
Windows Analysis Report
Aura.exe

Overview

General Information

Sample name: Aura.exe
Analysis ID: 1543669
MD5: d4c99337bc1f8e9ba7c0cf81dd01c39d
SHA1: e34e7fc7d3f41fe73dc5735b9ee7ed41f198543f
SHA256: 714d338600b157fe68e58271223bc1387e1e63f8c3511e4e76faa774269e30a6
Tags: exe, user-4k95m

Detection

Score: 52
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Found potential dummy code loops (likely to delay analysis)
Abnormal high CPU Usage
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
PE / OLE file has an invalid certificate
PE file contains executable resources (Code or Archives)
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • Aura.exe (PID: 7576 cmdline: "C:\Users\user\Desktop\Aura.exe" MD5: D4C99337BC1F8E9BA7C0CF81DD01C39D)
    • conhost.exe (PID: 7592 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched


AV Detection

Source: Aura.exe | ReversingLabs: Detection: 23%
Source: Aura.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Aura.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\Aura.exe | Code function: 0_2_02C008E3 FindFirstFileExW,FindNextFileW,FindClose,FindClose | 0_2_02C008E3
Source: C:\Users\user\Desktop\Aura.exe | Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\Aura.exe | Code function: 0_2_00615FC0 | 0_2_00615FC0
Source: C:\Users\user\Desktop\Aura.exe | Code function: 0_2_00073040 | 0_2_00073040
Source: C:\Users\user\Desktop\Aura.exe | Code function: 0_2_02C173EC | 0_2_02C173EC
Source: C:\Users\user\Desktop\Aura.exe | Code function: 0_2_02BF43DF | 0_2_02BF43DF
Source: C:\Users\user\Desktop\Aura.exe | Code function: 0_2_02BF3320 | 0_2_02BF3320
Source: C:\Users\user\Desktop\Aura.exe | Code function: 0_2_02BF4080 | 0_2_02BF4080
Source: C:\Users\user\Desktop\Aura.exe | Code function: 0_2_02C11060 | 0_2_02C11060
Source: C:\Users\user\Desktop\Aura.exe | Code function: 0_2_02BF51FC | 0_2_02BF51FC
Source: C:\Users\user\Desktop\Aura.exe | Code function: 0_2_02C106E0 | 0_2_02C106E0
Source: C:\Users\user\Desktop\Aura.exe | Code function: 0_2_02BD2689 | 0_2_02BD2689
Source: C:\Users\user\Desktop\Aura.exe | Code function: 0_2_02BFD62E | 0_2_02BFD62E
Source: C:\Users\user\Desktop\Aura.exe | Code function: 0_2_02BF3671 | 0_2_02BF3671
Source: C:\Users\user\Desktop\Aura.exe | Code function: 0_2_02BF473D | 0_2_02BF473D
Source: C:\Users\user\Desktop\Aura.exe | Code function: 0_2_02BF55FF | 0_2_02BF55FF
Source: C:\Users\user\Desktop\Aura.exe | Code function: 0_2_02BF4AAA | 0_2_02BF4AAA
Source: C:\Users\user\Desktop\Aura.exe | Code function: 0_2_02BF39B3 | 0_2_02BF39B3
Source: C:\Users\user\Desktop\Aura.exe | Code function: 0_2_02BF4E08 | 0_2_02BF4E08
Source: C:\Users\user\Desktop\Aura.exe | Code function: 0_2_02BF2FDE | 0_2_02BF2FDE
Source: C:\Users\user\Desktop\Aura.exe | Code function: 0_2_02C10C10 | 0_2_02C10C10
Source: C:\Users\user\Desktop\Aura.exe | Code function: 0_2_02BF3D12 | 0_2_02BF3D12
Source: C:\Users\user\Desktop\Aura.exe | Code function: 0_2_032302D9 | 0_2_032302D9
Source: C:\Users\user\Desktop\Aura.exe | Code function: 0_2_0322F769 | 0_2_0322F769
Source: C:\Users\user\Desktop\Aura.exe | Code function: 0_2_03243439 | 0_2_03243439
Source: C:\Users\user\Desktop\Aura.exe | Code function: String function: 02BD2400 appears 48 times
Source: Aura.exe | Static PE information: invalid certificate
Source: Aura.exe | Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: Aura.exe, 00000000.00000002.4198306856.00000000008AA000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameGypsite.exe0 vs Aura.exe
Source: Aura.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engine | Classification label: mal52.evad.winEXE@2/0@0/0
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7592:120:WilError_03
Source: Aura.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Aura.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Aura.exe | String found in binary or memory: kelxU/Add0J82/ih1W
Source: unknown | Process created: C:\Users\user\Desktop\Aura.exe "C:\Users\user\Desktop\Aura.exe"
Source: C:\Users\user\Desktop\Aura.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Aura.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Aura.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Aura.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Aura.exe | Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\Aura.exe | Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\Aura.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\Aura.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\Aura.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\Aura.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Aura.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Aura.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Aura.exe | Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\Aura.exe | Section loaded: iphlpapi.dll
Source: Aura.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
Source: Aura.exe | Static file information: File size 9910848 > 1048576
Source: Aura.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x627800
Source: Aura.exe | Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x1c7600
Source: Aura.exe | Static PE information: Raw size of .reloc is bigger than: 0x100000 < 0x117600
Source: Aura.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Aura.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Aura.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Aura.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Aura.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Aura.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: Aura.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Aura.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Aura.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Aura.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Aura.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Aura.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Aura.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\Aura.exe | Code function: 0_2_02BED0F0 pushfd ; retn 0001h | 0_2_02BED0F3
Source: C:\Users\user\Desktop\Aura.exe | Code function: 0_2_02BD80CF push edi; ret | 0_2_02BD80D8
Source: C:\Users\user\Desktop\Aura.exe | Code function: 0_2_02BD2450 push ecx; ret | 0_2_02BD2463
Source: C:\Users\user\Desktop\Aura.exe | Code function: 0_2_02C18E1B push ecx; ret | 0_2_02C18E2E
Source: C:\Users\user\Desktop\Aura.exe | Code function: 0_2_030D2BE7 push BA00000Dh; retf 0045h | 0_2_030D2BEC
Source: C:\Users\user\Desktop\Aura.exe | Code function: 0_2_030D4A0B push ecx; ret | 0_2_030D4A0E
Source: C:\Users\user\Desktop\Aura.exe | Code function: 0_2_030D2667 push BA00000Bh; retf 0045h | 0_2_030D266C
Source: C:\Users\user\Desktop\Aura.exe | API coverage: 2.0 %
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: Aura.exe, 00000000.00000000.1736682099.0000000000679000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: 0bFFEavMX868V1V
Source: Aura.exe | Binary or memory string: 7xe0UmVMCiEVpz69WTVnv/v
Source: Aura.exe, 00000000.00000002.4198269188.000000000085A000.00000008.00000001.01000000.00000003.sdmp | Binary or memory string: ME55ko1LvmcIW74D5zFCUY

