5b58f16d1cd5
SHA256 87c6f7d9b58f136aeb33c96dbfe3702083ec519aafca39be66778a9c27a68718
SHA512 320eeed88d7facf8c1f45786951ef81708c82cb89c63a3c820ee631c52ea913e64c4e21f0039c1b277cfb710c4d81cd2191878320d00fd006dd777c727d9dc2b

C:\ProgramData\Microsoft\EdgeUpdate\Log\MicrosoftEdgeUpdate.log

MD5 60be3730f80b023f63c3f2b8cd9752be
SHA1 338d6e3d9a651ac0baaa00217e91a00b2c2ecb0a
SHA256 c524026457dceffbdf271e3201f0e117d114611cee08eaaf7da0b6a16194eabe
SHA512 9e96963ab599a2565c4af991a42d4bc10ff14feb13075d8541e69ac61105f60257d797af7425db13b10ec75605b4dca09901fe52b8208d22922d707088e44b3b

memory/2296-2338-0x00000000001D0000-0x00000000001D1000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 f0545f7ee4018b5915763221f4b13107
SHA1 a6337e7fbbf7f294533442bd75f2b60566469703
SHA256 2eb152b4852988ef704d41ef5a98e12e03c7234e48220b12a8265a2c9f8ed586
SHA512 ea8e1290068c8ad9b553597fd5755885808dd306eb6c8f637bed436230c9a22b264a741fb50ac605111a4877c3e9f27b7aab3844b66d90660926ad707af40599

C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 a266bb7dcc38a562631361bbf61dd11b
SHA1 3b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256 df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA512 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b2f58b85d5c821055b50e21c755148d6
SHA1 9af1f6c5fa2546102806b600a667f04cc697b75e
SHA256 a1cde542f54b99fd6cd46de714f792086b70bacc40270f0cd622673bd15877f3
SHA512 84a3bb1e00561d352965313744078aacf29bee328fde27433996814da309edd0c240f95d39d4a6481092b98675c3c6c674b7710816fad968f257120c187ca073

C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5841e252c1df16a92eb9fe76c3f51acc
SHA1 63034904df18437a50fc348d66dab32c459dd01d
SHA256 fd430bf74c5aa648924947c5cc2c329a120899113d18681b7d72e7d811871abc
SHA512 30a75dc6ea100f18d021311a63288a1288a4007b452eb008cd4623365d2ca06cab3d4633e5ee79ba7fe84692780528eab0bebaf1a2492633246f3606c442e6e5

C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9b1c32fe96a533ef18fbfd6c7e54c703
SHA1 249a08c0d053f6d37ab83473fd4220da9b290ef5
SHA256 2a851617cf56c3dd9ba4f48b5b3e78eefd136b6aeabb62db77bd8477c9630640
SHA512 7c0b499299142c80652888b737bef5a174f1a89a606d2027d84a997aaf9ecb6a3965c8a40a7447f5392646594e163bc2929d2ff5ce3d5a201c128abfad45a79f

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 d4d23a40af9edbb58348094ad7317780
SHA1 fe96ebdfe83f6fa7f0de5ed9e41de156c1765e10
SHA256 f483ddc8cadccc12d9b024fe602b994a8c8b5f54b7b635b563215b28897aaaaa
SHA512 a8bb0c3c56dbfa70b940d8335596011666efb2fe41b49b630c98bdde1258f836a802e4cc73dc34bbb4efbcebf0814fe4151407b1409d2696705e82c50ab9baf7

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

MD5 0bb3b1eb7e3a450a900dd5dd8f67daba
SHA1 8432f89c6e2363fc74314d34aa582c25b0653411
SHA256 9aafd461b0a47191b24c533da544eb236c204bf7f1ee946034fc6d69b8f9be01
SHA512 a0bf659944e42e8c2bbbbefb2b312d667e7642611ea10872a5c55a4313073b474121b8999ca36583e30165c01ed9a74a73a1ee8483441a867e889ac5077e9d14

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 669cfa55e356f1673709ea4a67e57e71
SHA1 8d4101b1986b06fcb569d94099fe3ff47fb514bb
SHA256 fdd669b8fa2e34aa125543e2a21f0cfb2cc14cbab35f4420449757ffe10ea666
SHA512 1e758c23bd826347efb06f7fcf6babe711970c539ba6e28725df4cda1d022fa1358b5b56e861110c7f37c8cfdda148f86133bef4602014f3dcf133767015d7e2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d638c7f7e2fb459504f5c542d7bd6e63
SHA1 48b9cb3f4988848a2b16f560fe90099dc14a2230
SHA256 80abd371abf997acc77eecad6f8199b724e5a20a656a2da1c91019cf1c5a8a23
SHA512 cb49f573947faeb91d118dff2d930c14bb192715d73ce59136052b6ba4173a8f16351028a7edb84fd1bc6df69afd0026761e1b72eec4d610ab3ba722d016b9d7

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 43b241d78013bafa7da0c8da1170f7b1
SHA1 9f2885741a1988a492c9c006bee53477fcae8bd3
SHA256 6983c55e48339cec15702cab420cdf01332a227f77f577548e47afb63865e7a4
SHA512 b62839289d9f67805eddb55dd45ac9174b2a6b77c24582b45de34d330c24c0af096f0b17ca063f90b69b7c90857da20d5bf8fa05f8392503d9fdcb19579d73c8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9d6dbc8989694559eafbf5ff6fa0f001
SHA1 07c90465581769b92cf6e82683d2f434c55e7369
SHA256 2559af3d3a7630e20cd5e8e041d380b3e86d212b4c0e64dd10dfcca818549f25
SHA512 ea7b3b5ac7fb1ef25a07773cddd8379b830f7df8c358cbacbda6b20940c264ac3d5f94071edf9f8f055ad74a5b87d9e3de7824c5dc761a38f5d88a3005e9b140

C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

MD5 5ca9e62ca1710a688b038c84f3847412
SHA1 cebe22921a99c35c73b277539eb5ea57655c7b73
SHA256 22927519d58dd3e72fd8549c05c41c8c16c45701b0ff9c9877fc976afe16fa8b
SHA512 d5330b3588acc55d6b7bdfeba962535ea0b180b677530c6e9b427bab5cda6dc5badbc39992cc6e065b0772c1d1f05a5ab13d8628a44086b4fabd1b3492f6b398

C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

MD5 e4a68ac854ac5242460afd72481b2a44
SHA1 df3c24f9bfd666761b268073fe06d1cc8d4f82a4
SHA256 cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f
SHA512 5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1c70f2fbeb3339ece005033f6e50dc30
SHA1 357ba4ef8f10c50886134fac564dca170ae681ef
SHA256 7333c50fe73e5a553e3c3cc73595ad5f35d7d6a26dabdef83504bf69428ebd05
SHA512 136dcdd3d999d5096188206bc637476db94b67bc57910db5e024b97cda72a256f80df71dbca5d1c3020dd5a74a40f732e12728df6a8dc212b26efeb7f8d0f5f8

C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a9ce622815b2013afde1b0ad49a21b59
SHA1 b436a6762d3ec9b17c527727faa9bdf693f4a182
SHA256 713a1bf0d46836ba2332480c075b7e06c43424bcb80db60722e8609579ad2502
SHA512 ca6d39251eb9ad8a14ce2120c0a67705ddbdd3afcc6255cdd9fe0d348f6feca03c98acb561cfbe6c482c39d68483ed17ed40e634d3fc11d541ca87f1f29cd320

C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4fd5b396731fa0f878db69fa385e96cf
SHA1 34407f3342477383b6b96fdf045865c1de9b7c13
SHA256 b6b45dfdde4b3122086fe8d1442bb0f93e84ceb2e1319b39d0d6b16eea389575
SHA512 c4af02c77163b3df456369c399d5e329e470b1454a8bf4fafeed9650e0e0de81ff0652a227eb74eb327505e80353cd7d5d70eb25f095694df5713549eac425c4

C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 42c9559b99330e254ebdeddc4e89efa4
SHA1 9360b1a6492c61be89348198e6404e22ef44bd2d
SHA256 cd0ab733c1b71c05a18683f95c5efaba1fa78e6448dcfd0dce1512a82f7c56d1
SHA512 fd14d789cdf247624c6f4f6eccd4527616d515e0cb6df514a99c11648dbe654fd2e6a3f550dd99d9d54e68836a4c2b7390e366092e61bd4722155e9d05cd0bb0

memory/2156-3422-0x0000000000090000-0x0000000000128000-memory.dmp

memory/2156-3425-0x0000000000090000-0x0000000000128000-memory.dmp

memory/2784-3444-0x0000000000090000-0x0000000000128000-memory.dmp

memory/2784-3442-0x0000000000090000-0x0000000000128000-memory.dmp

C:\Program Files (x86)\Microsoft\EdgeUpdate\Download\{F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}\109.0.1518.140\MicrosoftEdge_X64_109.0.1518.140.exe

MD5 e79c52c0042c75419649519268251dde
SHA1 abe2c173a751d54e3cc88691a811a7501628d23b
SHA256 1eec90c71e482e7e1c6b8929f038603315b175bffe096e35106f8203361d4379
SHA512 f94a018ce1e6495ce68fb413cd9fb97905fdc04563fc8ba3e958afd39b0304ba81c2eb60cad9b12b6d3fadd8017b8590b7eab66d189466a13134488959f14d67

C:\Program Files (x86)\Microsoft\EdgeWebView\Temp\source3028_1576754369\109.0.1518.140\Installer\setup.exe

MD5 3a92a61a6e01c80ecc7d9499abb901b7
SHA1 d89d05802d937f9c71ced14282b8a19623fca7c8
SHA256 b70b2ed82c7afde8003983992b74f8182f55080b43da3d96dd29e8c0c7e8b47e
SHA512 3867efbd984ddd1eec084c70a42104cbc0057c3bed222af8963051779b612b46bf4cea3311452f6564513d7558d49a1e66a9473ad53f1b2fb4c43a9d7d0fb47d

C:\Program Files (x86)\Microsoft\EdgeWebView\Temp\source3028_1576754369\109.0.1518.140\Installer\msedge_7z.data

MD5 bd70ed26e6e6f3193043ac09c58c6a1c
SHA1 d733a65e17f2851d5116598dd80533efc1656468
SHA256 7a474217d20b9a6fe3c3a46c0d6d5b2d2040fa790663f6da9202ee7cb07bb448
SHA512 3e2ecade6d687b0736d5eafd7527b24095b9c51f0c8ba99398b23da2d8843c49fc8c1fa37190d385b504d8224c8c517d78d44ae32e10e45d54b19477a6970756

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-29 02:03

Reported

2024-02-29 02:34

Platform

win10v2004-20240226-en

Max time kernel

1734s

Max time network

1482s

Command Line

C:\Windows\Explorer.EXE

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 2928 created 3440 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\31216\Expressions.pif C:\Windows\Explorer.EXE

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\AuroraV2\Aurora X.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\31216\RegAsm.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\31216\RegAsm.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Enumerates physical storage devices

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\31216\Expressions.pif N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\31216\RegAsm.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1640 wrote to memory of 1840 N/A C:\Users\Admin\AppData\Local\Temp\AuroraV2\Aurora X.exe C:\Windows\SysWOW64\cmd.exe
PID 1640 wrote to memory of 1840 N/A C:\Users\Admin\AppData\Local\Temp\AuroraV2\Aurora X.exe C:\Windows\SysWOW64\cmd.exe
PID 1640 wrote to memory of 1840 N/A C:\Users\Admin\AppData\Local\Temp\AuroraV2\Aurora X.exe C:\Windows\SysWOW64\cmd.exe
PID 1840 wrote to memory of 5092 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 1840 wrote to memory of 5092 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 1840 wrote to memory of 5092 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 1840 wrote to memory of 5000 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1840 wrote to memory of 5000 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1840 wrote to memory of 5000 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1840 wrote to memory of 5032 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 1840 wrote to memory of 5032 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 1840 wrote to memory of 5032 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 1840 wrote to memory of 732 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1840 wrote to memory of 732 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1840 wrote to memory of 732 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1840 wrote to memory of 4508 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1840 wrote to memory of 4508 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1840 wrote to memory of 4508 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1840 wrote to memory of 1096 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1840 wrote to memory of 1096 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1840 wrote to memory of 1096 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1840 wrote to memory of 552 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1840 wrote to memory of 552 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1840 wrote to memory of 552 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1840 wrote to memory of 2928 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\31216\Expressions.pif
PID 1840 wrote to memory of 2928 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\31216\Expressions.pif
PID 1840 wrote to memory of 2928 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\31216\Expressions.pif
PID 1840 wrote to memory of 2976 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1840 wrote to memory of 2976 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1840 wrote to memory of 2976 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2928 wrote to memory of 3696 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\31216\Expressions.pif C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\31216\RegAsm.exe
PID 2928 wrote to memory of 3696 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\31216\Expressions.pif C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\31216\RegAsm.exe
PID 2928 wrote to memory of 3696 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\31216\Expressions.pif C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\31216\RegAsm.exe
PID 2928 wrote to memory of 3696 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\31216\Expressions.pif C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\31216\RegAsm.exe
PID 2928 wrote to memory of 3696 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\31216\Expressions.pif C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\31216\RegAsm.exe
PID 3696 wrote to memory of 5044 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\31216\RegAsm.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe
PID 3696 wrote to memory of 5044 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\31216\RegAsm.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\AuroraV2\Aurora X.exe

"C:\Users\Admin\AppData\Local\Temp\AuroraV2\Aurora X.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k move Approve Approve.bat & Approve.bat & exit

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "wrsa.exe opssvc.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c md 31216

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b Nuclear + Plasma + Proper + Merger 31216\Expressions.pif

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b Practice 31216\z

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\31216\Expressions.pif

31216\Expressions.pif 31216\z

C:\Windows\SysWOW64\PING.EXE

ping -n 5 127.0.0.1

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\31216\RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\31216\RegAsm.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe"
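
The process tree above is the whole loader in one read. Aurora X.exe starts cmd.exe with /k move Approve Approve.bat & Approve.bat, so the extracted file Approve is renamed to a batch script and run. The batch pipes tasklist into findstr /I twice to look for security-product processes (wrsa.exe, opssvc.exe, avastui.exe, avgui.exe, nswscsvc.exe, sophoshealth.exe), creates the directory 31216, uses copy /b to concatenate the four extracted fragments Nuclear, Plasma, Proper and Merger into 31216\Expressions.pif (Windows runs a PE with a .pif extension like any other executable), copies Practice to 31216\z, runs Expressions.pif with z as its only argument, and uses ping -n 5 127.0.0.1 as a delay. Expressions.pif then writes into the memory of RegAsm.exe five times (see the WriteProcessMemory rows above), and it is RegAsm.exe that holds SeDebugPrivilege, drops qemu-ga.exe into the Startup folder and starts it. The script below is an added example and is not part of the report: it takes those command lines, copied from this section, and recognises each staging step, so the same rules can be pointed at EDR or Sysmon command-line telemetry. The rule names and the RUNNABLE_EXT list are my own choices, not anything the sandbox emits.

```python
import ntpath
import re
from dataclasses import dataclass, field

# Command lines as listed in the behavioral2 process tree of this report, in order.
REPORTED_COMMAND_LINES = [
    r'"C:\Users\Admin\AppData\Local\Temp\AuroraV2\Aurora X.exe"',
    r'"C:\Windows\System32\cmd.exe" /k move Approve Approve.bat & Approve.bat & exit',
    r'tasklist',
    r'findstr /I "wrsa.exe opssvc.exe"',
    r'tasklist',
    r'findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"',
    r'cmd /c md 31216',
    r'cmd /c copy /b Nuclear + Plasma + Proper + Merger 31216\Expressions.pif',
    r'cmd /c copy /b Practice 31216\z',
    r'31216\Expressions.pif 31216\z',
    r'ping -n 5 127.0.0.1',
    r'C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\31216\RegAsm.exe',
    r'"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe"',
]

# Extensions Windows will execute directly even when the content is an ordinary PE (my list).
RUNNABLE_EXT = {".pif", ".exe", ".scr", ".com", ".bat", ".cmd"}

# One pattern per staging step seen in the tree above.
_RENAME_RUN = re.compile(r'\bmove\s+(\S+)\s+(\S+\.(?:bat|cmd))\s*&\s*\2\b', re.I)
_FINDSTR = re.compile(r'\bfindstr(?:\.exe)?\s+(?:/\w+\s+)*"([^"]+)"', re.I)
_COPY_B = re.compile(r'\bcopy\s+/b\s+(.+?)\s+(\S+)\s*$', re.I)
_PIF_ARG = re.compile(r'^"?([^"\s]+\.pif)"?\s+(\S+)', re.I)
_PING_SLEEP = re.compile(r'\bping(?:\.exe)?\s+-n\s+(\d+)\s+(?:127\.0\.0\.1|localhost)\b', re.I)
_STARTUP_DROP = re.compile(r'\\Start Menu\\Programs\\Startup\\([^"\\]+\.exe)\b', re.I)


@dataclass
class Finding:
    rule: str
    detail: dict = field(default_factory=dict)


def triage_command_lines(cmds):
    """Return one Finding per staging step recognised in the given command lines."""
    findings = []
    for cmd in cmds:
        if m := _RENAME_RUN.search(cmd):  # payload file renamed to .bat and run in the same line
            findings.append(Finding("rename_and_run_batch", {"src": m.group(1), "batch": m.group(2)}))
        if m := _FINDSTR.search(cmd):  # tasklist | findstr against a list of process names
            names = [t for t in m.group(1).split() if t.lower().endswith(".exe")]
            if names:
                findings.append(Finding("process_name_check", {"names": names}))
        if m := _COPY_B.search(cmd):  # copy /b a + b + c dest: fragment reassembly
            parts = [p.strip() for p in m.group(1).split("+")]
            dest = m.group(2)
            findings.append(Finding("binary_concat", {
                "fragments": parts, "dest": dest,
                "runnable": ntpath.splitext(dest)[1].lower() in RUNNABLE_EXT}))
        if m := _PIF_ARG.search(cmd):  # .pif executable started with a script/data file argument
            findings.append(Finding("pif_with_argument", {"pif": m.group(1), "argument": m.group(2)}))
        if m := _PING_SLEEP.search(cmd):  # ping to loopback used as a sleep
            findings.append(Finding("ping_sleep", {"echo_count": int(m.group(1))}))
        if m := _STARTUP_DROP.search(cmd):  # executable run out of the per-user Startup folder
            findings.append(Finding("startup_folder_exe", {"file": m.group(1)}))
    return findings


def summarize(findings):
    """Collapse the findings into the facts an analyst pivots on."""
    s = {"checked_processes": [], "fragments": None, "assembled": None,
         "script_arg": None, "ping_echo_count": None, "startup_files": []}
    for f in findings:
        if f.rule == "process_name_check":
            s["checked_processes"] += f.detail["names"]
        elif f.rule == "binary_concat" and f.detail["runnable"]:
            s["fragments"], s["assembled"] = f.detail["fragments"], f.detail["dest"]
        elif f.rule == "pif_with_argument":
            s["script_arg"] = f.detail["argument"]
        elif f.rule == "ping_sleep":
            s["ping_echo_count"] = f.detail["echo_count"]
        elif f.rule == "startup_folder_exe":
            s["startup_files"].append(f.detail["file"])
    return s


if __name__ == "__main__":
    for f in triage_command_lines(REPORTED_COMMAND_LINES):
        print(f.rule, f.detail)
    print(summarize(triage_command_lines(REPORTED_COMMAND_LINES)))
```

Each rule on its own is weak (copy /b and ping -n are used by legitimate scripts); the value is in the summary, where a concatenation into a runnable extension, a .pif started with an argument and a Startup-folder executable all come out of the same process tree within seconds of a tasklist-based security-product check.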

Network

Country Destination Domain Proto
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 GcIcVSqBZYfPLer.GcIcVSqBZYfPLer udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
NL 45.15.156.186:29975 tcp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 186.156.15.45.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 168.117.168.52.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
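
Every UDP row above is a PTR (in-addr.arpa) query sent to 8.8.8.8; the only direct connections are the two TCP rows, and 45.15.156.186:29975 is the one on a non-standard port, with a matching reverse lookup (186.156.15.45.in-addr.arpa) a few rows below it. The report does not tie either connection to a process. The snippet below is an added example, not from the report: it parses the table as printed here, turns the PTR names back into addresses, and lists the TCP endpoints that deserve a passive-DNS or threat-intel pivot first. Treating 80 and 443 as the "standard" web ports is my assumption.

```python
import ipaddress

# The behavioral2 Network table of this report, as printed: country, destination, [domain], proto.
REPORTED_NETWORK_ROWS = """\
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 GcIcVSqBZYfPLer.GcIcVSqBZYfPLer udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
NL 45.15.156.186:29975 tcp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 186.156.15.45.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 168.117.168.52.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
"""


def ptr_to_ip(name):
    """'186.156.15.45.in-addr.arpa' -> '45.15.156.186'; None for anything that is not a v4 PTR name."""
    suffix = ".in-addr.arpa"
    if not name.lower().endswith(suffix):
        return None
    octets = name[:-len(suffix)].split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) < 256 for o in octets):
        return None
    return ".".join(reversed(octets))


def parse_rows(text):
    """Split the printed table into dicts; the domain column is absent on plain TCP rows."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            country, dest, proto = parts
            domain = ""
        else:
            continue
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto.lower()})
    return rows


def tcp_destinations(rows):
    """Every TCP destination, annotated with whether the guest also did a PTR lookup for it."""
    ptr_targets = {ptr_to_ip(r["domain"]) for r in rows if r["proto"] == "udp" and r["port"] == 53}
    ptr_targets.discard(None)
    out = []
    for r in rows:
        if r["proto"] != "tcp":
            continue
        out.append({
            "ip": r["ip"], "port": r["port"], "country": r["country"],
            "ptr_seen": r["ip"] in ptr_targets,
            "standard_web_port": r["port"] in (80, 443),
            "global": ipaddress.ip_address(r["ip"]).is_global,
        })
    return out


def pivot_candidates(rows):
    """Globally routable TCP endpoints on non-web ports: the first ones to take to passive DNS."""
    return [d for d in tcp_destinations(rows) if d["global"] and not d["standard_web_port"]]


if __name__ == "__main__":
    for d in pivot_candidates(parse_rows(REPORTED_NETWORK_ROWS)):
        print(d)
```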

Files

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Approve

MD5 4849b374e88e174f9b35b5e5e9269ae6
SHA1 6199bff5bad3b5088685aeb08686ad303f4f6c29
SHA256 1deef19e64390b8d41481acd973405e9ce23cfabdcac203f684532de244ac073
SHA512 1c079cb1d8f78e1833945967fc0daf3bd8250196fe430bea1db8522385e0b193e1ee488b821c760e1f12f4c8d61b653871df4675e73c115964857ed3d2cc0ff9

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Nuclear

MD5 62a7e75d1df779e6169adb0cfa905694
SHA1 3f855dc814432bd0cd6e793c5a5bb2776b838602
SHA256 7fa7da730c634c4a21832d2d35cbe4a6d1484fcfadbae988e2e97a9ad76f73db
SHA512 1f22866bfe4c6186b77c05aca2e4088c30e7ea1fe6057782a2a7aefda9221c78be2fe2cc5c673fd266e12218e91a66b254e90ff1d94f9ba6b8552c1e6bbc1698

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Plasma

MD5 65b274e03e99948cbb03a0464e66ba89
SHA1 129196df7c9cc04f868f66e0f8fad494a6c4e379
SHA256 4bfaa5267e22645c0cdacc3154902d9ca2ea3559f47d6acf6813aa20ee1bb75d
SHA512 2fcb83966b7c9d1709124c9efc5bd24aa1135e91a74d2c92e344465de1ab4b42811a8f2e264e801acbe4f3080e575a0730a38e87564c9f5c74a9d5f71b7a8bc4

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Merger

MD5 7196d7109e4b363cd13654db907ffea4
SHA1 21f016d6c8e5bde1c23e48e9cb811dce3227eb7b
SHA256 9eacfcb6381b4e19513707811960b233337460e57a798e053d6cd0b4e1c3a7e4
SHA512 41ab7e0411dcb7b378a2068756a403f0092b19dac52f244f871e871abee10b78d29b54a89b411a9b841777a5e4d47def9c60f40cdbbd60bc2f3690c739fd4b02

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Proper

MD5 5047c62efa1d3a7319f3495137cb8224
SHA1 0d0d3d840d2d484d8e4db23fd72aff6a0c514aed
SHA256 76c8d934bd2c8abae1b4cc482c45cf910935411ab643f8c0e54be92c2f63849a
SHA512 66cfc6656cd6f18fea5fba95d0403664b188acf21a53d76eda5f6692d41950f69ccf2b0ae8e7aeefb0e50c068acf4f61357109983ff2c6db8e1efc076bd9ecfc

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Practice

MD5 02c12a95e4fcbadc9cd8c35c8a6b5b45
SHA1 3f9f0e5680497727ff7f6a3a3a245087ec668a79
SHA256 d3cd709f6751e6f167b3e04706f45542528088af51454a6cfde05041523b0e72
SHA512 5cb441debcb4a68dbe2ad07576452bb7bbdc2630b711a9ef2a2d9068216c48d00e9a063d52fce2bdb274b7872d842c91e84318da31d6d7c8d2d41a4e72204a2c

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\31216\Expressions.pif

MD5 848164d084384c49937f99d5b894253e
SHA1 3055ef803eeec4f175ebf120f94125717ee12444
SHA256 f58d3a4b2f3f7f10815c24586fae91964eeed830369e7e0701b43895b0cefbd3
SHA512 aabe1cf076f48f32542f49a92e4ca9f054b31d5a9949119991b897b9489fe775d8009896408ba49ac43ec431c87c0d385daead9dbbde7ef6309b0c97bbaf852a

memory/2928-24-0x0000000076EA1000-0x0000000076FC1000-memory.dmp

memory/2928-27-0x0000000005470000-0x0000000005471000-memory.dmp

memory/3696-29-0x0000000001300000-0x0000000001398000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\31216\RegAsm.exe

MD5 0d5df43af2916f47d00c1573797c1a13
SHA1 230ab5559e806574d26b4c20847c368ed55483b0
SHA256 c066aee7aa3aa83f763ebc5541daa266ed6c648fbffcde0d836a13b221bb2adc
SHA512 f96cf9e1890746b12daf839a6d0f16f062b72c1b8a40439f96583f242980f10f867720232a6fa0f7d4d7ac0a7a6143981a5a130d6417ea98b181447134c7cfe2

memory/3696-32-0x0000000072980000-0x0000000073130000-memory.dmp

memory/3696-33-0x0000000005920000-0x0000000005930000-memory.dmp

memory/3696-34-0x0000000005F50000-0x0000000006568000-memory.dmp

memory/3696-35-0x0000000005930000-0x0000000005A3A000-memory.dmp

memory/3696-36-0x0000000005800000-0x0000000005812000-memory.dmp

memory/3696-37-0x0000000005860000-0x000000000589C000-memory.dmp

memory/3696-38-0x00000000058B0000-0x00000000058FC000-memory.dmp

memory/3696-39-0x0000000005C80000-0x0000000005CE6000-memory.dmp

memory/3696-40-0x0000000006C20000-0x00000000071C4000-memory.dmp

memory/3696-41-0x0000000006760000-0x00000000067F2000-memory.dmp

memory/3696-42-0x0000000006800000-0x0000000006876000-memory.dmp

memory/3696-43-0x0000000006940000-0x000000000695E000-memory.dmp

memory/3696-44-0x00000000075D0000-0x0000000007620000-memory.dmp

memory/3696-45-0x0000000007E80000-0x0000000008042000-memory.dmp

memory/3696-46-0x0000000008580000-0x0000000008AAC000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe

MD5 a5ce3aba68bdb438e98b1d0c70a3d95c
SHA1 013f5aa9057bf0b3c0c24824de9d075434501354
SHA256 9b860be98a046ea97a7f67b006e0b1bc9ab7731dd2a0f3a9fd3d710f6c43278a
SHA512 7446f1256873b51a59b9d2d3498cef5a41dbce55864c2a5fb8cb7d25f7d6e6d8ea249d551a45b75d99b1ad0d6fb4b5e4544e5ca77bcd627717d6598b5f566a79

memory/5044-59-0x0000000000870000-0x0000000000878000-memory.dmp

memory/3696-60-0x0000000072980000-0x0000000073130000-memory.dmp

memory/5044-61-0x00007FFC944E0000-0x00007FFC94FA1000-memory.dmp

memory/5044-62-0x00007FFC944E0000-0x00007FFC94FA1000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-02-29 02:03

Reported

2024-02-29 02:34

Platform

win7-20240221-en

Max time kernel

1560s

Max time network

1561s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\AuroraV2\scripts\scripts.dll

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB70-AE6D-11cf-96B8-444553540000} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB70-AE6D-11cf-96B8-444553540000}\Compatibility Flags = "65536" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\NavigatorPluginsList\Shockwave Flash C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\NavigatorPluginsList\Shockwave Flash\application/futuresplash C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\NavigatorPluginsList\Shockwave Flash\application/x-shockwave-flash C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.12\ = "Shockwave Flash Object" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\AuroraV2\\scripts\\scripts.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{86230738-D762-4C50-A2DE-A753E5B1686F}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MacromediaFlashPaper.MacromediaFlashPaper\ = "Macromedia Flash Paper" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\FlashFactory.FlashFactory\CurVer\ = "FlashFactory.FlashFactory.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.7\ = "Shockwave Flash Object" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.8\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.23 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mfp\Content Type = "application/x-shockwave-flash" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.15\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ = "Macromedia Flash Factory Object" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\FlashFactory.FlashFactory\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.12 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.14 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.11 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.17\ = "Shockwave Flash Object" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.sor\Content Type = "text/plain" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\AuroraV2\\scripts\\scripts.dll, 1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/futuresplash C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\FlashFactory.FlashFactory\CLSID\ = "{D27CDB70-AE6D-11cf-96B8-444553540000}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.5\ = "Shockwave Flash Object" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.21\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID\ = "ShockwaveFlash.ShockwaveFlash.23" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.6\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.20\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MacromediaFlashPaper.MacromediaFlashPaper\DefaultIcon C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID\ = "FlashFactory.FlashFactory.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{86230738-D762-4C50-A2DE-A753E5B1686F}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.11\ = "Shockwave Flash Object" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID\ = "FlashFactory.FlashFactory" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.swf\ = "ShockwaveFlash.ShockwaveFlash" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.10\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.swf\Content Type = "application/x-shockwave-flash" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-shockwave-flash C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.3\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash\CurVer\ = "ShockwaveFlash.ShockwaveFlash.23" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.8\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\AuroraV2\\scripts\\scripts.dll, 1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{86230738-D762-4C50-A2DE-A753E5B1686F}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.7\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{86230738-D762-4C50-A2DE-A753E5B1686F} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}\TypeLib\ = "{D27CDB6B-AE6D-11CF-96B8-444553540000}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{86230738-D762-4C50-A2DE-A753E5B1686F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.19\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.9\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.11\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.12\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.17 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.4\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.5\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}" C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2864 wrote to memory of 2912 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2864 wrote to memory of 2912 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2864 wrote to memory of 2912 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2864 wrote to memory of 2912 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2864 wrote to memory of 2912 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2864 wrote to memory of 2912 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2864 wrote to memory of 2912 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\AuroraV2\scripts\scripts.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\AuroraV2\scripts\scripts.dll

Network

N/A

Files

N/A