Malware analysis Aurora_Install.zip Malicious activity

Add for printing

File name:	Aurora_Install.zip
Full analysis:	https://app.any.run/tasks/ee9258f8-b28d-45e9-9a05-53f5bacb5923
Verdict:	Malicious activity
Analysis date:	July 04, 2024, 14:21:00
OS:	Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME:	application/zip
File info:	Zip archive data, at least v2.0 to extract, compression method=deflate
MD5:	C90E775B0FB4E589D10267141EEE994B
SHA1:	A0C27EFBF30587FDF2E13BDB3FA2915AC9A39EBB
SHA256:	592FD8B1513102016C6FFB1C0ABE2833B8BDCDC75D0FE9B43A35D8CED5C63C63
SSDEEP:	49152:p6uDPZsvQnlPZ05QUsqO1sLENQtWGlTCaFfK/OF3aWO304X+fkiM8ZRcbESzOp1G:p6uy4lPZ0qrqMs4iheaFy/O1ap3NOfkZ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 180 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 120 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Drops the executable file immediately after the start
  - Aurora Installation.exe (PID: 3836)
  - Aurora Installation.exe (PID: 992)
  - WinRAR.exe (PID: 5396)
  - Aurora Installation.tmp (PID: 3832)
SUSPICIOUS
- Executable content was dropped or overwritten
  - Aurora Installation.exe (PID: 3836)
  - Aurora Installation.exe (PID: 992)
  - Aurora Installation.tmp (PID: 3832)
- Reads security settings of Internet Explorer
  - WinRAR.exe (PID: 5396)
  - Aurora Installation.tmp (PID: 1956)
  - Aurora Installation.tmp (PID: 3832)
  - Aurora.exe (PID: 4628)
  - Aurora.exe (PID: 5992)
- Reads the date of Windows installation
  - Aurora Installation.tmp (PID: 1956)
  - Aurora.exe (PID: 4628)
  - Aurora.exe (PID: 5992)
- Reads the Windows owner or organization settings
  - Aurora Installation.tmp (PID: 3832)
- Process drops legitimate windows executable
  - Aurora Installation.tmp (PID: 3832)
- The process drops C-runtime libraries
  - Aurora Installation.tmp (PID: 3832)
- The process creates files with name similar to system file names
  - Aurora Installation.tmp (PID: 3832)
- Searches for installed software
  - Aurora.exe (PID: 4628)
  - Aurora.exe (PID: 5992)
INFO
- Executable content was dropped or overwritten
  - WinRAR.exe (PID: 5396)
- Process checks computer location settings
  - Aurora Installation.tmp (PID: 1956)
  - Aurora.exe (PID: 4628)
  - Aurora.exe (PID: 5992)
- Checks supported languages
  - Aurora Installation.exe (PID: 992)
  - Aurora Installation.tmp (PID: 1956)
  - Aurora.exe (PID: 4628)
  - Aurora Installation.exe (PID: 3836)
  - Aurora.exe (PID: 4632)
  - Aurora.exe (PID: 5992)
  - Aurora Installation.tmp (PID: 3832)
- Create files in a temporary directory
  - Aurora Installation.exe (PID: 3836)
  - Aurora Installation.tmp (PID: 3832)
  - Aurora Installation.exe (PID: 992)
- Reads the computer name
  - Aurora Installation.tmp (PID: 1956)
  - Aurora Installation.tmp (PID: 3832)
  - Aurora.exe (PID: 4632)
  - Aurora.exe (PID: 5992)
  - Aurora.exe (PID: 4628)
- Checks proxy server information
  - Aurora Installation.tmp (PID: 3832)
  - slui.exe (PID: 4836)
  - Aurora.exe (PID: 4628)
  - Aurora.exe (PID: 5992)
- Creates files in the program directory
  - Aurora Installation.tmp (PID: 3832)
  - Aurora.exe (PID: 4628)
- Creates a software uninstall entry
  - Aurora Installation.tmp (PID: 3832)
- Reads the software policy settings
  - Aurora Installation.tmp (PID: 3832)
  - slui.exe (PID: 7028)
  - Aurora.exe (PID: 4628)
  - slui.exe (PID: 4836)
  - Aurora.exe (PID: 5992)
- Manual execution by a user
  - Aurora.exe (PID: 3164)
  - Aurora.exe (PID: 4632)
  - Aurora.exe (PID: 5992)
  - Aurora.exe (PID: 6616)
- Creates files or folders in the user directory
  - Aurora.exe (PID: 4628)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.zip	\|	ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion:	20
ZipBitFlag:	-
ZipCompression:	Deflated
ZipModifyDate:	2023:11:02 19:44:38
ZipCRC:	0x55be0979
ZipCompressedSize:	1247470
ZipUncompressedSize:	1797088
ZipFileName:	Aurora Installation.exe