Anti Debugging

Source: C:\Users\user\Desktop\Aura.exe | Process Stats: CPU usage > 42% for more than 60s
Source: C:\Users\user\Desktop\Aura.exe | Code function: 0_2_02BD21A6 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter | 0_2_02BD21A6
Source: C:\Users\user\Desktop\Aura.exe | Code function: 0_2_030D0225 mov eax, dword ptr fs:[00000030h] | 0_2_030D0225
Source: C:\Users\user\Desktop\Aura.exe | Code function: 0_2_02BD10B0 GetProcessHeap,RtlAllocateHeap | 0_2_02BD10B0
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\Aura.exe | Code function: 0_2_02BD2336 SetUnhandledExceptionFilter | 0_2_02BD2336
Source: C:\Users\user\Desktop\Aura.exe | Code function: 0_2_02BFF6A6 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter | 0_2_02BFF6A6
Source: C:\Users\user\Desktop\Aura.exe | Code function: 0_2_02BD29D0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess | 0_2_02BD29D0
Source: C:\Users\user\Desktop\Aura.exe | Code function: EnumSystemLocalesW | 0_2_02C0725D
Source: C:\Users\user\Desktop\Aura.exe | Code function: EnumSystemLocalesW | 0_2_02C070BE
Source: C:\Users\user\Desktop\Aura.exe | Code function: EnumSystemLocalesW | 0_2_02C067D4
Source: C:\Users\user\Desktop\Aura.exe | Code function: GetLocaleInfoW | 0_2_02C07BA4
Source: C:\Users\user\Desktop\Aura.exe | Code function: GetLocaleInfoW | 0_2_02C06BB6
Source: C:\Users\user\Desktop\Aura.exe | Code function: EnumSystemLocalesW | 0_2_02C068D8
Source: C:\Users\user\Desktop\Aura.exe | Code function: EnumSystemLocalesW | 0_2_02C0683D
Source: C:\Users\user\Desktop\Aura.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW | 0_2_02C06963
Source: C:\Users\user\Desktop\Aura.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW | 0_2_02C06EBB
Source: C:\Users\user\Desktop\Aura.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP | 0_2_02C06CDF
Source: C:\Users\user\Desktop\Aura.exe | Code function: GetLocaleInfoW | 0_2_02C06DE5
Source: C:\Users\user\Desktop\Aura.exe | Code function: 0_2_0062F4BD GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter | 0_2_0062F4BD
Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts
Execution: 2 Command and Scripting Interpreter; Scheduled Task/Job; At; Cron; Launchd
Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script
Privilege Escalation: 1 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script
Defense Evasion: 11 Virtualization/Sandbox Evasion; 1 Process Injection; 1 Deobfuscate/Decode Files or Information; 1 DLL Side-Loading; 2 Obfuscated Files or Information
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets
Discovery: 1 System Time Discovery; 121 Security Software Discovery; 11 Virtualization/Sandbox Evasion; 1 File and Directory Discovery; 12 System Information Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH
Collection: 1 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging
Command and Control: 1 Encrypted Channel; Junk Data; Steganography; Protocol Impersonation; Fallback Channels
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
Behavior Graph ID: 1543669; Sample: Aura.exe; Start date: 28/10/2024; Architecture: WINDOWS; Score: 52. Graph edges: Start -> Multi AV Scanner detection for submitted file; Start -> Aura.exe (started); Aura.exe -> Found potential dummy code loops (likely to delay analysis); Aura.exe -> conhost.exe (started).
Source: Aura.exe; Detection: 24%; Scanner: ReversingLabs; Label: Win32.Trojan.Sonbokli
No Antivirus matches
No contacted domains info
No contacted IP infos
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1543669
Start date and time: 2024-10-28 08:30:13 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 8m 48s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 7
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: Aura.exe
Detection: MAL
Classification: mal52.evad.winEXE@2/0@0/0
EGA Information:
  • Successful, ratio: 100%
HCA Information: Failed
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Override analysis time to 240s for sample files taking high CPU consumption
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
  • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
  • Not all processes were analyzed; the report is missing behavior information
  • VT rate limit hit for: Aura.exe
No simulations
No context
No created / dropped files found
File type: PE32 executable (console) Intel 80386, for MS Windows
Entropy (8bit): 6.66267330776498
TrID:
  • Win32 Executable (generic) a (10002005/4) 99.53%
  • Win32 EXE PECompact compressed (generic) (41571/9) 0.41%
  • Win16/32 Executable Delphi generic (2074/23) 0.02%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
File name: Aura.exe
File size: 9'910'848 bytes
MD5: d4c99337bc1f8e9ba7c0cf81dd01c39d
SHA1: e34e7fc7d3f41fe73dc5735b9ee7ed41f198543f
SHA256: 714d338600b157fe68e58271223bc1387e1e63f8c3511e4e76faa774269e30a6
SHA512: bdf076559bcde714f35fadae3947082fb54dc76f7122707494eb87f7b9a1e272a2fd41ffed15edbd94e7a14df1cdd7dd8970527c3fc4ef6a9f5c7e3e956ee5a4
SSDEEP: 196608:0Hgu5w3LPmN5EYGXr77Mnd5ZoTJKnxr0K4fU9vxZk9/l+HsMmkulCnRUEiNWVb6x:0Hj5w3LPmN5EYGXr77MVM0nxr03fU6Ik
TLSH: 42A6ED4E680E9C44A5606217D4865F6A1CC9AD81BF3A0BEBFC95B2FF01241D59C33A7F
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......g...............).xb..v4.....<.].......b...@..........................0............@................................
Icon Hash: 90cececece8e8eb0
Entrypoint: 0x9df13c
Entrypoint Section: .text
Digitally signed: true
Imagebase: 0x400000
Subsystem: windows cui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp: 0x671BE2EF [Fri Oct 25 18:26:55 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 6
OS Version Minor: 0
File Version Major: 6
File Version Minor: 0
Subsystem Version Major: 6
Subsystem Version Minor: 0
Import Hash: eb7c8e2246ed8f21359fbcfc99aed6c5
Signature Valid: false
Signature Issuer: CN=GlobalSign GCC R45 CodeSigning CA 2020, O=GlobalSign nv-sa, C=BE
Signature Validation Error: The digital signature of the object did not verify
Error Number: -2146869232
Not Before: 06/01/2023 06:40:04; Not After: 06/01/2026 06:40:04
Subject Chain
  • CN="Shenzhen Aidapu Network Technology Co.,Ltd.", O="Shenzhen Aidapu Network Technology Co.,Ltd.", L=Shenzhen, S=Guangdong, C=CN
Version: 3
Thumbprint MD5: E73E5DE59BCF7048F89CC01100EA4DEA
Thumbprint SHA-1: A2A2F6DEE997A68AF86C9D6BA0F3B1BCFE57D5EF
Thumbprint SHA-256: 397028C1215AD56E4C8D1907AC3D4EB09E0B03E160FA1E2DF50157284B020090
Serial: 55622ADD814777B21B1A1D31
Instruction
call 00007F656CB6D15Eh
jmp 00007F656CB6CBACh
push ebp
mov ebp, esp
mov eax, dword ptr [ebp+08h]
push esi
mov ecx, dword ptr [eax+3Ch]
add ecx, eax
movzx eax, word ptr [ecx+14h]
lea edx, dword ptr [ecx+18h]
add edx, eax
movzx eax, word ptr [ecx+06h]
imul esi, eax, 28h
add esi, edx
cmp edx, esi
je 00007F656CB6CDABh
mov ecx, dword ptr [ebp+0Ch]
cmp ecx, dword ptr [edx+0Ch]
jc 00007F656CB6CD9Ch
mov eax, dword ptr [edx+08h]
add eax, dword ptr [edx+0Ch]
cmp ecx, eax
jc 00007F656CB6CD9Eh
add edx, 28h
cmp edx, esi
jne 00007F656CB6CD7Ch
xor eax, eax
pop esi
pop ebp
ret
mov eax, edx
jmp 00007F656CB6CD8Bh
push ebp
mov ebp, esp
mov eax, dword ptr [ebp+08h]
test eax, eax
je 00007F656CB6CDB7h
mov ecx, 00005A4Dh
cmp word ptr [eax], cx
jne 00007F656CB6CDADh
mov ecx, dword ptr [eax+3Ch]
add ecx, eax
cmp dword ptr [ecx], 00004550h
jne 00007F656CB6CDA0h
mov eax, 0000010Bh
cmp word ptr [ecx+18h], ax
sete al
pop ebp
ret
xor al, al
pop ebp
ret
mov eax, dword ptr fs:[00000018h]
ret
push esi
call 00007F656CB6D9D1h
test eax, eax
je 00007F656CB6CDB2h
mov eax, dword ptr fs:[00000018h]
mov esi, 00C57FB4h
mov edx, dword ptr [eax+04h]
jmp 00007F656CB6CD96h
cmp edx, eax
je 00007F656CB6CDA2h
xor eax, eax
mov ecx, edx
lock cmpxchg dword ptr [esi], ecx
test eax, eax
jne 00007F656CB6CD82h
xor al, al
pop esi
ret
mov al, 01h
pop esi
ret
call 00007F656CB6D9A0h
test eax, eax
je 00007F656CB6CD99h
call 00007F656CB6D66Ah
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x7ef194 | 0xa0 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x85a000 | 0x4d5 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x96de00 | 0x5c40 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x85b000 | 0x1175c0 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x7edf20 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x7ede60 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x629000 | 0x358 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x62769f | 0x627800 | 56755bbeb2aa8ae435fbfde593ebbb8b | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x629000 | 0x1c74aa | 0x1c7600 | d61ab7402d75b80cec30b8173101fbfc | False | 0.7442585738059292 | data | 5.917949947136093 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x7f1000 | 0x68268 | 0x67000 | f4bcd7746021d590ec2308b36652d92a | False | 0.7477363660497572 | data | 5.878707487767622 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x85a000 | 0x4d5 | 0x600 | 7aee915e6de36af820411a29e1aa5102 | False | 0.3880208333333333 | data | 3.621108244312337 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x85b000 | 0x1175c0 | 0x117600 | d7e671631b8a68184d70c7456de52578 | False | 0.19583857662192394 | data | 6.6587668751390305 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0x85a0a0 | 0x2b8 | COM executable for DOS | English | United States | 0.46120689655172414
RT_MANIFEST | 0x85a358 | 0x17d | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.5931758530183727
DLL | Import
KERNEL32.dll | SetFilePointerEx, WriteFile, IsDebuggerPresent, EncodePointer, DecodePointer, CloseHandle, DuplicateHandle, SetHandleInformation, RaiseException, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetLastError, SetLastError, CreatePipe, PeekNamedPipe, HeapAlloc, HeapFree, HeapSize, GetProcessHeap, EnterCriticalSection, TryEnterCriticalSection, DeleteCriticalSection, SetEvent, ResetEvent, ReleaseSemaphore, ReleaseMutex, WaitForSingleObject, WaitForSingleObjectEx, CreateEventA, CreateEventW, SignalObjectAndWait, InterlockedPopEntrySList, InterlockedPushEntrySList, InterlockedFlushSList, GetCurrentProcess, GetCurrentProcessId, ExitProcess, TerminateProcess, GetExitCodeProcess, CreateThread, GetCurrentThreadId, GetThreadPriority, TerminateThread, TlsAlloc, TlsGetValue, CreateProcessA, GetStartupInfoW, SetPriorityClass, GetThreadTimes, IsProcessorFeaturePresent, GetLocalTime, GetTickCount, GetVersionExW, GetLogicalProcessorInformation, VirtualAlloc, VirtualProtect, VirtualFree, ChangeTimerQueueTimer, ReadFile, FreeLibrary, FreeLibraryAndExitThread, GetModuleFileNameA, GetModuleFileNameW, GetModuleHandleA, GetModuleHandleW, GetProcAddress, LoadLibraryExW, LoadLibraryA, LoadLibraryW, LocalAlloc, LocalFree, GetProcessAffinityMask, CreateSemaphoreA, CreateFileMappingA, RegisterWaitForSingleObject, UnregisterWait, CompareStringW, GetStringTypeW, MultiByteToWideChar, WideCharToMultiByte, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, LCMapStringW, AllocConsole, AttachConsole, GetConsoleCP, GetConsoleMode, WriteConsoleW, GetFileSizeEx, ReadConsoleW, GetConsoleOutputCP, FlushFileBuffers, HeapReAlloc, SetConsoleCtrlHandler, GetTimeFormatW, GetDateFormatW, GetTempPathW, EnumSystemLocalesW, GetUserDefaultLCID, IsValidLocale, GetLocaleInfoW, SetStdHandle, SetEnvironmentVariableW, FindNextFileW, FindFirstFileExW, OutputDebugStringW, GetCurrentThread, GetModuleHandleExW, TlsFree, TlsSetValue, InitializeCriticalSectionAndSpinCount, LeaveCriticalSection, RtlUnwind, InitializeSListHead, GetSystemTimeAsFileTime, QueryPerformanceCounter, GetFileType, GetFileAttributesExW, GetFileAttributesA, FindNextFileA, FindFirstFileExA, FindClose, DeleteFileA, CreateFileW, SetEnvironmentVariableA, SetEndOfFile, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, GetCommandLineA, DeleteTimerQueueTimer, GetStdHandle
USER32.dll | EnumDisplayMonitors, LoadCursorA, GetCursorPos, MessageBoxA, GetWindowRect, GetWindowTextA, SetWindowTextA, RemovePropA, FindWindowA, SetPropA, RedrawWindow, InvalidateRect, EndPaint, BeginPaint, ReleaseDC, SetActiveWindow, GetMenuItemInfoA, TrackPopupMenu, GetParent, SetWindowLongA, GetWindowLongA, FrameRect, GetSysColorBrush, GetPropA, GetSysColor, GetMessageA, DispatchMessageA, PostMessageA, ModifyMenuA, AppendMenuA, EnableMenuItem, DestroyMenu, CreatePopupMenu, CreateMenu, SetMenu, TranslateAcceleratorA, LoadAcceleratorsA, KillTimer, IsDlgButtonChecked, CheckRadioButton, CheckDlgButton, GetDlgItem, EndDialog, DialogBoxParamA, CreateDialogParamA, SetWindowPos, ShowWindow, DestroyWindow, CreateWindowExA, CallWindowProcA, PostQuitMessage, LoadStringA
GDI32.dll | SelectObject, Rectangle, DeleteObject, CreateFontIndirectA, GetObjectA, CreateSolidBrush
COMDLG32.dll | GetSaveFileNameA, GetOpenFileNameA
ADVAPI32.dll | AdjustTokenPrivileges, InitiateSystemShutdownA, RegOpenKeyExA, LookupPrivilegeValueA, OpenProcessToken
SHELL32.dll | SHGetMalloc, ShellExecuteA, DragAcceptFiles, DragQueryFileA, SHGetPathFromIDListA, SHBrowseForFolderA
ole32.dll | CoCreateInstance, CoInitialize
Language of compilation system: English; Country where language is spoken: United States
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 28, 2024 08:31:29.880203009 CET | 53 | 50956 | 1.1.1.1 | 192.168.2.4


Target ID: 0
Start time: 03:31:11
Start date: 28/10/2024
Path: C:\Users\user\Desktop\Aura.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\Aura.exe"
Imagebase: 0x50000
File size: 9'910'848 bytes
MD5 hash: D4C99337BC1F8E9BA7C0CF81DD01C39D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: false

Target ID: 1
Start time: 03:31:11
Start date: 28/10/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

    Execution Graph

    Execution Coverage:0.6%
    Dynamic/Decrypted Code Coverage:77.3%
    Signature Coverage:30.3%
    Total number of Nodes:66
    Total number of Limit Nodes:2
    execution_graph (rendered graph; node/edge dump omitted). API-calling nodes: 6164c9 MessageBoxA; 73200 GetSysColor; 7315f GetLogicalProcessorInformation; 7336f TlsAlloc; 734ff LookupPrivilegeValueA; 7361b DecodePointer; 2bd21a6 IsProcessorFeaturePresent, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, _vsnprintf; 2bd22f4 GetModuleHandleW; 2bd2075 GetSystemTimeAsFileTime, GetCurrentThreadId, GetCurrentProcessId, QueryPerformanceCounter; 2bd2689 IsProcessorFeaturePresent; 30d0234 GetPEB; 30d060e VirtualAlloc; 30d06a9 VirtualProtect; 30d06c9 VirtualProtect.

