aurora | 832654398d6aaecf7213b9b15c7c527054dd8d2a4ff14d368a657a5a1c53b2c3

Analysis

max time kernel
463s
max time network
566s
platform
windows10-2004_x64
resource
win10v2004-20230220-es
resource tags

arch:x64arch:x86image:win10v2004-20230220-eslocale:es-esos:windows10-2004-x64systemwindows
submitted
13-04-2023 20:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AURORA_STEALER.zip
Size

35.2MB
MD5

57a4cb4284a9526aa5875947dfdd56e4
SHA1

4681de896c1af6de355e1e0642dbf4d61d0788eb
SHA256

832654398d6aaecf7213b9b15c7c527054dd8d2a4ff14d368a657a5a1c53b2c3
SHA512

bfbb0cff672316002a3eb7f4078075f761771ffe4e14dd61d3aabb584c55803d275bd3d3ece9528848228c89d222f696dc704661326ff8f81cd7adfabf619f60
SSDEEP

786432:w8+Eux5uyUMvBkHoldwxUMD31bdJp1e0aiEs1UkjGW/u:w6k5uyT2oleUo3TJ7eADUkjtu

Score

10^/10

aurora shurk infostealer stealer

Malware Config

Extracted

Family

aurora

:8081

Signatures

Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora
Shurk
Shurk is an infostealer, written in C++ which appeared in 2021.
infostealer shurk

Shurk Stealer payload 20 IoCs

resource	yara_rule
behavioral2/files/0x0006000000023354-1271.dat	shurk_stealer
behavioral2/files/0x0006000000023354-1272.dat	shurk_stealer
behavioral2/memory/4504-1274-0x00007FF679610000-0x00007FF67AEDF000-memory.dmp	shurk_stealer
behavioral2/memory/4504-1275-0x00007FF679610000-0x00007FF67AEDF000-memory.dmp	shurk_stealer
behavioral2/memory/4504-1276-0x00007FF679610000-0x00007FF67AEDF000-memory.dmp	shurk_stealer
behavioral2/memory/4504-1288-0x00007FF679610000-0x00007FF67AEDF000-memory.dmp	shurk_stealer
behavioral2/memory/4504-1366-0x00007FF679610000-0x00007FF67AEDF000-memory.dmp	shurk_stealer
behavioral2/memory/4504-1374-0x00007FF679610000-0x00007FF67AEDF000-memory.dmp	shurk_stealer
behavioral2/memory/4504-1377-0x00007FF679610000-0x00007FF67AEDF000-memory.dmp	shurk_stealer
behavioral2/memory/4504-1424-0x00007FF679610000-0x00007FF67AEDF000-memory.dmp	shurk_stealer
behavioral2/memory/4504-1452-0x00007FF679610000-0x00007FF67AEDF000-memory.dmp	shurk_stealer
behavioral2/memory/4504-1457-0x00007FF679610000-0x00007FF67AEDF000-memory.dmp	shurk_stealer
behavioral2/memory/4504-1458-0x00007FF679610000-0x00007FF67AEDF000-memory.dmp	shurk_stealer
behavioral2/memory/4504-1460-0x00007FF679610000-0x00007FF67AEDF000-memory.dmp	shurk_stealer
behavioral2/memory/4504-1461-0x00007FF679610000-0x00007FF67AEDF000-memory.dmp	shurk_stealer
behavioral2/memory/4504-1462-0x00007FF679610000-0x00007FF67AEDF000-memory.dmp	shurk_stealer
behavioral2/memory/4504-1481-0x00007FF679610000-0x00007FF67AEDF000-memory.dmp	shurk_stealer
behavioral2/memory/4504-1487-0x00007FF679610000-0x00007FF67AEDF000-memory.dmp	shurk_stealer
behavioral2/memory/4504-1488-0x00007FF679610000-0x00007FF67AEDF000-memory.dmp	shurk_stealer
behavioral2/memory/4504-1489-0x00007FF679610000-0x00007FF67AEDF000-memory.dmp	shurk_stealer

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	electron.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	electron.exe

Executes dropped EXE 6 IoCs

pid	Process
4504	Aurora.exe
3492	electron.exe
888	electron.exe
3524	electron.exe
4296	electron.exe
1524	electron.exe