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

161

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

992

"C:\Users\admin\AppData\Local\Temp\Rar$EXa5396.17919\Aurora Installation.exe" /SPAWNWND=$801E2 /NOTIFYWND=$902CE

C:\Users\admin\AppData\Local\Temp\Rar$EXa5396.17919\Aurora Installation.exe

Aurora Installation.tmp

User:

admin

Company:

Cheat Happens

Integrity Level:

HIGH

Description:

Aurora Setup

Exit code:

Version:

Modules

Images
c:\users\admin\appdata\local\temp\rar$exa5396.17919\aurora installation.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll

1956

"C:\Users\admin\AppData\Local\Temp\is-D0U7N.tmp\Aurora Installation.tmp" /SL5="$902CE,841216,841216,C:\Users\admin\AppData\Local\Temp\Rar$EXa5396.17919\Aurora Installation.exe"

C:\Users\admin\AppData\Local\Temp\is-D0U7N.tmp\Aurora Installation.tmp

—

Aurora Installation.exe

User:

admin

Company:

Cheat Happens

Integrity Level:

MEDIUM

Description:

Setup/Uninstall

Exit code:

Version:

51.1052.0.0

Modules

Images
c:\users\admin\appdata\local\temp\is-d0u7n.tmp\aurora installation.tmp
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\comdlg32.dll
c:\windows\syswow64\msvcrt.dll

3164

"C:\Program Files\Aurora\Aurora.exe"

C:\Program Files\Aurora\Aurora.exe

—

explorer.exe

User:

admin

Integrity Level:

MEDIUM

Exit code:

3221226540

Version:

1.9.9.6

Modules

Images
c:\program files\aurora\aurora.exe
c:\windows\system32\ntdll.dll

3832

"C:\Users\admin\AppData\Local\Temp\is-TN3DV.tmp\Aurora Installation.tmp" /SL5="$60346,841216,841216,C:\Users\admin\AppData\Local\Temp\Rar$EXa5396.17919\Aurora Installation.exe" /SPAWNWND=$801E2 /NOTIFYWND=$902CE

C:\Users\admin\AppData\Local\Temp\is-TN3DV.tmp\Aurora Installation.tmp

Aurora Installation.exe

User:

admin

Company:

Cheat Happens

Integrity Level:

HIGH

Description:

Setup/Uninstall

Exit code:

Version:

51.1052.0.0

Modules

Images
c:\users\admin\appdata\local\temp\is-tn3dv.tmp\aurora installation.tmp
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\comdlg32.dll

3836

"C:\Users\admin\AppData\Local\Temp\Rar$EXa5396.17919\Aurora Installation.exe"

C:\Users\admin\AppData\Local\Temp\Rar$EXa5396.17919\Aurora Installation.exe

WinRAR.exe

User:

admin

Company:

Cheat Happens

Integrity Level:

MEDIUM

Description:

Aurora Setup

Exit code:

Version:

Modules

Images
c:\users\admin\appdata\local\temp\rar$exa5396.17919\aurora installation.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll

4628

"C:\Program Files\Aurora\Aurora.exe"

C:\Program Files\Aurora\Aurora.exe

Aurora Installation.tmp

User:

admin

Integrity Level:

HIGH

Exit code:

4294967295

Version:

1.9.9.6

Modules

Images
c:\program files\aurora\aurora.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll

4632

"C:\Program Files\Aurora\Aurora.exe"

C:\Program Files\Aurora\Aurora.exe

explorer.exe

User:

admin

Integrity Level:

HIGH

Exit code:

Version:

1.9.9.6

Modules

Images
c:\program files\aurora\aurora.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll

4836

C:\WINDOWS\System32\slui.exe -Embedding

C:\Windows\System32\slui.exe

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Activation Client

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll

5396

"C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\AppData\Local\Temp\Aurora_Install.zip

C:\Program Files\WinRAR\WinRAR.exe

explorer.exe

User:

admin

Company:

Alexander Roshal

Integrity Level:

MEDIUM

Description:

WinRAR archiver

Version:

5.91.0

Modules

Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll

5992

"C:\Program Files\Aurora\Aurora.exe"

C:\Program Files\Aurora\Aurora.exe

explorer.exe

User:

admin

Integrity Level:

HIGH

Exit code:

4294967295

Version:

1.9.9.6

Modules

Images
c:\program files\aurora\aurora.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll

Add for printing

Total events

45 923

Read events

45 829

Write events

Delete events

Modification events


(PID) Process:	(5396) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes
Operation:	write	Name:	ShellExtBMP
Value:
(PID) Process:	(5396) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes
Operation:	write	Name:	ShellExtIcon
Value:
(PID) Process:	(5396) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	1
Value: C:\Users\admin\Desktop\GoogleChromeEnterpriseBundle64.zip
(PID) Process:	(5396) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	0
Value: C:\Users\admin\AppData\Local\Temp\Aurora_Install.zip
(PID) Process:	(5396) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120
(PID) Process:	(5396) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	size
Value: 80
(PID) Process:	(5396) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	type
Value: 120
(PID) Process:	(5396) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	mtime
Value: 100
(PID) Process:	(5396) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(5396) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1

Add for printing

Executable files

287

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
3832	Aurora Installation.tmp	C:\Users\admin\AppData\Local\Temp\is-K12IP.tmp\is-IM4H2.tmp		—
		MD5:—	SHA256:—
3832	Aurora Installation.tmp	C:\Users\admin\AppData\Local\Temp\is-K12IP.tmp\Aurora.zip		—
		MD5:—	SHA256:—
3832	Aurora Installation.tmp	C:\Program Files\Aurora\audio\please wait.mp3		mp3
		MD5:DE40712B34492EBA152848BB395C3A7D	SHA256:807E5A10308B26164860A2C87603A42C3A413A4C0E4493CBFF9F7095623449BC
3832	Aurora Installation.tmp	C:\Program Files\Aurora\audio\savegame protection enabled.mp3		mp3
		MD5:4B1AD88857BA46DA24845019802352F5	SHA256:C46D48D6B145C0EB803DF97FB8D52E0FF3026FD41699E76FB988185844ED2AA7
3832	Aurora Installation.tmp	C:\Program Files\Aurora\audio\trainer activated.mp3		mp3
		MD5:22B2BE5858786122337589D024221D98	SHA256:C4A76483E47289BB48B8F255FDA68A3CAF1E6E782D2C0B84D02CC1E34C0C211B
3832	Aurora Installation.tmp	C:\Program Files\Aurora\audio\a new trainer update is available.mp3		mp3
		MD5:B694CAFE2380784861D147E46B3F1651	SHA256:A604DAA41820EDEA760C16B46A229290840D57015DAA706AE4D4AE5A74863478
3832	Aurora Installation.tmp	C:\Program Files\Aurora\Assembler.dll		executable
		MD5:EB4CE9252CB6B53A35A7B2343E103A5B	SHA256:54E7081252F7004608C6F8FC91CA7B8D054A97461CD6893E1BBB33F067B7625D
3832	Aurora Installation.tmp	C:\Program Files\Aurora\audio\savegame protected.mp3		mp3
		MD5:FA59E566B86A0EAC2E7931D2F48FBB5F	SHA256:D2363FCEDAF02EDC7442C0E666830CE4A207136E6E7D9E47BA0F3D75FAA19862
3832	Aurora Installation.tmp	C:\Program Files\Aurora\audio\failed.mp3		mp3
		MD5:2C0D142262BEE0FA849DA0EF912AE6FE	SHA256:4C2C444BC8AFF4766B35F9D50015365716BEBD8EFE4F838FE51844046C6FCAE3
3832	Aurora Installation.tmp	C:\Program Files\Aurora\audio\female\a new trainer update is available.mp3		mp3
		MD5:3794F1B3A6B7E7BF29E3AC8CFA6F4441	SHA256:AAF0A3125B9B581B5D182AD699ACAA0181248767CD4E10F979C95E88B314AFBB