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph for function 615fc0-61613a (basic-block edge dump omitted; block 6164c9-6164eb calls MessageBoxA and 73040)
    APIs
    • MessageBoxA.USER32(00000000,00000000,00000000,0000DFCE), ref: 006164DC
    Memory Dump Source
    • Source File: 00000000.00000002.4197622188.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true
    • Associated: 00000000.00000002.4197565375.0000000000050000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4198096655.0000000000679000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4198200757.0000000000841000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4198214492.0000000000849000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4198225849.000000000084A000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4198236609.000000000084B000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4198246560.000000000084C000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4198258510.0000000000858000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4198269188.000000000085A000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4198294388.00000000008A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4198306856.00000000008AA000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_50000_Aura.jbxd
    Similarity
    • API ID: Message
    • String ID: S0$3u$T0
    • API String ID: 2030045667-1701336102
    • Opcode ID: f43265cb211c2cf0493b3d91200028e97a5ec094df28f8034017333b7bed2e27
    • Instruction ID: fec6769470d41a07e36ad631e46bc969384748dacc1fc4271036346e712dc504
    • Opcode Fuzzy Hash: f43265cb211c2cf0493b3d91200028e97a5ec094df28f8034017333b7bed2e27
    • Instruction Fuzzy Hash: BB0258B0D012599FCB08CFD9D995AEEBBB2FF88304F248169E419BB304D7786A45CB54

    Control-flow Graph

    APIs
    • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 030D0669
    • VirtualProtect.KERNELBASE(?,?,00000020,?), ref: 030D06BD
    • VirtualProtect.KERNELBASE(?,?,00000020,?), ref: 030D06DA
    Memory Dump Source
    • Source File: 00000000.00000002.4198744411.00000000030D0000.00000020.00001000.00020000.00000000.sdmp, Offset: 030D0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_30d0000_Aura.jbxd
    Similarity
    • API ID: Virtual$Protect$Alloc
    • String ID: VirtualAlloc$VirtualProtect$data$entrypoint$kernel32.dll$shell$text
    • API String ID: 2541858876-1818510656
    • Opcode ID: be7a6e1042b72d336361a32cedf384822ad5c32e6a9e10eb7333297f1f351802
    • Instruction ID: 2f3d354bc97d95931c807481a51b251ab2ca0ca4bc42da6b01321fb45114e886
    • Opcode Fuzzy Hash: be7a6e1042b72d336361a32cedf384822ad5c32e6a9e10eb7333297f1f351802
    • Instruction Fuzzy Hash: 1FA1E770D083C8DAEF11CBE8D848BDDBFB56F56304F184198D1886B282D7BA5658CB66

    Control-flow Graph

    APIs
    • ___security_init_cookie.LIBCMT ref: 02BD1B0B
      • Part of subcall function 02BD20C2: ___get_entropy.LIBCMT ref: 02BD20DC
    • ___scrt_release_startup_lock.LIBCMT ref: 02BD1BA7
    • ___scrt_is_nonwritable_in_current_image.LIBCMT ref: 02BD1BBB
    • ___scrt_is_nonwritable_in_current_image.LIBCMT ref: 02BD1BE1
    • ___scrt_uninitialize_crt.LIBCMT ref: 02BD1C2A
    Memory Dump Source
    • Source File: 00000000.00000002.4198655852.0000000002BD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02BD1000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_2bd1000_Aura.jbxd
    Similarity
    • API ID: ___scrt_is_nonwritable_in_current_image$___get_entropy___scrt_release_startup_lock___scrt_uninitialize_crt___security_init_cookie
    • String ID:
    • API String ID: 2539496024-0
    • Opcode ID: 7baf70f89fbd3e5ea679976efdc65b3b728baf2d532e1eaf3fb7387379ddaee7
    • Instruction ID: b84eb666623c834a7e2d868365701f7202a121451a69513eda481c177ca92dbc
    • Opcode Fuzzy Hash: 7baf70f89fbd3e5ea679976efdc65b3b728baf2d532e1eaf3fb7387379ddaee7
    • Instruction Fuzzy Hash: 26314631A942419BEB257B7C9C01BDD33629F02764F2809E9E44A6F1D1FF618441EB64
    APIs
    • GetLocaleInfoW.KERNEL32(?,2000000B,?,00000002), ref: 02C06D78
    • GetLocaleInfoW.KERNEL32(?,20001004,?,00000002), ref: 02C06DA1
    • GetACP.KERNEL32 ref: 02C06DB6
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.4198655852.0000000002BD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02BD1000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_2bd1000_Aura.jbxd
    Similarity
    • API ID: InfoLocale
    • String ID: ACP$OCP
    • API String ID: 2299586839-711371036
    • Opcode ID: e61529f23036c77b45f2e9ee1b21dcfc3f10744425b212b5fb84feac4da0791b
    • Instruction ID: 96b7b1e79a72459ce80ec41b66a689b9126d3cce9126a6543817601cb17fbdc9
    • Opcode Fuzzy Hash: e61529f23036c77b45f2e9ee1b21dcfc3f10744425b212b5fb84feac4da0791b
    • Instruction Fuzzy Hash: 7D21A432600301EADB348F27C981B9777AEFB90E54B668468E94AD7184F732DF61C790
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.4197622188.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true
    • Associated: 00000000.00000002.4197565375.0000000000050000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4198096655.0000000000679000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4198200757.0000000000841000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4198214492.0000000000849000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4198225849.000000000084A000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4198236609.000000000084B000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4198246560.000000000084C000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4198258510.0000000000858000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4198269188.000000000085A000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4198294388.00000000008A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4198306856.00000000008AA000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_50000_Aura.jbxd
    Similarity
    • API ID: AllocColorInformationLogicalProcessor
    • String ID:
    • API String ID: 2227743531-0
    • Opcode ID: c06755a1ab349223febfecfd06f4d577e089db5470d7fcf29f258023203d73d2
    • Instruction ID: 3395b7b04480ed78b808e9cc052921697c5606c60c941288d2394fd2519a62a6
    • Opcode Fuzzy Hash: c06755a1ab349223febfecfd06f4d577e089db5470d7fcf29f258023203d73d2
    • Instruction Fuzzy Hash: BA2247B0D01619DFDB08CFD9D9959AEBBB1FF88304F20816AD419BB204D7386A45DF58
    APIs
      • Part of subcall function 02BFF302: GetLastError.KERNEL32(?,?,02C05D2C,02C2A818,0000000C,02C0A365,00000000,?,02BF966D,00000000,00000000,00000000,00000000,?,?,?), ref: 02BFF306
      • Part of subcall function 02BFF302: SetLastError.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,?,?,02C09138,?,02C08C40,00000000,?,00000000,02C08C40), ref: 02BFF3A8
    • GetUserDefaultLCID.KERNEL32 ref: 02C06FC3
    • IsValidCodePage.KERNEL32(00000000), ref: 02C07001
    • IsValidLocale.KERNEL32(?,00000001), ref: 02C07014
    • GetLocaleInfoW.KERNEL32(?,00001001,?,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 02C0705C
    • GetLocaleInfoW.KERNEL32(?,00001002,?,00000040), ref: 02C07077
    Memory Dump Source
    • Source File: 00000000.00000002.4198655852.0000000002BD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02BD1000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_2bd1000_Aura.jbxd
    Similarity
    • API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
    • String ID:
    • API String ID: 415426439-0
    • Opcode ID: b08515faba0968a0444e8e7f6edfed2f520e99fb13c07c3444ee0b0e97a83a64
    • Instruction ID: 7d2748ff6ac4be24a01e12e4fad7c5c075d036b1a74fca5bf8abfc0646f58351
    • Opcode Fuzzy Hash: b08515faba0968a0444e8e7f6edfed2f520e99fb13c07c3444ee0b0e97a83a64
    • Instruction Fuzzy Hash: 57515D71A00215ABEF10EFA5CC81FBAB7BDBF48704F244569E915E71C0E771AA14CBA1
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.4198744411.00000000030D0000.00000020.00001000.00020000.00000000.sdmp, Offset: 030D0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_30d0000_Aura.jbxd
    Similarity
    • API ID:
    • String ID: !K$/5$:}$j|$uR
    • API String ID: 0-181933845
    • Opcode ID: c41641d6fb2284d34f79b02710a976b43663cc47193f69a05fc1110f9a6e53bd
    • Instruction ID: 34790525ebe17db700be803648a353c69f41fe23b196ea9b6e770682f9f75f15
    • Opcode Fuzzy Hash: c41641d6fb2284d34f79b02710a976b43663cc47193f69a05fc1110f9a6e53bd
    • Instruction Fuzzy Hash: 166259B0D11619DFCB08CFA9D9959EEBBB2FF88304F24816AE415BB204D7786A41CF54
    Memory Dump Source
    • Source File: 00000000.00000002.4198655852.0000000002BD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02BD1000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_2bd1000_Aura.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 2b0d6a36d3e9bb07e292145b0f16b39c2ac231c0c763a01576220bd12188bc9c
    • Instruction ID: 21b26acf96241810ee612bc91b201734df41a4744ba7c3657d3558a49b4c7919
    • Opcode Fuzzy Hash: 2b0d6a36d3e9bb07e292145b0f16b39c2ac231c0c763a01576220bd12188bc9c
    • Instruction Fuzzy Hash: 6F022C71E012199BDB14CFA9C8917AEBBF1FF89314F248269D919E7380D731AA41DB90
    APIs
    • FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000000), ref: 02C0097E
    • FindNextFileW.KERNEL32(00000000,?), ref: 02C009F9
    • FindClose.KERNEL32(00000000), ref: 02C00A1B
    • FindClose.KERNEL32(00000000), ref: 02C00A3E
    Memory Dump Source
    • Source File: 00000000.00000002.4198655852.0000000002BD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02BD1000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_2bd1000_Aura.jbxd
    Similarity
    • API ID: Find$CloseFile$FirstNext
    • String ID:
    • API String ID: 1164774033-0
    • Opcode ID: cc9d12012340c03b08d764140dc1f74db546c71a2f86cb108fa7b336e49bb3ce
    • Instruction ID: fcd7e7a3f170725dd4ddd52e4ce939a3af6da8d0e7320b273349f47f175d9891
    • Opcode Fuzzy Hash: cc9d12012340c03b08d764140dc1f74db546c71a2f86cb108fa7b336e49bb3ce
    • Instruction Fuzzy Hash: F841B031D00229AEEB20DF69DCC8BAAB3B9EBC5305F014295E509931C0EB309F80CB60
    APIs
    • IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 02BD21B2
    • IsDebuggerPresent.KERNEL32 ref: 02BD227E
    • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 02BD2297
    • UnhandledExceptionFilter.KERNEL32(?), ref: 02BD22A1
    Memory Dump Source
    • Source File: 00000000.00000002.4198655852.0000000002BD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02BD1000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_2bd1000_Aura.jbxd
    Similarity
    • API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
    • String ID:
    • API String ID: 254469556-0
    • Opcode ID: 944760e7f2de8e497d4517051bf08a67f14ecc61004f8cfc7ad2360d77554471
    • Instruction ID: 885eb797bd880cc7e1908d9ff3f037641e9bb6b6bdb7e13b2c96ff5bd10da32c
    • Opcode Fuzzy Hash: 944760e7f2de8e497d4517051bf08a67f14ecc61004f8cfc7ad2360d77554471
    • Instruction Fuzzy Hash: 0D31F975D052189BDF20DF64D9897CDBBB8FF08300F1041EAE80DAB240EB719A858F45
    APIs
      • Part of subcall function 02BFF302: GetLastError.KERNEL32(?,?,02C05D2C,02C2A818,0000000C,02C0A365,00000000,?,02BF966D,00000000,00000000,00000000,00000000,?,?,?), ref: 02BFF306
      • Part of subcall function 02BFF302: SetLastError.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,?,?,02C09138,?,02C08C40,00000000,?,00000000,02C08C40), ref: 02BFF3A8
    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 02C069B7
    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 02C06A01
    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 02C06AC7
    Memory Dump Source
    • Source File: 00000000.00000002.4198655852.0000000002BD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02BD1000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_2bd1000_Aura.jbxd
    Similarity
    • API ID: InfoLocale$ErrorLast
    • String ID:
    • API String ID: 661929714-0
    • Opcode ID: 07423a638dea961562e192d1d56fcf9cf69cfadd15ade31f3b23811ade65dd10
    • Instruction ID: 1143d8ec82e5d39f58018276de1a419413da33d13d596a84ac64a22ef83773d8
    • Opcode Fuzzy Hash: 07423a638dea961562e192d1d56fcf9cf69cfadd15ade31f3b23811ade65dd10
    • Instruction Fuzzy Hash: EE6163715502179FDB24AF25CCC1BAA77ADEF44304F2081A9D906C61C4E774EAA5DB60
    APIs
    • IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 02BFF79E
    • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 02BFF7A8
    • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 02BFF7B5
    Memory Dump Source
    • Source File: 00000000.00000002.4198655852.0000000002BD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02BD1000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_2bd1000_Aura.jbxd
    Similarity
    • API ID: ExceptionFilterUnhandled$DebuggerPresent
    • String ID:
    • API String ID: 3906539128-0
    • Opcode ID: ac6d6b49f6b5359898edb7c381472954c29c63a1d13c2b92d5f07c40288ccff7
    • Instruction ID: 34db486724e30fa3f15b4e76bbb07b11dce93a9427456094fc6b6b4d1cf5dfc4
    • Opcode Fuzzy Hash: ac6d6b49f6b5359898edb7c381472954c29c63a1d13c2b92d5f07c40288ccff7
    • Instruction Fuzzy Hash: EF31C774D41228ABCB61DF24D9897DCB7B4FF08310F5046DAE50CA7290EB709B858F44
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.4198744411.00000000030D0000.00000020.00001000.00020000.00000000.sdmp, Offset: 030D0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_30d0000_Aura.jbxd
    Similarity
    • API ID:
    • String ID: 2d$P(
    • API String ID: 0-922858389
    • Opcode ID: 992f08189d0e8994fbc4e007d8f936bfd28dd1767db4d31037ea3e6158472c97
    • Instruction ID: 0ab7337d2df58a24bbf6d0f5c3e54c1e9f1eb85734b82cdf013a84c548984cd8
    • Opcode Fuzzy Hash: 992f08189d0e8994fbc4e007d8f936bfd28dd1767db4d31037ea3e6158472c97
    • Instruction Fuzzy Hash: 459246B4D11619AFCB08CFA9D9959EEBBB2FF88304F24816AD415BB304D7386A41CF54
    APIs
    • GetProcessHeap.KERNEL32 ref: 02BD10BC
    • RtlAllocateHeap.NTDLL(02C2CA7C,?,?), ref: 02BD10D6
    Memory Dump Source
    • Source File: 00000000.00000002.4198655852.0000000002BD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02BD1000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_2bd1000_Aura.jbxd
    Similarity
    • API ID: Heap$AllocateProcess
    • String ID:
    • API String ID: 1357844191-0
    • Opcode ID: 31995febb853ef48b02075a9b07f3466ee80b4ac11f7812e88889ba2cca72747
    • Instruction ID: 72713fcf0de6214f10a892b1b1e293d6b12be1be259a985e7da922782173a96e
    • Opcode Fuzzy Hash: 31995febb853ef48b02075a9b07f3466ee80b4ac11f7812e88889ba2cca72747
    • Instruction Fuzzy Hash: DED0177A890908EFD710DFA8E444B5D37E8F74E204F028A06F61D82600CB3095388F90
    APIs
    • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,02C173E7,?,?,00000008,?,?,02C13B50,00000000), ref: 02C17619
    Memory Dump Source
    • Source File: 00000000.00000002.4198655852.0000000002BD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02BD1000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_2bd1000_Aura.jbxd
    Similarity
    • API ID: ExceptionRaise
    • String ID:
    • API String ID: 3997070919-0
    • Opcode ID: 1c2ca294dbe57cd4cdd43a8edc8fa7b8f5da3779b3c95b47f875c785bf646231
    • Instruction ID: 1068eda429354e51db529cf37843ce1fca1e359f0c5cc244e4ac56bf3744a792
    • Opcode Fuzzy Hash: 1c2ca294dbe57cd4cdd43a8edc8fa7b8f5da3779b3c95b47f875c785bf646231
    • Instruction Fuzzy Hash: 50B14E31510609DFD715CF2CC48AB64BBE0FF46368F258698E89ACF2A1C335EA95DB40
    APIs
    • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 02BD269F
    Memory Dump Source
    • Source File: 00000000.00000002.4198655852.0000000002BD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02BD1000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_2bd1000_Aura.jbxd
    Similarity
    • API ID: FeaturePresentProcessor
    • String ID:
    • API String ID: 2325560087-0
    • Opcode ID: 0a154504c8fa96414c91c86b755f62402d03860f8ec56e3f3e904362c630a7ac
    • Instruction ID: 766b98daad0401ba3fe387644d08895d8d2e34ed9db84085e8c179d165d1235b
    • Opcode Fuzzy Hash: 0a154504c8fa96414c91c86b755f62402d03860f8ec56e3f3e904362c630a7ac
    • Instruction Fuzzy Hash: B2A1BE72D607418FDB28CF58D48179DBBB1FB48318F16866AD905E7241E7389A58CFD0
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.4198655852.0000000002BD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02BD1000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_2bd1000_Aura.jbxd
    Similarity
    • API ID:
    • String ID: 0
    • API String ID: 0-4108050209
    • Opcode ID: b53d47f0204cfc103b95a5067522361f2413de0e2f8d6a3e1bad5fed7db53018
    • Instruction ID: f9c7b003318ddaee7c26755097c054d9579f29fff1d1ad6f158865cb9cab2316
    • Opcode Fuzzy Hash: b53d47f0204cfc103b95a5067522361f2413de0e2f8d6a3e1bad5fed7db53018
    • Instruction Fuzzy Hash: AFD1FF74A006068FCBB4CF68C484B7EB7F2FF45314F94869DD6969B291D730A94ACB50
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.4198655852.0000000002BD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02BD1000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_2bd1000_Aura.jbxd
    Similarity
    • API ID:
    • String ID: 0
    • API String ID: 0-4108050209
    • Opcode ID: ad203dfe155a5448c90b9677c3cd6554d4ba48aebff7b7d04d7062e873b9cce9
    • Instruction ID: eff0e5bb64ee1960781447d7dd8b3f93f16fa5f7b0e2f0118f9de21ad19b3c2a
    • Opcode Fuzzy Hash: ad203dfe155a5448c90b9677c3cd6554d4ba48aebff7b7d04d7062e873b9cce9
    • Instruction Fuzzy Hash: 4BD1CF74A00606DFCBB8CF68C484A6EB7F1FF44318F948699D7669B690D730A949CF50
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.4198655852.0000000002BD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02BD1000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_2bd1000_Aura.jbxd
    Similarity
    • API ID:
    • String ID: 0
    • API String ID: 0-4108050209
    • Opcode ID: 6f7afd7aada09468e1eda25d6b9ec48f5e0bcf6dfcd11de35a0e3fab66f97160
    • Instruction ID: 1f5db05ae71f2b095a81b91398c233498f727c890aa2951288c3b308d05b4091
    • Opcode Fuzzy Hash: 6f7afd7aada09468e1eda25d6b9ec48f5e0bcf6dfcd11de35a0e3fab66f97160
    • Instruction Fuzzy Hash: 69D1AE30A006068FCBB8CF68C584A6BB7B1FF45318F55469DD75A9B690D730AA8ACB50
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.4198744411.00000000030D0000.00000020.00001000.00020000.00000000.sdmp, Offset: 030D0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_30d0000_Aura.jbxd
    Similarity
    • API ID:
    • String ID: _I
    • API String ID: 0-3349887086
    • Opcode ID: acce168d14894613b9d9174a1472a1ec99c19a3a187001f6b8f94f35c3df8a4a
    • Instruction ID: 99790fba00a4acaecfe1c3e7fa108a7eeaae111d353004e2d2cc48c2567fa6a3
    • Opcode Fuzzy Hash: acce168d14894613b9d9174a1472a1ec99c19a3a187001f6b8f94f35c3df8a4a
    • Instruction Fuzzy Hash: 500288B4D112199FCB08CF98D985AEEBBB1FF88304F24816AD515BB304D7786A91CB54
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.4198655852.0000000002BD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02BD1000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_2bd1000_Aura.jbxd
    Similarity
    • API ID:
    • String ID: 0
    • API String ID: 0-4108050209
    • Opcode ID: d5a77919566b0b439d0c23568d53ce5fd56f9d36693d02631bf2d91c82f49963
    • Instruction ID: 5f84364223f7db2037778cd18cce396d02d022fb059f79d79f2d3113c6c58ba7
    • Opcode Fuzzy Hash: d5a77919566b0b439d0c23568d53ce5fd56f9d36693d02631bf2d91c82f49963
    • Instruction Fuzzy Hash: 18C1E1359006868FCBA4CF38C58467ABBF2EF45308F0446D9E752976A1D331E98DCB61
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.4198655852.0000000002BD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02BD1000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_2bd1000_Aura.jbxd
    Similarity
    • API ID:
    • String ID: 0
    • API String ID: 0-4108050209
    • Opcode ID: 185f03f0fef698da4187451675d121ffbc970d4b22c1c439f089313b8940ea05
    • Instruction ID: c17dcfb719e3e5642bee55ba7bd63b9c27cfff8f3012f9e2468e9619f0fa919e
    • Opcode Fuzzy Hash: 185f03f0fef698da4187451675d121ffbc970d4b22c1c439f089313b8940ea05
    • Instruction Fuzzy Hash: 8AC1D3709007068FCBA4CF68C58467BBBB2FF45318F0446A9D792A7691D730EA8DCB50
    APIs
      • Part of subcall function 02BFF302: GetLastError.KERNEL32(?,?,02C05D2C,02C2A818,0000000C,02C0A365,00000000,?,02BF966D,00000000,00000000,00000000,00000000,?,?,?), ref: 02BFF306
      • Part of subcall function 02BFF302: SetLastError.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,?,?,02C09138,?,02C08C40,00000000,?,00000000,02C08C40), ref: 02BFF3A8
    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 02C06C0A
    Memory Dump Source
    • Source File: 00000000.00000002.4198655852.0000000002BD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02BD1000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_2bd1000_Aura.jbxd
    Similarity
    • API ID: ErrorLast$InfoLocale
    • String ID:
    • API String ID: 3736152602-0
    • Opcode ID: 1c877c0e59d123583d6349eff5ba5c1b48d38ed795d2a87c7228d23290f0bc64
    • Instruction ID: ce9d0e4a1f7f7b9394735b41d58a4da74daee84781dc1b0d79d9b2260c0d802b
    • Opcode Fuzzy Hash: 1c877c0e59d123583d6349eff5ba5c1b48d38ed795d2a87c7228d23290f0bc64
    • Instruction Fuzzy Hash: D9219272610606ABDB289F65DC81FBA77ACEF45318B20417AED02C61C0EB74EA54DB50
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.4198655852.0000000002BD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02BD1000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_2bd1000_Aura.jbxd
    Similarity
    • API ID:
    • String ID: 0
    • API String ID: 0-4108050209
    • Opcode ID: 74ad830288a6c344ab1b4817c89fbcd12e971006b8b4c8038f83493a03e87d37
    • Instruction ID: 827e9905fce9e66c74fed61e7e4290d70fe240b1857e200afa614c9c763071db
    • Opcode Fuzzy Hash: 74ad830288a6c344ab1b4817c89fbcd12e971006b8b4c8038f83493a03e87d37
    • Instruction Fuzzy Hash: 0FC1DC746007CA8FCBA4CE69C5A467EBBF1FF05308F0446D9DAA297691C731A98DCB50
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.4198655852.0000000002BD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02BD1000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_2bd1000_Aura.jbxd
    Similarity
    • API ID:
    • String ID: 0
    • API String ID: 0-4108050209
    • Opcode ID: 0f904b7b0ffe9b446c9e6773dbf6a67af60d3a6f5f69abb9257b8b81ef1a0520
    • Instruction ID: c94a01b43d982f644c7fb6f8cb7e83b77545e2d69fe32e71e5d07a7de0f9ee54
    • Opcode Fuzzy Hash: 0f904b7b0ffe9b446c9e6773dbf6a67af60d3a6f5f69abb9257b8b81ef1a0520
    • Instruction Fuzzy Hash: 4AB1C070A0064A9BCBA4CFA8C584ABFB7F5FF45308F044A99D75697690D730A94DCB50
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.4198655852.0000000002BD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02BD1000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_2bd1000_Aura.jbxd
    Similarity
    • API ID:
    • String ID: 0
    • API String ID: 0-4108050209
    • Opcode ID: f7b6c6ecb30bdc43b05c871b37020782d5c99156464b811da9216fb2dd1efdc7
    • Instruction ID: ef0b9ec8d48fbac2fdce76246e848c16f184f3501a485dd6d0b1874b1a49d823
    • Opcode Fuzzy Hash: f7b6c6ecb30bdc43b05c871b37020782d5c99156464b811da9216fb2dd1efdc7
    • Instruction Fuzzy Hash: 2EB1C030A0060A9BCBA4DF68C594ABFB7F1EF44314F084699D796A7690DB31AA4DCB50
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.4198655852.0000000002BD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02BD1000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_2bd1000_Aura.jbxd
    Similarity
    • API ID:
    • String ID: 0
    • API String ID: 0-4108050209
    • Opcode ID: 0090561b604dea0fff3df3ebd76d71978271bd9f5b6e9ed4551ea89b069f8866
    • Instruction ID: 702d39552ced21748d514e7653b8493f522fb41904e2e8135ce7b29e8e38c8fd
    • Opcode Fuzzy Hash: 0090561b604dea0fff3df3ebd76d71978271bd9f5b6e9ed4551ea89b069f8866
    • Instruction Fuzzy Hash: D3B1D239A0060A8BCBA4CF68C994BBFB7F1EF44318F04459DD756A7652D730A94ECB60
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.4198655852.0000000002BD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02BD1000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_2bd1000_Aura.jbxd
    Similarity
    • API ID:
    • String ID: 0
    • API String ID: 0-4108050209
    • Opcode ID: 48cb26964f72b3b97a43a60cfad79df1823d54a270df05950d543b9ad61b9bf4
    • Instruction ID: 099a661ddfd93c0e8c9ab8891179accd6bf7774cfc08b5c3f89ab41339518bd6
    • Opcode Fuzzy Hash: 48cb26964f72b3b97a43a60cfad79df1823d54a270df05950d543b9ad61b9bf4
    • Instruction Fuzzy Hash: BBB1F17090468A9BCBA5CE68C494ABEBBF1EF40308F0846DECB5297790CB30D64DCB51
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.4198655852.0000000002BD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02BD1000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_2bd1000_Aura.jbxd
    Similarity
    • API ID:
    • String ID: 0
    • API String ID: 0-4108050209
    • Opcode ID: 5b033051db1c52b99680b240cf6d825db93defbdb381f30fa840ebad506cb4db
    • Instruction ID: 58f6bebdf6716f8bdfb3277439db9a42767928d96f6695b2ff803a1a602cae69
    • Opcode Fuzzy Hash: 5b033051db1c52b99680b240cf6d825db93defbdb381f30fa840ebad506cb4db
    • Instruction Fuzzy Hash: A8B1F2B090468A8BCBA8CF68C554ABEBBE1EF00308F1446D9DB9397790C735A64DCB51
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.4198655852.0000000002BD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02BD1000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_2bd1000_Aura.jbxd
    Similarity
    • API ID:
    • String ID: 0
    • API String ID: 0-4108050209
    • Opcode ID: d9ba2d5f7536d4d68e0ad64ddd30dc4a58f495a33c174da1d491ad6c990c0e92
    • Instruction ID: 7e356f7c246b5179e7b8fe97625a73f5058b147b81e7108d216282197d9ed17b
    • Opcode Fuzzy Hash: d9ba2d5f7536d4d68e0ad64ddd30dc4a58f495a33c174da1d491ad6c990c0e92
    • Instruction Fuzzy Hash: 06B1A470A0068A8BCBA4CF78C9547BEBBE1EF45308F1446DED79297B90CB319649CB51
    APIs
      • Part of subcall function 02BFF302: GetLastError.KERNEL32(?,?,02C05D2C,02C2A818,0000000C,02C0A365,00000000,?,02BF966D,00000000,00000000,00000000,00000000,?,?,?), ref: 02BFF306
      • Part of subcall function 02BFF302: SetLastError.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,?,?,02C09138,?,02C08C40,00000000,?,00000000,02C08C40), ref: 02BFF3A8
    • EnumSystemLocalesW.KERNEL32(02C06963,00000001), ref: 02C068AF
    Memory Dump Source
    • Source File: 00000000.00000002.4198655852.0000000002BD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02BD1000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_2bd1000_Aura.jbxd
    Similarity
    • API ID: ErrorLast$EnumLocalesSystem
    • String ID:
    • API String ID: 2417226690-0
    • Opcode ID: 66f17ec2d7aa6bf221f3b8b67bc351fc623d154d1b4e835f8812a876ccab4ca4
    • Instruction ID: 91868d48b6858103d688f584865e70dd213e3d0ee66629f1df56d8414f0b8f80
    • Opcode Fuzzy Hash: 66f17ec2d7aa6bf221f3b8b67bc351fc623d154d1b4e835f8812a876ccab4ca4
    • Instruction Fuzzy Hash: B51129366047019FEB189F38C8D167AB796FF80328B24452CD98747A80D371A552CB40
    APIs
      • Part of subcall function 02BFF302: GetLastError.KERNEL32(?,?,02C05D2C,02C2A818,0000000C,02C0A365,00000000,?,02BF966D,00000000,00000000,00000000,00000000,?,?,?), ref: 02BFF306
      • Part of subcall function 02BFF302: SetLastError.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,?,?,02C09138,?,02C08C40,00000000,?,00000000,02C08C40), ref: 02BFF3A8
    • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,02C06B7F,00000000,00000000,?), ref: 02C06E11
    Memory Dump Source
    • Source File: 00000000.00000002.4198655852.0000000002BD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02BD1000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_2bd1000_Aura.jbxd
    Similarity
    • API ID: ErrorLast$InfoLocale
    • String ID:
    • API String ID: 3736152602-0
    • Opcode ID: 53128821d2dcd418b970f4c6f94308196c70d7548ef122a74741d29618ccaff7
    • Instruction ID: 179c81e6dd7c1bdacf9644ac4f7fe43c882ba8151cd0693e941f75806cd32184
    • Opcode Fuzzy Hash: 53128821d2dcd418b970f4c6f94308196c70d7548ef122a74741d29618ccaff7
    • Instruction Fuzzy Hash: 5201F932A00252BBDF185F35C886BBB3B5DEB80B58F254429DD26A71C0EB74FE51C694
    APIs
      • Part of subcall function 02BFF302: GetLastError.KERNEL32(?,?,02C05D2C,02C2A818,0000000C,02C0A365,00000000,?,02BF966D,00000000,00000000,00000000,00000000,?,?,?), ref: 02BFF306
      • Part of subcall function 02BFF302: SetLastError.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,?,?,02C09138,?,02C08C40,00000000,?,00000000,02C08C40), ref: 02BFF3A8
    • EnumSystemLocalesW.KERNEL32(02C06BB6,00000001), ref: 02C06922
    Memory Dump Source
    • Source File: 00000000.00000002.4198655852.0000000002BD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02BD1000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_2bd1000_Aura.jbxd
    Similarity
    • API ID: ErrorLast$EnumLocalesSystem
    • String ID:
    • API String ID: 2417226690-0
    • Opcode ID: 77744397b7da12fc08d271dca3b230a55454cbe770a763cf7293443b38346ba0
    • Instruction ID: f8bdcbdcfb382e892f8576fecb9e7fd16b0f3363ed23c477bffc2221179cdd45
    • Opcode Fuzzy Hash: 77744397b7da12fc08d271dca3b230a55454cbe770a763cf7293443b38346ba0
    • Instruction Fuzzy Hash: 37F046722003041FDB186F38C8C1A7A7B99FF80328B28442CEA828BAC0D7B19942DB50
    APIs
      • Part of subcall function 02C02CDE: RtlEnterCriticalSection.NTDLL(-00019CDB), ref: 02C02CED
    • EnumSystemLocalesW.KERNEL32(02C070AB,00000001,02C2A838,0000000C,02C07A15,?), ref: 02C070F6
    Memory Dump Source
    • Source File: 00000000.00000002.4198655852.0000000002BD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02BD1000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_2bd1000_Aura.jbxd
    Similarity
    • API ID: CriticalEnterEnumLocalesSectionSystem
    • String ID:
    • API String ID: 1272433827-0
    • Opcode ID: 7c5a7cfa176789def6af8b6108387ea7f50d5635e3bfb64c0f051e2268388fdc
    • Instruction ID: b242b7e79c16a867e967edb862e7075d52d8d9fdaef4c2d382cf4ec65665d0b6
    • Opcode Fuzzy Hash: 7c5a7cfa176789def6af8b6108387ea7f50d5635e3bfb64c0f051e2268388fdc
    • Instruction Fuzzy Hash: 29F0AF32A44300DFEB14EF68E941B9C77F1EB04324F10422AE801DB2C0CB749909CF80
    APIs
      • Part of subcall function 02BFF302: GetLastError.KERNEL32(?,?,02C05D2C,02C2A818,0000000C,02C0A365,00000000,?,02BF966D,00000000,00000000,00000000,00000000,?,?,?), ref: 02BFF306
      • Part of subcall function 02BFF302: SetLastError.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,?,?,02C09138,?,02C08C40,00000000,?,00000000,02C08C40), ref: 02BFF3A8
    • EnumSystemLocalesW.KERNEL32(02C0672D,00000001), ref: 02C0680B
    Memory Dump Source
    • Source File: 00000000.00000002.4198655852.0000000002BD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02BD1000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_2bd1000_Aura.jbxd
    Similarity
    • API ID: ErrorLast$EnumLocalesSystem
    • String ID:
    • API String ID: 2417226690-0
    • Opcode ID: a664b1a740373413554a036a386f1663947f5a31398e0abc88f1560b63b2ff76
    • Instruction ID: fe71514f3f70aa90ab0a9fcd2942eb215fc151614f6a5655dbf06d66a668f919
    • Opcode Fuzzy Hash: a664b1a740373413554a036a386f1663947f5a31398e0abc88f1560b63b2ff76
    • Instruction Fuzzy Hash: 7AF0AB3A30020557CB14AF39D88577ABF98FFC1724B164058EF068B280C775E943CB50
    APIs
    • GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,?,?,02BE0A8B,?,20001004,00000000,00000002,?,?,02BDFDEE), ref: 02C07BD8
    Memory Dump Source
    • Source File: 00000000.00000002.4198655852.0000000002BD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02BD1000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_2bd1000_Aura.jbxd
    Similarity
    • API ID: InfoLocale
    • String ID:
    • API String ID: 2299586839-0
    • Opcode ID: a8e8e9da71ffa772a9135042fb2aa51819431e1243fc6e876ece24ba4a89ad91
    • Instruction ID: da3aa58e242c69cbdae42074c768c3406075e5cdcd40f0336b2347a7e31cfe74
    • Opcode Fuzzy Hash: a8e8e9da71ffa772a9135042fb2aa51819431e1243fc6e876ece24ba4a89ad91
    • Instruction Fuzzy Hash: 7FE04F3194015CBBCF162F61DC49F9EBF16EF45760F108420FC0665290DB359D31AAD5
    APIs
    • EnumSystemLocalesW.KERNEL32(Function_000360AB,00000001), ref: 02C07277
    Memory Dump Source
    • Source File: 00000000.00000002.4198655852.0000000002BD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02BD1000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_2bd1000_Aura.jbxd
    Similarity
    • API ID: EnumLocalesSystem
    • String ID:
    • API String ID: 2099609381-0
    • Opcode ID: 155fbaf0ff85356e3824b54966f1e7de86d39c73420261694cc711f3b43bfda6
    • Instruction ID: de1aba8530c67d29745f266c1a1e06ea1dc2015aabd8fbbffa3e8b1c5bda4b16
    • Opcode Fuzzy Hash: 155fbaf0ff85356e3824b54966f1e7de86d39c73420261694cc711f3b43bfda6
    • Instruction Fuzzy Hash: DCD0C77199C7046BDB246F61E886F157B65E794724B110616F40A46380DEB2A865DA80
    APIs
    • SetUnhandledExceptionFilter.KERNEL32(Function_00001345,02BD1AFE), ref: 02BD233B
    Memory Dump Source
    • Source File: 00000000.00000002.4198655852.0000000002BD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02BD1000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_2bd1000_Aura.jbxd
    Similarity
    • API ID: ExceptionFilterUnhandled
    • String ID:
    • API String ID: 3192549508-0
    • Opcode ID: 98482c436a1cb267e7495365175a0b7629127b4c605dc16f6ac1495502b7c846
    • Instruction ID: 4ee97b4acfd30c8fed0669b0962c0f5cb3de68b4bdb8339854fb5fc5216b73b2
    • Opcode Fuzzy Hash: 98482c436a1cb267e7495365175a0b7629127b4c605dc16f6ac1495502b7c846
    • Instruction Fuzzy Hash:
    Memory Dump Source
    • Source File: 00000000.00000002.4198655852.0000000002BD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02BD1000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_2bd1000_Aura.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: de48ee1349c268fae240558c628b4fd052ae507b213508fc3d5893cd4ea2de36
    • Instruction ID: 1ab2fb8e87f5ee795cb5194142ba44c6923ba702145afd21f336e085bdea4018
    • Opcode Fuzzy Hash: de48ee1349c268fae240558c628b4fd052ae507b213508fc3d5893cd4ea2de36
    • Instruction Fuzzy Hash: A5F19D71A002288FDB25DF08C881BAAB3B9EF86704F1941DADA4DA7341D7749F81DF81
    Memory Dump Source
    • Source File: 00000000.00000002.4198655852.0000000002BD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02BD1000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_2bd1000_Aura.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: c66015ac5584c966a28adf6623fec8479daa8075245f9251e2ea36b11832dccb
    • Instruction ID: eb74cc44dd4950fdc62e8885803053a5df4389e7a59bb82c1bcaf627cdcb94d4
    • Opcode Fuzzy Hash: c66015ac5584c966a28adf6623fec8479daa8075245f9251e2ea36b11832dccb
    • Instruction Fuzzy Hash: 30B10120D6AF414DD363A6398832336B68CBFBB2D5F52DB1BFC2674D56EB2181938140
    Memory Dump Source
    • Source File: 00000000.00000002.4198655852.0000000002BD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02BD1000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_2bd1000_Aura.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 430999a96a78ad916b64029db012cae0049a5a4dae0df93d0fb36f34c21b1e1e
    • Instruction ID: 9b82423b13a17f2bbd4d54b6d53cdb99da6d829267cff1d3b0766774a13f5558
    • Opcode Fuzzy Hash: 430999a96a78ad916b64029db012cae0049a5a4dae0df93d0fb36f34c21b1e1e
    • Instruction Fuzzy Hash: 53A15A71A002698BDB24DF19C882BEDB7B5FF8A304F1541EADD49A7241D731AE85DF80
    Memory Dump Source
    • Source File: 00000000.00000002.4198744411.00000000030D0000.00000020.00001000.00020000.00000000.sdmp, Offset: 030D0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_30d0000_Aura.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: c3a5f3111a928dca1ba856e3d5f62225d449739881fc9106a5ec32747a82cb43
    • Instruction ID: 262dfc934eb00ffe8e96d52b77ef1751ab8aed819c71305d73f1230ebb7d5683
    • Opcode Fuzzy Hash: c3a5f3111a928dca1ba856e3d5f62225d449739881fc9106a5ec32747a82cb43
    • Instruction Fuzzy Hash: D211B675E02209EFCB44CF98C590AAEBBF5EF88300F208599D919AB344D735AA45CB90

    Control-flow Graph

    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.4198655852.0000000002BD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02BD1000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_2bd1000_Aura.jbxd
    Similarity
    • API ID: Name::operator+$NameName::$Decorator::getReturnTypeoperator+
    • String ID:
    • API String ID: 2932655852-0
    • Opcode ID: 9c7987ee09f14100b23f3dbd8d6d1895059bff6dbfa7d1f2390294c1b26cd79a
    • Instruction ID: 574068621e3501f199460c0ea088c81ffd873e1cbc0e75399795ecf27ec737a5
    • Opcode Fuzzy Hash: 9c7987ee09f14100b23f3dbd8d6d1895059bff6dbfa7d1f2390294c1b26cd79a
    • Instruction Fuzzy Hash: 92C16F75D10209AFCB14DFA8D895AEDBBB9EF08304F1445AAE502A7280FF74AA45DF50

    Control-flow Graph

    APIs
    • DName::operator+.LIBCMT ref: 02BD8ABF
    • DName::operator+.LIBCMT ref: 02BD8C02
      • Part of subcall function 02BD44B2: shared_ptr.LIBCMT ref: 02BD44CE
    • DName::operator+.LIBCMT ref: 02BD8BAD
    • DName::operator+.LIBCMT ref: 02BD8C4E
    • DName::operator+.LIBCMT ref: 02BD8C5D
    • DName::operator+.LIBCMT ref: 02BD8D89
    • DName::operator=.LIBVCRUNTIME ref: 02BD8DC9
    • DName::DName.LIBVCRUNTIME ref: 02BD8DD3
    • DName::operator+.LIBCMT ref: 02BD8DF0
    • DName::operator+.LIBCMT ref: 02BD8DFC
      • Part of subcall function 02BDA319: Replicator::operator[].LIBCMT ref: 02BDA356
    Memory Dump Source
    • Source File: 00000000.00000002.4198655852.0000000002BD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02BD1000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_2bd1000_Aura.jbxd
    Similarity
    • API ID: Name::operator+$NameName::Name::operator=Replicator::operator[]shared_ptr
    • String ID:
    • API String ID: 1043660730-0
    • Opcode ID: a6771b567a5648520ae0f7645a1da5d3154eb7dc16d60602ee21ca247ccc81fa
    • Instruction ID: 77c694faff2fdac6d4233aada8c6eefdde8c79aa50407b38dcfa005930c2c77d
    • Opcode Fuzzy Hash: a6771b567a5648520ae0f7645a1da5d3154eb7dc16d60602ee21ca247ccc81fa
    • Instruction Fuzzy Hash: C3C190B19012489FDB24DFA8D844BEEBBF5EF15305F0844ADE146A7280FB75A689CF50
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.4198655852.0000000002BD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02BD1000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_2bd1000_Aura.jbxd
    Similarity
    • API ID: __aulldiv
    • String ID: :$f$f$f$p$p$p
    • API String ID: 3732870572-1434680307
    • Opcode ID: 31ee61f48bdb35299a73ee678c23193379848700d185eaefe87927cceb22a595
    • Instruction ID: 60680df675d7db6e373790a45465a1b7ca7a30caa5d7543ef95c2a20fde9e102
    • Opcode Fuzzy Hash: 31ee61f48bdb35299a73ee678c23193379848700d185eaefe87927cceb22a595
    • Instruction Fuzzy Hash: 94026D7990021C9ADBA4EFA4C4487EDBF72FF40B18F60959AD615AB294D3309ECCCB54

    Control-flow Graph

    APIs
    • Replicator::operator[].LIBCMT ref: 02BDA356
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.4198655852.0000000002BD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02BD1000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_2bd1000_Aura.jbxd
    Similarity
    • API ID: Replicator::operator[]
    • String ID: @
    • API String ID: 3676697650-2766056989
    • Opcode ID: 1988569939b4e60e65348b2019396e29232932f1169d1a35a2bfdcd4f9edefa2
    • Instruction ID: a7fb76df45f081510ea3186b7a0577c86fe971953e4c0a9512b487a085b854a7
    • Opcode Fuzzy Hash: 1988569939b4e60e65348b2019396e29232932f1169d1a35a2bfdcd4f9edefa2
    • Instruction Fuzzy Hash: CA61E871D002499FDB24DF94D455BEEBBB9EF08310F1944AAD611A3281FB78A649CF90

    Control-flow Graph

    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.4198655852.0000000002BD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02BD1000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_2bd1000_Aura.jbxd
    Similarity
    • API ID: _strrchr
    • String ID:
    • API String ID: 3213747228-0
    • Opcode ID: e3fae6663a6cdfd9f41c54c219b0f4de7f068a42514f7783c8a721069d00455f
    • Instruction ID: 5216dbd47fe9f24f654a4ae62cfc9f3fa8c2f49328f30bc3dd1bba542c843815
    • Opcode Fuzzy Hash: e3fae6663a6cdfd9f41c54c219b0f4de7f068a42514f7783c8a721069d00455f
    • Instruction Fuzzy Hash: 2DB13772A00355AFDB158F68CCD1BAE7BB5EF99310F148255EA04AB3C1D374EA41CBA0

    Control-flow Graph

    APIs
    • type_info::operator==.LIBVCRUNTIME ref: 02BDBD9A
    • ___TypeMatch.LIBVCRUNTIME ref: 02BDBEA8
    • CallUnexpected.LIBVCRUNTIME ref: 02BDC015
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.4198655852.0000000002BD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02BD1000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_2bd1000_Aura.jbxd
    Similarity
    • API ID: CallMatchTypeUnexpectedtype_info::operator==
    • String ID: csm$csm$csm
    • API String ID: 1206542248-393685449
    • Opcode ID: fe4e0c15be2ec0bf61bcc6eee42d7854836e30e1ef1cff78a62484a158eb62bc
    • Instruction ID: 8183dc8297cfe1a5c57166cbd7f9f4517000626954f1343ea85438daac1a0bed
    • Opcode Fuzzy Hash: fe4e0c15be2ec0bf61bcc6eee42d7854836e30e1ef1cff78a62484a158eb62bc
    • Instruction Fuzzy Hash: 8CB13D75800209DFCF19DFA4C980AEEBBB6FF04318B1545EAE8156B211E731EA51CF95

    Control-flow Graph

    APIs
    • DName::operator+.LIBCMT ref: 02BD5A09
    • DName::operator+.LIBCMT ref: 02BD5A5C
      • Part of subcall function 02BD44B2: shared_ptr.LIBCMT ref: 02BD44CE
      • Part of subcall function 02BD43A1: DName::operator+.LIBCMT ref: 02BD43C2
    • DName::operator+.LIBCMT ref: 02BD5A4D
    • DName::operator+.LIBCMT ref: 02BD5AAD
    • DName::operator+.LIBCMT ref: 02BD5ABA
    • DName::operator+.LIBCMT ref: 02BD5B01
    • DName::operator+.LIBCMT ref: 02BD5B0E
    Memory Dump Source
    • Source File: 00000000.00000002.4198655852.0000000002BD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02BD1000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_2bd1000_Aura.jbxd
    Similarity
    • API ID: Name::operator+$shared_ptr
    • String ID:
    • API String ID: 1037112749-0
    • Opcode ID: 744be0fdf5a58bcab96be4694fa38de3ce237b53e486148323b78feb8360b25f
    • Instruction ID: 2d32122302ffcff61a1da970145a01b42bd5f666d123a7fe6a628cbf7a97fe0b
    • Opcode Fuzzy Hash: 744be0fdf5a58bcab96be4694fa38de3ce237b53e486148323b78feb8360b25f
    • Instruction Fuzzy Hash: BB5154B1D00218ABDF25DB94D895EEEBBB9EF08710F44419AE515A7180FF74A648CFA0

    Control-flow Graph

    Memory Dump Source
    • Source File: 00000000.00000002.4198655852.0000000002BD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02BD1000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_2bd1000_Aura.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 86a8cbb0e2acca0a5b894b76fc0f4bf3321ca26658525bcc07e17ea0179ae9eb
    • Instruction ID: a1a6dde56f4bf12073ca7832e38e554d6a4de284b7b0f3f4027a1629907ced7c
    • Opcode Fuzzy Hash: 86a8cbb0e2acca0a5b894b76fc0f4bf3321ca26658525bcc07e17ea0179ae9eb
    • Instruction Fuzzy Hash: 3AB12570E44245AFEB21DF98C882BBD7BB1AFCB354F444198E505AB2C1C7709A46DFA0

    Control-flow Graph

    APIs
    • DName::operator+.LIBCMT ref: 02BDA209
    • DName::operator+.LIBCMT ref: 02BDA215
      • Part of subcall function 02BD44B2: shared_ptr.LIBCMT ref: 02BD44CE
    • DName::operator+=.LIBCMT ref: 02BDA2D3
      • Part of subcall function 02BD8A54: DName::operator+.LIBCMT ref: 02BD8ABF
      • Part of subcall function 02BD8A54: DName::operator+.LIBCMT ref: 02BD8D89
      • Part of subcall function 02BD43A1: DName::operator+.LIBCMT ref: 02BD43C2
    • DName::operator+.LIBCMT ref: 02BDA290
      • Part of subcall function 02BD450A: DName::operator=.LIBVCRUNTIME ref: 02BD452B
    • DName::DName.LIBVCRUNTIME ref: 02BDA2F7
    • DName::operator+.LIBCMT ref: 02BDA303
    Memory Dump Source
    • Source File: 00000000.00000002.4198655852.0000000002BD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02BD1000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_2bd1000_Aura.jbxd
    Similarity
    • API ID: Name::operator+$NameName::Name::operator+=Name::operator=shared_ptr
    • String ID:
    • API String ID: 2795783184-0
    • Opcode ID: 4e153eb8420c6818405ef8fb30b0c394c338ad23af5f50d4840aa2dc73f0b168
    • Instruction ID: 359b19cab4aaaa9889bc4ad5529683eb0d14acf702aabc539178192c6d878cb3
    • Opcode Fuzzy Hash: 4e153eb8420c6818405ef8fb30b0c394c338ad23af5f50d4840aa2dc73f0b168
    • Instruction Fuzzy Hash: 1A41E8B1A002449FDB24DFA8C454BDE7BFAEF09304F5444D9D196D7280FB796A84CB54

    Control-flow Graph

    APIs
      • Part of subcall function 02BDA319: Replicator::operator[].LIBCMT ref: 02BDA356
    • DName::operator=.LIBVCRUNTIME ref: 02BD8EBE
      • Part of subcall function 02BD8A54: DName::operator+.LIBCMT ref: 02BD8ABF
      • Part of subcall function 02BD8A54: DName::operator+.LIBCMT ref: 02BD8D89
    • DName::operator+.LIBCMT ref: 02BD8E78
    • DName::operator+.LIBCMT ref: 02BD8E84
    • DName::DName.LIBVCRUNTIME ref: 02BD8EC8
    • DName::operator+.LIBCMT ref: 02BD8EE5
    • DName::operator+.LIBCMT ref: 02BD8EF1
    Memory Dump Source
    • Source File: 00000000.00000002.4198655852.0000000002BD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02BD1000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_2bd1000_Aura.jbxd
    Similarity
    • API ID: Name::operator+$NameName::Name::operator=Replicator::operator[]
    • String ID:
    • API String ID: 955152517-0
    • Opcode ID: 67da7d499f9de4530bd7a761a0f5117fef92969ae48060364e49cbe9da43ceee
    • Instruction ID: 544a346642b829585598da15b36d43736f6d8ad154bf7edf650f22b5ccdafa88
    • Opcode Fuzzy Hash: 67da7d499f9de4530bd7a761a0f5117fef92969ae48060364e49cbe9da43ceee
    • Instruction Fuzzy Hash: F631B3B1A002049FCB24DF68D554AEEBBF6EF49304F1488ADD586A7350FB74A544CF50
    APIs
    • GetLastError.KERNEL32(?,?,02BD385B,02BD3330,02BD2389), ref: 02BD3872
    • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 02BD3880
    • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 02BD3899
    • SetLastError.KERNEL32(00000000,02BD385B,02BD3330,02BD2389), ref: 02BD38EB
    Memory Dump Source
    • Source File: 00000000.00000002.4198655852.0000000002BD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02BD1000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_2bd1000_Aura.jbxd
    Similarity
    • API ID: ErrorLastValue___vcrt_
    • String ID:
    • API String ID: 3852720340-0
    • Opcode ID: 39ab7192f89e74253eb785ec18c90c61382bd8219638cc7a87a689fe5aa9df41
    • Instruction ID: e6a29debbd96624d319e857055e9c014454d8650c1f51207868b2ff0e9782dd6
    • Opcode Fuzzy Hash: 39ab7192f89e74253eb785ec18c90c61382bd8219638cc7a87a689fe5aa9df41
    • Instruction Fuzzy Hash: 220124726E83115EA7242678BC84B9E2B95FB0177872103FAE018910D1FF135C159BC2
    Strings
    • C:\Users\user\Desktop\Aura.exe, xrefs: 02C011BB
    Memory Dump Source
    • Source File: 00000000.00000002.4198655852.0000000002BD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02BD1000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_2bd1000_Aura.jbxd
    Similarity
    • API ID:
    • String ID: C:\Users\user\Desktop\Aura.exe
    • API String ID: 0-3946295530
    • Opcode ID: 033848be707d9853f0258769f9a39f7a3a00a9f157ea83ad6a39fa56df0cfdd9
    • Instruction ID: 1a78487b190580b186faebbc3f8c7ece5d90f04b436af4d78551a081a882570d
    • Opcode Fuzzy Hash: 033848be707d9853f0258769f9a39f7a3a00a9f157ea83ad6a39fa56df0cfdd9
    • Instruction Fuzzy Hash: B6218171600205AFDB10AFA5CCC0E6BF7AAAF893647184519EA2DD75D0E7B0ED10CFA0
    APIs
    • GetConsoleOutputCP.KERNEL32(02C2C080,00000000,00000000,?), ref: 02C0E247
      • Part of subcall function 02C021C3: WideCharToMultiByte.KERNEL32(?,00000000,00000000,?,02C08C40,00000000,02C0EC36,?,00000000,?,?,?,02C0E90C,0000FDE9,00000000,?), ref: 02C02224
    • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 02C0E499
    • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 02C0E4DF
    • GetLastError.KERNEL32 ref: 02C0E582
    Memory Dump Source
    • Source File: 00000000.00000002.4198655852.0000000002BD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02BD1000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_2bd1000_Aura.jbxd
    Similarity
    • API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
    • String ID:
    • API String ID: 2112829910-0
    • Opcode ID: 6032640b9d6f12b679e14643717b71605bcbd669d8c8e4b7c0397eccc500645b
    • Instruction ID: 274d3cad87ebcaf93370719247a677ed376685c450ab28ab4cf1785e3f7c0829
    • Opcode Fuzzy Hash: 6032640b9d6f12b679e14643717b71605bcbd669d8c8e4b7c0397eccc500645b
    • Instruction Fuzzy Hash: 14D179B5D402589FCB14CFA8D8C0AADBBB5FF49304F18496AE456EB391E730A946CF50
    APIs
    • __EH_prolog3.LIBCMT ref: 02BD6AA9
    • UnDecorator::getSymbolName.LIBCMT ref: 02BD6B3B
    • DName::operator+.LIBCMT ref: 02BD6C3F
    • DName::DName.LIBVCRUNTIME ref: 02BD6CE2
      • Part of subcall function 02BD44B2: shared_ptr.LIBCMT ref: 02BD44CE
    Memory Dump Source
    • Source File: 00000000.00000002.4198655852.0000000002BD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02BD1000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_2bd1000_Aura.jbxd
    Similarity
    • API ID: Name$Decorator::getH_prolog3Name::Name::operator+Symbolshared_ptr
    • String ID:
    • API String ID: 334624791-0
    • Opcode ID: 0e6e23714a79ddfd171b75ef62d9f90002db8a1d32519d35deb6abcc585e5fe6
    • Instruction ID: e04c8b6319543fd526d56208af97f286e867f6f2c42426f8a58f158425e59715
    • Opcode Fuzzy Hash: 0e6e23714a79ddfd171b75ef62d9f90002db8a1d32519d35deb6abcc585e5fe6
    • Instruction Fuzzy Hash: E5718FB1D102498FDB24CF94E481BEEBBB9FF08314F09059AD511BB241EB75AA45CF90
    APIs
    • DName::operator+.LIBCMT ref: 02BD7265
      • Part of subcall function 02BD4101: __aulldvrm.LIBCMT ref: 02BD4132
    • DName::operator+.LIBCMT ref: 02BD71C6
    • DName::operator=.LIBVCRUNTIME ref: 02BD72AA
    • DName::DName.LIBVCRUNTIME ref: 02BD72DC
    Memory Dump Source
    • Source File: 00000000.00000002.4198655852.0000000002BD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02BD1000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_2bd1000_Aura.jbxd
    Similarity
    • API ID: Name::operator+$NameName::Name::operator=__aulldvrm
    • String ID:
    • API String ID: 2973644308-0
    • Opcode ID: f2125b5748592f2eb4331f44fbd6d45b0d8b57b599994c6d2c30315b600b9adf
    • Instruction ID: 77f47ac3ed2cd46f3e38f25f5e41bc42ac89ef29c46a4ecde22ec3b76287dce2
    • Opcode Fuzzy Hash: f2125b5748592f2eb4331f44fbd6d45b0d8b57b599994c6d2c30315b600b9adf
    • Instruction Fuzzy Hash: 0A619D71D10295DFCB24CF58D880BEDBBB1FF46304F05859AE851AB240EBB09A81DF90
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.4198655852.0000000002BD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02BD1000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_2bd1000_Aura.jbxd
    Similarity
    • API ID: AdjustPointer
    • String ID:
    • API String ID: 1740715915-0
    • Opcode ID: 1f8d7bcfaf326d8e5ca9ef499b8468df96bc0de2baa64f9deb807b82e353d8cb
    • Instruction ID: ef20485e67ff79407f495bb2c993416e1bfb0301446b180a43aeddee11f222e7
    • Opcode Fuzzy Hash: 1f8d7bcfaf326d8e5ca9ef499b8468df96bc0de2baa64f9deb807b82e353d8cb
    • Instruction Fuzzy Hash: 4F51E2726047029FDB298F14C880BFAB7A6FF00718F1645ADED5647295FB31E881CB90
    APIs
    • DName::operator+.LIBCMT ref: 02BD6E95
      • Part of subcall function 02BD4476: DName::operator+=.LIBCMT ref: 02BD448C
    Memory Dump Source
    • Source File: 00000000.00000002.4198655852.0000000002BD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02BD1000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_2bd1000_Aura.jbxd
    Similarity
    • API ID: Name::operator+Name::operator+=
    • String ID:
    • API String ID: 382699925-0
    • Opcode ID: 2b46f8a08eb0beb1b9af3799d8a0eadea13e2d122ce716fe7ce48c283c8501d2
    • Instruction ID: 72741955ff30307777dacfc9642e6c2f91c501a0fd1f331406b14f68f0842a24
    • Opcode Fuzzy Hash: 2b46f8a08eb0beb1b9af3799d8a0eadea13e2d122ce716fe7ce48c283c8501d2
    • Instruction Fuzzy Hash: 30413BB1D0020ADBCF14DFA8E585AEEBBB9EF04314F00459AE505A7240EB75DB88DF91
    APIs
      • Part of subcall function 02C021C3: WideCharToMultiByte.KERNEL32(?,00000000,00000000,?,02C08C40,00000000,02C0EC36,?,00000000,?,?,?,02C0E90C,0000FDE9,00000000,?), ref: 02C02224
    • GetLastError.KERNEL32 ref: 02C00128
    • __dosmaperr.LIBCMT ref: 02C0012F
    • GetLastError.KERNEL32(?,?,?,?), ref: 02C00169
    • __dosmaperr.LIBCMT ref: 02C00170
    Memory Dump Source
    • Source File: 00000000.00000002.4198655852.0000000002BD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02BD1000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_2bd1000_Aura.jbxd
    Similarity
    • API ID: ErrorLast__dosmaperr$ByteCharMultiWide
    • String ID:
    • API String ID: 1913693674-0
    • Opcode ID: 4cb0d657b772d865c6124ac9dfeace093b7604212d045676c508ef36b6c982cb
    • Instruction ID: d17d348e1c3a0d1a76f2812daf81e4a16df8d5f537a7487ed94588807049d7c7
    • Opcode Fuzzy Hash: 4cb0d657b772d865c6124ac9dfeace093b7604212d045676c508ef36b6c982cb
    • Instruction Fuzzy Hash: 88216571600609BFDB20AF65CCC0B6BB7AAFF443647028519E969976D0E731EE51CBA0
    APIs
    • GetEnvironmentStringsW.KERNEL32 ref: 02C022D2
      • Part of subcall function 02C021C3: WideCharToMultiByte.KERNEL32(?,00000000,00000000,?,02C08C40,00000000,02C0EC36,?,00000000,?,?,?,02C0E90C,0000FDE9,00000000,?), ref: 02C02224
    • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 02C0230A
    • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 02C0232A
    Memory Dump Source
    • Source File: 00000000.00000002.4198655852.0000000002BD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02BD1000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_2bd1000_Aura.jbxd
    Similarity
    • API ID: EnvironmentStrings$Free$ByteCharMultiWide
    • String ID:
    • API String ID: 158306478-0
    • Opcode ID: 09616acf0bf2ecc8c611d520a40b0278e3e4ddaccc4cb4ad0052ef18b4e1b3a3
    • Instruction ID: 53f3479775bed1ea7f2aafd0a10fb84d9ad3e8261c134ced6d51a8c9d0d90a83
    • Opcode Fuzzy Hash: 09616acf0bf2ecc8c611d520a40b0278e3e4ddaccc4cb4ad0052ef18b4e1b3a3
    • Instruction Fuzzy Hash: 1E1122F29026167EA71127B25CCDCBF6A5DEECA2A87000565FE0AD11C0EB64CF0189B2
    APIs
    • FreeLibrary.KERNEL32(00000000,?,00000000,00000800,00000000,?,?,02C2C080,?,02C0772C,02C17729,02BFFEAB,00000000,?), ref: 02C076DE
    Memory Dump Source
    • Source File: 00000000.00000002.4198655852.0000000002BD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02BD1000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_2bd1000_Aura.jbxd
    Similarity
    • API ID: FreeLibrary
    • String ID:
    • API String ID: 3664257935-0
    • Opcode ID: ab69802b8ee42f997a5ee255865c9e3a6f2999d486bd39122d1c11e1160f34bd
    • Instruction ID: f802933f3db6aee3e5bb510ecde41e1159099ef269e746e8529868647d24e4df
    • Opcode Fuzzy Hash: ab69802b8ee42f997a5ee255865c9e3a6f2999d486bd39122d1c11e1160f34bd
    • Instruction Fuzzy Hash: D5213075E40111ABD7255B68DCC1B5AB7589B42764F250651ED07A72C0DB30FA19CAF0
    APIs
    • SetFilePointerEx.KERNEL32(?,00000000,00000000,?,00000001,?), ref: 02C14C41
    • GetLastError.KERNEL32(?,?,?,?), ref: 02C14C4E
    • SetFilePointerEx.KERNEL32(?,?,?,?,?), ref: 02C14C74
    • SetFilePointerEx.KERNEL32(?,?,?,00000000,00000000,?,?,?), ref: 02C14C9A
    Memory Dump Source
    • Source File: 00000000.00000002.4198655852.0000000002BD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02BD1000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_2bd1000_Aura.jbxd
    Similarity
    • API ID: FilePointer$ErrorLast
    • String ID:
    • API String ID: 142388799-0
    • Opcode ID: ec4b2ccd388cab2ce0c632283e049f510f5521de67faaa5e92c2e31a5d244de9
    • Instruction ID: 0180d6c41b92d77e3537af94c255fbf5fdcf8220a2be0d9e6d8237fed81b0ae2
    • Opcode Fuzzy Hash: ec4b2ccd388cab2ce0c632283e049f510f5521de67faaa5e92c2e31a5d244de9
    • Instruction Fuzzy Hash: F3115771900129BBCF249FA5CD49ADE3F7AFF867A0F104644F826961A0D731CA50EBA0
    APIs
    • WriteConsoleW.KERNEL32(?,?,?,00000000), ref: 02C17AA9
    • GetLastError.KERNEL32 ref: 02C17AB5
      • Part of subcall function 02C17B5E: CloseHandle.KERNEL32(02C2C950,02C17BA8,?,02C14F61,00000000,00000001,00000000,?,?,02C0E5D6,?,00000000,00000000,?,?), ref: 02C17B6E
    • ___initconout.LIBCMT ref: 02C17AC5
      • Part of subcall function 02C17B20: CreateFileW.KERNEL32(02C28DBC,40000000,00000003,00000000,00000003,00000000,00000000,02C17B4F,02C14F4E,?,?,02C0E5D6,?,00000000,00000000,?), ref: 02C17B33
    • WriteConsoleW.KERNEL32(?,?,?,00000000), ref: 02C17AD9
    Memory Dump Source
    • Source File: 00000000.00000002.4198655852.0000000002BD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02BD1000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_2bd1000_Aura.jbxd
    Similarity
    • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
    • String ID:
    • API String ID: 2744216297-0
    • Opcode ID: 7fcd5cd2021ca94f0a0964382a2b0d66209c8d690e23ca46cde1c73a7f9b8452
    • Instruction ID: ea133ad6185e340fd06f7107654582d6afd9a22b8ab65d4af3278f04a715d4fc
    • Opcode Fuzzy Hash: 7fcd5cd2021ca94f0a0964382a2b0d66209c8d690e23ca46cde1c73a7f9b8452
    • Instruction Fuzzy Hash: FAF08236580100BBCB222B96DC05F4ABFA7FFCE3617214815F94A82120CB32E564EF90
    APIs
    • WriteConsoleW.KERNEL32(00000000,?,00000000,00000000,00000000,?,02C14F61,00000000,00000001,00000000,?,?,02C0E5D6,?,00000000,00000000), ref: 02C17B8C
    • GetLastError.KERNEL32(?,02C14F61,00000000,00000001,00000000,?,?,02C0E5D6,?,00000000,00000000,?,?,?,02C0EBC1,00000000), ref: 02C17B98
      • Part of subcall function 02C17B5E: CloseHandle.KERNEL32(02C2C950,02C17BA8,?,02C14F61,00000000,00000001,00000000,?,?,02C0E5D6,?,00000000,00000000,?,?), ref: 02C17B6E
    • ___initconout.LIBCMT ref: 02C17BA8
      • Part of subcall function 02C17B20: CreateFileW.KERNEL32(02C28DBC,40000000,00000003,00000000,00000003,00000000,00000000,02C17B4F,02C14F4E,?,?,02C0E5D6,?,00000000,00000000,?), ref: 02C17B33
    • WriteConsoleW.KERNEL32(00000000,?,00000000,00000000,?,02C14F61,00000000,00000001,00000000,?,?,02C0E5D6,?,00000000,00000000,?), ref: 02C17BBD
    Memory Dump Source
    • Source File: 00000000.00000002.4198655852.0000000002BD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02BD1000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_2bd1000_Aura.jbxd
    Similarity
    • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
    • String ID:
    • API String ID: 2744216297-0
    • Opcode ID: f99ccd72ff55cd07586d39ca3e966ec10e02255cd0f68fd39363937d6884729b
    • Instruction ID: 5df42ea18c2b3263de1e3299625a2820c02ac8908456f9a0abfae86c4d72b6a8
    • Opcode Fuzzy Hash: f99ccd72ff55cd07586d39ca3e966ec10e02255cd0f68fd39363937d6884729b
    • Instruction Fuzzy Hash: B8F01C36841115BBCF222FA1DC05B8D7F26FF4A3B1B218511FE1995120CB328934EBD0
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.4198655852.0000000002BD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02BD1000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_2bd1000_Aura.jbxd
    Similarity
    • API ID: __aulldiv
    • String ID: +$-
    • API String ID: 3732870572-2137968064
    • Opcode ID: 4b7f0084c6dd7cc236bf80f2e254111bd822154ec7f7a1d93f11596916ab6f32
    • Instruction ID: c82122fea8767a109a2679b5d9fc6a2bb41226fec717a3b32525b38abb291d3b
    • Opcode Fuzzy Hash: 4b7f0084c6dd7cc236bf80f2e254111bd822154ec7f7a1d93f11596916ab6f32
    • Instruction Fuzzy Hash: 54A1AE70E4424CAFCFA4CE7888517AE7FA1EF46324F04959BEA65AB281D330D589CB50
    APIs
    • ___except_validate_context_record.LIBVCRUNTIME ref: 02BD2D6F
    • __IsNonwritableInCurrentImage.LIBCMT ref: 02BD2E23
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.4198655852.0000000002BD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02BD1000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_2bd1000_Aura.jbxd
    Similarity
    • API ID: CurrentImageNonwritable___except_validate_context_record
    • String ID: csm
    • API String ID: 3480331319-1018135373
    • Opcode ID: 9978cee5e546398f9fec3984e4128facb1bccc8fb21785d83c2bcd186a108e11
    • Instruction ID: 5709022d3e9d6386632b0385fe8bd5bdee7b47c8c07e551fcb24cb9e9a8324a5
    • Opcode Fuzzy Hash: 9978cee5e546398f9fec3984e4128facb1bccc8fb21785d83c2bcd186a108e11
    • Instruction Fuzzy Hash: C7418234A002999BCF14DF68C884ADEBBB5FF45328F1481D6EC159B352EB319A15CF91
    APIs
    • RtlEncodePointer.NTDLL(00000000), ref: 02BDC045
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.4198655852.0000000002BD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02BD1000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_2bd1000_Aura.jbxd
    Similarity
    • API ID: EncodePointer
    • String ID: MOC$RCC
    • API String ID: 2118026453-2084237596
    • Opcode ID: 703aa69d3d6cc8e9d9ace1e0aa39ee82cb2a848e1127efec1add896f1758b36c
    • Instruction ID: 3dc3ea5b1efb0a41badee4a0929b851171e76f3b9eb8a1b41503e5c35cdd1038
    • Opcode Fuzzy Hash: 703aa69d3d6cc8e9d9ace1e0aa39ee82cb2a848e1127efec1add896f1758b36c
    • Instruction Fuzzy Hash: B9415B71900219AFCF15DF98CC81AEEBBB5FF48304F15819AF90567211E335A991DF54
    APIs
    • ___unDName.LIBVCRUNTIME ref: 02BD308E
      • Part of subcall function 02BDA85F: ___unDNameEx.LIBVCRUNTIME ref: 02BDA878
    • RtlInterlockedPushEntrySList.NTDLL(?,?), ref: 02BD3109
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.4198655852.0000000002BD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02BD1000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_2bd1000_Aura.jbxd
    Similarity
    • API ID: Name___un$EntryInterlockedListPush
    • String ID: Y
    • API String ID: 723550680-2843332214
    • Opcode ID: f16aa1737ee2731ff88781e75123df76d242c2e1f2c6ff80b9366f355b80c351
    • Instruction ID: f1325261965400a064b3839a291cd3a2bb95e29745c2a4a4f0d3c00885920060
    • Opcode Fuzzy Hash: f16aa1737ee2731ff88781e75123df76d242c2e1f2c6ff80b9366f355b80c351
    • Instruction Fuzzy Hash: DA210771900205AFDB11DF68DC81AEA7BEAEF45618B2440E8E8069B202F7369D45CF92
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.4198655852.0000000002BD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02BD1000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_2bd1000_Aura.jbxd
    Similarity
    • API ID: NameName::
    • String ID: A
    • API String ID: 1333004437-3554254475
    • Opcode ID: 84daa25e9e09342d4b20dd75b252f88e54f53ec6e3dda5bb28b913cca8af7c16
    • Instruction ID: 7fca86d398e3cc805959a0e45b91dd3c9aad34dba57ed0953fe39ee1c8ebde1d
    • Opcode Fuzzy Hash: 84daa25e9e09342d4b20dd75b252f88e54f53ec6e3dda5bb28b913cca8af7c16
    • Instruction Fuzzy Hash: 6421AC71900148AFCF21DF64C841BECBBB2EF04318F0884D9E8159B250EBB1AA86DF41
    APIs
    • ___swprintf_l.LIBCMT ref: 02BD3E4A
      • Part of subcall function 02BDA94E: _vsnprintf.LEGACY_STDIO_DEFINITIONS ref: 02BDA95E
    • swprintf.LIBCMT ref: 02BD3E6D
      • Part of subcall function 02BDA968: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 02BDA97A
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.4198655852.0000000002BD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02BD1000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_2bd1000_Aura.jbxd
    Similarity
    • API ID: ___swprintf_l__vswprintf_c_l_vsnprintfswprintf
    • String ID: %lf
    • API String ID: 3672277462-2891890143
    • Opcode ID: c042cce5d5b8b35cd3fd3272f8c927533767df4160091193927348bbc152694d
    • Instruction ID: 159cd27d3fe1d0cb04ec49a1d82348c81509b0bf7a48974cfe736d76ec5f1d0b
    • Opcode Fuzzy Hash: c042cce5d5b8b35cd3fd3272f8c927533767df4160091193927348bbc152694d
    • Instruction Fuzzy Hash: 2CF0CDB2500008BADB00AB85CC49FFF7F6DDF85664F1240C8F68526241EB799E00A7B6
    APIs
    • ___swprintf_l.LIBCMT ref: 02BD3EA6
      • Part of subcall function 02BDA94E: _vsnprintf.LEGACY_STDIO_DEFINITIONS ref: 02BDA95E
    • swprintf.LIBCMT ref: 02BD3EC9
      • Part of subcall function 02BDA968: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 02BDA97A
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.4198655852.0000000002BD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02BD1000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_2bd1000_Aura.jbxd
    Similarity
    • API ID: ___swprintf_l__vswprintf_c_l_vsnprintfswprintf
    • String ID: %lf
    • API String ID: 3672277462-2891890143
    • Opcode ID: 4c2ce2fc40a0e142290f615dd255bdd2c2f2afc439dd888a69cef5da9c4ddd98
    • Instruction ID: 7d9dc5fe044fc520403fc1bc16c9bee33f1fa3ffbcb50d51e348036e703a3186
    • Opcode Fuzzy Hash: 4c2ce2fc40a0e142290f615dd255bdd2c2f2afc439dd888a69cef5da9c4ddd98
    • Instruction Fuzzy Hash: D3F0B4B2100008BADB00AB55CC45FFF7B6DDF49764F1280C8FA4917241EB799E0497B5