Loads dropped DLL 8 IoCs

pid	Process
3492	electron.exe
888	electron.exe
3524	electron.exe
888	electron.exe
888	electron.exe
888	electron.exe
4296	electron.exe
1524	electron.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
3524	electron.exe
3524	electron.exe
4296	electron.exe
4296	electron.exe
1524	electron.exe
1524	electron.exe
1524	electron.exe
1524	electron.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeRestorePrivilege	1412	7zG.exe
Token: 35	1412	7zG.exe
Token: SeSecurityPrivilege	1412	7zG.exe
Token: SeSecurityPrivilege	1412	7zG.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1412	7zG.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 4504 wrote to memory of 3492	4504	Aurora.exe	101
PID 4504 wrote to memory of 3492	4504	Aurora.exe	101
PID 3492 wrote to memory of 888	3492	electron.exe	102
PID 3492 wrote to memory of 888	3492	electron.exe	102
PID 3492 wrote to memory of 888	3492	electron.exe	102
PID 3492 wrote to memory of 888	3492	electron.exe	102
PID 3492 wrote to memory of 888	3492	electron.exe	102
PID 3492 wrote to memory of 888	3492	electron.exe	102
PID 3492 wrote to memory of 888	3492	electron.exe	102
PID 3492 wrote to memory of 888	3492	electron.exe	102
PID 3492 wrote to memory of 888	3492	electron.exe	102
PID 3492 wrote to memory of 888	3492	electron.exe	102
PID 3492 wrote to memory of 888	3492	electron.exe	102
PID 3492 wrote to memory of 888	3492	electron.exe	102
PID 3492 wrote to memory of 888	3492	electron.exe	102
PID 3492 wrote to memory of 888	3492	electron.exe	102
PID 3492 wrote to memory of 888	3492	electron.exe	102
PID 3492 wrote to memory of 888	3492	electron.exe	102
PID 3492 wrote to memory of 888	3492	electron.exe	102
PID 3492 wrote to memory of 888	3492	electron.exe	102
PID 3492 wrote to memory of 888	3492	electron.exe	102
PID 3492 wrote to memory of 888	3492	electron.exe	102
PID 3492 wrote to memory of 888	3492	electron.exe	102
PID 3492 wrote to memory of 888	3492	electron.exe	102
PID 3492 wrote to memory of 888	3492	electron.exe	102
PID 3492 wrote to memory of 888	3492	electron.exe	102
PID 3492 wrote to memory of 888	3492	electron.exe	102
PID 3492 wrote to memory of 888	3492	electron.exe	102
PID 3492 wrote to memory of 888	3492	electron.exe	102
PID 3492 wrote to memory of 888	3492	electron.exe	102
PID 3492 wrote to memory of 888	3492	electron.exe	102
PID 3492 wrote to memory of 888	3492	electron.exe	102
PID 3492 wrote to memory of 888	3492	electron.exe	102
PID 3492 wrote to memory of 888	3492	electron.exe	102
PID 3492 wrote to memory of 888	3492	electron.exe	102
PID 3492 wrote to memory of 888	3492	electron.exe	102
PID 3492 wrote to memory of 888	3492	electron.exe	102
PID 3492 wrote to memory of 888	3492	electron.exe	102
PID 3492 wrote to memory of 888	3492	electron.exe	102
PID 3492 wrote to memory of 888	3492	electron.exe	102
PID 3492 wrote to memory of 888	3492	electron.exe	102
PID 3492 wrote to memory of 888	3492	electron.exe	102
PID 3492 wrote to memory of 3524	3492	electron.exe	103
PID 3492 wrote to memory of 3524	3492	electron.exe	103
PID 3492 wrote to memory of 4296	3492	electron.exe	104
PID 3492 wrote to memory of 4296	3492	electron.exe	104
PID 3492 wrote to memory of 1524	3492	electron.exe	106
PID 3492 wrote to memory of 1524	3492	electron.exe	106

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\AURORA_STEALER.zip
1⤵
PID:4920

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3164

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\AURORA_STEALER\" -spe -an -ai#7zMap25817:86:7zEvent21907
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1412

C:\Users\Admin\Desktop\AURORA_STEALER\Aurora.exe
"C:\Users\Admin\Desktop\AURORA_STEALER\Aurora.exe"
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4504
- C:\Users\Admin\AppData\Roaming\Aurora\vendor\electron-windows-amd64\electron.exe
  C:\Users\Admin\AppData\Roaming\Aurora\vendor\electron-windows-amd64\electron.exe C:\Users\Admin\AppData\Roaming\Aurora\vendor\astilectron\main.js 127.0.0.1:50996 false
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3492
- - C:\Users\Admin\AppData\Roaming\Aurora\vendor\electron-windows-amd64\electron.exe
    "C:\Users\Admin\AppData\Roaming\Aurora\vendor\electron-windows-amd64\electron.exe" --type=gpu-process --field-trial-handle=1620,7792791795229374241,13407128016358822421,131072 --enable-features=WebComponentsV0Enabled --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1644 /prefetch:2
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:888
- - C:\Users\Admin\AppData\Roaming\Aurora\vendor\electron-windows-amd64\electron.exe
    "C:\Users\Admin\AppData\Roaming\Aurora\vendor\electron-windows-amd64\electron.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1620,7792791795229374241,13407128016358822421,131072 --enable-features=WebComponentsV0Enabled --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --lang=es --service-sandbox-type=network --mojo-platform-channel-handle=2240 /prefetch:8
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    PID:3524
- - C:\Users\Admin\AppData\Roaming\Aurora\vendor\electron-windows-amd64\electron.exe
    "C:\Users\Admin\AppData\Roaming\Aurora\vendor\electron-windows-amd64\electron.exe" --type=renderer --field-trial-handle=1620,7792791795229374241,13407128016358822421,131072 --enable-features=WebComponentsV0Enabled --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --lang=es --app-user-model-id=electron.app.Electron --app-path="C:\Users\Admin\AppData\Roaming\Aurora\vendor\astilectron" --node-integration --no-sandbox --no-zygote --background-color=#fff --enable-spellcheck --enable-websql --disable-electron-site-instance-overrides --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=3 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2428 /prefetch:1
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    PID:4296
- - C:\Users\Admin\AppData\Roaming\Aurora\vendor\electron-windows-amd64\electron.exe
    "C:\Users\Admin\AppData\Roaming\Aurora\vendor\electron-windows-amd64\electron.exe" --type=gpu-process --field-trial-handle=1620,7792791795229374241,13407128016358822421,131072 --enable-features=WebComponentsV0Enabled --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=MAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAIAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1148 /prefetch:2
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    PID:1524

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4144

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Aurora\vendor\astilectron\index.js

Filesize
28KB

MD5
7a1b9fadbb6684407f674bab429446a0

SHA1
58ae43daf1e87440984bbf392d4d1165113af22e

SHA256
35f8881bca3165559b38cf9467af4ee3f77b37e414c67862a87cb4b05d4b677a

SHA512
9cce7731de8cb4d285921fc192fb2f34e1a2799fcb421c21f2831510ad31c21b0dfc46278e352c98356a3ee013f159096dbcdc1db1530115a963947cea9ef50a

Download Submit
C:\Users\Admin\AppData\Roaming\Aurora\vendor\astilectron\main.js

Filesize
1KB

MD5
7e2b884e5467c63f06960939ca860f7f

SHA1
475933cff8525463ef2a140bc085e5730d9a696e

SHA256
e944a8adddfd05327a6a76ff863c13dff79f73f444f4fc3c31a09452df2a632d

SHA512
84eb87c03950c8f8da8cc1d26915679e3224717870c7c16759ad8c775a826a8e656f65f786015a73510b0bec1e8b7b3ecffc4b2c9b5f558f9f8f3b462f1b8cb3

Download Submit
C:\Users\Admin\AppData\Roaming\Aurora\vendor\astilectron\package.json

Filesize
610B

MD5
f6feaaae3fdfb3839df655f7a10f3e96

SHA1
1bfae8d8f85870116faaf1d475346f3aa0b3fe28

SHA256
27c7f23600154b141240b296336b7a738f01a328507b88a113d3f9acedc2c0d3

SHA512
32cc0e7f644806a2c44b03000eab60f1d0a1f41a950d5ecc418ed34f239397073a0acf1f681806e1285772be060519da4da330131d3aac6279e32ad798a3a530

Download Submit
C:\Users\Admin\AppData\Roaming\Aurora\vendor\astilectron\src\client.js

Filesize
905B

MD5
6de951ff2d0e3e5c86cb0a7765a99b37

SHA1
ddb676f65c1aed1975535ceb17bd016b067a70f3

SHA256
8357cb1b31c736d96f150e7f6654cd7731a6d90b7994afb47fc2407598b8925e

SHA512
401ca46872c5cf72baa3cc7cedbf82b200032b97a0a320e76bddfb22444b1a19eceee3e07097bac1a25f4e719cee2874d9ae3ae19da50c1a8d377ca54f9199cf

Download Submit
C:\Users\Admin\AppData\Roaming\Aurora\vendor\astilectron\src\consts.js

Filesize
7KB

MD5
dc561fcafdd902451363951d33ca1c30

SHA1
8863187746b2ad3daec0b3eb1d94590ffadece86

SHA256
a4496709a64abf3d7b0ac7a3684b159d270c78367f91d9f2558666668d13a69f

SHA512
0976c801359cceb64d08249ca970d9fc5f909fbbf33bc6a593979a476d240256482be2e79fea33803c493fad00ade5583fc86367120da1d36dce52bb492d85b7

Download Submit
C:\Users\Admin\AppData\Roaming\Aurora\vendor\electron-windows-amd64\D3DCompiler_47.dll

Filesize
4.3MB

MD5
7641e39b7da4077084d2afe7c31032e0

SHA1
2256644f69435ff2fee76deb04d918083960d1eb

SHA256
44422e6936dc72b7ac5ed16bb8bcae164b7554513e52efb66a3e942cec328a47

SHA512
8010e1cb17fa18bbf72d8344e1d63ded7cef7be6e7c13434fa6d8e22ce1d58a4d426959bdcb031502d4b145e29cb111af929fcbc66001111fbc6d7a19e8800a5

Download Submit
C:\Users\Admin\AppData\Roaming\Aurora\vendor\electron-windows-amd64\chrome_100_percent.pak

Filesize
121KB

MD5
06baf0ad34e0231bd76651203dba8326

SHA1
a5f99ecdcc06dec9d7f9ce0a8c66e46969117391

SHA256
5ae14147992a92548bcad76867dd88cdfcdb69d951c8720920cce6fb135e3189

SHA512
aff6616e56781ebb925a0ca146245ad3b2827250b32261c0c7c0d5b10b20a343a17fc3761c95d93104163e77b2eae3f1f9cbd3cb2b377f49b42bea39bdd09b91

Download Submit
C:\Users\Admin\AppData\Roaming\Aurora\vendor\electron-windows-amd64\chrome_200_percent.pak

Filesize
181KB

MD5
57c27201e7cd33471da7ec205fe9973c

SHA1
a8e7bce09c4cbdae2797611b2be8aeb5491036f9

SHA256
dd8146b2ee289e4d54a4a0f1fd3b2f61b979c6a2baaba96a406d96c3f4fdb33b

SHA512
57258aa169bec66abf0f45a3e026bb68751fb970b74bd0cb465607fa3b2a89967e832d92d8f675f0449bb6662fcb7786d05f0597124cc8e18bb99a47245779b4

Download Submit
C:\Users\Admin\AppData\Roaming\Aurora\vendor\electron-windows-amd64\d3dcompiler_47.dll

Filesize
4.3MB

MD5
7641e39b7da4077084d2afe7c31032e0

SHA1
2256644f69435ff2fee76deb04d918083960d1eb

SHA256
44422e6936dc72b7ac5ed16bb8bcae164b7554513e52efb66a3e942cec328a47

SHA512
8010e1cb17fa18bbf72d8344e1d63ded7cef7be6e7c13434fa6d8e22ce1d58a4d426959bdcb031502d4b145e29cb111af929fcbc66001111fbc6d7a19e8800a5

Download Submit
C:\Users\Admin\AppData\Roaming\Aurora\vendor\electron-windows-amd64\electron.exe

Filesize
120.4MB

MD5
c76ce1b16b3402f40739a85f2a72405b

SHA1
e3926b28c6c907d4ac0c09d1d8cd816c3fc0cb8d

SHA256
3795e2992a135b3179eb4b8d77e1fe2694008c65b6c608ae3b4ae053fd52ae86

SHA512
3e8a874a33e613d4d82c2bde4fd5e69860b3e9234bdc7ea8b6c0c8e50d376d4b76070585bba562dfdaab66ce62574bcdf5f2bba9412cb475dafc562c8c86484f

Download Submit
C:\Users\Admin\AppData\Roaming\Aurora\vendor\electron-windows-amd64\electron.exe

Filesize
120.4MB

MD5
c76ce1b16b3402f40739a85f2a72405b

SHA1
e3926b28c6c907d4ac0c09d1d8cd816c3fc0cb8d

SHA256
3795e2992a135b3179eb4b8d77e1fe2694008c65b6c608ae3b4ae053fd52ae86

SHA512
3e8a874a33e613d4d82c2bde4fd5e69860b3e9234bdc7ea8b6c0c8e50d376d4b76070585bba562dfdaab66ce62574bcdf5f2bba9412cb475dafc562c8c86484f

Download Submit
C:\Users\Admin\AppData\Roaming\Aurora\vendor\electron-windows-amd64\electron.exe

Filesize
120.4MB

MD5
c76ce1b16b3402f40739a85f2a72405b

SHA1
e3926b28c6c907d4ac0c09d1d8cd816c3fc0cb8d

SHA256
3795e2992a135b3179eb4b8d77e1fe2694008c65b6c608ae3b4ae053fd52ae86

SHA512
3e8a874a33e613d4d82c2bde4fd5e69860b3e9234bdc7ea8b6c0c8e50d376d4b76070585bba562dfdaab66ce62574bcdf5f2bba9412cb475dafc562c8c86484f

Download Submit
C:\Users\Admin\AppData\Roaming\Aurora\vendor\electron-windows-amd64\electron.exe

Filesize
120.4MB

MD5
c76ce1b16b3402f40739a85f2a72405b

SHA1
e3926b28c6c907d4ac0c09d1d8cd816c3fc0cb8d

SHA256
3795e2992a135b3179eb4b8d77e1fe2694008c65b6c608ae3b4ae053fd52ae86

SHA512
3e8a874a33e613d4d82c2bde4fd5e69860b3e9234bdc7ea8b6c0c8e50d376d4b76070585bba562dfdaab66ce62574bcdf5f2bba9412cb475dafc562c8c86484f

Download Submit
C:\Users\Admin\AppData\Roaming\Aurora\vendor\electron-windows-amd64\electron.exe

Filesize
120.4MB

MD5
c76ce1b16b3402f40739a85f2a72405b

SHA1
e3926b28c6c907d4ac0c09d1d8cd816c3fc0cb8d

SHA256
3795e2992a135b3179eb4b8d77e1fe2694008c65b6c608ae3b4ae053fd52ae86

SHA512
3e8a874a33e613d4d82c2bde4fd5e69860b3e9234bdc7ea8b6c0c8e50d376d4b76070585bba562dfdaab66ce62574bcdf5f2bba9412cb475dafc562c8c86484f

Download Submit
C:\Users\Admin\AppData\Roaming\Aurora\vendor\electron-windows-amd64\electron.exe

Filesize
120.4MB

MD5
c76ce1b16b3402f40739a85f2a72405b

SHA1
e3926b28c6c907d4ac0c09d1d8cd816c3fc0cb8d

SHA256
3795e2992a135b3179eb4b8d77e1fe2694008c65b6c608ae3b4ae053fd52ae86

SHA512
3e8a874a33e613d4d82c2bde4fd5e69860b3e9234bdc7ea8b6c0c8e50d376d4b76070585bba562dfdaab66ce62574bcdf5f2bba9412cb475dafc562c8c86484f

Download Submit
C:\Users\Admin\AppData\Roaming\Aurora\vendor\electron-windows-amd64\ffmpeg.dll

Filesize
2.7MB

MD5
9753450af3141c1a213836f402e89fdf

SHA1
7c2c0e3edd1a17cc2f4b01d3ac0fdde32a9fdaef

SHA256
f91350c71864cbbb7cfbbd538f293176565431f52557c921b94361142e7bdfe6

SHA512
55689b09f07a284b0d217becad3ad8bdc2d18f0e721cb75dc42cd5f6e09061af304198ce95ba2f622751c5d2b57227862a887a08eee5f382a4271b1c55faf9da

Download Submit
C:\Users\Admin\AppData\Roaming\Aurora\vendor\electron-windows-amd64\ffmpeg.dll

Filesize
2.7MB

MD5
9753450af3141c1a213836f402e89fdf

SHA1
7c2c0e3edd1a17cc2f4b01d3ac0fdde32a9fdaef

SHA256
f91350c71864cbbb7cfbbd538f293176565431f52557c921b94361142e7bdfe6

SHA512
55689b09f07a284b0d217becad3ad8bdc2d18f0e721cb75dc42cd5f6e09061af304198ce95ba2f622751c5d2b57227862a887a08eee5f382a4271b1c55faf9da

Download Submit
C:\Users\Admin\AppData\Roaming\Aurora\vendor\electron-windows-amd64\ffmpeg.dll

Filesize
2.7MB

MD5
9753450af3141c1a213836f402e89fdf

SHA1
7c2c0e3edd1a17cc2f4b01d3ac0fdde32a9fdaef

SHA256
f91350c71864cbbb7cfbbd538f293176565431f52557c921b94361142e7bdfe6

SHA512
55689b09f07a284b0d217becad3ad8bdc2d18f0e721cb75dc42cd5f6e09061af304198ce95ba2f622751c5d2b57227862a887a08eee5f382a4271b1c55faf9da

Download Submit
C:\Users\Admin\AppData\Roaming\Aurora\vendor\electron-windows-amd64\ffmpeg.dll

Filesize
2.7MB

MD5
9753450af3141c1a213836f402e89fdf

SHA1
7c2c0e3edd1a17cc2f4b01d3ac0fdde32a9fdaef

SHA256
f91350c71864cbbb7cfbbd538f293176565431f52557c921b94361142e7bdfe6

SHA512
55689b09f07a284b0d217becad3ad8bdc2d18f0e721cb75dc42cd5f6e09061af304198ce95ba2f622751c5d2b57227862a887a08eee5f382a4271b1c55faf9da

Download Submit
C:\Users\Admin\AppData\Roaming\Aurora\vendor\electron-windows-amd64\ffmpeg.dll

Filesize
2.7MB

MD5
9753450af3141c1a213836f402e89fdf

SHA1
7c2c0e3edd1a17cc2f4b01d3ac0fdde32a9fdaef

SHA256
f91350c71864cbbb7cfbbd538f293176565431f52557c921b94361142e7bdfe6

SHA512
55689b09f07a284b0d217becad3ad8bdc2d18f0e721cb75dc42cd5f6e09061af304198ce95ba2f622751c5d2b57227862a887a08eee5f382a4271b1c55faf9da

Download Submit
C:\Users\Admin\AppData\Roaming\Aurora\vendor\electron-windows-amd64\ffmpeg.dll

Filesize
2.7MB

MD5
9753450af3141c1a213836f402e89fdf

SHA1
7c2c0e3edd1a17cc2f4b01d3ac0fdde32a9fdaef

SHA256
f91350c71864cbbb7cfbbd538f293176565431f52557c921b94361142e7bdfe6

SHA512
55689b09f07a284b0d217becad3ad8bdc2d18f0e721cb75dc42cd5f6e09061af304198ce95ba2f622751c5d2b57227862a887a08eee5f382a4271b1c55faf9da

Download Submit
C:\Users\Admin\AppData\Roaming\Aurora\vendor\electron-windows-amd64\icudtl.dat

Filesize
10.0MB

MD5
ad2988770b8cb3281a28783ad833a201

SHA1
94b7586ee187d9b58405485f4c551b55615f11b5

SHA256
df876c7af43ed93eec6aea4d2d55c805009c219653cdeb368f1d048f4922b108

SHA512
f27e542a9c6c60fa28c5b7cc2818079341ef93aef3bbcadecad2dc11aff5b1592b19c7ebfa543ea42a3cbfec26a668641b255545fb0912056e25e852c2dedd01

Download Submit
C:\Users\Admin\AppData\Roaming\Aurora\vendor\electron-windows-amd64\locales\es.pak

Filesize
99KB

MD5
06a2c6940def84d9327083aee446f446

SHA1
a542fd511568ae5f90e86259d427b7792ec52d03

SHA256
eb22282dbf211f64142ef4dfac2c1d811d65decd617c4a3d1c892967dc72ac07

SHA512
23d0547ca962419bd6013f094de67a6f20779440674fef3bd38ae613c72daef6072a217d7832e1c62dd68bdfdb1eeba241ac302f72cb710015d8924f8e6797c1

Download Submit
C:\Users\Admin\AppData\Roaming\Aurora\vendor\electron-windows-amd64\resources.pak

Filesize
4.8MB

MD5
d13873f6fb051266deb3599b14535806

SHA1
143782c0ce5a5773ae0aae7a22377c8a6d18a5b2

SHA256
7b953443e3cd54a0a4775528b52fbfe5ebecbc2c71731600ed0999d227969506

SHA512
1ab38fcb70d1958c74da2493459532b52a04b884009509a1ac8dd39f6e9e670658a52f4d19ef57f1bc71dccfdd6ceedbc18034bbcad0b500d75a97c74aac6939

Download Submit
C:\Users\Admin\AppData\Roaming\Aurora\vendor\electron-windows-amd64\resources\default_app.asar

Filesize
103KB

MD5
66edd71d92a50049e720426cba500b9d

SHA1
9f9a54b662e10017b8396c1cad9678c210addf85

SHA256
94657e6bfad3ead2265366876a3089a217f6a3fba3713558d645fbe6b3c16eb4

SHA512
b5e980d98553bf197c7287c9c46ef715e400791de7bb21e66394f2e2d096deb6c53577319521b296db15a4b05739c5dd12bd23c0770da1bd9667f08ce0c95109

Download Submit
C:\Users\Admin\AppData\Roaming\Aurora\vendor\electron-windows-amd64\swiftshader\libEGL.dll

Filesize
460KB

MD5
93cc46883438cc03b07a79b7feb18897

SHA1
292c719281aed682de5b67d82412e3028857351d

SHA256
bc373113024f34ecd00fb01dea69c4d3bc7026996f685b143794cf01576b6b56

SHA512
98db3714b41bf1dc963f2abb0abc6e3e7d781c9487c7ea28f9e9fec8ce278689f855dd855f8696227596cabf8c6a8fad56033a23d1cb774376285e7b0ae3a7ca

Download Submit
C:\Users\Admin\AppData\Roaming\Aurora\vendor\electron-windows-amd64\swiftshader\libGLESv2.dll

Filesize
3.1MB

MD5
14832225e4e49ed1636624cc1eea0ab5

SHA1
6d4cc0673e129e6b8271d179018bb170f5aea88b

SHA256
cd92f6c1c6e36ff3072a21d5786ff769fe12c0003f38f3228faef98466868289

SHA512
b44e6918978499e0582d92421cfc84182e685f507111797803d48acaf1b805b4d80c225d1d387025701c5d08a9112c39a034c108333f44f005c6221e34841eba

Download Submit
C:\Users\Admin\AppData\Roaming\Aurora\vendor\electron-windows-amd64\swiftshader\libegl.dll

Filesize
460KB

MD5
93cc46883438cc03b07a79b7feb18897

SHA1
292c719281aed682de5b67d82412e3028857351d

SHA256
bc373113024f34ecd00fb01dea69c4d3bc7026996f685b143794cf01576b6b56

SHA512
98db3714b41bf1dc963f2abb0abc6e3e7d781c9487c7ea28f9e9fec8ce278689f855dd855f8696227596cabf8c6a8fad56033a23d1cb774376285e7b0ae3a7ca

Download Submit
C:\Users\Admin\AppData\Roaming\Aurora\vendor\electron-windows-amd64\swiftshader\libglesv2.dll

Filesize
3.1MB

MD5
14832225e4e49ed1636624cc1eea0ab5

SHA1
6d4cc0673e129e6b8271d179018bb170f5aea88b

SHA256
cd92f6c1c6e36ff3072a21d5786ff769fe12c0003f38f3228faef98466868289

SHA512
b44e6918978499e0582d92421cfc84182e685f507111797803d48acaf1b805b4d80c225d1d387025701c5d08a9112c39a034c108333f44f005c6221e34841eba

Download Submit
C:\Users\Admin\AppData\Roaming\Aurora\vendor\electron-windows-amd64\v8_context_snapshot.bin

Filesize
168KB

MD5
c2208c06c8ff81bca3c092cc42b8df1b

SHA1
f7b9faa9ba0e72d062f68642a02cc8f3fed49910

SHA256
4a67de195878d290f49b503b83e415917b8bbcbd9936b07a5d33b48e9bc6e0a3

SHA512
6c3c370dd086a976c44d4059a315bd3bcbb50961aa34734e65a40d861cffca9090d47cec74575afe23952e394e4845bda2d8798eebe01fb54a7a6288bce238f5

Download Submit
C:\Users\Admin\AppData\Roaming\Electron\Network Persistent State

Filesize
521B

MD5
9c3218934417104b41130430e55cba3c

SHA1
e7adc6ded2de1ddd33237aff3e756e241ecfaba5

SHA256
477446fdb7181d5bda80fa6360ce2f960909fc6bb11418d904d56abb14805e56

SHA512
5688b3296372b84137eb542f831dcb55821d56459f773e8b883b6dd5d71f55bd786ef55801ea8d34fb6f9b2ae45a86e4bfd5ab51c8e4828692a493e39d45ee64

Download Submit
C:\Users\Admin\AppData\Roaming\Electron\Network Persistent State~RFe5b71a2.TMP

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\Desktop\AURORA_STEALER\Aurora.exe

Filesize
25.2MB

MD5
1504c863a05885816d2c8874137ae7a7

SHA1
5b16d440a7e9b5887886549f016f252900b5c0ac

SHA256
33fc61e81efa609df51277aef261623bb291e2dd5359362d50070f7a441df0ad

SHA512
055d2650ac996443130c05a742bcaabc576dbde29cc21ea956f66132f7e6da8a5771beb9cd51ff2384b2230ebe68990b35d8b14611613db2b8d2764846a487f9

Download Submit
C:\Users\Admin\Desktop\AURORA_STEALER\Aurora.exe

Filesize
25.2MB

MD5
1504c863a05885816d2c8874137ae7a7

SHA1
5b16d440a7e9b5887886549f016f252900b5c0ac

SHA256
33fc61e81efa609df51277aef261623bb291e2dd5359362d50070f7a441df0ad

SHA512
055d2650ac996443130c05a742bcaabc576dbde29cc21ea956f66132f7e6da8a5771beb9cd51ff2384b2230ebe68990b35d8b14611613db2b8d2764846a487f9

Download Submit
C:\Users\Admin\Desktop\AURORA_STEALER\geo\geo.Aurora

Filesize
388.6MB

MD5
d16c2761ced19883cb118cc751655cb9

SHA1
6ec2d6148b04037c628718ea9de36a855bced076

SHA256
33b61eb5f84cb65f1744bd08d09ac2535fe5f9b087eef37826612b5016e21990

SHA512
8377d5a8bef0146eeae1b5cfe263ade6b64eba46e72a946741903d9ef724de1597bd832637d468c588466e178e73f1416cd80636597e5717138ad86edb3b6ba6

Download Submit
C:\Users\Admin\Desktop\AURORA_STEALER\gui\Auth.css

Filesize
1KB

MD5
331fa13417d7037cdb25c6222b2d903f

SHA1
f41109e14078d7a46dba73945291ad61e02bec05

SHA256
23df05d376d330fb73f853ddbf1fb613c3dff830c1d408de9f85600fc3e551eb

SHA512
2dcdbf27e48c6c434fdc370e1ee49401202cb03ae60eed2136d31c7a60fc260a79f8ad27bfa41a6e9cb5612a0ee3898f416216b89da640528d6f103abd784a1b

Download Submit
C:\Users\Admin\Desktop\AURORA_STEALER\gui\inlog.html

Filesize
6KB

MD5
b2b90afba457e3ebd4098dfa49ddcb09

SHA1
e2480663992878a2c5942e8396840b207dab4175

SHA256
0a7ff9068f0f60cd2fafb298fee177ca93453665f5ed973503a86f1ea88fe110

SHA512
909a1727f068f094801f90e213449b738ed56c02c4a49a44da556f8d1368d90da2f2ec9ac8bc031c8d1ed2e45ce0b3bf53c97ea397e9efb3a5daa3275057ad75

Download Submit
C:\Users\Admin\Desktop\AURORA_STEALER\gui\jquery.js

Filesize
87KB

MD5
dc5e7f18c8d36ac1d3d4753a87c98d0a

SHA1
c8e1c8b386dc5b7a9184c763c88d19a346eb3342

SHA256
f7f6a5894f1d19ddad6fa392b2ece2c5e578cbf7da4ea805b6885eb6985b6e3d

SHA512
6cb4f4426f559c06190df97229c05a436820d21498350ac9f118a5625758435171418a022ed523bae46e668f9f8ea871feab6aff58ad2740b67a30f196d65516

Download Submit
C:\Users\Admin\Desktop\AURORA_STEALER\gui\nicepage.css

Filesize
1.3MB

MD5
262523f7246437e78483f65616f57dd7

SHA1
678eb3742cc417abd7ddd1752f7d8f9a825a765a

SHA256
a937297ba441a1019afcb1511b41c9515afa31eb0841fb33c2ddc9c1739b9025

SHA512
0ed91d16d7aba3c7bb0f1272716d368d134a54cea4b8c2483f0ebf648cac9629e1f94ef5179ecdbe42ed5d3a5c506359314b88c5217e6d940238059b3f750105

Download Submit
memory/888-1389-0x00007FF8CEBD0000-0x00007FF8CEBD1000-memory.dmp

Filesize
4KB

Download
memory/4504-1276-0x00007FF679610000-0x00007FF67AEDF000-memory.dmp

Filesize
24.8MB

Download
memory/4504-1462-0x00007FF679610000-0x00007FF67AEDF000-memory.dmp

Filesize
24.8MB

Download
memory/4504-1274-0x00007FF679610000-0x00007FF67AEDF000-memory.dmp

Filesize
24.8MB

Download
memory/4504-1275-0x00007FF679610000-0x00007FF67AEDF000-memory.dmp

Filesize
24.8MB

Download
memory/4504-1452-0x00007FF679610000-0x00007FF67AEDF000-memory.dmp

Filesize
24.8MB

Download
memory/4504-1457-0x00007FF679610000-0x00007FF67AEDF000-memory.dmp

Filesize
24.8MB

Download
memory/4504-1458-0x00007FF679610000-0x00007FF67AEDF000-memory.dmp

Filesize
24.8MB

Download
memory/4504-1460-0x00007FF679610000-0x00007FF67AEDF000-memory.dmp

Filesize
24.8MB

Download
memory/4504-1461-0x00007FF679610000-0x00007FF67AEDF000-memory.dmp

Filesize
24.8MB

Download
memory/4504-1424-0x00007FF679610000-0x00007FF67AEDF000-memory.dmp

Filesize
24.8MB

Download
memory/4504-1377-0x00007FF679610000-0x00007FF67AEDF000-memory.dmp

Filesize
24.8MB

Download
memory/4504-1288-0x00007FF679610000-0x00007FF67AEDF000-memory.dmp

Filesize
24.8MB

Download
memory/4504-1366-0x00007FF679610000-0x00007FF67AEDF000-memory.dmp

Filesize
24.8MB

Download
memory/4504-1374-0x00007FF679610000-0x00007FF67AEDF000-memory.dmp

Filesize
24.8MB

Download
memory/4504-1481-0x00007FF679610000-0x00007FF67AEDF000-memory.dmp

Filesize
24.8MB

Download
memory/4504-1487-0x00007FF679610000-0x00007FF67AEDF000-memory.dmp

Filesize
24.8MB

Download
memory/4504-1488-0x00007FF679610000-0x00007FF67AEDF000-memory.dmp

Filesize
24.8MB

Download
memory/4504-1489-0x00007FF679610000-0x00007FF67AEDF000-memory.dmp

Filesize
24.8MB

Download