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
2064	svchost.exe	GET	200	88.221.169.152:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	unknown
648	backgroundTaskHost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D	unknown	—	—	unknown
2064	svchost.exe	GET	200	2.16.164.106:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	unknown
2764	backgroundTaskHost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D	unknown	—	—	unknown
7088	SIHClient.exe	GET	200	88.221.169.152:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	unknown
3688	svchost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	unknown
3040	OfficeClickToRun.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEApDqVCbATUviZV57HIIulA%3D	unknown	—	—	unknown
7088	SIHClient.exe	GET	200	88.221.169.152:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	—	—	unknown

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4032	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted
3580	RUXIMICS.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
4	System	192.168.100.255:138	—	—	—	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
1888	MoUsoCoreWorker.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
2064	svchost.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
2064	svchost.exe	2.16.164.106:80	crl.microsoft.com	Akamai International B.V.	NL	unknown
2064	svchost.exe	88.221.169.152:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
3832	Aurora Installation.tmp	95.101.111.132:443	cheathappens.com	TELXIUS TELXIUS Cable	NL	unknown
3832	Aurora Installation.tmp	2.16.100.40:443	www.cheathappens.com	Akamai International B.V.	DE	unknown

DNS requests

Domain	IP	Reputation
crl.microsoft.com	2.16.164.106 2.16.164.9	whitelisted
www.microsoft.com	88.221.169.152	whitelisted
cheathappens.com	95.101.111.132 95.101.111.168	whitelisted
www.cheathappens.com	2.16.100.40 2.16.101.113 2.19.97.104 2.19.97.51 23.53.43.26 23.53.43.16	whitelisted
login.live.com	40.126.31.69 20.190.159.0 20.190.159.23 20.190.159.73 20.190.159.75 20.190.159.68 20.190.159.71 20.190.159.2	whitelisted
go.microsoft.com	23.43.62.58	whitelisted
settings-win.data.microsoft.com	40.127.240.158	whitelisted
client.wns.windows.com	40.113.103.199	whitelisted
arc.msn.com	20.199.58.43	whitelisted
fd.api.iris.microsoft.com	20.74.19.45	whitelisted

Threats

No threats detected

Add for printing

Process	Message
Aurora.exe	WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.

General Info

Aurora_Install.zip

C90E775B0FB4E589D10267141EEE994B

A0C27EFBF30587FDF2E13BDB3FA2915AC9A39EBB

592FD8B1513102016C6FFB1C0ABE2833B8BDCDC75D0FE9B43A35D8CED5C63C63

49152:p6uDPZsvQnlPZ05QUsqO1sLENQtWGlTCaFfK/OF3aWO304X+fkiM8ZRcbESzOp1G:p6uy4lPZ0qrqMs4iheaFy/O1ap3NOfkZ

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Drops the executable file immediately after the start

SUSPICIOUS

Executable content was dropped or overwritten

Reads security settings of Internet Explorer

Reads the date of Windows installation

Reads the Windows owner or organization settings

Process drops legitimate windows executable

The process drops C-runtime libraries

The process creates files with name similar to system file names

Searches for installed software

INFO

Executable content was dropped or overwritten

Process checks computer location settings

Checks supported languages

Create files in a temporary directory

Reads the computer name

Checks proxy server information

Creates files in the program directory

Creates a software uninstall entry

Reads the software policy settings

Manual execution by a user

Creates files or folders in the user directory

Malware configuration

Static information

TRiD

EXIF

ZIP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings